3 #ifndef LDNS_DNSSEC_SIGN_H
4 #define LDNS_DNSSEC_SIGN_H
6 #include <ldns/dnssec.h>
14 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
15 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1
18 * Create an empty RRSIG RR (i.e. without the actual signature data)
19 * \param[in] rrset The RRset to create the signature for
20 * \param[in] key The key that will create the signature
21 * \return signature rr
24 ldns_create_empty_rrsig(ldns_rr_list *rrset,
28 * Sign the buffer which contains the wiredata of an rrset, and the
29 * corresponding empty rrsig rr with the given key
30 * \param[in] sign_buf the buffer with data to sign
31 * \param[in] key the key to sign with
32 * \return an rdata field with the signature data
35 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key);
39 * \param[in] rrset the rrset
40 * \param[in] keys the keys to use
41 * \return a rr_list with the signatures
43 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys);
47 * Sign a buffer with the DSA key (hash with SHA1)
48 * \param[in] to_sign buffer with the data
49 * \param[in] key the key to use
50 * \return a ldns_rdf with the signed data
52 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key);
55 * Sign data with EVP (general method for different algorithms)
57 * \param[in] to_sign The ldns_buffer containing raw data that is
59 * \param[in] key The EVP_PKEY key structure to sign with
60 * \param[in] digest_type The digest algorithm to use in the creation of
62 * \return ldns_rdf for the RRSIG ldns_rr
64 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign,
66 const EVP_MD *digest_type);
69 * Sign a buffer with the RSA key (hash with SHA1)
70 * \param[in] to_sign buffer with the data
71 * \param[in] key the key to use
72 * \return a ldns_rdf with the signed data
74 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key);
77 * Sign a buffer with the RSA key (hash with MD5)
78 * \param[in] to_sign buffer with the data
79 * \param[in] key the key to use
80 * \return a ldns_rdf with the signed data
82 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key);
86 * Finds the first dnssec_name node in the rbtree that has not been marked
87 * as glue, starting at the given node
89 * \param[in] node the first node to check
90 * \return the first node that has not been marked as glue, or NULL
91 * if not found (TODO: make that LDNS_RBTREE_NULL?)
93 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node);
96 * Adds NSEC records to the given dnssec_zone
98 * \param[in] zone the zone to add the records to
99 * \param[in] new_rrs ldns_rr's created by this function are
100 * added to this rr list, so the caller can free them later
101 * \return LDNS_STATUS_OK on success, an error code otherwise
103 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
104 ldns_rr_list *new_rrs);
107 * Adds NSEC3 records to the zone
110 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
111 ldns_rr_list *new_rrs,
119 * remove signatures if callback function tells to
121 * \param[in] signatures list of signatures to check, and
122 * possibly remove, depending on the value of the
124 * \param[in] key_list these are marked to be used or not,
125 * on the return value of the callback
126 * \param[in] func this function is called to specify what to
127 * do with each signature (and corresponding key)
128 * \param[in] arg Optional argument for the callback function
129 * \returns pointer to the new signatures rrs (the original
130 * passed to this function may have been removed)
132 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
133 ldns_key_list *key_list,
134 int (*func)(ldns_rr *, void *),
138 * Adds signatures to the zone
140 * \param[in] zone the zone to add RRSIG Resource Records to
141 * \param[in] new_rrs the RRSIG RRs that are created are also
142 * added to this list, so the caller can free them
144 * \param[in] key_list list of keys to sign with.
145 * \param[in] func Callback function to decide what keys to
146 * use and what to do with old signatures
147 * \param[in] arg Optional argument for the callback function
148 * \param[in] flags option flags for signing process. 0 makes DNSKEY
149 * RRset signed with the minimal key set, that is only SEP keys are used
150 * for signing. If there are no SEP keys available, non-SEP keys will
151 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
152 * keys. 0 is the default.
153 * \return LDNS_STATUS_OK on success, error otherwise
155 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
156 ldns_rr_list *new_rrs,
157 ldns_key_list *key_list,
158 int (*func)(ldns_rr *, void*),
163 * Adds signatures to the zone
165 * \param[in] zone the zone to add RRSIG Resource Records to
166 * \param[in] new_rrs the RRSIG RRs that are created are also
167 * added to this list, so the caller can free them
169 * \param[in] key_list list of keys to sign with.
170 * \param[in] func Callback function to decide what keys to
171 * use and what to do with old signatures
172 * \param[in] arg Optional argument for the callback function
173 * \return LDNS_STATUS_OK on success, error otherwise
175 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
176 ldns_rr_list *new_rrs,
177 ldns_key_list *key_list,
178 int (*func)(ldns_rr *, void*),
182 * signs the given zone with the given keys
184 * \param[in] zone the zone to sign
185 * \param[in] key_list the list of keys to sign the zone with
186 * \param[in] new_rrs newly created resource records are added to this list, to free them later
187 * \param[in] func callback function that decides what to do with old signatures
188 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
189 * LDNS_SIGNATURE_LEAVE_ADD_NEW:
190 * leave the signature and add a new one for the corresponding key
191 * LDNS_SIGNATURE_REMOVE_ADD_NEW:
192 * remove the signature and replace is with a new one from the same key
193 * LDNS_SIGNATURE_LEAVE_NO_ADD:
194 * leave the signature and do not add a new one with the corresponding key
195 * LDNS_SIGNATURE_REMOVE_NO_ADD:
196 * remove the signature and do not replace
198 * \param[in] arg optional argument for the callback function
199 * \param[in] flags option flags for signing process. 0 makes DNSKEY
200 * RRset signed with the minimal key set, that is only SEP keys are used
201 * for signing. If there are no SEP keys available, non-SEP keys will
202 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
203 * keys. 0 is the default.
204 * \return LDNS_STATUS_OK on success, an error code otherwise
206 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
207 ldns_rr_list *new_rrs,
208 ldns_key_list *key_list,
209 int (*func)(ldns_rr *, void *),
214 * signs the given zone with the given new zone, with NSEC3
216 * \param[in] zone the zone to sign
217 * \param[in] key_list the list of keys to sign the zone with
218 * \param[in] new_rrs newly created resource records are added to this list, to free them later
219 * \param[in] func callback function that decides what to do with old signatures
220 * \param[in] arg optional argument for the callback function
221 * \param[in] algorithm the NSEC3 hashing algorithm to use
222 * \param[in] flags NSEC3 flags
223 * \param[in] iterations the number of NSEC3 hash iterations to use
224 * \param[in] salt_length the length (in octets) of the NSEC3 salt
225 * \param[in] salt the NSEC3 salt data
226 * \param[in] signflags option flags for signing process. 0 is the default.
227 * \return LDNS_STATUS_OK on success, an error code otherwise
229 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
230 ldns_rr_list *new_rrs,
231 ldns_key_list *key_list,
232 int (*func)(ldns_rr *, void *),
242 * signs the given zone with the given keys
244 * \param[in] zone the zone to sign
245 * \param[in] key_list the list of keys to sign the zone with
246 * \param[in] new_rrs newly created resource records are added to this list, to free them later
247 * \param[in] func callback function that decides what to do with old signatures
248 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
249 * LDNS_SIGNATURE_LEAVE_ADD_NEW:
250 * leave the signature and add a new one for the corresponding key
251 * LDNS_SIGNATURE_REMOVE_ADD_NEW:
252 * remove the signature and replace is with a new one from the same key
253 * LDNS_SIGNATURE_LEAVE_NO_ADD:
254 * leave the signature and do not add a new one with the corresponding key
255 * LDNS_SIGNATURE_REMOVE_NO_ADD:
256 * remove the signature and do not replace
258 * \param[in] arg optional argument for the callback function
259 * \return LDNS_STATUS_OK on success, an error code otherwise
261 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
262 ldns_rr_list *new_rrs,
263 ldns_key_list *key_list,
264 int (*func)(ldns_rr *, void *),
268 * signs the given zone with the given new zone, with NSEC3
270 * \param[in] zone the zone to sign
271 * \param[in] key_list the list of keys to sign the zone with
272 * \param[in] new_rrs newly created resource records are added to this list, to free them later
273 * \param[in] func callback function that decides what to do with old signatures
274 * \param[in] arg optional argument for the callback function
275 * \param[in] algorithm the NSEC3 hashing algorithm to use
276 * \param[in] flags NSEC3 flags
277 * \param[in] iterations the number of NSEC3 hash iterations to use
278 * \param[in] salt_length the length (in octets) of the NSEC3 salt
279 * \param[in] salt the NSEC3 salt data
280 * \return LDNS_STATUS_OK on success, an error code otherwise
282 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
283 ldns_rr_list *new_rrs,
284 ldns_key_list *key_list,
285 int (*func)(ldns_rr *, void *),
294 * Signs the zone, and returns a newly allocated signed zone
295 * \param[in] zone the zone to sign
296 * \param[in] key_list list of keys to sign with
297 * \return signed zone
299 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list);
302 * Signs the zone with NSEC3, and returns a newly allocated signed zone
303 * \param[in] zone the zone to sign
304 * \param[in] key_list list of keys to sign with
305 * \param[in] algorithm the NSEC3 hashing algorithm to use
306 * \param[in] flags NSEC3 flags
307 * \param[in] iterations the number of NSEC3 hash iterations to use
308 * \param[in] salt_length the length (in octets) of the NSEC3 salt
309 * \param[in] salt the NSEC3 salt data
310 * \return signed zone
312 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt);