2 * keys.c handle private keys for use in DNSSEC
4 * This module should hide some of the openSSL complexities
5 * and give a general interface for private keys and hmac
8 * (c) NLnet Labs, 2004-2006
10 * See the file LICENSE for the license
13 #include <ldns/config.h>
15 #include <ldns/ldns.h>
18 #include <openssl/ssl.h>
19 #ifndef OPENSSL_NO_ENGINE
20 #include <openssl/engine.h>
22 #include <openssl/rand.h>
25 ldns_lookup_table ldns_signing_algorithms[] = {
26 { LDNS_SIGN_RSAMD5, "RSAMD5" },
27 { LDNS_SIGN_RSASHA1, "RSASHA1" },
28 { LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" },
30 { LDNS_SIGN_RSASHA256, "RSASHA256" },
31 { LDNS_SIGN_RSASHA512, "RSASHA512" },
34 { LDNS_SIGN_ECC_GOST, "ECC-GOST" },
37 { LDNS_SIGN_ECDSAP256SHA256, "ECDSAP256SHA256" },
38 { LDNS_SIGN_ECDSAP384SHA384, "ECDSAP384SHA384" },
41 { LDNS_SIGN_ED25519, "ED25519" },
44 { LDNS_SIGN_ED448, "ED448" },
47 { LDNS_SIGN_DSA, "DSA" },
48 { LDNS_SIGN_DSA_NSEC3, "DSA-NSEC3-SHA1" },
50 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" },
51 { LDNS_SIGN_HMACSHA1, "hmac-sha1" },
52 { LDNS_SIGN_HMACSHA256, "hmac-sha256" },
53 { LDNS_SIGN_HMACSHA224, "hmac-sha224" },
54 { LDNS_SIGN_HMACSHA384, "hmac-sha384" },
55 { LDNS_SIGN_HMACSHA512, "hmac-sha512" },
60 ldns_key_list_new(void)
62 ldns_key_list *key_list = LDNS_MALLOC(ldns_key_list);
66 key_list->_key_count = 0;
67 key_list->_keys = NULL;
77 newkey = LDNS_MALLOC(ldns_key);
81 /* some defaults - not sure wether to do this */
82 ldns_key_set_use(newkey, true);
83 ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY);
84 ldns_key_set_origttl(newkey, 0);
85 ldns_key_set_keytag(newkey, 0);
86 ldns_key_set_inception(newkey, 0);
87 ldns_key_set_expiration(newkey, 0);
88 ldns_key_set_pubkey_owner(newkey, NULL);
90 ldns_key_set_evp_key(newkey, NULL);
92 ldns_key_set_hmac_key(newkey, NULL);
93 ldns_key_set_external_key(newkey, NULL);
99 ldns_key_new_frm_fp(ldns_key **k, FILE *fp)
101 return ldns_key_new_frm_fp_l(k, fp, NULL);
104 #if defined(HAVE_SSL) && !defined(OPENSSL_NO_ENGINE)
106 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg)
111 if(!k) return LDNS_STATUS_MEM_ERR;
113 k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL);
116 return LDNS_STATUS_ERR;
118 ldns_key_set_algorithm(k, (ldns_signing_algorithm) alg);
121 return LDNS_STATUS_ENGINE_KEY_NOT_LOADED;
125 return LDNS_STATUS_OK;
130 /** store GOST engine reference loaded into OpenSSL library */
131 ENGINE* ldns_gost_engine = NULL;
134 ldns_key_EVP_load_gost_id(void)
136 static int gost_id = 0;
137 const EVP_PKEY_ASN1_METHOD* meth;
140 if(gost_id) return gost_id;
142 /* see if configuration loaded gost implementation from other engine*/
143 meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
145 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
149 /* see if engine can be loaded already */
150 e = ENGINE_by_id("gost");
152 /* load it ourself, in case statically linked */
153 ENGINE_load_builtin_engines();
154 ENGINE_load_dynamic();
155 e = ENGINE_by_id("gost");
158 /* no gost engine in openssl */
161 if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
167 meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
174 /* Note: do not ENGINE_finish and ENGINE_free the acquired engine
175 * on some platforms this frees up the meth and unloads gost stuff */
176 ldns_gost_engine = e;
178 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
182 void ldns_key_EVP_unload_gost(void)
184 if(ldns_gost_engine) {
185 ENGINE_finish(ldns_gost_engine);
186 ENGINE_free(ldns_gost_engine);
187 ldns_gost_engine = NULL;
191 /** read GOST private key */
193 ldns_key_new_frm_fp_gost_l(FILE* fp, int* line_nr)
196 const unsigned char* pp;
199 ldns_rdf* b64rdf = NULL;
201 gost_id = ldns_key_EVP_load_gost_id();
205 if (ldns_fget_keyword_data_l(fp, "GostAsn1", ": ", token, "\n",
206 sizeof(token), line_nr) == -1)
208 while(strlen(token) < 96) {
209 /* read more b64 from the file, b64 split on multiple lines */
210 if(ldns_fget_token_l(fp, token+strlen(token), "\n",
211 sizeof(token)-strlen(token), line_nr) == -1)
214 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
216 pp = (unsigned char*)ldns_rdf_data(b64rdf);
217 pkey = d2i_PrivateKey(gost_id, NULL, &pp, (int)ldns_rdf_size(b64rdf));
218 ldns_rdf_deep_free(b64rdf);
224 /** calculate public key from private key */
226 ldns_EC_KEY_calc_public(EC_KEY* ec)
229 const EC_GROUP* group;
230 group = EC_KEY_get0_group(ec);
231 pub_key = EC_POINT_new(group);
232 if(!pub_key) return 0;
233 if(!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) {
234 EC_POINT_free(pub_key);
237 if(!EC_POINT_mul(group, pub_key, EC_KEY_get0_private_key(ec),
239 EC_POINT_free(pub_key);
242 if(EC_KEY_set_public_key(ec, pub_key) == 0) {
243 EC_POINT_free(pub_key);
246 EC_POINT_free(pub_key);
250 /** read ECDSA private key */
252 ldns_key_new_frm_fp_ecdsa_l(FILE* fp, ldns_algorithm alg, int* line_nr)
255 ldns_rdf* b64rdf = NULL;
260 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n",
261 sizeof(token), line_nr) == -1)
263 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
265 pp = (unsigned char*)ldns_rdf_data(b64rdf);
267 if(alg == LDNS_ECDSAP256SHA256)
268 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
269 else if(alg == LDNS_ECDSAP384SHA384)
270 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
273 ldns_rdf_deep_free(b64rdf);
276 bn = BN_bin2bn(pp, (int)ldns_rdf_size(b64rdf), NULL);
277 ldns_rdf_deep_free(b64rdf);
282 EC_KEY_set_private_key(ec, bn);
284 if(!ldns_EC_KEY_calc_public(ec)) {
289 evp_key = EVP_PKEY_new();
294 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
295 EVP_PKEY_free(evp_key);
304 /** turn private key buffer into EC_KEY structure */
306 ldns_ed25519_priv_raw(uint8_t* pkey, int plen)
308 const unsigned char* pp;
311 uint8_t pre[] = {0x30, 0x32, 0x02, 0x01, 0x01, 0x04, 0x20};
313 uint8_t post[] = {0xa0, 0x0b, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04,
314 0x01, 0xda, 0x47, 0x0f, 0x01};
317 /* ASN looks like this for ED25519
318 * 30320201010420 <32byteskey>
319 * andparameters a00b06092b06010401da470f01
320 * (noparameters, preamble is 30250201010420).
321 * the key is reversed (little endian).
323 buflen = pre_len + plen + post_len;
324 if((size_t)buflen > sizeof(buf))
326 memmove(buf, pre, pre_len);
327 /* reverse the pkey into the buf */
328 for(i=0; i<plen; i++)
329 buf[pre_len+i] = pkey[plen-1-i];
330 memmove(buf+pre_len+plen, post, post_len);
332 return d2i_ECPrivateKey(NULL, &pp, buflen);
335 /** read ED25519 private key */
337 ldns_key_new_frm_fp_ed25519_l(FILE* fp, int* line_nr)
340 ldns_rdf* b64rdf = NULL;
343 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n",
344 sizeof(token), line_nr) == -1)
346 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
349 /* we use d2i_ECPrivateKey because it calculates the public key
350 * from the private part, which others, EC_KEY_set_private_key,
351 * and o2i methods, do not do */
352 /* for that the private key has to be encoded in ASN1 notation
353 * with a X25519 prefix on it */
355 ec = ldns_ed25519_priv_raw(ldns_rdf_data(b64rdf),
356 (int)ldns_rdf_size(b64rdf));
357 ldns_rdf_deep_free(b64rdf);
359 if(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)) != NID_X25519) {
360 /* wrong group, bad asn conversion */
365 evp_key = EVP_PKEY_new();
370 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
371 EVP_PKEY_free(evp_key);
380 /** turn private key buffer into EC_KEY structure */
382 ldns_ed448_priv_raw(uint8_t* pkey, int plen)
384 const unsigned char* pp;
387 uint8_t pre[] = {0x30, 0x4b, 0x02, 0x01, 0x01, 0x04, 0x39};
389 uint8_t post[] = {0xa0, 0x0b, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04,
390 0x01, 0xda, 0x47, 0x0f, 0x02};
393 /* ASN looks like this for ED25519
394 * And for ED448, the parameters are ...02 instead of ...01
395 * For ED25519 it was:
396 * 30320201010420 <32byteskey>
397 * andparameters a00b06092b06010401da470f01
398 * (noparameters, preamble is 30250201010420).
399 * the key is reversed (little endian).
401 * For ED448 the key is 57 bytes, and that changes lengths.
402 * 304b0201010439 <57bytekey> a00b06092b06010401da470f02
404 buflen = pre_len + plen + post_len;
405 if((size_t)buflen > sizeof(buf))
407 memmove(buf, pre, pre_len);
408 /* reverse the pkey into the buf */
409 for(i=0; i<plen; i++)
410 buf[pre_len+i] = pkey[plen-1-i];
411 memmove(buf+pre_len+plen, post, post_len);
413 return d2i_ECPrivateKey(NULL, &pp, buflen);
416 /** read ED448 private key */
418 ldns_key_new_frm_fp_ed448_l(FILE* fp, int* line_nr)
421 ldns_rdf* b64rdf = NULL;
424 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n",
425 sizeof(token), line_nr) == -1)
427 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
430 /* convert private key into ASN notation and then convert that */
431 ec = ldns_ed448_priv_raw(ldns_rdf_data(b64rdf),
432 (int)ldns_rdf_size(b64rdf));
433 ldns_rdf_deep_free(b64rdf);
435 if(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)) != NID_X448) {
436 /* wrong group, bad asn conversion */
441 evp_key = EVP_PKEY_new();
446 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
447 EVP_PKEY_free(evp_key);
456 ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
460 ldns_signing_algorithm alg;
469 #endif /* HAVE_SSL */
473 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
477 return LDNS_STATUS_MEM_ERR;
482 /* the file is highly structured. Do this in sequence */
484 * Private-key-format: v1.x.
488 /* get the key format version number */
489 if (ldns_fget_keyword_data_l(fp, "Private-key-format", ": ", d, "\n",
490 LDNS_MAX_LINELEN, line_nr) == -1) {
491 /* no version information */
494 return LDNS_STATUS_SYNTAX_ERR;
496 if (strncmp(d, "v1.", 3) != 0) {
499 return LDNS_STATUS_SYNTAX_VERSION_ERR;
502 /* get the algorithm type, our file function strip ( ) so there are
503 * not in the return string! */
504 if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n",
505 LDNS_MAX_LINELEN, line_nr) == -1) {
506 /* no alg information */
509 return LDNS_STATUS_SYNTAX_ALG_ERR;
512 if (strncmp(d, "1 RSA", 2) == 0) {
513 alg = LDNS_SIGN_RSAMD5;
515 if (strncmp(d, "2 DH", 2) == 0) {
516 alg = (ldns_signing_algorithm)LDNS_DH;
518 if (strncmp(d, "3 DSA", 2) == 0) {
523 fprintf(stderr, "Warning: DSA not compiled into this ");
524 fprintf(stderr, "version of ldns\n");
528 if (strncmp(d, "4 ECC", 2) == 0) {
529 alg = (ldns_signing_algorithm)LDNS_ECC;
531 if (strncmp(d, "5 RSASHA1", 2) == 0) {
532 alg = LDNS_SIGN_RSASHA1;
534 if (strncmp(d, "6 DSA", 2) == 0) {
536 alg = LDNS_SIGN_DSA_NSEC3;
539 fprintf(stderr, "Warning: DSA not compiled into this ");
540 fprintf(stderr, "version of ldns\n");
544 if (strncmp(d, "7 RSASHA1", 2) == 0) {
545 alg = LDNS_SIGN_RSASHA1_NSEC3;
548 if (strncmp(d, "8 RSASHA256", 2) == 0) {
550 alg = LDNS_SIGN_RSASHA256;
553 fprintf(stderr, "Warning: SHA256 not compiled into this ");
554 fprintf(stderr, "version of ldns\n");
558 if (strncmp(d, "10 RSASHA512", 3) == 0) {
560 alg = LDNS_SIGN_RSASHA512;
563 fprintf(stderr, "Warning: SHA512 not compiled into this ");
564 fprintf(stderr, "version of ldns\n");
568 if (strncmp(d, "12 ECC-GOST", 3) == 0) {
570 alg = LDNS_SIGN_ECC_GOST;
573 fprintf(stderr, "Warning: ECC-GOST not compiled into this ");
574 fprintf(stderr, "version of ldns, use --enable-gost\n");
578 if (strncmp(d, "13 ECDSAP256SHA256", 3) == 0) {
580 alg = LDNS_SIGN_ECDSAP256SHA256;
583 fprintf(stderr, "Warning: ECDSA not compiled into this ");
584 fprintf(stderr, "version of ldns, use --enable-ecdsa\n");
588 if (strncmp(d, "14 ECDSAP384SHA384", 3) == 0) {
590 alg = LDNS_SIGN_ECDSAP384SHA384;
593 fprintf(stderr, "Warning: ECDSA not compiled into this ");
594 fprintf(stderr, "version of ldns, use --enable-ecdsa\n");
598 if (strncmp(d, "15 ED25519", 3) == 0) {
600 alg = LDNS_SIGN_ED25519;
603 fprintf(stderr, "Warning: ED25519 not compiled into this ");
604 fprintf(stderr, "version of ldns, use --enable-ed25519\n");
608 if (strncmp(d, "16 ED448", 3) == 0) {
610 alg = LDNS_SIGN_ED448;
613 fprintf(stderr, "Warning: ED448 not compiled into this ");
614 fprintf(stderr, "version of ldns, use --enable-ed448\n");
618 if (strncmp(d, "157 HMAC-MD5", 4) == 0) {
619 alg = LDNS_SIGN_HMACMD5;
621 if (strncmp(d, "158 HMAC-SHA1", 4) == 0) {
622 alg = LDNS_SIGN_HMACSHA1;
624 if (strncmp(d, "159 HMAC-SHA256", 4) == 0) {
625 alg = LDNS_SIGN_HMACSHA256;
627 /* For compatibility with dnssec-keygen */
628 if (strncmp(d, "161 ", 4) == 0) {
629 alg = LDNS_SIGN_HMACSHA1;
631 if (strncmp(d, "162 HMAC-SHA224", 4) == 0) {
632 alg = LDNS_SIGN_HMACSHA224;
634 /* For compatibility with dnssec-keygen */
635 if (strncmp(d, "163 ", 4) == 0) {
636 alg = LDNS_SIGN_HMACSHA256;
638 if (strncmp(d, "164 HMAC-SHA384", 4) == 0) {
639 alg = LDNS_SIGN_HMACSHA384;
641 if (strncmp(d, "165 HMAC-SHA512", 4) == 0) {
642 alg = LDNS_SIGN_HMACSHA512;
647 case LDNS_SIGN_RSAMD5:
648 case LDNS_SIGN_RSASHA1:
649 case LDNS_SIGN_RSASHA1_NSEC3:
651 case LDNS_SIGN_RSASHA256:
652 case LDNS_SIGN_RSASHA512:
654 ldns_key_set_algorithm(k, alg);
656 rsa = ldns_key_new_frm_fp_rsa_l(fp, line_nr);
659 return LDNS_STATUS_ERR;
661 ldns_key_assign_rsa_key(k, rsa);
662 #endif /* HAVE_SSL */
666 case LDNS_SIGN_DSA_NSEC3:
667 ldns_key_set_algorithm(k, alg);
669 dsa = ldns_key_new_frm_fp_dsa_l(fp, line_nr);
672 return LDNS_STATUS_ERR;
674 ldns_key_assign_dsa_key(k, dsa);
675 #endif /* HAVE_SSL */
678 case LDNS_SIGN_HMACMD5:
679 case LDNS_SIGN_HMACSHA1:
680 case LDNS_SIGN_HMACSHA224:
681 case LDNS_SIGN_HMACSHA256:
682 case LDNS_SIGN_HMACSHA384:
683 case LDNS_SIGN_HMACSHA512:
684 ldns_key_set_algorithm(k, alg);
686 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size);
689 return LDNS_STATUS_ERR;
691 ldns_key_set_hmac_size(k, hmac_size);
692 ldns_key_set_hmac_key(k, hmac);
693 #endif /* HAVE_SSL */
695 case LDNS_SIGN_ECC_GOST:
696 ldns_key_set_algorithm(k, alg);
697 #if defined(HAVE_SSL) && defined(USE_GOST)
698 if(!ldns_key_EVP_load_gost_id()) {
700 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL;
702 ldns_key_set_evp_key(k,
703 ldns_key_new_frm_fp_gost_l(fp, line_nr));
707 return LDNS_STATUS_ERR;
713 case LDNS_SIGN_ECDSAP256SHA256:
714 case LDNS_SIGN_ECDSAP384SHA384:
715 ldns_key_set_algorithm(k, alg);
716 ldns_key_set_evp_key(k,
717 ldns_key_new_frm_fp_ecdsa_l(fp, (ldns_algorithm)alg, line_nr));
721 return LDNS_STATUS_ERR;
727 case LDNS_SIGN_ED25519:
728 ldns_key_set_algorithm(k, alg);
729 ldns_key_set_evp_key(k,
730 ldns_key_new_frm_fp_ed25519_l(fp, line_nr));
734 return LDNS_STATUS_ERR;
740 case LDNS_SIGN_ED448:
741 ldns_key_set_algorithm(k, alg);
742 ldns_key_set_evp_key(k,
743 ldns_key_new_frm_fp_ed448_l(fp, line_nr));
747 return LDNS_STATUS_ERR;
754 return LDNS_STATUS_SYNTAX_ALG_ERR;
756 key_rr = ldns_key2rr(k);
757 ldns_key_set_keytag(k, ldns_calc_keytag(key_rr));
758 ldns_rr_free(key_rr);
762 return LDNS_STATUS_OK;
765 return LDNS_STATUS_ERR;
770 ldns_key_new_frm_fp_rsa(FILE *f)
772 return ldns_key_new_frm_fp_rsa_l(f, NULL);
776 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
792 * BIGNUM *n; // public modulus
793 * BIGNUM *e; // public exponent
794 * BIGNUM *d; // private exponent
795 * BIGNUM *p; // secret prime factor
796 * BIGNUM *q; // secret prime factor
797 * BIGNUM *dmp1; // d mod (p-1)
798 * BIGNUM *dmq1; // d mod (q-1)
799 * BIGNUM *iqmp; // q^-1 mod p
807 BIGNUM *n=NULL, *e=NULL, *d=NULL, *p=NULL, *q=NULL,
808 *dmp1=NULL, *dmq1=NULL, *iqmp=NULL;
810 b = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
811 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
813 if (!b || !rsa || !buf) {
817 /* I could use functions again, but that seems an overkill,
818 * allthough this also looks tedious
821 /* Modules, rsa->n */
822 if (ldns_fget_keyword_data_l(f, "Modulus", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
825 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
827 n = BN_bin2bn((const char unsigned*)buf, i, NULL);
832 /* PublicExponent, rsa->e */
833 if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
836 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
837 e = BN_bin2bn((const char unsigned*)buf, i, NULL);
842 /* PrivateExponent, rsa->d */
843 if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
846 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
847 d = BN_bin2bn((const char unsigned*)buf, i, NULL);
853 if (ldns_fget_keyword_data_l(f, "Prime1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
856 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
857 p = BN_bin2bn((const char unsigned*)buf, i, NULL);
863 if (ldns_fget_keyword_data_l(f, "Prime2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
866 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
867 q = BN_bin2bn((const char unsigned*)buf, i, NULL);
872 /* Exponent1, rsa->dmp1 */
873 if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
876 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
877 dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
882 /* Exponent2, rsa->dmq1 */
883 if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
886 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
887 dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
892 /* Coefficient, rsa->iqmp */
893 if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
896 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
897 iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL);
903 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
915 if(!RSA_set0_key(rsa, n, e, d))
920 if(!RSA_set0_factors(rsa, p, q))
924 if(!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp))
948 ldns_key_new_frm_fp_dsa(FILE *f)
950 return ldns_key_new_frm_fp_dsa_l(f, NULL);
954 ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr))
960 BIGNUM *p=NULL, *q=NULL, *g=NULL, *priv_key=NULL, *pub_key=NULL;
962 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
963 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
965 if (!d || !dsa || !buf) {
969 /* the line parser removes the () from the input... */
972 if (ldns_fget_keyword_data_l(f, "Primep", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
975 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
977 p = BN_bin2bn((const char unsigned*)buf, i, NULL);
982 /* Subprime, dsa->q */
983 if (ldns_fget_keyword_data_l(f, "Subprimeq", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
986 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
987 q = BN_bin2bn((const char unsigned*)buf, i, NULL);
993 if (ldns_fget_keyword_data_l(f, "Baseg", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
996 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
997 g = BN_bin2bn((const char unsigned*)buf, i, NULL);
1002 /* Private key, dsa->priv_key */
1003 if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
1006 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
1007 priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
1012 /* Public key, dsa->priv_key */
1013 if (ldns_fget_keyword_data_l(f, "Public_valuey", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
1016 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
1017 pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
1023 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
1028 dsa->priv_key = priv_key;
1029 dsa->pub_key = pub_key;
1032 if(!DSA_set0_pqg(dsa, p, q, g))
1037 if(!DSA_set0_key(dsa, pub_key, priv_key))
1059 ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size)
1061 return ldns_key_new_frm_fp_hmac_l(f, NULL, hmac_size);
1065 ldns_key_new_frm_fp_hmac_l( FILE *f
1066 , ATTR_UNUSED(int *line_nr)
1071 char d[LDNS_MAX_LINELEN];
1072 unsigned char *buf = NULL;
1074 if (ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
1077 bufsz = ldns_b64_ntop_calculate_size(strlen(d));
1078 buf = LDNS_XMALLOC(unsigned char, bufsz);
1079 i = (size_t) ldns_b64_pton((const char*)d, buf, bufsz);
1089 #endif /* HAVE_SSL */
1093 ldns_gen_gost_key(void)
1097 int gost_id = ldns_key_EVP_load_gost_id();
1100 ctx = EVP_PKEY_CTX_new_id(gost_id, NULL);
1102 /* the id should be available now */
1105 if(EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) {
1106 /* cannot set paramset */
1107 EVP_PKEY_CTX_free(ctx);
1111 if(EVP_PKEY_keygen_init(ctx) <= 0) {
1112 EVP_PKEY_CTX_free(ctx);
1115 if(EVP_PKEY_keygen(ctx, &p) <= 0) {
1117 EVP_PKEY_CTX_free(ctx);
1120 EVP_PKEY_CTX_free(ctx);
1126 ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
1132 #endif /* USE_DSA */
1136 # ifdef HAVE_EVP_PKEY_KEYGEN
1143 uint16_t offset = 0;
1145 unsigned char *hmac;
1152 case LDNS_SIGN_RSAMD5:
1153 case LDNS_SIGN_RSASHA1:
1154 case LDNS_SIGN_RSASHA1_NSEC3:
1155 case LDNS_SIGN_RSASHA256:
1156 case LDNS_SIGN_RSASHA512:
1158 #ifdef HAVE_EVP_PKEY_KEYGEN
1159 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
1164 if(EVP_PKEY_keygen_init(ctx) <= 0) {
1166 EVP_PKEY_CTX_free(ctx);
1169 if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, size) <= 0) {
1171 EVP_PKEY_CTX_free(ctx);
1175 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) {
1177 EVP_PKEY_CTX_free(ctx);
1181 EVP_PKEY_CTX_free(ctx);
1182 #else /* HAVE_EVP_PKEY_KEYGEN */
1183 r = RSA_generate_key((int)size, RSA_F4, NULL, NULL);
1188 if (RSA_check_key(r) != 1) {
1192 ldns_key_set_rsa_key(k, r);
1194 #endif /* HAVE_EVP_PKEY_KEYGEN */
1195 #endif /* HAVE_SSL */
1198 case LDNS_SIGN_DSA_NSEC3:
1201 # if OPENSSL_VERSION_NUMBER < 0x00908000L
1202 d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL);
1209 if (! (d = DSA_new())) {
1213 if (! DSA_generate_parameters_ex(d, (int)size, NULL, 0, NULL, NULL, NULL)) {
1219 if (DSA_generate_key(d) != 1) {
1223 ldns_key_set_dsa_key(k, d);
1225 #endif /* HAVE_SSL */
1226 #endif /* USE_DSA */
1228 case LDNS_SIGN_HMACMD5:
1229 case LDNS_SIGN_HMACSHA1:
1230 case LDNS_SIGN_HMACSHA224:
1231 case LDNS_SIGN_HMACSHA256:
1232 case LDNS_SIGN_HMACSHA384:
1233 case LDNS_SIGN_HMACSHA512:
1238 #endif /* HAVE_SSL */
1240 ldns_key_set_hmac_size(k, size);
1242 hmac = LDNS_XMALLOC(unsigned char, size);
1248 if (RAND_bytes(hmac, (int) size) != 1) {
1254 while (offset + sizeof(i) < size) {
1256 memcpy(&hmac[offset], &i, sizeof(i));
1257 offset += sizeof(i);
1259 if (offset < size) {
1261 memcpy(&hmac[offset], &i, size - offset);
1263 #endif /* HAVE_SSL */
1264 ldns_key_set_hmac_key(k, hmac);
1266 ldns_key_set_flags(k, 0);
1268 case LDNS_SIGN_ECC_GOST:
1269 #if defined(HAVE_SSL) && defined(USE_GOST)
1270 ldns_key_set_evp_key(k, ldns_gen_gost_key());
1280 #endif /* HAVE_SSL and USE_GOST */
1282 case LDNS_SIGN_ECDSAP256SHA256:
1283 case LDNS_SIGN_ECDSAP384SHA384:
1285 if(alg == LDNS_SIGN_ECDSAP256SHA256)
1286 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1287 else if(alg == LDNS_SIGN_ECDSAP384SHA384)
1288 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
1293 if(!EC_KEY_generate_key(ec)) {
1299 k->_key.key = EVP_PKEY_new();
1305 if (!EVP_PKEY_assign_EC_KEY(k->_key.key, ec)) {
1317 case LDNS_SIGN_ED25519:
1318 #ifdef HAVE_EVP_PKEY_KEYGEN
1319 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1324 if(EVP_PKEY_keygen_init(ctx) <= 0) {
1326 EVP_PKEY_CTX_free(ctx);
1329 if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx,
1332 EVP_PKEY_CTX_free(ctx);
1335 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) {
1337 EVP_PKEY_CTX_free(ctx);
1340 EVP_PKEY_CTX_free(ctx);
1343 #endif /* ED25519 */
1345 case LDNS_SIGN_ED448:
1346 #ifdef HAVE_EVP_PKEY_KEYGEN
1347 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1352 if(EVP_PKEY_keygen_init(ctx) <= 0) {
1354 EVP_PKEY_CTX_free(ctx);
1357 if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx,
1360 EVP_PKEY_CTX_free(ctx);
1363 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) {
1365 EVP_PKEY_CTX_free(ctx);
1368 EVP_PKEY_CTX_free(ctx);
1373 ldns_key_set_algorithm(k, alg);
1378 ldns_key_print(FILE *output, const ldns_key *k)
1380 char *str = ldns_key2str(k);
1382 fprintf(output, "%s", str);
1384 fprintf(output, "Unable to convert private key to string\n");
1391 ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l)
1397 ldns_key_set_flags(ldns_key *k, uint16_t f)
1399 k->_extra.dnssec.flags = f;
1405 ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e)
1411 ldns_key_set_rsa_key(ldns_key *k, RSA *r)
1413 EVP_PKEY *key = EVP_PKEY_new();
1414 EVP_PKEY_set1_RSA(key, r);
1419 ldns_key_set_dsa_key(ldns_key *k, DSA *d)
1422 EVP_PKEY *key = EVP_PKEY_new();
1423 EVP_PKEY_set1_DSA(key, d);
1431 ldns_key_assign_rsa_key(ldns_key *k, RSA *r)
1433 EVP_PKEY *key = EVP_PKEY_new();
1434 EVP_PKEY_assign_RSA(key, r);
1439 ldns_key_assign_dsa_key(ldns_key *k, DSA *d)
1442 EVP_PKEY *key = EVP_PKEY_new();
1443 EVP_PKEY_assign_DSA(key, d);
1450 #endif /* HAVE_SSL */
1453 ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac)
1455 k->_key.hmac.key = hmac;
1459 ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size)
1461 k->_key.hmac.size = hmac_size;
1465 ldns_key_set_external_key(ldns_key *k, void *external_key)
1467 k->_key.external_key = external_key;
1471 ldns_key_set_origttl(ldns_key *k, uint32_t t)
1473 k->_extra.dnssec.orig_ttl = t;
1477 ldns_key_set_inception(ldns_key *k, uint32_t i)
1479 k->_extra.dnssec.inception = i;
1483 ldns_key_set_expiration(ldns_key *k, uint32_t e)
1485 k->_extra.dnssec.expiration = e;
1489 ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r)
1491 k->_pubkey_owner = r;
1495 ldns_key_set_keytag(ldns_key *k, uint16_t tag)
1497 k->_extra.dnssec.keytag = tag;
1502 ldns_key_list_key_count(const ldns_key_list *key_list)
1504 return key_list->_key_count;
1508 ldns_key_list_key(const ldns_key_list *key, size_t nr)
1510 if (nr < ldns_key_list_key_count(key)) {
1511 return key->_keys[nr];
1517 ldns_signing_algorithm
1518 ldns_key_algorithm(const ldns_key *k)
1524 ldns_key_set_use(ldns_key *k, bool v)
1532 ldns_key_use(const ldns_key *k)
1543 ldns_key_evp_key(const ldns_key *k)
1549 ldns_key_rsa_key(const ldns_key *k)
1552 return EVP_PKEY_get1_RSA(k->_key.key);
1559 ldns_key_dsa_key(const ldns_key *k)
1563 return EVP_PKEY_get1_DSA(k->_key.key);
1573 #endif /* HAVE_SSL */
1576 ldns_key_hmac_key(const ldns_key *k)
1578 if (k->_key.hmac.key) {
1579 return k->_key.hmac.key;
1586 ldns_key_hmac_size(const ldns_key *k)
1588 if (k->_key.hmac.size) {
1589 return k->_key.hmac.size;
1596 ldns_key_external_key(const ldns_key *k)
1598 return k->_key.external_key;
1602 ldns_key_origttl(const ldns_key *k)
1604 return k->_extra.dnssec.orig_ttl;
1608 ldns_key_flags(const ldns_key *k)
1610 return k->_extra.dnssec.flags;
1614 ldns_key_inception(const ldns_key *k)
1616 return k->_extra.dnssec.inception;
1620 ldns_key_expiration(const ldns_key *k)
1622 return k->_extra.dnssec.expiration;
1626 ldns_key_keytag(const ldns_key *k)
1628 return k->_extra.dnssec.keytag;
1632 ldns_key_pubkey_owner(const ldns_key *k)
1634 return k->_pubkey_owner;
1639 ldns_key_list_set_use(ldns_key_list *keys, bool v)
1643 for (i = 0; i < ldns_key_list_key_count(keys); i++) {
1644 ldns_key_set_use(ldns_key_list_key(keys, i), v);
1649 ldns_key_list_set_key_count(ldns_key_list *key, size_t count)
1651 key->_key_count = count;
1655 ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key)
1660 key_count = ldns_key_list_key_count(key_list);
1662 /* grow the array */
1663 keys = LDNS_XREALLOC(
1664 key_list->_keys, ldns_key *, key_count + 1);
1669 /* add the new member */
1670 key_list->_keys = keys;
1671 key_list->_keys[key_count] = key;
1673 ldns_key_list_set_key_count(key_list, key_count + 1);
1678 ldns_key_list_pop_key(ldns_key_list *key_list)
1688 key_count = ldns_key_list_key_count(key_list);
1689 if (key_count == 0) {
1693 pop = ldns_key_list_key(key_list, key_count);
1695 /* shrink the array */
1696 a = LDNS_XREALLOC(key_list->_keys, ldns_key *, key_count - 1);
1698 key_list->_keys = a;
1701 ldns_key_list_set_key_count(key_list, key_count - 1);
1708 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */
1710 ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size)
1713 const BIGNUM *n=NULL, *e=NULL;
1718 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
1722 RSA_get0_key(k, &n, &e, NULL);
1725 if (BN_num_bytes(e) <= 256) {
1726 /* normally only this path is executed (small factors are
1729 data[0] = (unsigned char) BN_num_bytes(e);
1730 i = BN_bn2bin(e, data + 1);
1731 j = BN_bn2bin(n, data + i + 1);
1732 *size = (uint16_t) i + j;
1733 } else if (BN_num_bytes(e) <= 65536) {
1735 /* BN_bn2bin does bigendian, _uint16 also */
1736 ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(e));
1738 BN_bn2bin(e, data + 3);
1739 BN_bn2bin(n, data + 4 + BN_num_bytes(e));
1740 *size = (uint16_t) BN_num_bytes(n) + 6;
1748 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */
1750 ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size)
1753 const BIGNUM *p, *q, *g;
1754 const BIGNUM *pub_key, *priv_key;
1761 # ifdef HAVE_DSA_GET0_PQG
1762 DSA_get0_pqg(k, &p, &q, &g);
1764 p = k->p; q = k->q; g = k->g;
1766 # ifdef HAVE_DSA_GET0_KEY
1767 DSA_get0_key(k, &pub_key, &priv_key);
1769 pub_key = k->pub_key; priv_key = k->priv_key;
1772 *size = (uint16_t)BN_num_bytes(p);
1773 T = (*size - 64) / 8;
1777 fprintf(stderr, "DSA key with T > 8 (ie. > 1024 bits)");
1778 fprintf(stderr, " not implemented\n");
1783 /* size = 64 + (T * 8); */
1784 memset(data, 0, 21 + *size * 3);
1785 data[0] = (unsigned char)T;
1786 BN_bn2bin(q, data + 1 ); /* 20 octects */
1787 BN_bn2bin(p, data + 21 ); /* offset octects */
1788 BN_bn2bin(g, data + 21 + *size * 2 - BN_num_bytes(g));
1789 BN_bn2bin(pub_key,data + 21 + *size * 3 - BN_num_bytes(pub_key));
1790 *size = 21 + *size * 3;
1793 #endif /* USE_DSA */
1797 ldns_key_gost2bin(unsigned char* data, EVP_PKEY* k, uint16_t* size)
1800 unsigned char* pp = NULL;
1801 if(i2d_PUBKEY(k, &pp) != 37 + 64) {
1802 /* expect 37 byte(ASN header) and 64 byte(X and Y) */
1806 /* omit ASN header */
1813 #endif /* USE_GOST */
1815 #endif /* HAVE_SSL */
1818 ldns_key2rr(const ldns_key *k)
1820 /* this function will convert a the keydata contained in
1821 * rsa/dsa pointers to a DNSKEY rr. It will fill in as
1822 * much as it can, but it does not know about key-flags
1827 unsigned char *bin = NULL;
1833 #endif /* USE_DSA */
1834 #endif /* HAVE_SSL */
1838 int internal_data = 0;
1843 pubkey = ldns_rr_new();
1845 switch (ldns_key_algorithm(k)) {
1846 case LDNS_SIGN_HMACMD5:
1847 case LDNS_SIGN_HMACSHA1:
1848 case LDNS_SIGN_HMACSHA224:
1849 case LDNS_SIGN_HMACSHA256:
1850 case LDNS_SIGN_HMACSHA384:
1851 case LDNS_SIGN_HMACSHA512:
1852 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY);
1855 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_DNSKEY);
1858 /* zero-th rdf - flags */
1859 ldns_rr_push_rdf(pubkey,
1860 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
1861 ldns_key_flags(k)));
1863 ldns_rr_push_rdf(pubkey,
1864 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO));
1866 if (ldns_key_pubkey_owner(k)) {
1867 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k)));
1870 /* third - da algorithm */
1871 switch(ldns_key_algorithm(k)) {
1872 case LDNS_SIGN_RSAMD5:
1873 case LDNS_SIGN_RSASHA1:
1874 case LDNS_SIGN_RSASHA1_NSEC3:
1875 case LDNS_SIGN_RSASHA256:
1876 case LDNS_SIGN_RSASHA512:
1877 ldns_rr_push_rdf(pubkey,
1878 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1880 rsa = ldns_key_rsa_key(k);
1882 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1884 ldns_rr_free(pubkey);
1887 if (!ldns_key_rsa2bin(bin, rsa, &size)) {
1889 ldns_rr_free(pubkey);
1899 ldns_rr_push_rdf(pubkey,
1900 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA));
1903 dsa = ldns_key_dsa_key(k);
1905 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1907 ldns_rr_free(pubkey);
1910 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1912 ldns_rr_free(pubkey);
1918 #endif /* HAVE_SSL */
1919 #endif /* USE_DSA */
1921 case LDNS_SIGN_DSA_NSEC3:
1922 ldns_rr_push_rdf(pubkey,
1923 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3));
1926 dsa = ldns_key_dsa_key(k);
1928 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1930 ldns_rr_free(pubkey);
1933 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1935 ldns_rr_free(pubkey);
1941 #endif /* HAVE_SSL */
1942 #endif /* USE_DSA */
1944 case LDNS_SIGN_ECC_GOST:
1945 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
1946 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1947 #if defined(HAVE_SSL) && defined(USE_GOST)
1948 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1950 ldns_rr_free(pubkey);
1954 if (!ldns_key_gost2bin(bin, k->_key.key, &size)) {
1956 ldns_rr_free(pubkey);
1962 ldns_rr_free(pubkey);
1964 #endif /* HAVE_SSL and USE_GOST */
1966 case LDNS_SIGN_ECDSAP256SHA256:
1967 case LDNS_SIGN_ECDSAP384SHA384:
1969 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
1970 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1973 ec = EVP_PKEY_get1_EC_KEY(k->_key.key);
1975 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED);
1976 size = (uint16_t)i2o_ECPublicKey(ec, NULL);
1977 if(!i2o_ECPublicKey(ec, &bin)) {
1979 ldns_rr_free(pubkey);
1983 /* move back one byte to shave off the 0x02
1984 * 'uncompressed' indicator that openssl made
1985 * Actually its 0x04 (from implementation).
1987 assert(bin[0] == POINT_CONVERSION_UNCOMPRESSED);
1989 memmove(bin, bin+1, size);
1991 /* down the reference count for ec, its still assigned
1996 ldns_rr_free(pubkey);
2001 case LDNS_SIGN_ED25519:
2002 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
2003 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
2005 ec = EVP_PKEY_get1_EC_KEY(k->_key.key);
2006 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED);
2007 size = (uint16_t)i2o_ECPublicKey(ec, NULL);
2008 if(!i2o_ECPublicKey(ec, &bin)) {
2010 ldns_rr_free(pubkey);
2013 /* down the reference count for ec, its still assigned
2020 case LDNS_SIGN_ED448:
2021 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
2022 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
2024 ec = EVP_PKEY_get1_EC_KEY(k->_key.key);
2025 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED);
2026 size = (uint16_t)i2o_ECPublicKey(ec, NULL);
2027 if(!i2o_ECPublicKey(ec, &bin)) {
2029 ldns_rr_free(pubkey);
2032 /* down the reference count for ec, its still assigned
2038 case LDNS_SIGN_HMACMD5:
2039 case LDNS_SIGN_HMACSHA1:
2040 case LDNS_SIGN_HMACSHA224:
2041 case LDNS_SIGN_HMACSHA256:
2042 case LDNS_SIGN_HMACSHA384:
2043 case LDNS_SIGN_HMACSHA512:
2044 bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k));
2046 ldns_rr_free(pubkey);
2049 ldns_rr_push_rdf(pubkey,
2050 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
2051 ldns_key_algorithm(k)));
2052 size = ldns_key_hmac_size(k);
2053 memcpy(bin, ldns_key_hmac_key(k), size);
2057 /* fourth the key bin material */
2058 if (internal_data) {
2059 keybin = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, size, bin);
2061 ldns_rr_push_rdf(pubkey, keybin);
2067 ldns_key_free(ldns_key *key)
2073 ldns_key_deep_free(ldns_key *key)
2075 unsigned char* hmac;
2076 if (ldns_key_pubkey_owner(key)) {
2077 ldns_rdf_deep_free(ldns_key_pubkey_owner(key));
2080 if (ldns_key_evp_key(key)) {
2081 EVP_PKEY_free(ldns_key_evp_key(key));
2083 #endif /* HAVE_SSL */
2084 if (ldns_key_hmac_key(key)) {
2085 hmac = ldns_key_hmac_key(key);
2092 ldns_key_list_free(ldns_key_list *key_list)
2095 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
2096 ldns_key_deep_free(ldns_key_list_key(key_list, i));
2098 LDNS_FREE(key_list->_keys);
2099 LDNS_FREE(key_list);
2103 ldns_read_anchor_file(const char *filename)
2106 /*char line[LDNS_MAX_PACKETLEN];*/
2107 char *line = LDNS_XMALLOC(char, LDNS_MAX_PACKETLEN);
2116 fp = fopen(filename, "r");
2119 fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
2125 while ((c = fgetc(fp)) && i+1 < LDNS_MAX_PACKETLEN && c != EOF) {
2135 fprintf(stderr, "nothing read from %s", filename);
2140 status = ldns_rr_new_frm_str(&r, line, 0, NULL, NULL);
2141 if (status == LDNS_STATUS_OK && (ldns_rr_get_type(r) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(r) == LDNS_RR_TYPE_DS)) {
2146 fprintf(stderr, "Error creating DNSKEY or DS rr from %s: %s\n", filename, ldns_get_errorstr_by_id(status));
2155 ldns_key_get_file_base_name(const ldns_key *key)
2157 ldns_buffer *buffer;
2158 char *file_base_name;
2160 buffer = ldns_buffer_new(255);
2161 ldns_buffer_printf(buffer, "K");
2162 (void)ldns_rdf2buffer_str_dname(buffer, ldns_key_pubkey_owner(key));
2163 ldns_buffer_printf(buffer,
2165 ldns_key_algorithm(key),
2166 ldns_key_keytag(key));
2167 file_base_name = ldns_buffer_export(buffer);
2168 ldns_buffer_free(buffer);
2169 return file_base_name;
2172 int ldns_key_algo_supported(int algo)
2174 ldns_lookup_table *lt = ldns_signing_algorithms;
2183 ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name)
2185 /* list of (signing algorithm id, alias_name) */
2186 ldns_lookup_table aliases[] = {
2187 /* from bind dnssec-keygen */
2188 {LDNS_SIGN_HMACMD5, "HMAC-MD5"},
2189 {LDNS_SIGN_DSA_NSEC3, "NSEC3DSA"},
2190 {LDNS_SIGN_RSASHA1_NSEC3, "NSEC3RSASHA1"},
2191 /* old ldns usage, now RFC names */
2193 {LDNS_SIGN_DSA_NSEC3, "DSA_NSEC3" },
2195 {LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1_NSEC3" },
2197 {LDNS_SIGN_ECC_GOST, "GOST"},
2199 /* compat with possible output */
2202 {LDNS_INDIRECT, "INDIRECT"},
2203 {LDNS_PRIVATEDNS, "PRIVATEDNS"},
2204 {LDNS_PRIVATEOID, "PRIVATEOID"},
2206 ldns_lookup_table* lt = ldns_signing_algorithms;
2207 ldns_signing_algorithm a;
2211 if(strcasecmp(lt->name, name) == 0)
2217 if(strcasecmp(lt->name, name) == 0)
2221 a = strtol(name, &endptr, 10);
2222 if (*name && !*endptr)