1 #include <ldns/config.h>
5 #include <ldns/dnssec.h>
6 #include <ldns/dnssec_sign.h>
12 /* this entire file is rather useless when you don't have
15 #include <openssl/ssl.h>
16 #include <openssl/evp.h>
17 #include <openssl/rand.h>
18 #include <openssl/err.h>
19 #include <openssl/md5.h>
23 ldns_create_empty_rrsig(ldns_rr_list *rrset,
24 ldns_key *current_key)
27 ldns_rr_class orig_class;
32 label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset,
34 /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */
35 if(ldns_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0))))
38 current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
40 /* set the type on the new signature */
41 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
42 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
44 ldns_rr_set_ttl(current_sig, orig_ttl);
45 ldns_rr_set_class(current_sig, orig_class);
46 ldns_rr_set_owner(current_sig,
49 ldns_rr_list_rr(rrset,
52 /* fill in what we know of the signature */
54 /* set the orig_ttl */
55 (void)ldns_rr_rrsig_set_origttl(
57 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
59 /* the signers name */
60 (void)ldns_rr_rrsig_set_signame(
62 ldns_rdf_clone(ldns_key_pubkey_owner(current_key)));
63 /* label count - get it from the first rr in the rr_list */
64 (void)ldns_rr_rrsig_set_labels(
66 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
68 /* inception, expiration */
70 if (ldns_key_inception(current_key) != 0) {
71 (void)ldns_rr_rrsig_set_inception(
73 ldns_native2rdf_int32(
75 ldns_key_inception(current_key)));
77 (void)ldns_rr_rrsig_set_inception(
79 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
81 if (ldns_key_expiration(current_key) != 0) {
82 (void)ldns_rr_rrsig_set_expiration(
84 ldns_native2rdf_int32(
86 ldns_key_expiration(current_key)));
88 (void)ldns_rr_rrsig_set_expiration(
90 ldns_native2rdf_int32(
92 now + LDNS_DEFAULT_EXP_TIME));
95 (void)ldns_rr_rrsig_set_keytag(
97 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
98 ldns_key_keytag(current_key)));
100 (void)ldns_rr_rrsig_set_algorithm(
102 ldns_native2rdf_int8(
104 ldns_key_algorithm(current_key)));
106 (void)ldns_rr_rrsig_set_typecovered(
108 ldns_native2rdf_int16(
110 ldns_rr_get_type(ldns_rr_list_rr(rrset,
117 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
119 ldns_rdf *b64rdf = NULL;
121 switch(ldns_key_algorithm(current_key)) {
123 case LDNS_SIGN_DSA_NSEC3:
124 b64rdf = ldns_sign_public_evp(
126 ldns_key_evp_key(current_key),
129 case LDNS_SIGN_RSASHA1:
130 case LDNS_SIGN_RSASHA1_NSEC3:
131 b64rdf = ldns_sign_public_evp(
133 ldns_key_evp_key(current_key),
137 case LDNS_SIGN_RSASHA256:
138 b64rdf = ldns_sign_public_evp(
140 ldns_key_evp_key(current_key),
143 case LDNS_SIGN_RSASHA512:
144 b64rdf = ldns_sign_public_evp(
146 ldns_key_evp_key(current_key),
149 #endif /* USE_SHA2 */
151 case LDNS_SIGN_ECC_GOST:
152 b64rdf = ldns_sign_public_evp(
154 ldns_key_evp_key(current_key),
155 EVP_get_digestbyname("md_gost94"));
157 #endif /* USE_GOST */
159 case LDNS_SIGN_ECDSAP256SHA256:
160 b64rdf = ldns_sign_public_evp(
162 ldns_key_evp_key(current_key),
165 case LDNS_SIGN_ECDSAP384SHA384:
166 b64rdf = ldns_sign_public_evp(
168 ldns_key_evp_key(current_key),
172 case LDNS_SIGN_RSAMD5:
173 b64rdf = ldns_sign_public_evp(
175 ldns_key_evp_key(current_key),
179 /* do _you_ know this alg? */
180 printf("unknown algorithm, ");
181 printf("is the one used available on this system?\n");
189 * use this function to sign with a public/private key alg
190 * return the created signatures
193 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
195 ldns_rr_list *signatures;
196 ldns_rr_list *rrset_clone;
197 ldns_rr *current_sig;
199 ldns_key *current_key;
202 ldns_buffer *sign_buf;
205 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
211 signatures = ldns_rr_list_new();
213 /* prepare a signature and add all the know data
214 * prepare the rrset. Sign this together. */
215 rrset_clone = ldns_rr_list_clone(rrset);
220 /* make it canonical */
221 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
222 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i),
223 ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)));
224 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
227 ldns_rr_list_sort(rrset_clone);
230 key_count < ldns_key_list_key_count(keys);
232 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
235 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
237 ldns_rr_list_free(rrset_clone);
238 ldns_rr_list_free(signatures);
239 ldns_rdf_free(new_owner);
244 current_key = ldns_key_list_key(keys, key_count);
245 /* sign all RRs with keys that have ZSKbit, !SEPbit.
246 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
247 if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) {
248 current_sig = ldns_create_empty_rrsig(rrset_clone,
251 /* right now, we have: a key, a semi-sig and an rrset. For
252 * which we can create the sig and base64 encode that and
253 * add that to the signature */
255 if (ldns_rrsig2buffer_wire(sign_buf, current_sig)
257 ldns_buffer_free(sign_buf);
259 ldns_rr_list_deep_free(rrset_clone);
263 /* add the rrset in sign_buf */
264 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone)
266 ldns_buffer_free(sign_buf);
267 ldns_rr_list_deep_free(rrset_clone);
271 b64rdf = ldns_sign_public_buffer(sign_buf, current_key);
274 /* signing went wrong */
275 ldns_rr_list_deep_free(rrset_clone);
279 ldns_rr_rrsig_set_sig(current_sig, b64rdf);
281 /* push the signature to the signatures list */
282 ldns_rr_list_push_rr(signatures, current_sig);
284 ldns_buffer_free(sign_buf); /* restart for the next key */
286 ldns_rr_list_deep_free(rrset_clone);
294 * \param[in] to_sign The ldns_buffer containing raw data that is
296 * \param[in] key The DSA key structure to sign with
297 * \return ldns_rdf for the RRSIG ldns_rr
300 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
302 unsigned char *sha1_hash;
303 ldns_rdf *sigdata_rdf;
310 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
315 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
316 ldns_buffer_position(to_sign), NULL);
318 ldns_buffer_free(b64sig);
322 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key);
324 ldns_buffer_free(b64sig);
328 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH);
330 ldns_buffer_free(b64sig);
336 pad = 20 - (size_t) BN_num_bytes(sig->r);
338 memset(data + 1, 0, pad);
340 BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad);
342 pad = 20 - (size_t) BN_num_bytes(sig->s);
344 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
346 BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
348 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
349 1 + 2 * SHA_DIGEST_LENGTH,
352 ldns_buffer_free(b64sig);
362 ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
366 if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC)
368 ec = EVP_PKEY_get1_EC_KEY(pkey);
369 g = EC_KEY_get0_group(ec);
374 if(EC_GROUP_get_curve_name(g) == NID_secp224r1 ||
375 EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1 ||
376 EC_GROUP_get_curve_name(g) == NID_secp384r1) {
380 /* downref the eckey, the original is still inside the pkey */
385 #endif /* USE_ECDSA */
388 ldns_sign_public_evp(ldns_buffer *to_sign,
390 const EVP_MD *digest_type)
393 ldns_rdf *sigdata_rdf;
396 const EVP_MD *md_type;
400 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
405 /* initializes a signing context */
406 md_type = digest_type;
408 /* unknown message difest */
409 ldns_buffer_free(b64sig);
413 EVP_MD_CTX_init(&ctx);
414 r = EVP_SignInit(&ctx, md_type);
416 r = EVP_SignUpdate(&ctx, (unsigned char*)
417 ldns_buffer_begin(to_sign),
418 ldns_buffer_position(to_sign));
420 ldns_buffer_free(b64sig);
424 r = EVP_SignFinal(&ctx, (unsigned char*)
425 ldns_buffer_begin(b64sig), &siglen, key);
427 ldns_buffer_free(b64sig);
431 ldns_buffer_free(b64sig);
435 /* unfortunately, OpenSSL output is differenct from DNS DSA format */
437 if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
438 sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
440 } else if(EVP_PKEY_type(key->type) == EVP_PKEY_EC &&
441 ldns_pkey_is_ecdsa(key)) {
442 sigdata_rdf = ldns_convert_ecdsa_rrsig_asn12rdf(b64sig, siglen);
445 /* ok output for other types is the same */
446 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
447 ldns_buffer_begin(b64sig));
450 ldns_buffer_free(b64sig);
451 EVP_MD_CTX_cleanup(&ctx);
456 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key)
458 unsigned char *sha1_hash;
460 ldns_rdf *sigdata_rdf;
465 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
470 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
471 ldns_buffer_position(to_sign), NULL);
473 ldns_buffer_free(b64sig);
477 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH,
478 (unsigned char*)ldns_buffer_begin(b64sig),
488 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
489 ldns_buffer_begin(b64sig));
490 ldns_buffer_free(b64sig); /* can't free this buffer ?? */
495 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key)
497 unsigned char *md5_hash;
499 ldns_rdf *sigdata_rdf;
502 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
507 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign),
508 ldns_buffer_position(to_sign), NULL);
510 ldns_buffer_free(b64sig);
514 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH,
515 (unsigned char*)ldns_buffer_begin(b64sig),
518 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
519 ldns_buffer_begin(b64sig));
520 ldns_buffer_free(b64sig);
523 #endif /* HAVE_SSL */
526 ldns_dnssec_name_has_only_a(ldns_dnssec_name *cur_name)
528 ldns_dnssec_rrsets *cur_rrset;
529 cur_rrset = cur_name->rrsets;
531 if (cur_rrset->type != LDNS_RR_TYPE_A &&
532 cur_rrset->type != LDNS_RR_TYPE_AAAA) {
535 cur_rrset = cur_rrset->next;
542 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
544 ldns_rbnode_t *cur_node;
545 ldns_dnssec_name *cur_name;
546 ldns_rdf *cur_owner, *cur_parent;
548 cur_node = ldns_rbtree_first(zone->names);
549 while (cur_node != LDNS_RBTREE_NULL) {
550 cur_name = (ldns_dnssec_name *) cur_node->data;
551 cur_node = ldns_rbtree_next(cur_node);
552 if (ldns_dnssec_name_has_only_a(cur_name)) {
553 /* assume glue XXX check for zone cur */
554 cur_owner = ldns_rdf_clone(ldns_rr_owner(
555 cur_name->rrsets->rrs->rr));
556 while (ldns_dname_label_count(cur_owner) >
557 ldns_dname_label_count(zone->soa->name)) {
558 if (ldns_dnssec_zone_find_rrset(zone,
562 fprintf(stderr, "[XX] Marking as glue: ");
563 ldns_rdf_print(stderr, cur_name->name);
564 fprintf(stderr, "\n");
566 cur_name->is_glue = true;
568 cur_parent = ldns_dname_left_chop(cur_owner);
569 ldns_rdf_deep_free(cur_owner);
570 cur_owner = cur_parent;
572 ldns_rdf_deep_free(cur_owner);
575 return LDNS_STATUS_OK;
579 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node)
581 ldns_rbnode_t *next_node = NULL;
582 ldns_dnssec_name *next_name = NULL;
585 if (node == LDNS_RBTREE_NULL) {
590 if (next_node == LDNS_RBTREE_NULL) {
593 next_name = (ldns_dnssec_name *)next_node->data;
594 if (!next_name->is_glue) {
597 next_node = ldns_rbtree_next(next_node);
605 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
606 ldns_rr_list *new_rrs)
609 ldns_rbnode_t *first_node, *cur_node, *next_node;
610 ldns_dnssec_name *cur_name, *next_name;
613 ldns_dnssec_rrsets *soa;
615 /* the TTL of NSEC rrs should be set to the minimum TTL of
616 * the zone SOA (RFC4035 Section 2.3)
618 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
620 /* did the caller actually set it? if not,
621 * fall back to default ttl
623 if (soa && soa->rrs && soa->rrs->rr) {
624 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(
627 nsec_ttl = LDNS_DEFAULT_TTL;
630 first_node = ldns_dnssec_name_node_next_nonglue(
631 ldns_rbtree_first(zone->names));
632 cur_node = first_node;
634 next_node = ldns_dnssec_name_node_next_nonglue(
635 ldns_rbtree_next(cur_node));
640 while (cur_node && next_node) {
641 cur_name = (ldns_dnssec_name *)cur_node->data;
642 next_name = (ldns_dnssec_name *)next_node->data;
643 nsec_rr = ldns_dnssec_create_nsec(cur_name,
646 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
647 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
648 ldns_rr_free(nsec_rr);
649 return LDNS_STATUS_ERR;
651 ldns_rr_list_push_rr(new_rrs, nsec_rr);
652 cur_node = next_node;
654 next_node = ldns_dnssec_name_node_next_nonglue(
655 ldns_rbtree_next(cur_node));
659 if (cur_node && !next_node) {
660 cur_name = (ldns_dnssec_name *)cur_node->data;
661 next_name = (ldns_dnssec_name *)first_node->data;
662 nsec_rr = ldns_dnssec_create_nsec(cur_name,
665 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
666 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
667 ldns_rr_free(nsec_rr);
668 return LDNS_STATUS_ERR;
670 ldns_rr_list_push_rr(new_rrs, nsec_rr);
675 return LDNS_STATUS_OK;
680 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
681 ldns_rr_list *new_rrs,
688 ldns_rbnode_t *first_name_node;
689 ldns_rbnode_t *current_name_node;
690 ldns_dnssec_name *current_name;
691 ldns_status result = LDNS_STATUS_OK;
693 ldns_rr_list *nsec3_list;
695 ldns_dnssec_rrsets *soa;
697 if (!zone || !new_rrs || !zone->names) {
698 return LDNS_STATUS_ERR;
701 /* the TTL of NSEC rrs should be set to the minimum TTL of
702 * the zone SOA (RFC4035 Section 2.3)
704 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
706 /* did the caller actually set it? if not,
707 * fall back to default ttl
709 if (soa && soa->rrs && soa->rrs->rr) {
710 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(
713 nsec_ttl = LDNS_DEFAULT_TTL;
716 nsec3_list = ldns_rr_list_new();
718 first_name_node = ldns_dnssec_name_node_next_nonglue(
719 ldns_rbtree_first(zone->names));
721 current_name_node = first_name_node;
723 while (current_name_node &&
724 current_name_node != LDNS_RBTREE_NULL) {
725 current_name = (ldns_dnssec_name *) current_name_node->data;
726 nsec_rr = ldns_dnssec_create_nsec3(current_name,
734 /* by default, our nsec based generator adds rrsigs
735 * remove the bitmap for empty nonterminals */
736 if (!current_name->rrsets) {
737 ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr));
739 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
740 result = ldns_dnssec_name_add_rr(current_name, nsec_rr);
741 ldns_rr_list_push_rr(new_rrs, nsec_rr);
742 ldns_rr_list_push_rr(nsec3_list, nsec_rr);
743 current_name_node = ldns_dnssec_name_node_next_nonglue(
744 ldns_rbtree_next(current_name_node));
746 if (result != LDNS_STATUS_OK) {
750 ldns_rr_list_sort_nsec3(nsec3_list);
751 result = ldns_dnssec_chain_nsec3_list(nsec3_list);
752 if (result != LDNS_STATUS_OK) {
756 ldns_rr_list_free(nsec3_list);
759 #endif /* HAVE_SSL */
762 ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
763 ldns_key_list *key_list,
764 int (*func)(ldns_rr *, void *),
767 ldns_dnssec_rrs *base_rrs = signatures;
768 ldns_dnssec_rrs *cur_rr = base_rrs;
769 ldns_dnssec_rrs *prev_rr = NULL;
770 ldns_dnssec_rrs *next_rr;
778 switch(func(NULL, arg)) {
779 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
780 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
782 case LDNS_SIGNATURE_LEAVE_NO_ADD:
783 case LDNS_SIGNATURE_REMOVE_NO_ADD:
784 ldns_key_list_set_use(key_list, false);
787 fprintf(stderr, "[XX] unknown return value from callback\n");
792 (void)func(cur_rr->rr, arg);
795 next_rr = cur_rr->next;
797 switch (func(cur_rr->rr, arg)) {
798 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
801 case LDNS_SIGNATURE_LEAVE_NO_ADD:
802 keytag = ldns_rdf2native_int16(
803 ldns_rr_rrsig_keytag(cur_rr->rr));
804 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
805 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
807 ldns_key_set_use(ldns_key_list_key(key_list, i),
813 case LDNS_SIGNATURE_REMOVE_NO_ADD:
814 keytag = ldns_rdf2native_int16(
815 ldns_rr_rrsig_keytag(cur_rr->rr));
816 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
817 if (ldns_key_keytag(ldns_key_list_key(key_list, i))
819 ldns_key_set_use(ldns_key_list_key(key_list, i),
824 prev_rr->next = next_rr;
830 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
832 prev_rr->next = next_rr;
839 fprintf(stderr, "[XX] unknown return value from callback\n");
850 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
851 ldns_rr_list *new_rrs,
852 ldns_key_list *key_list,
853 int (*func)(ldns_rr *, void*),
856 return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list,
860 /** If there are KSKs use only them and mark ZSKs unused */
862 ldns_key_list_filter_for_dnskey(ldns_key_list *key_list)
866 for(i=0; i<ldns_key_list_key_count(key_list); i++)
867 if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
873 for(i=0; i<ldns_key_list_key_count(key_list); i++)
874 if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
875 ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
878 /** If there are no ZSKs use KSK as ZSK */
880 ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list)
884 for(i=0; i<ldns_key_list_key_count(key_list); i++)
885 if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
891 /* else filter all KSKs */
892 for(i=0; i<ldns_key_list_key_count(key_list); i++)
893 if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
894 ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
898 ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
899 ldns_rr_list *new_rrs,
900 ldns_key_list *key_list,
901 int (*func)(ldns_rr *, void*),
905 ldns_status result = LDNS_STATUS_OK;
907 ldns_rbnode_t *cur_node;
908 ldns_rr_list *rr_list;
910 ldns_dnssec_name *cur_name;
911 ldns_dnssec_rrsets *cur_rrset;
912 ldns_dnssec_rrs *cur_rr;
914 ldns_rr_list *siglist;
918 ldns_rr_list *pubkey_list = ldns_rr_list_new();
922 for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
923 ldns_rr_list_push_rr(pubkey_list,
924 ldns_key2rr(ldns_key_list_key(key_list, i)));
926 /* TODO: callback to see is list should be signed */
927 /* TODO: remove 'old' signatures from signature list */
928 cur_node = ldns_rbtree_first(zone->names);
929 while (cur_node != LDNS_RBTREE_NULL) {
930 cur_name = (ldns_dnssec_name *) cur_node->data;
932 if (!cur_name->is_glue) {
933 cur_rrset = cur_name->rrsets;
935 /* reset keys to use */
936 ldns_key_list_set_use(key_list, true);
938 /* walk through old sigs, remove the old,
939 and mark which keys (not) to use) */
940 cur_rrset->signatures =
941 ldns_dnssec_remove_signatures(cur_rrset->signatures,
945 if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
946 cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
947 ldns_key_list_filter_for_dnskey(key_list);
949 if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
950 ldns_key_list_filter_for_non_dnskey(key_list);
952 /* TODO: just set count to zero? */
953 rr_list = ldns_rr_list_new();
955 cur_rr = cur_rrset->rrs;
957 ldns_rr_list_push_rr(rr_list, cur_rr->rr);
958 cur_rr = cur_rr->next;
961 /* only sign non-delegation RRsets */
962 /* (glue should have been marked earlier) */
963 if ((ldns_rr_list_type(rr_list) != LDNS_RR_TYPE_NS ||
964 ldns_dname_compare(ldns_rr_list_owner(rr_list),
965 zone->soa->name) == 0) &&
966 /* OK, there is also the possibility that the record
967 * is glue, but at the same owner name as other records that
968 * are not NS nor A/AAAA. Bleh, our current data structure
969 * doesn't really support that... */
970 !((ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_A ||
971 ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_AAAA) &&
972 !ldns_dname_compare(ldns_rr_list_owner(rr_list), zone->soa->name) == 0 &&
973 ldns_dnssec_zone_find_rrset(zone, ldns_rr_list_owner(rr_list), LDNS_RR_TYPE_NS)
976 siglist = ldns_sign_public(rr_list, key_list);
977 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
978 if (cur_rrset->signatures) {
979 result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
980 ldns_rr_list_rr(siglist,
983 cur_rrset->signatures = ldns_dnssec_rrs_new();
984 cur_rrset->signatures->rr =
985 ldns_rr_list_rr(siglist, i);
986 ldns_rr_list_push_rr(new_rrs,
987 ldns_rr_list_rr(siglist,
991 ldns_rr_list_free(siglist);
994 ldns_rr_list_free(rr_list);
996 cur_rrset = cur_rrset->next;
1000 ldns_key_list_set_use(key_list, true);
1001 cur_name->nsec_signatures =
1002 ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
1006 ldns_key_list_filter_for_non_dnskey(key_list);
1008 rr_list = ldns_rr_list_new();
1009 ldns_rr_list_push_rr(rr_list, cur_name->nsec);
1010 siglist = ldns_sign_public(rr_list, key_list);
1012 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1013 if (cur_name->nsec_signatures) {
1014 result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
1015 ldns_rr_list_rr(siglist, i));
1017 cur_name->nsec_signatures = ldns_dnssec_rrs_new();
1018 cur_name->nsec_signatures->rr =
1019 ldns_rr_list_rr(siglist, i);
1020 ldns_rr_list_push_rr(new_rrs,
1021 ldns_rr_list_rr(siglist, i));
1025 ldns_rr_list_free(siglist);
1026 ldns_rr_list_free(rr_list);
1028 cur_node = ldns_rbtree_next(cur_node);
1031 ldns_rr_list_deep_free(pubkey_list);
1036 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
1037 ldns_rr_list *new_rrs,
1038 ldns_key_list *key_list,
1039 int (*func)(ldns_rr *, void *),
1042 return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0);
1046 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
1047 ldns_rr_list *new_rrs,
1048 ldns_key_list *key_list,
1049 int (*func)(ldns_rr *, void *),
1053 ldns_status result = LDNS_STATUS_OK;
1055 if (!zone || !new_rrs || !key_list) {
1056 return LDNS_STATUS_ERR;
1059 /* zone is already sorted */
1060 result = ldns_dnssec_zone_mark_glue(zone);
1061 if (result != LDNS_STATUS_OK) {
1065 /* check whether we need to add nsecs */
1066 if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
1067 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
1068 if (result != LDNS_STATUS_OK) {
1073 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1084 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
1085 ldns_rr_list *new_rrs,
1086 ldns_key_list *key_list,
1087 int (*func)(ldns_rr *, void *),
1091 uint16_t iterations,
1092 uint8_t salt_length,
1095 return ldns_dnssec_zone_sign_nsec3_flg(zone, new_rrs, key_list,
1096 func, arg, algorithm, flags, iterations, salt_length, salt, 0);
1100 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
1101 ldns_rr_list *new_rrs,
1102 ldns_key_list *key_list,
1103 int (*func)(ldns_rr *, void *),
1107 uint16_t iterations,
1108 uint8_t salt_length,
1112 ldns_rr *nsec3, *nsec3params;
1113 ldns_status result = LDNS_STATUS_OK;
1115 /* zone is already sorted */
1116 result = ldns_dnssec_zone_mark_glue(zone);
1117 if (result != LDNS_STATUS_OK) {
1121 /* TODO if there are already nsec3s presents and their
1122 * parameters are the same as these, we don't have to recreate
1125 /* add empty nonterminals */
1126 result = ldns_dnssec_zone_add_empty_nonterminals(zone);
1127 if (result != LDNS_STATUS_OK) {
1131 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
1132 if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
1133 /* no need to recreate */
1135 if (!ldns_dnssec_zone_find_rrset(zone,
1137 LDNS_RR_TYPE_NSEC3PARAMS)) {
1138 /* create and add the nsec3params rr */
1140 ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAMS);
1141 ldns_rr_set_owner(nsec3params,
1142 ldns_rdf_clone(zone->soa->name));
1143 ldns_nsec3_add_param_rdfs(nsec3params,
1149 /* always set bit 7 of the flags to zero, according to
1150 * rfc5155 section 11 */
1151 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3params, 1)), 7, 0);
1152 result = ldns_dnssec_zone_add_rr(zone, nsec3params);
1153 if (result != LDNS_STATUS_OK) {
1156 ldns_rr_list_push_rr(new_rrs, nsec3params);
1158 result = ldns_dnssec_zone_create_nsec3s(zone,
1165 if (result != LDNS_STATUS_OK) {
1170 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1183 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
1185 ldns_dnssec_zone *dnssec_zone;
1186 ldns_zone *signed_zone;
1187 ldns_rr_list *new_rrs;
1190 signed_zone = ldns_zone_new();
1191 dnssec_zone = ldns_dnssec_zone_new();
1193 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1194 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1196 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1197 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1198 ldns_rr_list_rr(ldns_zone_rrs(zone),
1200 ldns_zone_push_rr(signed_zone,
1201 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1205 new_rrs = ldns_rr_list_new();
1206 (void) ldns_dnssec_zone_sign(dnssec_zone,
1209 ldns_dnssec_default_replace_signatures,
1212 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1213 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1214 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1217 ldns_rr_list_deep_free(new_rrs);
1218 ldns_dnssec_zone_free(dnssec_zone);
1224 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
1226 ldns_dnssec_zone *dnssec_zone;
1227 ldns_zone *signed_zone;
1228 ldns_rr_list *new_rrs;
1231 signed_zone = ldns_zone_new();
1232 dnssec_zone = ldns_dnssec_zone_new();
1234 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1235 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1237 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1238 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1239 ldns_rr_list_rr(ldns_zone_rrs(zone),
1241 ldns_zone_push_rr(signed_zone,
1242 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1246 new_rrs = ldns_rr_list_new();
1247 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone,
1250 ldns_dnssec_default_replace_signatures,
1258 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1259 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1260 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1263 ldns_rr_list_deep_free(new_rrs);
1264 ldns_dnssec_zone_free(dnssec_zone);
1268 #endif /* HAVE_SSL */