1 #include <ldns/config.h>
5 #include <ldns/dnssec.h>
6 #include <ldns/dnssec_sign.h>
12 /* this entire file is rather useless when you don't have
15 #include <openssl/ssl.h>
16 #include <openssl/evp.h>
17 #include <openssl/rand.h>
18 #include <openssl/err.h>
19 #include <openssl/md5.h>
23 ldns_create_empty_rrsig(ldns_rr_list *rrset,
24 ldns_key *current_key)
27 ldns_rr_class orig_class;
32 label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset,
35 current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
37 /* set the type on the new signature */
38 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
39 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
41 ldns_rr_set_ttl(current_sig, orig_ttl);
42 ldns_rr_set_class(current_sig, orig_class);
43 ldns_rr_set_owner(current_sig,
46 ldns_rr_list_rr(rrset,
49 /* fill in what we know of the signature */
51 /* set the orig_ttl */
52 (void)ldns_rr_rrsig_set_origttl(
54 ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
56 /* the signers name */
57 (void)ldns_rr_rrsig_set_signame(
59 ldns_rdf_clone(ldns_key_pubkey_owner(current_key)));
60 /* label count - get it from the first rr in the rr_list */
61 (void)ldns_rr_rrsig_set_labels(
63 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
65 /* inception, expiration */
67 if (ldns_key_inception(current_key) != 0) {
68 (void)ldns_rr_rrsig_set_inception(
70 ldns_native2rdf_int32(
72 ldns_key_inception(current_key)));
74 (void)ldns_rr_rrsig_set_inception(
76 ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
78 if (ldns_key_expiration(current_key) != 0) {
79 (void)ldns_rr_rrsig_set_expiration(
81 ldns_native2rdf_int32(
83 ldns_key_expiration(current_key)));
85 (void)ldns_rr_rrsig_set_expiration(
87 ldns_native2rdf_int32(
89 now + LDNS_DEFAULT_EXP_TIME));
92 (void)ldns_rr_rrsig_set_keytag(
94 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
95 ldns_key_keytag(current_key)));
97 (void)ldns_rr_rrsig_set_algorithm(
101 ldns_key_algorithm(current_key)));
103 (void)ldns_rr_rrsig_set_typecovered(
105 ldns_native2rdf_int16(
107 ldns_rr_get_type(ldns_rr_list_rr(rrset,
114 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
116 ldns_rdf *b64rdf = NULL;
118 switch(ldns_key_algorithm(current_key)) {
121 b64rdf = ldns_sign_public_evp(
123 ldns_key_evp_key(current_key),
126 case LDNS_SIGN_RSASHA1:
127 case LDNS_SIGN_RSASHA1_NSEC3:
128 b64rdf = ldns_sign_public_evp(
130 ldns_key_evp_key(current_key),
134 case LDNS_SIGN_RSASHA256:
135 b64rdf = ldns_sign_public_evp(
137 ldns_key_evp_key(current_key),
140 case LDNS_SIGN_RSASHA512:
141 b64rdf = ldns_sign_public_evp(
143 ldns_key_evp_key(current_key),
146 #endif /* USE_SHA2 */
149 b64rdf = ldns_sign_public_evp(
151 ldns_key_evp_key(current_key),
152 EVP_get_digestbyname("md_gost94"));
154 #endif /* USE_GOST */
155 case LDNS_SIGN_RSAMD5:
156 b64rdf = ldns_sign_public_evp(
158 ldns_key_evp_key(current_key),
162 /* do _you_ know this alg? */
163 printf("unknown algorithm, ");
164 printf("is the one used available on this system?\n");
172 * use this function to sign with a public/private key alg
173 * return the created signatures
176 ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
178 ldns_rr_list *signatures;
179 ldns_rr_list *rrset_clone;
180 ldns_rr *current_sig;
182 ldns_key *current_key;
185 ldns_buffer *sign_buf;
188 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
195 signatures = ldns_rr_list_new();
197 /* prepare a signature and add all the know data
198 * prepare the rrset. Sign this together. */
199 rrset_clone = ldns_rr_list_clone(rrset);
204 /* make it canonical */
205 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
206 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i),
207 ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)));
208 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
211 ldns_rr_list_sort(rrset_clone);
214 key_count < ldns_key_list_key_count(keys);
216 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
219 sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
221 ldns_rr_list_free(rrset_clone);
222 ldns_rr_list_free(signatures);
223 ldns_rdf_free(new_owner);
228 current_key = ldns_key_list_key(keys, key_count);
229 /* sign all RRs with keys that have ZSKbit, !SEPbit.
230 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
232 ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY &&
233 (!(ldns_key_flags(current_key) & LDNS_KEY_SEP_KEY)
234 || ldns_rr_get_type(ldns_rr_list_rr(rrset, 0))
235 == LDNS_RR_TYPE_DNSKEY)
237 current_sig = ldns_create_empty_rrsig(rrset_clone,
240 /* right now, we have: a key, a semi-sig and an rrset. For
241 * which we can create the sig and base64 encode that and
242 * add that to the signature */
244 if (ldns_rrsig2buffer_wire(sign_buf, current_sig)
246 ldns_buffer_free(sign_buf);
248 ldns_rr_list_deep_free(rrset_clone);
252 /* add the rrset in sign_buf */
253 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone)
255 ldns_buffer_free(sign_buf);
256 ldns_rr_list_deep_free(rrset_clone);
260 b64rdf = ldns_sign_public_buffer(sign_buf, current_key);
263 /* signing went wrong */
264 ldns_rr_list_deep_free(rrset_clone);
268 ldns_rr_rrsig_set_sig(current_sig, b64rdf);
270 /* push the signature to the signatures list */
271 ldns_rr_list_push_rr(signatures, current_sig);
273 ldns_buffer_free(sign_buf); /* restart for the next key */
275 ldns_rr_list_deep_free(rrset_clone);
283 * \param[in] to_sign The ldns_buffer containing raw data that is
285 * \param[in] key The DSA key structure to sign with
286 * \return ldns_rdf for the RRSIG ldns_rr
289 ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
291 unsigned char *sha1_hash;
292 ldns_rdf *sigdata_rdf;
299 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
304 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
305 ldns_buffer_position(to_sign), NULL);
307 ldns_buffer_free(b64sig);
312 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key);
314 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH);
317 pad = 20 - (size_t) BN_num_bytes(sig->r);
319 memset(data + 1, 0, pad);
321 BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad);
323 pad = 20 - (size_t) BN_num_bytes(sig->s);
325 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
327 BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
329 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
330 1 + 2 * SHA_DIGEST_LENGTH,
333 ldns_buffer_free(b64sig);
340 ldns_sign_public_evp(ldns_buffer *to_sign,
342 const EVP_MD *digest_type)
345 ldns_rdf *sigdata_rdf;
348 const EVP_MD *md_type;
352 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
357 /* initializes a signing context */
358 md_type = digest_type;
360 /* unknown message difest */
361 ldns_buffer_free(b64sig);
365 EVP_MD_CTX_init(&ctx);
366 r = EVP_SignInit(&ctx, md_type);
368 r = EVP_SignUpdate(&ctx, (unsigned char*)
369 ldns_buffer_begin(to_sign),
370 ldns_buffer_position(to_sign));
372 ldns_buffer_free(b64sig);
376 r = EVP_SignFinal(&ctx, (unsigned char*)
377 ldns_buffer_begin(b64sig), &siglen, key);
379 ldns_buffer_free(b64sig);
383 ldns_buffer_free(b64sig);
387 /* unfortunately, OpenSSL output is differenct from DNS DSA format */
388 if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
389 sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
391 /* ok output for other types is the same */
392 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
393 ldns_buffer_begin(b64sig));
395 ldns_buffer_free(b64sig);
396 EVP_MD_CTX_cleanup(&ctx);
401 ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key)
403 unsigned char *sha1_hash;
405 ldns_rdf *sigdata_rdf;
410 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
415 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
416 ldns_buffer_position(to_sign), NULL);
418 ldns_buffer_free(b64sig);
422 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH,
423 (unsigned char*)ldns_buffer_begin(b64sig),
433 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
434 ldns_buffer_begin(b64sig));
435 ldns_buffer_free(b64sig); /* can't free this buffer ?? */
440 ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key)
442 unsigned char *md5_hash;
444 ldns_rdf *sigdata_rdf;
447 b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN);
452 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign),
453 ldns_buffer_position(to_sign), NULL);
455 ldns_buffer_free(b64sig);
459 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH,
460 (unsigned char*)ldns_buffer_begin(b64sig),
463 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
464 ldns_buffer_begin(b64sig));
465 ldns_buffer_free(b64sig);
468 #endif /* HAVE_SSL */
471 ldns_dnssec_name_has_only_a(ldns_dnssec_name *cur_name)
473 ldns_dnssec_rrsets *cur_rrset;
474 cur_rrset = cur_name->rrsets;
476 if (cur_rrset->type != LDNS_RR_TYPE_A &&
477 cur_rrset->type != LDNS_RR_TYPE_AAAA) {
480 cur_rrset = cur_rrset->next;
487 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
489 ldns_rbnode_t *cur_node;
490 ldns_dnssec_name *cur_name;
491 ldns_rdf *cur_owner, *cur_parent;
493 cur_node = ldns_rbtree_first(zone->names);
494 while (cur_node != LDNS_RBTREE_NULL) {
495 cur_name = (ldns_dnssec_name *) cur_node->data;
496 cur_node = ldns_rbtree_next(cur_node);
497 if (ldns_dnssec_name_has_only_a(cur_name)) {
498 /* assume glue XXX check for zone cur */
499 cur_owner = ldns_rdf_clone(ldns_rr_owner(
500 cur_name->rrsets->rrs->rr));
501 while (ldns_dname_label_count(cur_owner) >
502 ldns_dname_label_count(zone->soa->name)) {
503 if (ldns_dnssec_zone_find_rrset(zone,
507 fprintf(stderr, "[XX] Marking as glue: ");
508 ldns_rdf_print(stderr, cur_name->name);
509 fprintf(stderr, "\n");
511 cur_name->is_glue = true;
513 cur_parent = ldns_dname_left_chop(cur_owner);
514 ldns_rdf_deep_free(cur_owner);
515 cur_owner = cur_parent;
517 ldns_rdf_deep_free(cur_owner);
520 return LDNS_STATUS_OK;
524 ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node)
526 ldns_rbnode_t *next_node = NULL;
527 ldns_dnssec_name *next_name = NULL;
530 if (node == LDNS_RBTREE_NULL) {
535 if (next_node == LDNS_RBTREE_NULL) {
538 next_name = (ldns_dnssec_name *)next_node->data;
539 if (!next_name->is_glue) {
542 next_node = ldns_rbtree_next(next_node);
550 ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
551 ldns_rr_list *new_rrs)
554 ldns_rbnode_t *first_node, *cur_node, *next_node;
555 ldns_dnssec_name *cur_name, *next_name;
558 ldns_dnssec_rrsets *soa;
560 /* the TTL of NSEC rrs should be set to the minimum TTL of
561 * the zone SOA (RFC4035 Section 2.3)
563 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
565 /* did the caller actually set it? if not,
566 * fall back to default ttl
568 if (soa && soa->rrs && soa->rrs->rr) {
569 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(
572 nsec_ttl = LDNS_DEFAULT_TTL;
575 first_node = ldns_dnssec_name_node_next_nonglue(
576 ldns_rbtree_first(zone->names));
577 cur_node = first_node;
579 next_node = ldns_dnssec_name_node_next_nonglue(
580 ldns_rbtree_next(cur_node));
585 while (cur_node && next_node) {
586 cur_name = (ldns_dnssec_name *)cur_node->data;
587 next_name = (ldns_dnssec_name *)next_node->data;
588 nsec_rr = ldns_dnssec_create_nsec(cur_name,
591 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
592 ldns_dnssec_name_add_rr(cur_name, nsec_rr);
593 ldns_rr_list_push_rr(new_rrs, nsec_rr);
594 cur_node = next_node;
596 next_node = ldns_dnssec_name_node_next_nonglue(
597 ldns_rbtree_next(cur_node));
601 if (cur_node && !next_node) {
602 cur_name = (ldns_dnssec_name *)cur_node->data;
603 next_name = (ldns_dnssec_name *)first_node->data;
604 nsec_rr = ldns_dnssec_create_nsec(cur_name,
607 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
608 ldns_dnssec_name_add_rr(cur_name, nsec_rr);
609 ldns_rr_list_push_rr(new_rrs, nsec_rr);
614 return LDNS_STATUS_OK;
619 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
620 ldns_rr_list *new_rrs,
627 ldns_rbnode_t *first_name_node;
628 ldns_rbnode_t *current_name_node;
629 ldns_dnssec_name *current_name;
630 ldns_status result = LDNS_STATUS_OK;
632 ldns_rr_list *nsec3_list;
634 ldns_dnssec_rrsets *soa;
636 if (!zone || !new_rrs || !zone->names) {
637 return LDNS_STATUS_ERR;
640 /* the TTL of NSEC rrs should be set to the minimum TTL of
641 * the zone SOA (RFC4035 Section 2.3)
643 soa = ldns_dnssec_name_find_rrset(zone->soa, LDNS_RR_TYPE_SOA);
645 /* did the caller actually set it? if not,
646 * fall back to default ttl
648 if (soa && soa->rrs && soa->rrs->rr) {
649 nsec_ttl = ldns_rdf2native_int32(ldns_rr_rdf(
652 nsec_ttl = LDNS_DEFAULT_TTL;
655 nsec3_list = ldns_rr_list_new();
657 first_name_node = ldns_dnssec_name_node_next_nonglue(
658 ldns_rbtree_first(zone->names));
660 current_name_node = first_name_node;
662 while (current_name_node &&
663 current_name_node != LDNS_RBTREE_NULL) {
664 current_name = (ldns_dnssec_name *) current_name_node->data;
665 nsec_rr = ldns_dnssec_create_nsec3(current_name,
673 /* by default, our nsec based generator adds rrsigs
674 * remove the bitmap for empty nonterminals */
675 if (!current_name->rrsets) {
676 ldns_rdf_deep_free(ldns_rr_pop_rdf(nsec_rr));
678 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
679 ldns_dnssec_name_add_rr(current_name, nsec_rr);
680 ldns_rr_list_push_rr(new_rrs, nsec_rr);
681 ldns_rr_list_push_rr(nsec3_list, nsec_rr);
682 current_name_node = ldns_dnssec_name_node_next_nonglue(
683 ldns_rbtree_next(current_name_node));
686 ldns_rr_list_sort_nsec3(nsec3_list);
687 ldns_dnssec_chain_nsec3_list(nsec3_list);
688 if (result != LDNS_STATUS_OK) {
692 ldns_rr_list_free(nsec3_list);
695 #endif /* HAVE_SSL */
698 ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
699 ldns_key_list *key_list,
700 int (*func)(ldns_rr *, void *),
703 ldns_dnssec_rrs *base_rrs = signatures;
704 ldns_dnssec_rrs *cur_rr = base_rrs;
705 ldns_dnssec_rrs *prev_rr = NULL;
706 ldns_dnssec_rrs *next_rr;
715 switch(func(NULL, arg)) {
716 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
717 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
719 case LDNS_SIGNATURE_LEAVE_NO_ADD:
720 case LDNS_SIGNATURE_REMOVE_NO_ADD:
721 ldns_key_list_set_use(key_list, false);
724 fprintf(stderr, "[XX] unknown return value from callback\n");
729 v = func(cur_rr->rr, arg);
732 next_rr = cur_rr->next;
734 switch (func(cur_rr->rr, arg)) {
735 case LDNS_SIGNATURE_LEAVE_ADD_NEW:
738 case LDNS_SIGNATURE_LEAVE_NO_ADD:
739 keytag = ldns_rdf2native_int16(
740 ldns_rr_rrsig_keytag(cur_rr->rr));
741 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
742 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
744 ldns_key_set_use(ldns_key_list_key(key_list, i),
750 case LDNS_SIGNATURE_REMOVE_NO_ADD:
751 keytag = ldns_rdf2native_int16(
752 ldns_rr_rrsig_keytag(cur_rr->rr));
753 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
754 if (ldns_key_keytag(ldns_key_list_key(key_list, i))
756 ldns_key_set_use(ldns_key_list_key(key_list, i),
761 prev_rr->next = next_rr;
767 case LDNS_SIGNATURE_REMOVE_ADD_NEW:
769 prev_rr->next = next_rr;
776 fprintf(stderr, "[XX] unknown return value from callback\n");
787 ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
788 ldns_rr_list *new_rrs,
789 ldns_key_list *key_list,
790 int (*func)(ldns_rr *, void*),
793 return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list,
797 /** If there are KSKs use only them and mark ZSKs unused */
799 ldns_key_list_filter_for_dnskey(ldns_key_list *key_list)
803 for(i=0; i<ldns_key_list_key_count(key_list); i++)
804 if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
810 for(i=0; i<ldns_key_list_key_count(key_list); i++)
811 if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
812 ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
816 ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
817 ldns_rr_list *new_rrs,
818 ldns_key_list *key_list,
819 int (*func)(ldns_rr *, void*),
823 ldns_status result = LDNS_STATUS_OK;
825 ldns_rbnode_t *cur_node;
826 ldns_rr_list *rr_list;
828 ldns_dnssec_name *cur_name;
829 ldns_dnssec_rrsets *cur_rrset;
830 ldns_dnssec_rrs *cur_rr;
832 ldns_rr_list *siglist;
836 ldns_rr_list *pubkey_list = ldns_rr_list_new();
840 for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
841 ldns_rr_list_push_rr(pubkey_list,
842 ldns_key2rr(ldns_key_list_key(key_list, i)));
844 /* TODO: callback to see is list should be signed */
845 /* TODO: remove 'old' signatures from signature list */
846 cur_node = ldns_rbtree_first(zone->names);
847 while (cur_node != LDNS_RBTREE_NULL) {
848 cur_name = (ldns_dnssec_name *) cur_node->data;
850 if (!cur_name->is_glue) {
851 cur_rrset = cur_name->rrsets;
853 /* reset keys to use */
854 ldns_key_list_set_use(key_list, true);
856 /* walk through old sigs, remove the old,
857 and mark which keys (not) to use) */
858 cur_rrset->signatures =
859 ldns_dnssec_remove_signatures(cur_rrset->signatures,
863 if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
864 cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
865 ldns_key_list_filter_for_dnskey(key_list);
867 /* TODO: just set count to zero? */
868 rr_list = ldns_rr_list_new();
870 cur_rr = cur_rrset->rrs;
872 ldns_rr_list_push_rr(rr_list, cur_rr->rr);
873 cur_rr = cur_rr->next;
876 /* only sign non-delegation RRsets */
877 /* (glue should have been marked earlier) */
878 if ((ldns_rr_list_type(rr_list) != LDNS_RR_TYPE_NS ||
879 ldns_dname_compare(ldns_rr_list_owner(rr_list),
880 zone->soa->name) == 0) &&
881 /* OK, there is also the possibility that the record
882 * is glue, but at the same owner name as other records that
883 * are not NS nor A/AAAA. Bleh, our current data structure
884 * doesn't really support that... */
885 !((ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_A ||
886 ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_AAAA) &&
887 !ldns_dname_compare(ldns_rr_list_owner(rr_list), zone->soa->name) == 0 &&
888 ldns_dnssec_zone_find_rrset(zone, ldns_rr_list_owner(rr_list), LDNS_RR_TYPE_NS)
891 siglist = ldns_sign_public(rr_list, key_list);
892 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
893 if (cur_rrset->signatures) {
894 ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
895 ldns_rr_list_rr(siglist,
898 cur_rrset->signatures = ldns_dnssec_rrs_new();
899 cur_rrset->signatures->rr =
900 ldns_rr_list_rr(siglist, i);
901 ldns_rr_list_push_rr(new_rrs,
902 ldns_rr_list_rr(siglist,
906 ldns_rr_list_free(siglist);
909 ldns_rr_list_free(rr_list);
911 cur_rrset = cur_rrset->next;
915 cur_name->nsec_signatures =
916 ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
921 rr_list = ldns_rr_list_new();
922 ldns_rr_list_push_rr(rr_list, cur_name->nsec);
923 siglist = ldns_sign_public(rr_list, key_list);
925 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
926 if (cur_name->nsec_signatures) {
927 ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
928 ldns_rr_list_rr(siglist, i));
930 cur_name->nsec_signatures = ldns_dnssec_rrs_new();
931 cur_name->nsec_signatures->rr =
932 ldns_rr_list_rr(siglist, i);
933 ldns_rr_list_push_rr(new_rrs,
934 ldns_rr_list_rr(siglist, i));
938 ldns_rr_list_free(siglist);
939 ldns_rr_list_free(rr_list);
941 cur_node = ldns_rbtree_next(cur_node);
944 ldns_rr_list_deep_free(pubkey_list);
949 ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
950 ldns_rr_list *new_rrs,
951 ldns_key_list *key_list,
952 int (*func)(ldns_rr *, void *),
955 return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0);
959 ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
960 ldns_rr_list *new_rrs,
961 ldns_key_list *key_list,
962 int (*func)(ldns_rr *, void *),
966 ldns_status result = LDNS_STATUS_OK;
968 if (!zone || !new_rrs || !key_list) {
969 return LDNS_STATUS_ERR;
972 /* zone is already sorted */
973 ldns_dnssec_zone_mark_glue(zone);
975 /* check whether we need to add nsecs */
976 if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
977 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
978 if (result != LDNS_STATUS_OK) {
983 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
994 ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
995 ldns_rr_list *new_rrs,
996 ldns_key_list *key_list,
997 int (*func)(ldns_rr *, void *),
1001 uint16_t iterations,
1002 uint8_t salt_length,
1005 return ldns_dnssec_zone_sign_nsec3_flg(zone, new_rrs, key_list,
1006 func, arg, algorithm, flags, iterations, salt_length, salt, 0);
1010 ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
1011 ldns_rr_list *new_rrs,
1012 ldns_key_list *key_list,
1013 int (*func)(ldns_rr *, void *),
1017 uint16_t iterations,
1018 uint8_t salt_length,
1022 ldns_rr *nsec3, *nsec3params;
1023 ldns_status result = LDNS_STATUS_OK;
1025 /* zone is already sorted */
1026 ldns_dnssec_zone_mark_glue(zone);
1028 /* TODO if there are already nsec3s presents and their
1029 * parameters are the same as these, we don't have to recreate
1032 /* add empty nonterminals */
1033 ldns_dnssec_zone_add_empty_nonterminals(zone);
1035 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
1036 if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
1037 /* no need to recreate */
1039 if (!ldns_dnssec_zone_find_rrset(zone,
1041 LDNS_RR_TYPE_NSEC3PARAMS)) {
1042 /* create and add the nsec3params rr */
1044 ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAMS);
1045 ldns_rr_set_owner(nsec3params,
1046 ldns_rdf_clone(zone->soa->name));
1047 ldns_nsec3_add_param_rdfs(nsec3params,
1053 /* always set bit 7 of the flags to zero, according to
1054 * rfc5155 section 11 */
1055 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3params, 1)), 7, 0);
1056 ldns_dnssec_zone_add_rr(zone, nsec3params);
1057 ldns_rr_list_push_rr(new_rrs, nsec3params);
1059 result = ldns_dnssec_zone_create_nsec3s(zone,
1066 if (result != LDNS_STATUS_OK) {
1071 result = ldns_dnssec_zone_create_rrsigs_flg(zone,
1084 ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
1086 ldns_dnssec_zone *dnssec_zone;
1087 ldns_zone *signed_zone;
1088 ldns_rr_list *new_rrs;
1091 signed_zone = ldns_zone_new();
1092 dnssec_zone = ldns_dnssec_zone_new();
1094 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1095 ldns_zone_set_soa(signed_zone, ldns_zone_soa(zone));
1097 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1098 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1099 ldns_rr_list_rr(ldns_zone_rrs(zone),
1101 ldns_zone_push_rr(signed_zone,
1102 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1106 new_rrs = ldns_rr_list_new();
1107 (void) ldns_dnssec_zone_sign(dnssec_zone,
1110 ldns_dnssec_default_replace_signatures,
1113 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1114 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1115 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1118 ldns_rr_list_deep_free(new_rrs);
1119 ldns_dnssec_zone_free(dnssec_zone);
1125 ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
1127 ldns_dnssec_zone *dnssec_zone;
1128 ldns_zone *signed_zone;
1129 ldns_rr_list *new_rrs;
1132 signed_zone = ldns_zone_new();
1133 dnssec_zone = ldns_dnssec_zone_new();
1135 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1136 ldns_zone_set_soa(signed_zone, ldns_zone_soa(zone));
1138 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1139 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1140 ldns_rr_list_rr(ldns_zone_rrs(zone),
1142 ldns_zone_push_rr(signed_zone,
1143 ldns_rr_clone(ldns_rr_list_rr(ldns_zone_rrs(zone),
1147 new_rrs = ldns_rr_list_new();
1148 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone,
1151 ldns_dnssec_default_replace_signatures,
1159 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1160 ldns_rr_list_push_rr(ldns_zone_rrs(signed_zone),
1161 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1164 ldns_rr_list_deep_free(new_rrs);
1165 ldns_dnssec_zone_free(dnssec_zone);
1169 #endif /* HAVE_SSL */