/** If there are KSKs use only them and mark ZSKs unused */
static void
ldns_key_list_filter_for_dnskey(ldns_key_list *key_list)
{
int saw_ksk = 0;
size_t i;
for(i=0; i<ldns_key_list_key_count(key_list); i++)
if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
saw_ksk = 1;
break;
}
if(!saw_ksk)
return;
for(i=0; i<ldns_key_list_key_count(key_list); i++)
if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
}
ldns_status
ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
ldns_rr_list *new_rrs,
ldns_key_list *key_list,
int (*func)(ldns_rr *, void*),
void *arg)
{
ldns_status result = LDNS_STATUS_OK;
ldns_rbnode_t *cur_node;
ldns_rr_list *rr_list;
ldns_dnssec_name *cur_name;
ldns_dnssec_rrsets *cur_rrset;
ldns_dnssec_rrs *cur_rr;
ldns_rr_list *siglist;
size_t i;
ldns_rr_list *pubkey_list = ldns_rr_list_new();
zone = zone;
new_rrs = new_rrs;
key_list = key_list;
for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
ldns_rr_list_push_rr(pubkey_list,
ldns_key2rr(ldns_key_list_key(key_list, i)));
}
/* TODO: callback to see is list should be signed */
/* TODO: remove 'old' signatures from signature list */
cur_node = ldns_rbtree_first(zone->names);
while (cur_node != LDNS_RBTREE_NULL) {
cur_name = (ldns_dnssec_name *) cur_node->data;
if (!cur_name->is_glue) {
cur_rrset = cur_name->rrsets;
while (cur_rrset) {
/* reset keys to use */
ldns_key_list_set_use(key_list, true);
/* walk through old sigs, remove the old,
and mark which keys (not) to use) */
cur_rrset->signatures =
ldns_dnssec_remove_signatures(cur_rrset->signatures,
key_list,
func,
arg);
/* TODO: just set count to zero? */
rr_list = ldns_rr_list_new();
cur_rr = cur_rrset->rrs;
while (cur_rr) {
ldns_rr_list_push_rr(rr_list, cur_rr->rr);
cur_rr = cur_rr->next;
}
/* only sign non-delegation RRsets */
/* (glue should have been marked earlier) */
if ((ldns_rr_list_type(rr_list) != LDNS_RR_TYPE_NS ||
ldns_dname_compare(ldns_rr_list_owner(rr_list),
zone->soa->name) == 0) &&
/* OK, there is also the possibility that the record
* is glue, but at the same owner name as other records that
* are not NS nor A/AAAA. Bleh, our current data structure
* doesn't really support that... */
!((ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_A ||
ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_AAAA) &&
!ldns_dname_compare(ldns_rr_list_owner(rr_list), zone->soa->name) == 0 &&
ldns_dnssec_zone_find_rrset(zone, ldns_rr_list_owner(rr_list), LDNS_RR_TYPE_NS)
)) {
siglist = ldns_sign_public(rr_list, key_list);
for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
if (cur_rrset->signatures) {
ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
ldns_rr_list_rr(siglist,
i));
} else {
cur_rrset->signatures = ldns_dnssec_rrs_new();
cur_rrset->signatures->rr =
ldns_rr_list_rr(siglist, i);
ldns_rr_list_push_rr(new_rrs,
ldns_rr_list_rr(siglist,
i));
}
}
ldns_rr_list_free(siglist);
}
ldns_rr_list_free(rr_list);
cur_rrset = cur_rrset->next;
}
/* sign the nsec */
cur_name->nsec_signatures =
ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
key_list,
func,
arg);
rr_list = ldns_rr_list_new();
ldns_rr_list_push_rr(rr_list, cur_name->nsec);
siglist = ldns_sign_public(rr_list, key_list);
for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
if (cur_name->nsec_signatures) {
ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
ldns_rr_list_rr(siglist, i));
} else {
cur_name->nsec_signatures = ldns_dnssec_rrs_new();
cur_name->nsec_signatures->rr =
ldns_rr_list_rr(siglist, i);
ldns_rr_list_push_rr(new_rrs,
ldns_rr_list_rr(siglist, i));
}
}
ldns_rr_list_free(siglist);
ldns_rr_list_free(rr_list);
}
cur_node = ldns_rbtree_next(cur_node);
}
ldns_rr_list_deep_free(pubkey_list);
return result;
}
ldns_dnssec_rrs *
ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
ldns_key_list *key_list,
int (*func)(ldns_rr *, void *),
void *arg)
{
ldns_dnssec_rrs *base_rrs = signatures;
ldns_dnssec_rrs *cur_rr = base_rrs;
ldns_dnssec_rrs *prev_rr = NULL;
ldns_dnssec_rrs *next_rr;
uint16_t keytag;
size_t i;
int v;
key_list = key_list;
if (!cur_rr) {
switch(func(NULL, arg)) {
case LDNS_SIGNATURE_LEAVE_ADD_NEW:
case LDNS_SIGNATURE_REMOVE_ADD_NEW:
break;
case LDNS_SIGNATURE_LEAVE_NO_ADD:
case LDNS_SIGNATURE_REMOVE_NO_ADD:
ldns_key_list_set_use(key_list, false);
break;
default:
fprintf(stderr, "[XX] unknown return value from callback\n");
break;
}
return NULL;
}
v = func(cur_rr->rr, arg);
while (cur_rr) {
next_rr = cur_rr->next;
switch (func(cur_rr->rr, arg)) {
case LDNS_SIGNATURE_LEAVE_ADD_NEW:
prev_rr = cur_rr;
break;
case LDNS_SIGNATURE_LEAVE_NO_ADD:
keytag = ldns_rdf2native_int16(
ldns_rr_rrsig_keytag(cur_rr->rr));
for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
keytag) {
ldns_key_set_use(ldns_key_list_key(key_list, i),
false);
}
}
prev_rr = cur_rr;
break;
case LDNS_SIGNATURE_REMOVE_NO_ADD:
keytag = ldns_rdf2native_int16(
ldns_rr_rrsig_keytag(cur_rr->rr));
for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
if (ldns_key_keytag(ldns_key_list_key(key_list, i))
== keytag) {
ldns_key_set_use(ldns_key_list_key(key_list, i),
false);
}
}
if (prev_rr) {
prev_rr->next = next_rr;
} else {
base_rrs = next_rr;
}
LDNS_FREE(cur_rr);
break;
case LDNS_SIGNATURE_REMOVE_ADD_NEW:
if (prev_rr) {
prev_rr->next = next_rr;
} else {
base_rrs = next_rr;
}
LDNS_FREE(cur_rr);
break;
default:
fprintf(stderr, "[XX] unknown return value from callback\n");
break;
}
cur_rr = next_rr;
}
return base_rrs;
}
/**
* use this function to sign with a public/private key alg
* return the created signatures
*/
ldns_rr_list *
ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
{
ldns_rr_list *signatures;
ldns_rr_list *rrset_clone;
ldns_rr *current_sig;
ldns_rdf *b64rdf;
ldns_key *current_key;
size_t key_count;
uint16_t i;
ldns_buffer *sign_buf;
ldns_rdf *new_owner;
if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
return NULL;
}
new_owner = NULL;
key_count = 0;
signatures = ldns_rr_list_new();
/* prepare a signature and add all the know data
* prepare the rrset. Sign this together. */
rrset_clone = ldns_rr_list_clone(rrset);
if (!rrset_clone) {
return NULL;
}
/* make it canonical */
for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
}
/* sort */
ldns_rr_list_sort(rrset_clone);
for (key_count = 0;
key_count < ldns_key_list_key_count(keys);
key_count++) {
if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
continue;
}
sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
if (!sign_buf) {
ldns_rr_list_free(rrset_clone);
ldns_rr_list_free(signatures);
ldns_rdf_free(new_owner);
return NULL;
}
b64rdf = NULL;
current_key = ldns_key_list_key(keys, key_count);
/* sign all RRs with keys that have ZSKbit, !SEPbit.
sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
if (
ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY &&
(!(ldns_key_flags(current_key) & LDNS_KEY_SEP_KEY)
|| ldns_rr_get_type(ldns_rr_list_rr(rrset, 0))
== LDNS_RR_TYPE_DNSKEY)
) {
current_sig = ldns_create_empty_rrsig(rrset_clone,
current_key);
/* right now, we have: a key, a semi-sig and an rrset. For
* which we can create the sig and base64 encode that and
* add that to the signature */
if (ldns_rrsig2buffer_wire(sign_buf, current_sig)
!= LDNS_STATUS_OK) {
ldns_buffer_free(sign_buf);
/* ERROR */
ldns_rr_list_deep_free(rrset_clone);
return NULL;
}
/* add the rrset in sign_buf */
if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone)
!= LDNS_STATUS_OK) {
ldns_buffer_free(sign_buf);
ldns_rr_list_deep_free(rrset_clone);
return NULL;
}
b64rdf = ldns_sign_public_buffer(sign_buf, current_key);
if (!b64rdf) {
/* signing went wrong */
ldns_rr_list_deep_free(rrset_clone);
return NULL;
}
ldns_rr_rrsig_set_sig(current_sig, b64rdf);
/* push the signature to the signatures list */
ldns_rr_list_push_rr(signatures, current_sig);
}
ldns_buffer_free(sign_buf); /* restart for the next key */
}
ldns_rr_list_deep_free(rrset_clone);
return signatures;
}
ldns_status
ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
, ldns_rr_list *new_rrs
, ldns_key_list *key_list
, int (*func)(ldns_rr *, void*)
, void *arg
, int flags
)
{
ldns_status result = LDNS_STATUS_OK;
ldns_rbnode_t *cur_node;
ldns_rr_list *rr_list;
ldns_dnssec_name *cur_name;
ldns_dnssec_rrsets *cur_rrset;
ldns_dnssec_rrs *cur_rr;
ldns_rr_list *siglist;
size_t i;
int on_delegation_point = 0; /* handle partially occluded names */
ldns_rr_list *pubkey_list = ldns_rr_list_new();
for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
ldns_rr_list_push_rr( pubkey_list
, ldns_key2rr(ldns_key_list_key(
key_list, i))
);
}
/* TODO: callback to see is list should be signed */
/* TODO: remove 'old' signatures from signature list */
cur_node = ldns_rbtree_first(zone->names);
while (cur_node != LDNS_RBTREE_NULL) {
cur_name = (ldns_dnssec_name *) cur_node->data;
if (!cur_name->is_glue) {
on_delegation_point = ldns_dnssec_rrsets_contains_type(
cur_name->rrsets, LDNS_RR_TYPE_NS)
&& !ldns_dnssec_rrsets_contains_type(
cur_name->rrsets, LDNS_RR_TYPE_SOA);
cur_rrset = cur_name->rrsets;
while (cur_rrset) {
/* reset keys to use */
ldns_key_list_set_use(key_list, true);
/* walk through old sigs, remove the old,
and mark which keys (not) to use) */
cur_rrset->signatures =
ldns_dnssec_remove_signatures(cur_rrset->signatures,
key_list,
func,
arg);
if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
ldns_key_list_filter_for_dnskey(key_list);
if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
ldns_key_list_filter_for_non_dnskey(key_list);
/* TODO: just set count to zero? */
rr_list = ldns_rr_list_new();
cur_rr = cur_rrset->rrs;
while (cur_rr) {
ldns_rr_list_push_rr(rr_list, cur_rr->rr);
cur_rr = cur_rr->next;
}
/* only sign non-delegation RRsets */
/* (glue should have been marked earlier,
* except on the delegation points itself) */
if (!on_delegation_point ||
ldns_rr_list_type(rr_list)
== LDNS_RR_TYPE_DS ||
ldns_rr_list_type(rr_list)
== LDNS_RR_TYPE_NSEC ||
ldns_rr_list_type(rr_list)
== LDNS_RR_TYPE_NSEC3) {
siglist = ldns_sign_public(rr_list, key_list);
for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
if (cur_rrset->signatures) {
result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
ldns_rr_list_rr(siglist,
i));
} else {
cur_rrset->signatures = ldns_dnssec_rrs_new();
cur_rrset->signatures->rr =
ldns_rr_list_rr(siglist, i);
}
if (new_rrs) {
ldns_rr_list_push_rr(new_rrs,
ldns_rr_list_rr(siglist,
i));
}
}
ldns_rr_list_free(siglist);
}
ldns_rr_list_free(rr_list);
cur_rrset = cur_rrset->next;
}
/* sign the nsec */
ldns_key_list_set_use(key_list, true);
cur_name->nsec_signatures =
ldns_dnssec_remove_signatures(cur_name->nsec_signatures,
key_list,
func,
arg);
ldns_key_list_filter_for_non_dnskey(key_list);
rr_list = ldns_rr_list_new();
ldns_rr_list_push_rr(rr_list, cur_name->nsec);
siglist = ldns_sign_public(rr_list, key_list);
for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
if (cur_name->nsec_signatures) {
result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
ldns_rr_list_rr(siglist, i));
} else {
cur_name->nsec_signatures = ldns_dnssec_rrs_new();
cur_name->nsec_signatures->rr =
ldns_rr_list_rr(siglist, i);
}
if (new_rrs) {
ldns_rr_list_push_rr(new_rrs,
ldns_rr_list_rr(siglist, i));
}
}
ldns_rr_list_free(siglist);
ldns_rr_list_free(rr_list);
}
cur_node = ldns_rbtree_next(cur_node);
}
ldns_rr_list_deep_free(pubkey_list);
return result;
}
