3 #ifndef LDNS_DNSSEC_VERIFY_H
4 #define LDNS_DNSSEC_VERIFY_H
6 #define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
8 #include <ldns/dnssec.h>
9 #include <ldns/host2str.h>
16 * Chain structure that contains all DNSSEC data needed to
19 typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
20 struct ldns_dnssec_data_chain_struct
23 ldns_rr_list *signatures;
24 ldns_rr_type parent_type;
25 ldns_dnssec_data_chain *parent;
26 ldns_pkt_rcode packet_rcode;
27 ldns_rr_type packet_qtype;
32 * Creates a new dnssec_chain structure
33 * \return ldns_dnssec_data_chain *
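/* Takes no arguments. `(void)` makes this a full prototype, so a call that
 * passes arguments is diagnosed at compile time; an empty `()` leaves the
 * parameter list unspecified and such calls go unchecked. */
35 ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void);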
38 * Frees a dnssec_data_chain structure
40 * \param[in] *chain The chain to free
42 void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);
45 * Frees a dnssec_data_chain structure, and all data
48 * \param[in] *chain The dnssec_data_chain to free
50 void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);
53 * Prints the dnssec_data_chain to the given file stream
55 * \param[in] *out The file stream to print to
56 * \param[in] *chain The dnssec_data_chain to print
58 void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
61 * Prints the dnssec_data_chain to the given file stream
63 * \param[in] *out The file stream to print to
64 * \param[in] *fmt The format of the textual representation
65 * \param[in] *chain The dnssec_data_chain to print
67 void ldns_dnssec_data_chain_print_fmt(FILE *out,
68 const ldns_output_format *fmt,
69 const ldns_dnssec_data_chain *chain);
72 * Build an ldns_dnssec_data_chain, which contains all
73 * DNSSEC data that is needed to derive the trust tree later
75 * The data_set will be cloned
77 * \param[in] *res resolver structure for further needed queries
78 * \param[in] qflags resolution flags
79 * \param[in] *data_set The original rrset where the chain ends
80 * \param[in] *pkt optional, can contain the original packet
81 * (and hence the sigs and maybe the key)
82 * \param[in] *orig_rr The original Resource Record
84 * \return the DNSSEC data chain
86 ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
87 const uint16_t qflags,
88 const ldns_rr_list *data_set,
93 * Tree structure that contains the relation of DNSSEC data,
94 * and their cryptographic status.
96 * This tree is derived from a data_chain, and can be used
97 * to look whether there is a connection between an RRSET
98 * and a trusted key. The tree only contains pointers to the
99 * data_chain, and therefore one should *never* free() the
100 * data_chain while a trust tree derived from it still exists; the tree would be left holding dangling pointers
116 * For each signature there is a parent; if the parent
117 * pointer is null, it couldn't be found and there was no
118 * denial; otherwise it is a tree which contains either a
119 * DNSKEY, a DS, or a NSEC rr
121 typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
122 struct ldns_dnssec_trust_tree_struct
125 /* the complete rrset this rr was in */
127 ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
128 ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
129 /** for debugging, add signatures too (you might want
130 those if they contain errors) */
131 ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
136 * Creates a new (empty) dnssec_trust_tree structure
138 * \return ldns_dnssec_trust_tree *
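/* Takes no arguments. `(void)` makes this a full prototype, so a call that
 * passes arguments is diagnosed at compile time; an empty `()` leaves the
 * parameter list unspecified and such calls go unchecked. */
140 ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void);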
143 * Frees the dnssec_trust_tree recursively
145 * There is no deep free; all data in the trust tree
146 * consists of pointers to a data_chain
148 * \param[in] tree The tree to free
150 void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);
153 * returns the depth of the trust tree
155 * \param[in] tree tree to calculate the depth of
156 * \return The depth of the tree
158 size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);
161 * Prints the dnssec_trust_tree structure to the given file
164 * If a link status is not LDNS_STATUS_OK, the status and
165 * relevant signatures are printed too
167 * \param[in] *out The file stream to print to
168 * \param[in] tree The trust tree to print
169 * \param[in] tabs Prepend each line with tabs*2 spaces
170 * \param[in] extended If true, add little explanation lines to the output
172 void ldns_dnssec_trust_tree_print(FILE *out,
173 ldns_dnssec_trust_tree *tree,
178 * Prints the dnssec_trust_tree structure to the given file
181 * If a link status is not LDNS_STATUS_OK, the status and
182 * relevant signatures are printed too
184 * \param[in] *out The file stream to print to
185 * \param[in] *fmt The format of the textual representation
186 * \param[in] tree The trust tree to print
187 * \param[in] tabs Prepend each line with tabs*2 spaces
188 * \param[in] extended If true, add little explanation lines to the output
190 void ldns_dnssec_trust_tree_print_fmt(FILE *out,
191 const ldns_output_format *fmt,
192 ldns_dnssec_trust_tree *tree,
197 * Adds a trust tree as a parent for the given trust tree
199 * \param[in] *tree The tree to add the parent to
200 * \param[in] *parent The parent tree to add
201 * \param[in] *parent_signature The RRSIG relevant to this parent/child
203 * \param[in] parent_status The DNSSEC status for this parent, child and RRSIG
204 * \return LDNS_STATUS_OK if the addition succeeds, error otherwise
206 ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
207 const ldns_dnssec_trust_tree *parent,
208 const ldns_rr *parent_signature,
209 const ldns_status parent_status);
212 * Generates a dnssec_trust_tree for the given rr from the
215 * This does not clone the actual data; Don't free the
216 * data_chain before you are done with this tree
218 * \param[in] *data_chain The chain to derive the trust tree from
219 * \param[in] *rr The RR this tree will be about
220 * \return ldns_dnssec_trust_tree *
222 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
223 ldns_dnssec_data_chain *data_chain,
227 * Generates a dnssec_trust_tree for the given rr from the
230 * This does not clone the actual data; Don't free the
231 * data_chain before you are done with this tree
233 * \param[in] *data_chain The chain to derive the trust tree from
234 * \param[in] *rr The RR this tree will be about
235 * \param[in] check_time the time for which the validation is performed
236 * \return ldns_dnssec_trust_tree *
238 ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
239 ldns_dnssec_data_chain *data_chain,
240 ldns_rr *rr, time_t check_time);
243 * Sub function for derive_trust_tree that is used for a 'normal' rrset
245 * \param[in] new_tree The trust tree that we are building
246 * \param[in] data_chain The data chain containing the data for the trust tree
247 * \param[in] cur_sig_rr The currently relevant signature
249 void ldns_dnssec_derive_trust_tree_normal_rrset(
250 ldns_dnssec_trust_tree *new_tree,
251 ldns_dnssec_data_chain *data_chain,
252 ldns_rr *cur_sig_rr);
255 * Sub function for derive_trust_tree that is used for a 'normal' rrset
257 * \param[in] new_tree The trust tree that we are building
258 * \param[in] data_chain The data chain containing the data for the trust tree
259 * \param[in] cur_sig_rr The currently relevant signature
260 * \param[in] check_time the time for which the validation is performed
262 void ldns_dnssec_derive_trust_tree_normal_rrset_time(
263 ldns_dnssec_trust_tree *new_tree,
264 ldns_dnssec_data_chain *data_chain,
265 ldns_rr *cur_sig_rr, time_t check_time);
269 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
271 * \param[in] new_tree The trust tree that we are building
272 * \param[in] data_chain The data chain containing the data for the trust tree
273 * \param[in] cur_rr The currently relevant DNSKEY RR
274 * \param[in] cur_sig_rr The currently relevant signature
276 void ldns_dnssec_derive_trust_tree_dnskey_rrset(
277 ldns_dnssec_trust_tree *new_tree,
278 ldns_dnssec_data_chain *data_chain,
280 ldns_rr *cur_sig_rr);
283 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
285 * \param[in] new_tree The trust tree that we are building
286 * \param[in] data_chain The data chain containing the data for the trust tree
287 * \param[in] cur_rr The currently relevant DNSKEY RR
288 * \param[in] cur_sig_rr The currently relevant signature
289 * \param[in] check_time the time for which the validation is performed
291 void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
292 ldns_dnssec_trust_tree *new_tree,
293 ldns_dnssec_data_chain *data_chain,
294 ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
299 * Sub function for derive_trust_tree that is used for DNSKEY rrsets
301 * \param[in] new_tree The trust tree that we are building
302 * \param[in] data_chain The data chain containing the data for the trust tree
303 * \param[in] cur_rr The currently relevant DNSKEY RR
304 * \param[in] cur_sig_rr The currently relevant signature
305 * \param[in] check_time the time for which the validation is performed
307 void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
308 ldns_dnssec_trust_tree *new_tree,
309 ldns_dnssec_data_chain *data_chain,
310 ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
315 * Sub function for derive_trust_tree that is used for DS rrsets
317 * \param[in] new_tree The trust tree that we are building
318 * \param[in] data_chain The data chain containing the data for the trust tree
319 * \param[in] cur_rr The currently relevant DS RR
321 void ldns_dnssec_derive_trust_tree_ds_rrset(
322 ldns_dnssec_trust_tree *new_tree,
323 ldns_dnssec_data_chain *data_chain,
327 * Sub function for derive_trust_tree that is used for DS rrsets
329 * \param[in] new_tree The trust tree that we are building
330 * \param[in] data_chain The data chain containing the data for the trust tree
331 * \param[in] cur_rr The currently relevant DS RR
332 * \param[in] check_time the time for which the validation is performed
334 void ldns_dnssec_derive_trust_tree_ds_rrset_time(
335 ldns_dnssec_trust_tree *new_tree,
336 ldns_dnssec_data_chain *data_chain,
337 ldns_rr *cur_rr, time_t check_time);
340 * Sub function for derive_trust_tree that is used when there are no
343 * \param[in] new_tree The trust tree that we are building
344 * \param[in] data_chain The data chain containing the data for the trust tree
346 void ldns_dnssec_derive_trust_tree_no_sig(
347 ldns_dnssec_trust_tree *new_tree,
348 ldns_dnssec_data_chain *data_chain);
351 * Sub function for derive_trust_tree that is used when there are no
354 * \param[in] new_tree The trust tree that we are building
355 * \param[in] data_chain The data chain containing the data for the trust tree
356 * \param[in] check_time the time for which the validation is performed
358 void ldns_dnssec_derive_trust_tree_no_sig_time(
359 ldns_dnssec_trust_tree *new_tree,
360 ldns_dnssec_data_chain *data_chain,
365 * Returns OK if there is a trusted path in the tree to one of
366 * the DNSKEY or DS RRs in the given list
368 * \param *tree The trust tree to search
369 * \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for
371 * \return LDNS_STATUS_OK if there is a trusted path to one of
372 * the keys, or the *first* error encountered
373 * if there were no paths
375 ldns_status ldns_dnssec_trust_tree_contains_keys(
376 ldns_dnssec_trust_tree *tree,
380 * Verifies a list of signatures for one rrset.
382 * \param[in] rrset the rrset to verify
383 * \param[in] rrsig a list of signatures to check
384 * \param[in] keys a list of keys to check with
385 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
386 * from keys that validate one of the signatures
388 * \return status LDNS_STATUS_OK if there is at least one correct key
390 ldns_status ldns_verify(ldns_rr_list *rrset,
392 const ldns_rr_list *keys,
393 ldns_rr_list *good_keys);
396 * Verifies a list of signatures for one rrset.
398 * \param[in] rrset the rrset to verify
399 * \param[in] rrsig a list of signatures to check
400 * \param[in] keys a list of keys to check with
401 * \param[in] check_time the time for which the validation is performed
402 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
403 * from keys that validate one of the signatures
405 * \return status LDNS_STATUS_OK if there is at least one correct key
407 ldns_status ldns_verify_time(ldns_rr_list *rrset,
409 const ldns_rr_list *keys,
411 ldns_rr_list *good_keys);
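415 * Verifies a list of signatures for one rrset, but disregards the time.
416 * Inception and Expiration are not checked, so an expired or not-yet-valid signature can still verify; use ldns_verify_time() when the validity period matters.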
418 * \param[in] rrset the rrset to verify
419 * \param[in] rrsig a list of signatures to check
420 * \param[in] keys a list of keys to check with
421 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
422 * from keys that validate one of the signatures
424 * \return status LDNS_STATUS_OK if there is at least one correct key
426 ldns_status ldns_verify_notime(ldns_rr_list *rrset,
428 const ldns_rr_list *keys,
429 ldns_rr_list *good_keys);
432 * Tries to build an authentication chain from the given
433 * keys down to the queried domain.
435 * If we find a valid trust path, return the valid keys for the domain.
437 * \param[in] res the current resolver
438 * \param[in] domain the domain we want valid keys for
439 * \param[in] keys the current set of trusted keys
440 * \param[out] status pointer to the status variable where the result
441 * code will be stored
442 * \return the set of trusted keys for the domain, or NULL if no
443 * trust path could be built.
445 ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res,
446 const ldns_rdf * domain,
447 const ldns_rr_list * keys,
448 ldns_status *status);
451 * Tries to build an authentication chain from the given
452 * keys down to the queried domain.
454 * If we find a valid trust path, return the valid keys for the domain.
456 * \param[in] res the current resolver
457 * \param[in] domain the domain we want valid keys for
458 * \param[in] keys the current set of trusted keys
459 * \param[in] check_time the time for which the validation is performed
460 * \param[out] status pointer to the status variable where the result
461 * code will be stored
462 * \return the set of trusted keys for the domain, or NULL if no
463 * trust path could be built.
465 ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res,
466 const ldns_rdf * domain, const ldns_rr_list * keys,
467 time_t check_time, ldns_status *status);
471 * Validates the DNSKEY RRset for the given domain using the provided
474 * \param[in] res the current resolver
475 * \param[in] domain the domain we want valid keys for
476 * \param[in] keys the current set of trusted keys
477 * \return the set of trusted keys for the domain, or NULL if the RRSET
478 * could not be validated
480 ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res,
481 const ldns_rdf *domain,
482 const ldns_rr_list *keys);
485 * Validates the DNSKEY RRset for the given domain using the provided
488 * \param[in] res the current resolver
489 * \param[in] domain the domain we want valid keys for
490 * \param[in] keys the current set of trusted keys
491 * \param[in] check_time the time for which the validation is performed
492 * \return the set of trusted keys for the domain, or NULL if the RRSET
493 * could not be validated
495 ldns_rr_list *ldns_validate_domain_dnskey_time(
496 const ldns_resolver *res, const ldns_rdf *domain,
497 const ldns_rr_list *keys, time_t check_time);
501 * Validates the DS RRset for the given domain using the provided trusted keys.
503 * \param[in] res the current resolver
504 * \param[in] domain the domain we want valid keys for
505 * \param[in] keys the current set of trusted keys
506 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
508 ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res,
511 const ldns_rr_list * keys);
514 * Validates the DS RRset for the given domain using the provided trusted keys.
516 * \param[in] res the current resolver
517 * \param[in] domain the domain we want valid keys for
518 * \param[in] keys the current set of trusted keys
519 * \param[in] check_time the time for which the validation is performed
520 * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
522 ldns_rr_list *ldns_validate_domain_ds_time(
523 const ldns_resolver *res, const ldns_rdf *domain,
524 const ldns_rr_list * keys, time_t check_time);
528 * Verifies a list of signatures for one RRset using a valid trust path.
530 * \param[in] res the current resolver
531 * \param[in] rrset the rrset to verify
532 * \param[in] rrsigs a list of signatures to check
533 * \param[out] validating_keys if this is a (initialized) list, the
534 * keys from keys that validate one of
535 * the signatures are added to it
536 * \return status LDNS_STATUS_OK if there is at least one correct key
538 ldns_status ldns_verify_trusted(ldns_resolver *res,
540 ldns_rr_list *rrsigs,
541 ldns_rr_list *validating_keys);
544 * Verifies a list of signatures for one RRset using a valid trust path.
546 * \param[in] res the current resolver
547 * \param[in] rrset the rrset to verify
548 * \param[in] rrsigs a list of signatures to check
549 * \param[in] check_time the time for which the validation is performed
550 * \param[out] validating_keys if this is a (initialized) list, the
551 * keys from keys that validate one of
552 * the signatures are added to it
553 * \return status LDNS_STATUS_OK if there is at least one correct key
555 ldns_status ldns_verify_trusted_time(
556 ldns_resolver *res, ldns_rr_list *rrset,
557 ldns_rr_list *rrsigs, time_t check_time,
558 ldns_rr_list *validating_keys);
562 * denial is not just a river in egypt: verifies denial of existence using NSEC records
564 * \param[in] rr The (query) RR to check the denial of existence for
565 * \param[in] nsecs The list of NSEC RRs that are supposed to deny the
566 * existence of the RR
567 * \param[in] rrsigs The RRSIG RR covering the NSEC RRs
568 * \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code
569 * containing the reason they do not otherwise
571 ldns_status ldns_dnssec_verify_denial(ldns_rr *rr,
573 ldns_rr_list *rrsigs);
576 * Denial of existence using NSEC3 records
577 * Since NSEC3 is a bit more complicated than normal denial, some
578 * context arguments are needed
580 * \param[in] rr The (query) RR to check the denial of existence for
581 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
582 * existence of the RR
583 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
584 * \param[in] packet_rcode The RCODE value of the packet that provided the
586 * \param[in] packet_qtype The original query RR type
587 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
589 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
590 * containing the reason they do not otherwise
592 ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
594 ldns_rr_list *rrsigs,
595 ldns_pkt_rcode packet_rcode,
596 ldns_rr_type packet_qtype,
600 * Same as ldns_dnssec_verify_denial_nsec3 but also returns
601 * the nsec rr that matched.
603 * \param[in] rr The (query) RR to check the denial of existence for
604 * \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
605 * existence of the RR
606 * \param[in] rrsigs The RRSIG rr covering the NSEC RRs
607 * \param[in] packet_rcode The RCODE value of the packet that provided the
609 * \param[in] packet_qtype The original query RR type
610 * \param[in] packet_nodata True if the providing packet had an empty ANSWER
612 * \param[out] match On match, the given (reference to a) pointer will be set
613 * to point to the matching nsec resource record.
614 * \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
615 * containing the reason they do not otherwise
617 ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
619 ldns_rr_list *rrsigs,
620 ldns_pkt_rcode packet_rcode,
621 ldns_rr_type packet_qtype,
625 * Verifies the already processed data in the buffers
626 * This function should probably not be used directly.
628 * \param[in] rawsig_buf Buffer containing signature data to use
629 * \param[in] verify_buf Buffer containing data to verify
630 * \param[in] key_buf Buffer containing key data to use
631 * \param[in] algo Signing algorithm
632 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
634 ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
635 ldns_buffer *verify_buf,
636 ldns_buffer *key_buf,
640 * Like ldns_verify_rrsig_buffers, but uses raw data.
642 * \param[in] sig signature data to use
643 * \param[in] siglen length of signature data to use
644 * \param[in] verify_buf Buffer containing data to verify
645 * \param[in] key key data to use
646 * \param[in] keylen length of key data to use
647 * \param[in] algo Signing algorithm
648 * \return status LDNS_STATUS_OK if the data verifies. Error if not.
650 ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
652 ldns_buffer *verify_buf,
658 * Verifies an rrsig. All keys in the keyset are tried.
659 * \param[in] rrset the rrset to check
660 * \param[in] rrsig the signature of the rrset
661 * \param[in] keys the keys to try
662 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
663 * from keys that validate one of the signatures
665 * \return status LDNS_STATUS_OK if at least one key matched, else an error.
666 * The keys that validate the rrsig + rrset are reported through good_keys, not the return value.
668 ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
670 const ldns_rr_list *keys,
671 ldns_rr_list *good_keys);
674 * Verifies an rrsig. All keys in the keyset are tried.
675 * \param[in] rrset the rrset to check
676 * \param[in] rrsig the signature of the rrset
677 * \param[in] keys the keys to try
678 * \param[in] check_time the time for which the validation is performed
679 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
680 * from keys that validate one of the signatures
682 * \return status LDNS_STATUS_OK if at least one key matched, else an error.
683 * The keys that validate the rrsig + rrset are reported through good_keys, not the return value.
685 ldns_status ldns_verify_rrsig_keylist_time(
686 ldns_rr_list *rrset, ldns_rr *rrsig,
687 const ldns_rr_list *keys, time_t check_time,
688 ldns_rr_list *good_keys);
692 * Verifies an rrsig. All keys in the keyset are tried. Time is not checked, so an expired or not-yet-valid signature can still verify.
693 * \param[in] rrset the rrset to check
694 * \param[in] rrsig the signature of the rrset
695 * \param[in] keys the keys to try
696 * \param[out] good_keys if this is a (initialized) list, the pointer to keys
697 * from keys that validate one of the signatures
699 * \return status LDNS_STATUS_OK if at least one key matched, else an error.
700 * The keys that validate the rrsig + rrset are reported through good_keys, not the return value.
702 ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
704 const ldns_rr_list *keys,
705 ldns_rr_list *good_keys);
708 * verify an rrsig with 1 key
709 * \param[in] rrset the rrset
710 * \param[in] rrsig the rrsig to verify
711 * \param[in] key the key to use
712 * \return status indicating whether verification succeeded.
714 ldns_status ldns_verify_rrsig(ldns_rr_list *rrset,
720 * verify an rrsig with 1 key
721 * \param[in] rrset the rrset
722 * \param[in] rrsig the rrsig to verify
723 * \param[in] key the key to use
724 * \param[in] check_time the time for which the validation is performed
725 * \return status indicating whether verification succeeded.
727 ldns_status ldns_verify_rrsig_time(
728 ldns_rr_list *rrset, ldns_rr *rrsig,
729 ldns_rr *key, time_t check_time);
732 #if LDNS_BUILD_CONFIG_HAVE_SSL
734 * verifies a buffer with signature data for a buffer with rrset data
737 * \param[in] sig the signature data
738 * \param[in] rrset the rrset data, sorted and processed for verification
739 * \param[in] key the EVP key structure
740 * \param[in] digest_type The digest type of the signature
742 ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
745 const EVP_MD *digest_type);
748 * Like ldns_verify_rrsig_evp, but uses raw signature data.
749 * \param[in] sig the signature data, wireformat uncompressed
750 * \param[in] siglen length of the signature data
751 * \param[in] rrset the rrset data, sorted and processed for verification
752 * \param[in] key the EVP key structure
753 * \param[in] digest_type The digest type of the signature
755 ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
759 const EVP_MD *digest_type);
763 * verifies a buffer with signature data (DSA) for a buffer with rrset data
764 * with a buffer with key data. DSA is deprecated for DNSSEC (RFC 8624 lists it as MUST NOT for both signing and validation).
766 * \param[in] sig the signature data
767 * \param[in] rrset the rrset data, sorted and processed for verification
768 * \param[in] key the key data
770 ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
775 * verifies a buffer with signature data (RSASHA1) for a buffer with rrset data
776 * with a buffer with key data.
778 * \param[in] sig the signature data
779 * \param[in] rrset the rrset data, sorted and processed for verification
780 * \param[in] key the key data
782 ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
787 * verifies a buffer with signature data (RSAMD5) for a buffer with rrset data
788 * with a buffer with key data. RSAMD5 is deprecated for DNSSEC (RFC 8624 lists it as MUST NOT for both signing and validation).
790 * \param[in] sig the signature data
791 * \param[in] rrset the rrset data, sorted and processed for verification
792 * \param[in] key the key data
794 ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
799 * Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
800 * \param[in] sig raw uncompressed wireformat signature data
801 * \param[in] siglen length of signature data
802 * \param[in] rrset ldns buffer with prepared rrset data.
803 * \param[in] key raw uncompressed wireformat key data
804 * \param[in] keylen length of key data
806 ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
813 * Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
814 * \param[in] sig raw uncompressed wireformat signature data
815 * \param[in] siglen length of signature data
816 * \param[in] rrset ldns buffer with prepared rrset data.
817 * \param[in] key raw uncompressed wireformat key data
818 * \param[in] keylen length of key data
820 ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
827 * Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
828 * \param[in] sig raw uncompressed wireformat signature data
829 * \param[in] siglen length of signature data
830 * \param[in] rrset ldns buffer with prepared rrset data.
831 * \param[in] key raw uncompressed wireformat key data
832 * \param[in] keylen length of key data
835 ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
842 * Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
843 * \param[in] sig raw uncompressed wireformat signature data
844 * \param[in] siglen length of signature data
845 * \param[in] rrset ldns buffer with prepared rrset data.
846 * \param[in] key raw uncompressed wireformat key data
847 * \param[in] keylen length of key data
849 ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
856 * Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
857 * \param[in] sig raw uncompressed wireformat signature data
858 * \param[in] siglen length of signature data
859 * \param[in] rrset ldns buffer with prepared rrset data.
860 * \param[in] key raw uncompressed wireformat key data
861 * \param[in] keylen length of key data
863 ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,