1 #include <ldns/config.h>
5 #include <ldns/dnssec.h>
6 #include <ldns/dnssec_sign.h>
12 /* this entire file is rather useless when you don't have
15 #include <openssl/ssl.h>
16 #include <openssl/evp.h>
17 #include <openssl/rand.h>
18 #include <openssl/err.h>
19 #include <openssl/md5.h>
23 ldns_create_empty_rrsig(ldns_rr_list *rrset,
24 ldns_key *current_key)
27 ldns_rr_class orig_class;
32 label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset,
34 /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */
35 if(ldns_dname_is_wildcard(ldns_rr_owner(ldns_rr_list_rr(rrset, 0))))
38 current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
40 /* set the type on the new signature */
41 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
42 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
44 ldns_rr_set_ttl(current_sig, orig_ttl);
45 ldns_rr_set_class(current_sig, orig_class);
46 ldns_rr_set_owner(current_sig,
49 ldns_rr_list_rr(rrset,
52 /* fill in what we know of the signature */
54 /* set the orig_ttl */
55 (void)ldns_rr_rrsig_set_origttl(
57 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
59 /* the signers name */
60 (void)ldns_rr_rrsig_set_signame(
62 ldns_rdf_clone(ldns_key_pubkey_owner(current_key)));
63 /* label count - get it from the first rr in the rr_list */
64 (void)ldns_rr_rrsig_set_labels(
66 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
68 /* inception, expiration */
70 if (ldns_key_inception(current_key) != 0) {
71 (void)ldns_rr_rrsig_set_inception(
73 ldns_native2rdf_int32(
75 ldns_key_inception(current_key)));
77 (void)ldns_rr_rrsig_set_inception(
79 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
81 if (ldns_key_expiration(current_key) != 0) {
82 (void)ldns_rr_rrsig_set_expiration(
84 ldns_native2rdf_int32(
86 ldns_key_expiration(current_key)));
88 (void)ldns_rr_rrsig_set_expiration(
90 ldns_native2rdf_int32(
92 now + LDNS_DEFAULT_EXP_TIME));
95 (void)ldns_rr_rrsig_set_keytag(
97 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
98 ldns_key_keytag(current_key)));
100 (void)ldns_rr_rrsig_set_algorithm(
102 ldns_native2rdf_int8(
104 ldns_key_algorithm(current_key)));
106 (void)ldns_rr_rrsig_set_typecovered(
108 ldns_native2rdf_int16(
110 ldns_rr_get_type(ldns_rr_list_rr(rrset,
117 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
119 ldns_rdf *b64rdf = NULL;
121 switch(ldns_key_algorithm(current_key)) {
123 case LDNS_SIGN_DSA_NSEC3:
124 b64rdf = ldns_sign_public_evp(
126 ldns_key_evp_key(current_key),
129 case LDNS_SIGN_RSASHA1:
130 case LDNS_SIGN_RSASHA1_NSEC3:
131 b64rdf = ldns_sign_public_evp(
133 ldns_key_evp_key(current_key),
137 case LDNS_SIGN_RSASHA256:
138 b64rdf = ldns_sign_public_evp(
140 ldns_key_evp_key(current_key),
143 case LDNS_SIGN_RSASHA512:
144 b64rdf = ldns_sign_public_evp(
146 ldns_key_evp_key(current_key),
149 #endif /* USE_SHA2 */
151 case LDNS_SIGN_ECC_GOST:
152 b64rdf = ldns_sign_public_evp(
154 ldns_key_evp_key(current_key),
155 EVP_get_digestbyname("md_gost94"));
157 #endif /* USE_GOST */
159 case LDNS_SIGN_ECDSAP256SHA256:
160 b64rdf = ldns_sign_public_evp(
162 ldns_key_evp_key(current_key),
165 case LDNS_SIGN_ECDSAP384SHA384:
166 b64rdf = ldns_sign_public_evp(
168 ldns_key_evp_key(current_key),
172 case LDNS_SIGN_RSAMD5:
173 b64rdf = ldns_sign_public_evp(
175 ldns_key_evp_key(current_key),
179 /* do _you_ know this alg? */
180 printf("unknown algorithm, ");
181 printf("is the one used available on this system?\n");
189 * use this function to sign with a public/private key alg
190 * return the created signatures
193 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
195 ldns_rr_list *signatures;
196 ldns_rr_list *rrset_clone;
197 ldns_rr *current_sig;
199 ldns_key *current_key;
202 ldns_buffer *sign_buf;
205 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
211 signatures = ldns_rr_list_new();
213 /* prepare a signature and add all the know data
214 * prepare the rrset. Sign this together. */
215 rrset_clone = ldns_rr_list_clone(rrset);
220 /* make it canonical */
221 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
222 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i),
223 ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)));
224 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
227 ldns_rr_list_sort(rrset_clone);
230 key_count < ldns_key_list_key_count(keys);
232 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
235 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
237 ldns_rr_list_free(rrset_clone);
238 ldns_rr_list_free(signatures);
239 ldns_rdf_free(new_owner);
244 current_key = ldns_key_list_key(keys, key_count);
245 /* sign all RRs with keys that have ZSKbit, !SEPbit.
246 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
247 if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) {
248 current_sig = ldns_create_empty_rrsig(rrset_clone,
251 /* right now, we have: a key, a semi-sig and an rrset. For
252 * which we can create the sig and base64 encode that and
253 * add that to the signature */
255 if (ldns_rrsig2buffer_wire(sign_buf, current_sig)
257 ldns_buffer_free(sign_buf);
259 ldns_rr_list_deep_free(rrset_clone);
263 /* add the rrset in sign_buf */
264 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone)
266 ldns_buffer_free(sign_buf);
267 ldns_rr_list_deep_free(rrset_clone);
271 b64rdf = ldns_sign_public_buffer(sign_buf, current_key);
274 /* signing went wrong */
275 ldns_rr_list_deep_free(rrset_clone);
279 ldns_rr_rrsig_set_sig(current_sig, b64rdf);
281 /* push the signature to the signatures list */
282 ldns_rr_list_push_rr(signatures, current_sig);
284 ldns_buffer_free(sign_buf); /* restart for the next key */
286 ldns_rr_list_deep_free(rrset_clone);
294 * \param[in] to_sign The ldns_buffer containing raw data that is
296 * \param[in] key The DSA key structure to sign with
297 * \return ldns_rdf for the RRSIG ldns_rr
300 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
302 unsigned char *sha1_hash;
303 ldns_rdf *sigdata_rdf;
310 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
315 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
316 ldns_buffer_position(to_sign), NULL);
318 ldns_buffer_free(b64sig);
322 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key);
324 ldns_buffer_free(b64sig);
328 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH);
330 ldns_buffer_free(b64sig);
336 pad = 20 - (size_t) BN_num_bytes(sig->r);
338 memset(data + 1, 0, pad);
340 BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad);
342 pad = 20 - (size_t) BN_num_bytes(sig->s);
344 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
346 BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
348 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
349 1 + 2 * SHA_DIGEST_LENGTH,
352 ldns_buffer_free(b64sig);
362 ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
366 if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC)
368 ec = EVP_PKEY_get1_EC_KEY(pkey);
369 g = EC_KEY_get0_group(ec);
374 if(EC_GROUP_get_curve_name(g) == NID_secp224r1 ||
375 EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1 ||
376 EC_GROUP_get_curve_name(g) == NID_secp384r1) {
380 /* downref the eckey, the original is still inside the pkey */
385 #endif /* USE_ECDSA */
388 ldns_sign_public_evp(ldns_buffer *to_sign,
390 const EVP_MD *digest_type)
393 ldns_rdf *sigdata_rdf;
396 const EVP_MD *md_type;
400 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
405 /* initializes a signing context */
406 md_type = digest_type;
408 /* unknown message difest */
409 ldns_buffer_free(b64sig);
413 EVP_MD_CTX_init(&ctx);
414 r = EVP_SignInit(&ctx, md_type);
416 r = EVP_SignUpdate(&ctx, (unsigned char*)
417 ldns_buffer_begin(to_sign),
418 ldns_buffer_position(to_sign));
420 ldns_buffer_free(b64sig);
424 r = EVP_SignFinal(&ctx, (unsigned char*)
425 ldns_buffer_begin(b64sig), &siglen, key);
427 ldns_buffer_free(b64sig);
431 ldns_buffer_free(b64sig);
435 /* unfortunately, OpenSSL output is differenct from DNS DSA format */
437 if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
438 sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
440 } else if(EVP_PKEY_type(key->type) == EVP_PKEY_EC &&
441 ldns_pkey_is_ecdsa(key)) {
442 sigdata_rdf = ldns_convert_ecdsa_rrsig_asn12rdf(b64sig, siglen);
445 /* ok output for other types is the same */
446 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
447 ldns_buffer_begin(b64sig));
450 ldns_buffer_free(b64sig);
451 EVP_MD_CTX_cleanup(&ctx);
456 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key)
458 unsigned char *sha1_hash;
460 ldns_rdf *sigdata_rdf;
465 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
470 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
471 ldns_buffer_position(to_sign), NULL);
473 ldns_buffer_free(b64sig);
477 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH,
478 (unsigned char*)ldns_buffer_begin(b64sig),
488 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
489 ldns_buffer_begin(b64sig));
490 ldns_buffer_free(b64sig); /* can't free this buffer ?? */
495 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key)
497 unsigned char *md5_hash;
499 ldns_rdf *sigdata_rdf;
502 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
507 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign),
508 ldns_buffer_position(to_sign), NULL);
510 ldns_buffer_free(b64sig);
514 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH,
515 (unsigned char*)ldns_buffer_begin(b64sig),
518 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
519 ldns_buffer_begin(b64sig));
520 ldns_buffer_free(b64sig);
523 #endif /* HAVE_SSL */
526 * Pushes all rrs from the rrsets of type A and AAAA on gluelist.
529 ldns_dnssec_addresses_on_glue_list(
530 ldns_dnssec_rrsets *cur_rrset,
531 ldns_rr_list *glue_list)
533 ldns_dnssec_rrs *cur_rrs;
535 if (cur_rrset->type == LDNS_RR_TYPE_A
536 || cur_rrset->type == LDNS_RR_TYPE_AAAA) {
537 for (cur_rrs = cur_rrset->rrs;
539 cur_rrs = cur_rrs->next) {
541 if (!ldns_rr_list_push_rr(glue_list,
543 return LDNS_STATUS_MEM_ERR;
544 /* ldns_rr_list_push_rr()
545 * returns false when unable
546 * to increase the capacity
547 * of the ldsn_rr_list
553 cur_rrset = cur_rrset->next;
555 return LDNS_STATUS_OK;
559 * Marks the names in the zone that are occluded. Those names will be skipped
560 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
561 * function. But watch out! Names that are partially occluded (like glue with
562 * the same name as the delegation) will not be marked and should specifically
563 * be taken into account seperately.
565 * When glue_list is given (not NULL), in the process of marking the names, all
566 * glue resource records will be pushed to that list, even glue at delegation names.
568 * \param[in] zone the zone in which to mark the names
569 * \param[in] glue_list the list to which to push the glue rrs
570 * \return LDNS_STATUS_OK on success, an error code otherwise
573 ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone *zone,
574 ldns_rr_list *glue_list)
577 ldns_dnssec_name *name;
579 ldns_rdf *cut = NULL; /* keeps track of zone cuts */
580 /* When the cut is caused by a delegation, below_delegation will be 1.
581 * When caused by a DNAME, below_delegation will be 0.
583 int below_delegation = -1; /* init suppresses comiler warning */
586 if (!zone || !zone->names) {
587 return LDNS_STATUS_NULL;
589 for (node = ldns_rbtree_first(zone->names);
590 node != LDNS_RBTREE_NULL;
591 node = ldns_rbtree_next(node)) {
592 name = (ldns_dnssec_name *) node->data;
593 owner = ldns_dnssec_name_name(name);
596 /* The previous node was a zone cut, or a subdomain
597 * below a zone cut. Is this node (still) a subdomain
598 * below the cut? Then the name is occluded. Unless
599 * the name contains a SOA, after which we are
600 * authoritative again.
602 * FIXME! If there are labels in between the SOA and
603 * the cut, going from the authoritative space (below
604 * the SOA) up into occluded space again, will not be
605 * detected with the contruct below!
607 if (ldns_dname_is_subdomain(owner, cut) &&
608 !ldns_dnssec_rrsets_contains_type(
609 name->rrsets, LDNS_RR_TYPE_SOA)) {
611 if (below_delegation && glue_list) {
612 s = ldns_dnssec_addresses_on_glue_list(
613 name->rrsets, glue_list);
614 if (s != LDNS_STATUS_OK) {
618 name->is_glue = true; /* Mark occluded name! */
625 /* The node is not below a zone cut. Is it a zone cut itself?
626 * Everything below a SOA is authoritative of course; Except
627 * when the name also contains a DNAME :).
629 if (ldns_dnssec_rrsets_contains_type(
630 name->rrsets, LDNS_RR_TYPE_NS)
631 && !ldns_dnssec_rrsets_contains_type(
632 name->rrsets, LDNS_RR_TYPE_SOA)) {
634 below_delegation = 1;
635 if (glue_list) { /* record glue on the zone cut */
636 s = ldns_dnssec_addresses_on_glue_list(
637 name->rrsets, glue_list);
638 if (s != LDNS_STATUS_OK) {
642 } else if (ldns_dnssec_rrsets_contains_type(
643 name->rrsets, LDNS_RR_TYPE_DNAME)) {
645 below_delegation = 0;
648 return LDNS_STATUS_OK;
652 * Marks the names in the zone that are occluded. Those names will be skipped
653 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
654 * function. But watch out! Names that are partially occluded (like glue with
655 * the same name as the delegation) will not be marked and should specifically
656 * be taken into account seperately.
658 * \param[in] zone the zone in which to mark the names
659 * \return LDNS_STATUS_OK on success, an error code otherwise
662 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
664 return ldns_dnssec_zone_mark_and_get_glue(zone, NULL);
668 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node)
670 ldns_rbnode_t *next_node = NULL;
671 ldns_dnssec_name *next_name = NULL;
674 if (node == LDNS_RBTREE_NULL) {
679 if (next_node == LDNS_RBTREE_NULL) {
682 next_name = (ldns_dnssec_name *)next_node->data;
683 if (!next_name->is_glue) {
686 next_node = ldns_rbtree_next(next_node);
694 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
695 ldns_rr_list *new_rrs)
698 ldns_rbnode_t *first_node, *cur_node, *next_node;
699 ldns_dnssec_name *cur_name, *next_name;
702 ldns_dnssec_rrsets *soa;
704 /* the TTL of NSEC rrs should be set to the minimum TTL of
705 * the zone SOA (RFC4035 Section 2.3)
707 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
709 /* did the caller actually set it? if not,
710 * fall back to default ttl
712 if (soa && soa->rrs && soa->rrs->rr
713 && (ldns_rr_rdf(soa->rrs->rr, 6) != NULL)) {
714 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6));
716 nsec_ttl = LDNS_DEFAULT_TTL;
719 first_node = ldns_dnssec_name_node_next_nonglue(
720 ldns_rbtree_first(zone->names));
721 cur_node = first_node;
723 next_node = ldns_dnssec_name_node_next_nonglue(
724 ldns_rbtree_next(cur_node));
729 while (cur_node && next_node) {
730 cur_name = (ldns_dnssec_name *)cur_node->data;
731 next_name = (ldns_dnssec_name *)next_node->data;
732 nsec_rr = ldns_dnssec_create_nsec(cur_name,
735 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
736 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
737 ldns_rr_free(nsec_rr);
738 return LDNS_STATUS_ERR;
740 ldns_rr_list_push_rr(new_rrs, nsec_rr);
741 cur_node = next_node;
743 next_node = ldns_dnssec_name_node_next_nonglue(
744 ldns_rbtree_next(cur_node));
748 if (cur_node && !next_node) {
749 cur_name = (ldns_dnssec_name *)cur_node->data;
750 next_name = (ldns_dnssec_name *)first_node->data;
751 nsec_rr = ldns_dnssec_create_nsec(cur_name,
754 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
755 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
756 ldns_rr_free(nsec_rr);
757 return LDNS_STATUS_ERR;
759 ldns_rr_list_push_rr(new_rrs, nsec_rr);
764 return LDNS_STATUS_OK;
768 /* in dnssec_zone.c */
769 extern int ldns_dname_compare_v(const void *a, const void *b);
772 ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone,
773 ldns_rr_list *new_rrs,
781 ldns_rbnode_t *first_name_node;
782 ldns_rbnode_t *current_name_node;
783 ldns_dnssec_name *current_name;
784 ldns_status result = LDNS_STATUS_OK;
786 ldns_rr_list *nsec3_list;
788 ldns_dnssec_rrsets *soa;
789 ldns_rbnode_t *hashmap_node;
791 if (!zone || !new_rrs || !zone->names) {
792 return LDNS_STATUS_ERR;
795 /* the TTL of NSEC rrs should be set to the minimum TTL of
796 * the zone SOA (RFC4035 Section 2.3)
798 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
800 /* did the caller actually set it? if not,
801 * fall back to default ttl
803 if (soa && soa->rrs && soa->rrs->rr
804 && ldns_rr_rdf(soa->rrs->rr, 6) != NULL) {
805 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(soa->rrs->rr, 6));
807 nsec_ttl = LDNS_DEFAULT_TTL;
811 if ((*map = ldns_rbtree_create(ldns_dname_compare_v))
816 nsec3_list = ldns_rr_list_new();
818 first_name_node = ldns_dnssec_name_node_next_nonglue(
819 ldns_rbtree_first(zone->names));
821 current_name_node = first_name_node;
823 while (current_name_node &&
824 current_name_node != LDNS_RBTREE_NULL) {
825 current_name = (ldns_dnssec_name *) current_name_node->data;
826 nsec_rr = ldns_dnssec_create_nsec3(current_name,
834 /* by default, our nsec based generator adds rrsigs
835 * remove the bitmap for empty nonterminals */
836 if (!current_name->rrsets) {
837 ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr));
839 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
840 result = ldns_dnssec_name_add_rr(current_name, nsec_rr);
841 ldns_rr_list_push_rr(new_rrs, nsec_rr);
842 ldns_rr_list_push_rr(nsec3_list, nsec_rr);
844 hashmap_node = LDNS_MALLOC(ldns_rbnode_t);
845 if (hashmap_node && ldns_rr_owner(nsec_rr)) {
846 hashmap_node->key = ldns_dname_label(
847 ldns_rr_owner(nsec_rr), 0);
848 if (hashmap_node->key) {
849 hashmap_node->data = current_name->name;
850 (void) ldns_rbtree_insert(
855 current_name_node = ldns_dnssec_name_node_next_nonglue(
856 ldns_rbtree_next(current_name_node));
858 if (result != LDNS_STATUS_OK) {
862 ldns_rr_list_sort_nsec3(nsec3_list);
863 result = ldns_dnssec_chain_nsec3_list(nsec3_list);
864 if (result != LDNS_STATUS_OK) {
868 ldns_rr_list_free(nsec3_list);
873 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
874 ldns_rr_list *new_rrs,
881 return ldns_dnssec_zone_create_nsec3s_mkmap(zone, new_rrs, algorithm,
882 flags, iterations, salt_length, salt, NULL);
885 #endif /* HAVE_SSL */
888 ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
889 ldns_key_list *key_list,
890 int (*func)(ldns_rr *, void *),
893 ldns_dnssec_rrs *base_rrs = signatures;
894 ldns_dnssec_rrs *cur_rr = base_rrs;
895 ldns_dnssec_rrs *prev_rr = NULL;
896 ldns_dnssec_rrs *next_rr;
904 switch(func(NULL, arg)) {
905 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
906 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
908 case LDNS_SIGNATURE_LEAVE_NO_ADD:
909 case LDNS_SIGNATURE_REMOVE_NO_ADD:
910 ldns_key_list_set_use(key_list, false);
913 fprintf(stderr, "[XX] unknown return value from callback\n");
918 (void)func(cur_rr->rr, arg);
921 next_rr = cur_rr->next;
923 switch (func(cur_rr->rr, arg)) {
924 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
927 case LDNS_SIGNATURE_LEAVE_NO_ADD:
928 keytag = ldns_rdf2native_int16(
929 ldns_rr_rrsig_keytag(cur_rr->rr));
930 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
931 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
933 ldns_key_set_use(ldns_key_list_key(key_list, i),
939 case LDNS_SIGNATURE_REMOVE_NO_ADD:
940 keytag = ldns_rdf2native_int16(
941 ldns_rr_rrsig_keytag(cur_rr->rr));
942 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
943 if (ldns_key_keytag(ldns_key_list_key(key_list, i))
945 ldns_key_set_use(ldns_key_list_key(key_list, i),
950 prev_rr->next = next_rr;
956 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
958 prev_rr->next = next_rr;
965 fprintf(stderr, "[XX] unknown return value from callback\n");
976 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
977 ldns_rr_list *new_rrs,
978 ldns_key_list *key_list,
979 int (*func)(ldns_rr *, void*),
982 return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list,
986 /** If there are KSKs use only them and mark ZSKs unused */
988 ldns_key_list_filter_for_dnskey(ldns_key_list *key_list)
992 for(i=0; i<ldns_key_list_key_count(key_list); i++)
993 if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
999 for(i=0; i<ldns_key_list_key_count(key_list); i++)
1000 if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
1001 ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
1004 /** If there are no ZSKs use KSK as ZSK */
1006 ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list)
1010 for(i=0; i<ldns_key_list_key_count(key_list); i++)
1011 if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
1017 /* else filter all KSKs */
1018 for(i=0; i<ldns_key_list_key_count(key_list); i++)
1019 if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
1020 ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
1024 ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
1025 ldns_rr_list *new_rrs,
1026 ldns_key_list *key_list,
1027 int (*func)(ldns_rr *, void*),
1031 ldns_status result = LDNS_STATUS_OK;
1033 ldns_rbnode_t *cur_node;
1034 ldns_rr_list *rr_list;
1036 ldns_dnssec_name *cur_name;
1037 ldns_dnssec_rrsets *cur_rrset;
1038 ldns_dnssec_rrs *cur_rr;
1040 ldns_rr_list *siglist;
1044 int on_delegation_point = 0; /* handle partially occluded names */
1046 ldns_rr_list *pubkey_list = ldns_rr_list_new();
1049 key_list = key_list;
1050 for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
1051 ldns_rr_list_push_rr(pubkey_list,
1052 ldns_key2rr(ldns_key_list_key(key_list, i)));
1054 /* TODO: callback to see is list should be signed */
1055 /* TODO: remove 'old' signatures from signature list */
1056 cur_node = ldns_rbtree_first(zone->names);
1057 while (cur_node != LDNS_RBTREE_NULL) {
1058 cur_name = (ldns_dnssec_name *) cur_node->data;
1060 if (!cur_name->is_glue) {
1061 on_delegation_point = ldns_dnssec_rrsets_contains_type(
1062 cur_name->rrsets, LDNS_RR_TYPE_NS)
1063 && !ldns_dnssec_rrsets_contains_type(
1064 cur_name->rrsets, LDNS_RR_TYPE_SOA);
1065 cur_rrset = cur_name->rrsets;
1067 /* reset keys to use */
1068 ldns_key_list_set_use(key_list, true);
1070 /* walk through old sigs, remove the old,
1071 and mark which keys (not) to use) */
1072 cur_rrset->signatures =
1073 ldns_dnssec_remove_signatures(cur_rrset->signatures,
1077 if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
1078 cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
1079 ldns_key_list_filter_for_dnskey(key_list);
1081 if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
1082 ldns_key_list_filter_for_non_dnskey(key_list);
1084 /* TODO: just set count to zero? */
1085 rr_list = ldns_rr_list_new();
1087 cur_rr = cur_rrset->rrs;
1089 ldns_rr_list_push_rr(rr_list, cur_rr->rr);
1090 cur_rr = cur_rr->next;
1093 /* only sign non-delegation RRsets */
1094 /* (glue should have been marked earlier,
1095 * except on the delegation points itself) */
1096 if (!on_delegation_point ||
1097 ldns_rr_list_type(rr_list)
1098 == LDNS_RR_TYPE_DS ||
1099 ldns_rr_list_type(rr_list)
1100 == LDNS_RR_TYPE_NSEC ||
1101 ldns_rr_list_type(rr_list)
1102 == LDNS_RR_TYPE_NSEC3) {
1103 siglist = ldns_sign_public(rr_list, key_list);
1104 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1105 if (cur_rrset->signatures) {
1106 result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
1107 ldns_rr_list_rr(siglist,
1110 cur_rrset->signatures = ldns_dnssec_rrs_new();
1111 cur_rrset->signatures->rr =
1112 ldns_rr_list_rr(siglist, i);
1113 ldns_rr_list_push_rr(new_rrs,
1114 ldns_rr_list_rr(siglist,
1118 ldns_rr_list_free(siglist);
1121 ldns_rr_list_free(rr_list);
1123 cur_rrset = cur_rrset->next;
1127 ldns_key_list_set_use(key_list, true);
1128 cur_name->nsec_signatures =
1129 ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
1133 ldns_key_list_filter_for_non_dnskey(key_list);
1135 rr_list = ldns_rr_list_new();
1136 ldns_rr_list_push_rr(rr_list, cur_name->nsec);
1137 siglist = ldns_sign_public(rr_list, key_list);
1139 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1140 if (cur_name->nsec_signatures) {
1141 result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
1142 ldns_rr_list_rr(siglist, i));
1144 cur_name->nsec_signatures = ldns_dnssec_rrs_new();
1145 cur_name->nsec_signatures->rr =
1146 ldns_rr_list_rr(siglist, i);
1147 ldns_rr_list_push_rr(new_rrs,
1148 ldns_rr_list_rr(siglist, i));
1152 ldns_rr_list_free(siglist);
1153 ldns_rr_list_free(rr_list);
1155 cur_node = ldns_rbtree_next(cur_node);
1158 ldns_rr_list_deep_free(pubkey_list);
1163 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
1164 ldns_rr_list *new_rrs,
1165 ldns_key_list *key_list,
1166 int (*func)(ldns_rr *, void *),
1169 return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0);
1173 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
1174 ldns_rr_list *new_rrs,
1175 ldns_key_list *key_list,
1176 int (*func)(ldns_rr *, void *),
1180 ldns_status result = LDNS_STATUS_OK;
1182 if (!zone || !new_rrs || !key_list) {
1183 return LDNS_STATUS_ERR;
1186 /* zone is already sorted */
1187 result = ldns_dnssec_zone_mark_glue(zone);
1188 if (result != LDNS_STATUS_OK) {
1192 /* check whether we need to add nsecs */
1193 if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
1194 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
1195 if (result != LDNS_STATUS_OK) {
1200 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1211 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
1212 ldns_rr_list *new_rrs,
1213 ldns_key_list *key_list,
1214 int (*func)(ldns_rr *, void *),
1218 uint16_t iterations,
1219 uint8_t salt_length,
1222 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1223 func, arg, algorithm, flags, iterations, salt_length, salt, 0,
1228 ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
1229 ldns_rr_list *new_rrs,
1230 ldns_key_list *key_list,
1231 int (*func)(ldns_rr *, void *),
1235 uint16_t iterations,
1236 uint8_t salt_length,
1239 ldns_rbtree_t **map)
1241 ldns_rr *nsec3, *nsec3param;
1242 ldns_status result = LDNS_STATUS_OK;
1244 /* zone is already sorted */
1245 result = ldns_dnssec_zone_mark_glue(zone);
1246 if (result != LDNS_STATUS_OK) {
1250 /* TODO if there are already nsec3s presents and their
1251 * parameters are the same as these, we don't have to recreate
1254 /* add empty nonterminals */
1255 result = ldns_dnssec_zone_add_empty_nonterminals(zone);
1256 if (result != LDNS_STATUS_OK) {
1260 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
1261 if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
1262 /* no need to recreate */
1264 if (!ldns_dnssec_zone_find_rrset(zone,
1266 LDNS_RR_TYPE_NSEC3PARAM)) {
1267 /* create and add the nsec3param rr */
1269 ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAM);
1270 ldns_rr_set_owner(nsec3param,
1271 ldns_rdf_clone(zone->soa->name));
1272 ldns_nsec3_add_param_rdfs(nsec3param,
1278 /* always set bit 7 of the flags to zero, according to
1279 * rfc5155 section 11 */
1280 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 7, 0);
1281 result = ldns_dnssec_zone_add_rr(zone, nsec3param);
1282 if (result != LDNS_STATUS_OK) {
1285 ldns_rr_list_push_rr(new_rrs, nsec3param);
1287 result = ldns_dnssec_zone_create_nsec3s_mkmap(zone,
1295 if (result != LDNS_STATUS_OK) {
1300 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1312 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
1313 ldns_rr_list *new_rrs,
1314 ldns_key_list *key_list,
1315 int (*func)(ldns_rr *, void *),
1319 uint16_t iterations,
1320 uint8_t salt_length,
1324 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1325 func, arg, algorithm, flags, iterations, salt_length, salt,
1330 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
1332 ldns_dnssec_zone *dnssec_zone;
1333 ldns_zone *signed_zone;
1334 ldns_rr_list *new_rrs;
1337 signed_zone = ldns_zone_new();
1338 dnssec_zone = ldns_dnssec_zone_new();
1340 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1341 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1343 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1344 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1345 ldns_rr_list_rr(ldns_zone_rrs(zone),
1347 ldns_zone_push_rr(signed_zone,
1348 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1352 new_rrs = ldns_rr_list_new();
1353 (void) ldns_dnssec_zone_sign(dnssec_zone,
1356 ldns_dnssec_default_replace_signatures,
1359 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1360 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1361 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1364 ldns_rr_list_deep_free(new_rrs);
1365 ldns_dnssec_zone_free(dnssec_zone);
1371 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
1373 ldns_dnssec_zone *dnssec_zone;
1374 ldns_zone *signed_zone;
1375 ldns_rr_list *new_rrs;
1378 signed_zone = ldns_zone_new();
1379 dnssec_zone = ldns_dnssec_zone_new();
1381 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1382 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1384 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1385 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1386 ldns_rr_list_rr(ldns_zone_rrs(zone),
1388 ldns_zone_push_rr(signed_zone,
1389 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1393 new_rrs = ldns_rr_list_new();
1394 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone,
1397 ldns_dnssec_default_replace_signatures,
1405 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1406 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1407 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1410 ldns_rr_list_deep_free(new_rrs);
1411 ldns_dnssec_zone_free(dnssec_zone);
1415 #endif /* HAVE_SSL */