2 * keys.c handle private keys for use in DNSSEC
4 * This module should hide some of the openSSL complexities
5 * and give a general interface for private keys and hmac
8 * (c) NLnet Labs, 2004-2006
10 * See the file LICENSE for the license
13 #include <ldns/config.h>
15 #include <ldns/ldns.h>
18 #include <openssl/ssl.h>
19 #include <openssl/engine.h>
20 #include <openssl/rand.h>
23 ldns_lookup_table ldns_signing_algorithms[] = {
24 { LDNS_SIGN_RSAMD5, "RSAMD5" },
25 { LDNS_SIGN_RSASHA1, "RSASHA1" },
26 { LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" },
28 { LDNS_SIGN_RSASHA256, "RSASHA256" },
29 { LDNS_SIGN_RSASHA512, "RSASHA512" },
32 { LDNS_SIGN_ECC_GOST, "ECC-GOST" },
35 { LDNS_SIGN_ECDSAP256SHA256, "ECDSAP256SHA256" },
36 { LDNS_SIGN_ECDSAP384SHA384, "ECDSAP384SHA384" },
38 { LDNS_SIGN_DSA, "DSA" },
39 { LDNS_SIGN_DSA_NSEC3, "DSA-NSEC3-SHA1" },
40 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" },
41 { LDNS_SIGN_HMACSHA1, "hmac-sha1" },
42 { LDNS_SIGN_HMACSHA256, "hmac-sha256" },
49 ldns_key_list *key_list = LDNS_MALLOC(ldns_key_list);
53 key_list->_key_count = 0;
54 key_list->_keys = NULL;
64 newkey = LDNS_MALLOC(ldns_key);
68 /* some defaults - not sure wether to do this */
69 ldns_key_set_use(newkey, true);
70 ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY);
71 ldns_key_set_origttl(newkey, 0);
72 ldns_key_set_keytag(newkey, 0);
73 ldns_key_set_inception(newkey, 0);
74 ldns_key_set_expiration(newkey, 0);
75 ldns_key_set_pubkey_owner(newkey, NULL);
77 ldns_key_set_evp_key(newkey, NULL);
79 ldns_key_set_hmac_key(newkey, NULL);
80 ldns_key_set_external_key(newkey, NULL);
86 ldns_key_new_frm_fp(ldns_key **k, FILE *fp)
88 return ldns_key_new_frm_fp_l(k, fp, NULL);
93 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg)
98 k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL);
99 ldns_key_set_algorithm(k, (ldns_signing_algorithm) alg);
101 return LDNS_STATUS_ENGINE_KEY_NOT_LOADED;
104 return LDNS_STATUS_OK;
110 /** store GOST engine reference loaded into OpenSSL library */
111 ENGINE* ldns_gost_engine = NULL;
114 ldns_key_EVP_load_gost_id(void)
116 static int gost_id = 0;
117 const EVP_PKEY_ASN1_METHOD* meth;
120 if(gost_id) return gost_id;
122 /* see if configuration loaded gost implementation from other engine*/
123 meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
125 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
129 /* see if engine can be loaded already */
130 e = ENGINE_by_id("gost");
132 /* load it ourself, in case statically linked */
133 ENGINE_load_builtin_engines();
134 ENGINE_load_dynamic();
135 e = ENGINE_by_id("gost");
138 /* no gost engine in openssl */
141 if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
147 meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
154 /* Note: do not ENGINE_finish and ENGINE_free the acquired engine
155 * on some platforms this frees up the meth and unloads gost stuff */
156 ldns_gost_engine = e;
158 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
162 void ldns_key_EVP_unload_gost(void)
164 if(ldns_gost_engine) {
165 ENGINE_finish(ldns_gost_engine);
166 ENGINE_free(ldns_gost_engine);
167 ldns_gost_engine = NULL;
171 /** read GOST private key */
173 ldns_key_new_frm_fp_gost_l(FILE* fp, int* line_nr)
176 const unsigned char* pp;
179 ldns_rdf* b64rdf = NULL;
181 gost_id = ldns_key_EVP_load_gost_id();
185 if (ldns_fget_keyword_data_l(fp, "GostAsn1", ": ", token, "\n",
186 sizeof(token), line_nr) == -1)
188 while(strlen(token) < 96) {
189 /* read more b64 from the file, b64 split on multiple lines */
190 if(ldns_fget_token_l(fp, token+strlen(token), "\n",
191 sizeof(token)-strlen(token), line_nr) == -1)
194 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
196 pp = (unsigned char*)ldns_rdf_data(b64rdf);
197 pkey = d2i_PrivateKey(gost_id, NULL, &pp, ldns_rdf_size(b64rdf));
198 ldns_rdf_deep_free(b64rdf);
204 /** calculate public key from private key */
206 ldns_EC_KEY_calc_public(EC_KEY* ec)
209 const EC_GROUP* group;
210 group = EC_KEY_get0_group(ec);
211 pub_key = EC_POINT_new(group);
212 if(!pub_key) return 0;
213 if(!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) {
214 EC_POINT_free(pub_key);
217 if(!EC_POINT_mul(group, pub_key, EC_KEY_get0_private_key(ec),
219 EC_POINT_free(pub_key);
222 if(EC_KEY_set_public_key(ec, pub_key) == 0) {
223 EC_POINT_free(pub_key);
226 EC_POINT_free(pub_key);
230 /** read ECDSA private key */
232 ldns_key_new_frm_fp_ecdsa_l(FILE* fp, ldns_algorithm alg, int* line_nr)
235 ldns_rdf* b64rdf = NULL;
240 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n",
241 sizeof(token), line_nr) == -1)
243 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
245 pp = (unsigned char*)ldns_rdf_data(b64rdf);
247 if(alg == LDNS_ECDSAP256SHA256)
248 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
249 else if(alg == LDNS_ECDSAP384SHA384)
250 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
253 ldns_rdf_deep_free(b64rdf);
256 bn = BN_bin2bn(pp, ldns_rdf_size(b64rdf), NULL);
257 ldns_rdf_deep_free(b64rdf);
262 EC_KEY_set_private_key(ec, bn);
264 if(!ldns_EC_KEY_calc_public(ec)) {
269 evp_key = EVP_PKEY_new();
274 EVP_PKEY_assign_EC_KEY(evp_key, ec);
281 ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
285 ldns_signing_algorithm alg;
292 #endif /* HAVE_SSL */
296 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
298 return LDNS_STATUS_MEM_ERR;
303 /* the file is highly structured. Do this in sequence */
305 * Private-key-format: v1.2
309 /* get the key format version number */
310 if (ldns_fget_keyword_data_l(fp, "Private-key-format", ": ", d, "\n",
311 LDNS_MAX_LINELEN, line_nr) == -1) {
312 /* no version information */
313 return LDNS_STATUS_SYNTAX_ERR;
315 if (strncmp(d, "v1.2", strlen(d)) != 0) {
316 return LDNS_STATUS_SYNTAX_VERSION_ERR;
319 /* get the algorithm type, our file function strip ( ) so there are
320 * not in the return string! */
321 if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n",
322 LDNS_MAX_LINELEN, line_nr) == -1) {
323 /* no alg information */
324 return LDNS_STATUS_SYNTAX_ALG_ERR;
327 if (strncmp(d, "1 RSA", 2) == 0) {
328 alg = LDNS_SIGN_RSAMD5;
330 if (strncmp(d, "2 DH", 2) == 0) {
331 alg = (ldns_signing_algorithm)LDNS_DH;
333 if (strncmp(d, "3 DSA", 2) == 0) {
336 if (strncmp(d, "4 ECC", 2) == 0) {
337 alg = (ldns_signing_algorithm)LDNS_ECC;
339 if (strncmp(d, "5 RSASHA1", 2) == 0) {
340 alg = LDNS_SIGN_RSASHA1;
342 if (strncmp(d, "6 DSA", 2) == 0) {
343 alg = LDNS_SIGN_DSA_NSEC3;
345 if (strncmp(d, "7 RSASHA1", 2) == 0) {
346 alg = LDNS_SIGN_RSASHA1_NSEC3;
349 if (strncmp(d, "8 RSASHA256", 2) == 0) {
351 alg = LDNS_SIGN_RSASHA256;
353 fprintf(stderr, "Warning: SHA256 not compiled into this ");
354 fprintf(stderr, "version of ldns\n");
357 if (strncmp(d, "10 RSASHA512", 3) == 0) {
359 alg = LDNS_SIGN_RSASHA512;
361 fprintf(stderr, "Warning: SHA512 not compiled into this ");
362 fprintf(stderr, "version of ldns\n");
365 if (strncmp(d, "12 ECC-GOST", 3) == 0) {
367 alg = LDNS_SIGN_ECC_GOST;
369 fprintf(stderr, "Warning: ECC-GOST not compiled into this ");
370 fprintf(stderr, "version of ldns, use --enable-gost\n");
374 if (strncmp(d, "13 ECDSAP256SHA256", 3) == 0) {
375 alg = LDNS_ECDSAP256SHA256;
377 if (strncmp(d, "14 ECDSAP384SHA384", 3) == 0) {
378 alg = LDNS_ECDSAP384SHA384;
381 if (strncmp(d, "157 HMAC-MD5", 4) == 0) {
382 alg = LDNS_SIGN_HMACMD5;
384 if (strncmp(d, "158 HMAC-SHA1", 4) == 0) {
385 alg = LDNS_SIGN_HMACSHA1;
387 if (strncmp(d, "159 HMAC-SHA256", 4) == 0) {
388 alg = LDNS_SIGN_HMACSHA256;
394 case LDNS_SIGN_RSAMD5:
395 case LDNS_SIGN_RSASHA1:
396 case LDNS_RSASHA1_NSEC3:
398 case LDNS_SIGN_RSASHA256:
399 case LDNS_SIGN_RSASHA512:
401 ldns_key_set_algorithm(k, alg);
403 rsa = ldns_key_new_frm_fp_rsa_l(fp, line_nr);
406 return LDNS_STATUS_ERR;
408 ldns_key_set_rsa_key(k, rsa);
410 #endif /* HAVE_SSL */
414 ldns_key_set_algorithm(k, alg);
416 dsa = ldns_key_new_frm_fp_dsa_l(fp, line_nr);
419 return LDNS_STATUS_ERR;
421 ldns_key_set_dsa_key(k, dsa);
423 #endif /* HAVE_SSL */
425 case LDNS_SIGN_HMACMD5:
426 case LDNS_SIGN_HMACSHA1:
427 case LDNS_SIGN_HMACSHA256:
428 ldns_key_set_algorithm(k, alg);
430 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size);
433 return LDNS_STATUS_ERR;
435 ldns_key_set_hmac_size(k, hmac_size);
436 ldns_key_set_hmac_key(k, hmac);
437 #endif /* HAVE_SSL */
439 case LDNS_SIGN_ECC_GOST:
440 ldns_key_set_algorithm(k, alg);
441 #if defined(HAVE_SSL) && defined(USE_GOST)
442 if(!ldns_key_EVP_load_gost_id()) {
444 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL;
446 ldns_key_set_evp_key(k,
447 ldns_key_new_frm_fp_gost_l(fp, line_nr));
450 return LDNS_STATUS_ERR;
455 case LDNS_SIGN_ECDSAP256SHA256:
456 case LDNS_SIGN_ECDSAP384SHA384:
457 ldns_key_set_algorithm(k, alg);
458 ldns_key_set_evp_key(k,
459 ldns_key_new_frm_fp_ecdsa_l(fp, alg, line_nr));
462 return LDNS_STATUS_ERR;
468 return LDNS_STATUS_SYNTAX_ALG_ERR;
470 key_rr = ldns_key2rr(k);
471 ldns_key_set_keytag(k, ldns_calc_keytag(key_rr));
472 ldns_rr_free(key_rr);
476 return LDNS_STATUS_OK;
478 return LDNS_STATUS_ERR;
483 ldns_key_new_frm_fp_rsa(FILE *f)
485 return ldns_key_new_frm_fp_rsa_l(f, NULL);
489 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
505 * BIGNUM *n; // public modulus
506 * BIGNUM *e; // public exponent
507 * BIGNUM *d; // private exponent
508 * BIGNUM *p; // secret prime factor
509 * BIGNUM *q; // secret prime factor
510 * BIGNUM *dmp1; // d mod (p-1)
511 * BIGNUM *dmq1; // d mod (q-1)
512 * BIGNUM *iqmp; // q^-1 mod p
521 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
522 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
524 if (!d || !rsa || !buf) {
528 /* I could use functions again, but that seems an overkill,
529 * allthough this also looks tedious
532 /* Modules, rsa->n */
533 if (ldns_fget_keyword_data_l(f, "Modulus", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
536 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
537 rsa->n = BN_bin2bn((const char unsigned*)buf, i, NULL);
542 /* PublicExponent, rsa->e */
543 if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
546 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
547 rsa->e = BN_bin2bn((const char unsigned*)buf, i, NULL);
552 /* PrivateExponent, rsa->d */
553 if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
556 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
557 rsa->d = BN_bin2bn((const char unsigned*)buf, i, NULL);
563 if (ldns_fget_keyword_data_l(f, "Prime1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
566 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
567 rsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL);
573 if (ldns_fget_keyword_data_l(f, "Prime2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
576 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
577 rsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL);
582 /* Exponent1, rsa->dmp1 */
583 if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
586 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
587 rsa->dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
592 /* Exponent2, rsa->dmq1 */
593 if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
596 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
597 rsa->dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
602 /* Coefficient, rsa->iqmp */
603 if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
606 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
607 rsa->iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL);
624 ldns_key_new_frm_fp_dsa(FILE *f)
626 return ldns_key_new_frm_fp_dsa_l(f, NULL);
630 ldns_key_new_frm_fp_dsa_l(FILE *f, int *line_nr)
639 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
640 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
646 /* the line parser removes the () from the input... */
649 if (ldns_fget_keyword_data_l(f, "Primep", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
652 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
653 dsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL);
658 /* Subprime, dsa->q */
659 if (ldns_fget_keyword_data_l(f, "Subprimeq", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
662 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
663 dsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL);
669 if (ldns_fget_keyword_data_l(f, "Baseg", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
672 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
673 dsa->g = BN_bin2bn((const char unsigned*)buf, i, NULL);
678 /* Private key, dsa->priv_key */
679 if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
682 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
683 dsa->priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
684 if (!dsa->priv_key) {
688 /* Public key, dsa->priv_key */
689 if (ldns_fget_keyword_data_l(f, "Public_valuey", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
692 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
693 dsa->pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
710 ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size)
712 return ldns_key_new_frm_fp_hmac_l(f, NULL, hmac_size);
716 ldns_key_new_frm_fp_hmac_l(FILE *f, int *line_nr, size_t *hmac_size)
724 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
725 buf = LDNS_XMALLOC(unsigned char, LDNS_MAX_LINELEN);
727 if (ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
730 i = (size_t) ldns_b64_pton((const char*)d,
732 ldns_b64_ntop_calculate_size(strlen(d)));
743 #endif /* HAVE_SSL */
747 ldns_gen_gost_key(void)
751 int gost_id = ldns_key_EVP_load_gost_id();
754 ctx = EVP_PKEY_CTX_new_id(gost_id, NULL);
756 /* the id should be available now */
759 if(EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) {
760 /* cannot set paramset */
761 EVP_PKEY_CTX_free(ctx);
765 if(EVP_PKEY_keygen_init(ctx) <= 0) {
766 EVP_PKEY_CTX_free(ctx);
769 if(EVP_PKEY_keygen(ctx, &p) <= 0) {
771 EVP_PKEY_CTX_free(ctx);
774 EVP_PKEY_CTX_free(ctx);
780 ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
800 case LDNS_SIGN_RSAMD5:
801 case LDNS_SIGN_RSASHA1:
802 case LDNS_SIGN_RSASHA1_NSEC3:
803 case LDNS_SIGN_RSASHA256:
804 case LDNS_SIGN_RSASHA512:
806 r = RSA_generate_key((int)size, RSA_F4, NULL, NULL);
807 if (RSA_check_key(r) != 1) {
811 ldns_key_set_rsa_key(k, r);
812 #endif /* HAVE_SSL */
815 case LDNS_SIGN_DSA_NSEC3:
817 d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL);
821 if (DSA_generate_key(d) != 1) {
824 ldns_key_set_dsa_key(k, d);
825 #endif /* HAVE_SSL */
827 case LDNS_SIGN_HMACMD5:
828 case LDNS_SIGN_HMACSHA1:
829 case LDNS_SIGN_HMACSHA256:
832 #endif /* HAVE_SSL */
834 ldns_key_set_hmac_size(k, size);
836 hmac = LDNS_XMALLOC(unsigned char, size);
838 if (RAND_bytes(hmac, (int) size) != 1) {
844 while (offset + sizeof(i) < size) {
846 memcpy(&hmac[offset], &i, sizeof(i));
851 memcpy(&hmac[offset], &i, size - offset);
853 #endif /* HAVE_SSL */
854 ldns_key_set_hmac_key(k, hmac);
856 ldns_key_set_flags(k, 0);
858 case LDNS_SIGN_ECC_GOST:
859 #if defined(HAVE_SSL) && defined(USE_GOST)
860 ldns_key_set_evp_key(k, ldns_gen_gost_key());
861 #endif /* HAVE_SSL and USE_GOST */
864 case LDNS_ECDSAP256SHA256:
865 case LDNS_ECDSAP384SHA384:
866 if(alg == LDNS_ECDSAP256SHA256)
867 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
868 else if(alg == LDNS_ECDSAP384SHA384)
869 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
871 if(!EC_KEY_generate_key(ec)) {
875 k->_key.key = EVP_PKEY_new();
880 EVP_PKEY_assign_EC_KEY(k->_key.key, ec);
884 ldns_key_set_algorithm(k, alg);
889 ldns_key_print(FILE *output, const ldns_key *k)
891 char *str = ldns_key2str(k);
893 fprintf(output, "%s", str);
895 fprintf(output, "Unable to convert private key to string\n");
902 ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l)
908 ldns_key_set_flags(ldns_key *k, uint16_t f)
910 k->_extra.dnssec.flags = f;
915 ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e)
921 ldns_key_set_rsa_key(ldns_key *k, RSA *r)
923 EVP_PKEY *key = EVP_PKEY_new();
924 EVP_PKEY_set1_RSA(key, r);
929 ldns_key_set_dsa_key(ldns_key *k, DSA *d)
931 EVP_PKEY *key = EVP_PKEY_new();
932 EVP_PKEY_set1_DSA(key, d);
935 #endif /* HAVE_SSL */
938 ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac)
940 k->_key.hmac.key = hmac;
944 ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size)
946 k->_key.hmac.size = hmac_size;
950 ldns_key_set_external_key(ldns_key *k, void *external_key)
952 k->_key.external_key = external_key;
956 ldns_key_set_origttl(ldns_key *k, uint32_t t)
958 k->_extra.dnssec.orig_ttl = t;
962 ldns_key_set_inception(ldns_key *k, uint32_t i)
964 k->_extra.dnssec.inception = i;
968 ldns_key_set_expiration(ldns_key *k, uint32_t e)
970 k->_extra.dnssec.expiration = e;
974 ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r)
976 k->_pubkey_owner = r;
980 ldns_key_set_keytag(ldns_key *k, uint16_t tag)
982 k->_extra.dnssec.keytag = tag;
987 ldns_key_list_key_count(const ldns_key_list *key_list)
989 return key_list->_key_count;
993 ldns_key_list_key(const ldns_key_list *key, size_t nr)
995 if (nr < ldns_key_list_key_count(key)) {
996 return key->_keys[nr];
1002 ldns_signing_algorithm
1003 ldns_key_algorithm(const ldns_key *k)
1009 ldns_key_set_use(ldns_key *k, bool v)
1017 ldns_key_use(const ldns_key *k)
1027 ldns_key_evp_key(const ldns_key *k)
1033 ldns_key_rsa_key(const ldns_key *k)
1036 return EVP_PKEY_get1_RSA(k->_key.key);
1043 ldns_key_dsa_key(const ldns_key *k)
1046 return EVP_PKEY_get1_DSA(k->_key.key);
1051 #endif /* HAVE_SSL */
1054 ldns_key_hmac_key(const ldns_key *k)
1056 if (k->_key.hmac.key) {
1057 return k->_key.hmac.key;
1064 ldns_key_hmac_size(const ldns_key *k)
1066 if (k->_key.hmac.size) {
1067 return k->_key.hmac.size;
1074 ldns_key_external_key(const ldns_key *k)
1076 return k->_key.external_key;
1080 ldns_key_origttl(const ldns_key *k)
1082 return k->_extra.dnssec.orig_ttl;
1086 ldns_key_flags(const ldns_key *k)
1088 return k->_extra.dnssec.flags;
1092 ldns_key_inception(const ldns_key *k)
1094 return k->_extra.dnssec.inception;
1098 ldns_key_expiration(const ldns_key *k)
1100 return k->_extra.dnssec.expiration;
1104 ldns_key_keytag(const ldns_key *k)
1106 return k->_extra.dnssec.keytag;
1110 ldns_key_pubkey_owner(const ldns_key *k)
1112 return k->_pubkey_owner;
1117 ldns_key_list_set_use(ldns_key_list *keys, bool v)
1121 for (i = 0; i < ldns_key_list_key_count(keys); i++) {
1122 ldns_key_set_use(ldns_key_list_key(keys, i), v);
1127 ldns_key_list_set_key_count(ldns_key_list *key, size_t count)
1129 key->_key_count = count;
1133 ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key)
1138 key_count = ldns_key_list_key_count(key_list);
1140 /* grow the array */
1141 keys = LDNS_XREALLOC(
1142 key_list->_keys, ldns_key *, key_count + 1);
1147 /* add the new member */
1148 key_list->_keys = keys;
1149 key_list->_keys[key_count] = key;
1151 ldns_key_list_set_key_count(key_list, key_count + 1);
1156 ldns_key_list_pop_key(ldns_key_list *key_list)
1165 key_count = ldns_key_list_key_count(key_list);
1166 if (key_count == 0) {
1170 pop = ldns_key_list_key(key_list, key_count);
1172 /* shrink the array */
1173 key_list->_keys = LDNS_XREALLOC(
1174 key_list->_keys, ldns_key *, key_count - 1);
1176 ldns_key_list_set_key_count(key_list, key_count - 1);
1183 ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size)
1191 if (BN_num_bytes(k->e) <= 256) {
1192 /* normally only this path is executed (small factors are
1195 data[0] = (unsigned char) BN_num_bytes(k->e);
1196 i = BN_bn2bin(k->e, data + 1);
1197 j = BN_bn2bin(k->n, data + i + 1);
1198 *size = (uint16_t) i + j;
1199 } else if (BN_num_bytes(k->e) <= 65536) {
1201 /* BN_bn2bin does bigendian, _uint16 also */
1202 ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k->e));
1204 BN_bn2bin(k->e, data + 3);
1205 BN_bn2bin(k->n, data + 4 + BN_num_bytes(k->e));
1206 *size = (uint16_t) BN_num_bytes(k->n) + 6;
1214 ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size)
1223 *size = (uint16_t)BN_num_bytes(k->g);
1224 T = (*size - 64) / 8;
1225 memcpy(data, &T, 1);
1228 fprintf(stderr, "DSA key with T > 8 (ie. > 1024 bits)");
1229 fprintf(stderr, " not implemented\n");
1233 /* size = 64 + (T * 8); */
1234 data[0] = (unsigned char)T;
1235 BN_bn2bin(k->q, data + 1 ); /* 20 octects */
1236 BN_bn2bin(k->p, data + 21 ); /* offset octects */
1237 BN_bn2bin(k->g, data + 21 + *size); /* offset octets */
1238 BN_bn2bin(k->pub_key, data + 21 + *size + *size); /* offset octets */
1239 *size = 21 + (*size * 3);
1245 ldns_key_gost2bin(unsigned char* data, EVP_PKEY* k, uint16_t* size)
1248 unsigned char* pp = NULL;
1249 if(i2d_PUBKEY(k, &pp) != 37 + 64) {
1250 /* expect 37 byte(ASN header) and 64 byte(X and Y) */
1254 /* omit ASN header */
1261 #endif /* USE_GOST */
1262 #endif /* HAVE_SSL */
1265 ldns_key2rr(const ldns_key *k)
1267 /* this function will convert a the keydata contained in
1268 * rsa/dsa pointers to a DNSKEY rr. It will fill in as
1269 * much as it can, but it does not know about key-flags
1274 unsigned char *bin = NULL;
1279 #endif /* HAVE_SSL */
1283 int internal_data = 0;
1285 pubkey = ldns_rr_new();
1290 switch (ldns_key_algorithm(k)) {
1291 case LDNS_SIGN_HMACMD5:
1292 case LDNS_SIGN_HMACSHA1:
1293 case LDNS_SIGN_HMACSHA256:
1294 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY);
1297 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_DNSKEY);
1300 /* zero-th rdf - flags */
1301 ldns_rr_push_rdf(pubkey,
1302 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
1303 ldns_key_flags(k)));
1305 ldns_rr_push_rdf(pubkey,
1306 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO));
1308 if (ldns_key_pubkey_owner(k)) {
1309 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k)));
1312 /* third - da algorithm */
1313 switch(ldns_key_algorithm(k)) {
1316 case LDNS_RSASHA1_NSEC3:
1317 case LDNS_RSASHA256:
1318 case LDNS_RSASHA512:
1319 ldns_rr_push_rdf(pubkey,
1320 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1322 rsa = ldns_key_rsa_key(k);
1324 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1328 if (!ldns_key_rsa2bin(bin, rsa, &size)) {
1338 ldns_rr_push_rdf(pubkey,
1339 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA));
1341 dsa = ldns_key_dsa_key(k);
1343 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1347 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1353 #endif /* HAVE_SSL */
1355 case LDNS_DSA_NSEC3:
1356 ldns_rr_push_rdf(pubkey,
1357 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3));
1359 dsa = ldns_key_dsa_key(k);
1361 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1365 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1371 #endif /* HAVE_SSL */
1373 case LDNS_SIGN_ECC_GOST:
1374 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
1375 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1376 #if defined(HAVE_SSL) && defined(USE_GOST)
1377 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1380 if (!ldns_key_gost2bin(bin, k->_key.key, &size)) {
1384 #endif /* HAVE_SSL and USE_GOST */
1387 case LDNS_SIGN_ECDSAP256SHA256:
1388 case LDNS_SIGN_ECDSAP384SHA384:
1389 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
1390 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1392 ec = EVP_PKEY_get1_EC_KEY(k->_key.key);
1393 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED);
1394 size = i2o_ECPublicKey(ec, NULL);
1395 if(!i2o_ECPublicKey(ec, &bin))
1398 /* move back one byte to shave off the 0x02
1399 * 'uncompressed' indicator that openssl made
1400 * Actually its 0x04 (from implementation).
1402 assert(bin[0] == POINT_CONVERSION_UNCOMPRESSED);
1404 memmove(bin, bin+1, size);
1406 /* down the reference count for ec, its still assigned
1412 case LDNS_SIGN_HMACMD5:
1413 case LDNS_SIGN_HMACSHA1:
1414 case LDNS_SIGN_HMACSHA256:
1415 bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k));
1419 ldns_rr_push_rdf(pubkey,
1420 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
1421 ldns_key_algorithm(k)));
1422 size = ldns_key_hmac_size(k);
1423 memcpy(bin, ldns_key_hmac_key(k), size);
1427 /* fourth the key bin material */
1428 if (internal_data) {
1429 keybin = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, size, bin);
1431 ldns_rr_push_rdf(pubkey, keybin);
1437 ldns_key_free(ldns_key *key)
1443 ldns_key_deep_free(ldns_key *key)
1445 if (ldns_key_pubkey_owner(key)) {
1446 ldns_rdf_deep_free(ldns_key_pubkey_owner(key));
1449 if (ldns_key_evp_key(key)) {
1450 EVP_PKEY_free(ldns_key_evp_key(key));
1452 #endif /* HAVE_SSL */
1453 if (ldns_key_hmac_key(key)) {
1454 free(ldns_key_hmac_key(key));
1460 ldns_key_list_free(ldns_key_list *key_list)
1463 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1464 ldns_key_deep_free(ldns_key_list_key(key_list, i));
1466 LDNS_FREE(key_list->_keys);
1467 LDNS_FREE(key_list);
1471 ldns_read_anchor_file(const char *filename)
1474 /*char line[LDNS_MAX_PACKETLEN];*/
1475 char *line = LDNS_XMALLOC(char, LDNS_MAX_PACKETLEN);
1481 fp = fopen(filename, "r");
1483 fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
1488 while ((c = fgetc(fp)) && i < LDNS_MAX_PACKETLEN && c != EOF) {
1497 fprintf(stderr, "nothing read from %s", filename);
1501 status = ldns_rr_new_frm_str(&r, line, 0, NULL, NULL);
1502 if (status == LDNS_STATUS_OK && (ldns_rr_get_type(r) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(r) == LDNS_RR_TYPE_DS)) {
1506 fprintf(stderr, "Error creating DNSKEY or DS rr from %s: %s\n", filename, ldns_get_errorstr_by_id(status));
1514 ldns_key_get_file_base_name(ldns_key *key)
1516 ldns_buffer *buffer;
1517 char *file_base_name;
1519 buffer = ldns_buffer_new(255);
1520 ldns_buffer_printf(buffer, "K");
1521 (void)ldns_rdf2buffer_str_dname(buffer, ldns_key_pubkey_owner(key));
1522 ldns_buffer_printf(buffer,
1524 ldns_key_algorithm(key),
1525 ldns_key_keytag(key));
1526 file_base_name = strdup(ldns_buffer_export(buffer));
1527 ldns_buffer_free(buffer);
1528 return file_base_name;
1531 int ldns_key_algo_supported(int algo)
1533 ldns_lookup_table *lt = ldns_signing_algorithms;
1542 ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name)
1544 /* list of (signing algorithm id, alias_name) */
1545 ldns_lookup_table aliases[] = {
1546 /* from bind dnssec-keygen */
1547 {LDNS_SIGN_HMACMD5, "HMAC-MD5"},
1548 {LDNS_SIGN_DSA_NSEC3, "NSEC3DSA"},
1549 {LDNS_SIGN_RSASHA1_NSEC3, "NSEC3RSASHA1"},
1550 /* old ldns usage, now RFC names */
1551 {LDNS_SIGN_DSA_NSEC3, "DSA_NSEC3" },
1552 {LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1_NSEC3" },
1554 {LDNS_SIGN_ECC_GOST, "GOST"},
1556 /* compat with possible output */
1559 {LDNS_INDIRECT, "INDIRECT"},
1560 {LDNS_PRIVATEDNS, "PRIVATEDNS"},
1561 {LDNS_PRIVATEOID, "PRIVATEOID"},
1563 ldns_lookup_table* lt = ldns_signing_algorithms;
1565 if(strcasecmp(lt->name, name) == 0)
1571 if(strcasecmp(lt->name, name) == 0)