/** If there are KSKs use only them and mark ZSKs unused */ static void ldns_key_list_filter_for_dnskey(ldns_key_list *key_list) { int saw_ksk = 0; size_t i; for(i=0; i<ldns_key_list_key_count(key_list); i++) if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) { saw_ksk = 1; break; } if(!saw_ksk) return; for(i=0; i<ldns_key_list_key_count(key_list); i++) if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) ldns_key_set_use(ldns_key_list_key(key_list, i), 0); }
ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int (*func)(ldns_rr *, void*), void *arg) { ldns_status result = LDNS_STATUS_OK; ldns_rbnode_t *cur_node; ldns_rr_list *rr_list; ldns_dnssec_name *cur_name; ldns_dnssec_rrsets *cur_rrset; ldns_dnssec_rrs *cur_rr; ldns_rr_list *siglist; size_t i; ldns_rr_list *pubkey_list = ldns_rr_list_new(); zone = zone; new_rrs = new_rrs; key_list = key_list; for (i = 0; i<ldns_key_list_key_count(key_list); i++) { ldns_rr_list_push_rr(pubkey_list, ldns_key2rr(ldns_key_list_key(key_list, i))); } /* TODO: callback to see is list should be signed */ /* TODO: remove 'old' signatures from signature list */ cur_node = ldns_rbtree_first(zone->names); while (cur_node != LDNS_RBTREE_NULL) { cur_name = (ldns_dnssec_name *) cur_node->data; if (!cur_name->is_glue) { cur_rrset = cur_name->rrsets; while (cur_rrset) { /* reset keys to use */ ldns_key_list_set_use(key_list, true); /* walk through old sigs, remove the old, and mark which keys (not) to use) */ cur_rrset->signatures = ldns_dnssec_remove_signatures(cur_rrset->signatures, key_list, func, arg); /* TODO: just set count to zero? */ rr_list = ldns_rr_list_new(); cur_rr = cur_rrset->rrs; while (cur_rr) { ldns_rr_list_push_rr(rr_list, cur_rr->rr); cur_rr = cur_rr->next; } /* only sign non-delegation RRsets */ /* (glue should have been marked earlier) */ if ((ldns_rr_list_type(rr_list) != LDNS_RR_TYPE_NS || ldns_dname_compare(ldns_rr_list_owner(rr_list), zone->soa->name) == 0) && /* OK, there is also the possibility that the record * is glue, but at the same owner name as other records that * are not NS nor A/AAAA. Bleh, our current data structure * doesn't really support that... */ !((ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_A || ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_AAAA) && !ldns_dname_compare(ldns_rr_list_owner(rr_list), zone->soa->name) == 0 && ldns_dnssec_zone_find_rrset(zone, ldns_rr_list_owner(rr_list), LDNS_RR_TYPE_NS) )) { siglist = ldns_sign_public(rr_list, key_list); for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { if (cur_rrset->signatures) { ldns_dnssec_rrs_add_rr(cur_rrset->signatures, ldns_rr_list_rr(siglist, i)); } else { cur_rrset->signatures = ldns_dnssec_rrs_new(); cur_rrset->signatures->rr = ldns_rr_list_rr(siglist, i); ldns_rr_list_push_rr(new_rrs, ldns_rr_list_rr(siglist, i)); } } ldns_rr_list_free(siglist); } ldns_rr_list_free(rr_list); cur_rrset = cur_rrset->next; } /* sign the nsec */ cur_name->nsec_signatures = ldns_dnssec_remove_signatures(cur_name->nsec_signatures, key_list, func, arg); rr_list = ldns_rr_list_new(); ldns_rr_list_push_rr(rr_list, cur_name->nsec); siglist = ldns_sign_public(rr_list, key_list); for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { if (cur_name->nsec_signatures) { ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures, ldns_rr_list_rr(siglist, i)); } else { cur_name->nsec_signatures = ldns_dnssec_rrs_new(); cur_name->nsec_signatures->rr = ldns_rr_list_rr(siglist, i); ldns_rr_list_push_rr(new_rrs, ldns_rr_list_rr(siglist, i)); } } ldns_rr_list_free(siglist); ldns_rr_list_free(rr_list); } cur_node = ldns_rbtree_next(cur_node); } ldns_rr_list_deep_free(pubkey_list); return result; }
ldns_dnssec_rrs * ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures, ldns_key_list *key_list, int (*func)(ldns_rr *, void *), void *arg) { ldns_dnssec_rrs *base_rrs = signatures; ldns_dnssec_rrs *cur_rr = base_rrs; ldns_dnssec_rrs *prev_rr = NULL; ldns_dnssec_rrs *next_rr; uint16_t keytag; size_t i; int v; key_list = key_list; if (!cur_rr) { switch(func(NULL, arg)) { case LDNS_SIGNATURE_LEAVE_ADD_NEW: case LDNS_SIGNATURE_REMOVE_ADD_NEW: break; case LDNS_SIGNATURE_LEAVE_NO_ADD: case LDNS_SIGNATURE_REMOVE_NO_ADD: ldns_key_list_set_use(key_list, false); break; default: fprintf(stderr, "[XX] unknown return value from callback\n"); break; } return NULL; } v = func(cur_rr->rr, arg); while (cur_rr) { next_rr = cur_rr->next; switch (func(cur_rr->rr, arg)) { case LDNS_SIGNATURE_LEAVE_ADD_NEW: prev_rr = cur_rr; break; case LDNS_SIGNATURE_LEAVE_NO_ADD: keytag = ldns_rdf2native_int16( ldns_rr_rrsig_keytag(cur_rr->rr)); for (i = 0; i < ldns_key_list_key_count(key_list); i++) { if (ldns_key_keytag(ldns_key_list_key(key_list, i)) == keytag) { ldns_key_set_use(ldns_key_list_key(key_list, i), false); } } prev_rr = cur_rr; break; case LDNS_SIGNATURE_REMOVE_NO_ADD: keytag = ldns_rdf2native_int16( ldns_rr_rrsig_keytag(cur_rr->rr)); for (i = 0; i < ldns_key_list_key_count(key_list); i++) { if (ldns_key_keytag(ldns_key_list_key(key_list, i)) == keytag) { ldns_key_set_use(ldns_key_list_key(key_list, i), false); } } if (prev_rr) { prev_rr->next = next_rr; } else { base_rrs = next_rr; } LDNS_FREE(cur_rr); break; case LDNS_SIGNATURE_REMOVE_ADD_NEW: if (prev_rr) { prev_rr->next = next_rr; } else { base_rrs = next_rr; } LDNS_FREE(cur_rr); break; default: fprintf(stderr, "[XX] unknown return value from callback\n"); break; } cur_rr = next_rr; } return base_rrs; }
/** * use this function to sign with a public/private key alg * return the created signatures */ ldns_rr_list * ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys) { ldns_rr_list *signatures; ldns_rr_list *rrset_clone; ldns_rr *current_sig; ldns_rdf *b64rdf; ldns_key *current_key; size_t key_count; uint16_t i; ldns_buffer *sign_buf; ldns_rdf *new_owner; if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) { return NULL; } new_owner = NULL; key_count = 0; signatures = ldns_rr_list_new(); /* prepare a signature and add all the know data * prepare the rrset. Sign this together. */ rrset_clone = ldns_rr_list_clone(rrset); if (!rrset_clone) { return NULL; } /* make it canonical */ for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) { ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i)); } /* sort */ ldns_rr_list_sort(rrset_clone); for (key_count = 0; key_count < ldns_key_list_key_count(keys); key_count++) { if (!ldns_key_use(ldns_key_list_key(keys, key_count))) { continue; } sign_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN); if (!sign_buf) { ldns_rr_list_free(rrset_clone); ldns_rr_list_free(signatures); ldns_rdf_free(new_owner); return NULL; } b64rdf = NULL; current_key = ldns_key_list_key(keys, key_count); /* sign all RRs with keys that have ZSKbit, !SEPbit. sign DNSKEY RRs with keys that have ZSKbit&SEPbit */ if ( ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY && (!(ldns_key_flags(current_key) & LDNS_KEY_SEP_KEY) || ldns_rr_get_type(ldns_rr_list_rr(rrset, 0)) == LDNS_RR_TYPE_DNSKEY) ) { current_sig = ldns_create_empty_rrsig(rrset_clone, current_key); /* right now, we have: a key, a semi-sig and an rrset. For * which we can create the sig and base64 encode that and * add that to the signature */ if (ldns_rrsig2buffer_wire(sign_buf, current_sig) != LDNS_STATUS_OK) { ldns_buffer_free(sign_buf); /* ERROR */ ldns_rr_list_deep_free(rrset_clone); return NULL; } /* add the rrset in sign_buf */ if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) != LDNS_STATUS_OK) { ldns_buffer_free(sign_buf); ldns_rr_list_deep_free(rrset_clone); return NULL; } b64rdf = ldns_sign_public_buffer(sign_buf, current_key); if (!b64rdf) { /* signing went wrong */ ldns_rr_list_deep_free(rrset_clone); return NULL; } ldns_rr_rrsig_set_sig(current_sig, b64rdf); /* push the signature to the signatures list */ ldns_rr_list_push_rr(signatures, current_sig); } ldns_buffer_free(sign_buf); /* restart for the next key */ } ldns_rr_list_deep_free(rrset_clone); return signatures; }
ldns_status ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone , ldns_rr_list *new_rrs , ldns_key_list *key_list , int (*func)(ldns_rr *, void*) , void *arg , int flags ) { ldns_status result = LDNS_STATUS_OK; ldns_rbnode_t *cur_node; ldns_rr_list *rr_list; ldns_dnssec_name *cur_name; ldns_dnssec_rrsets *cur_rrset; ldns_dnssec_rrs *cur_rr; ldns_rr_list *siglist; size_t i; int on_delegation_point = 0; /* handle partially occluded names */ ldns_rr_list *pubkey_list = ldns_rr_list_new(); for (i = 0; i<ldns_key_list_key_count(key_list); i++) { ldns_rr_list_push_rr( pubkey_list , ldns_key2rr(ldns_key_list_key( key_list, i)) ); } /* TODO: callback to see is list should be signed */ /* TODO: remove 'old' signatures from signature list */ cur_node = ldns_rbtree_first(zone->names); while (cur_node != LDNS_RBTREE_NULL) { cur_name = (ldns_dnssec_name *) cur_node->data; if (!cur_name->is_glue) { on_delegation_point = ldns_dnssec_rrsets_contains_type( cur_name->rrsets, LDNS_RR_TYPE_NS) && !ldns_dnssec_rrsets_contains_type( cur_name->rrsets, LDNS_RR_TYPE_SOA); cur_rrset = cur_name->rrsets; while (cur_rrset) { /* reset keys to use */ ldns_key_list_set_use(key_list, true); /* walk through old sigs, remove the old, and mark which keys (not) to use) */ cur_rrset->signatures = ldns_dnssec_remove_signatures(cur_rrset->signatures, key_list, func, arg); if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) && cur_rrset->type == LDNS_RR_TYPE_DNSKEY) ldns_key_list_filter_for_dnskey(key_list); if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY) ldns_key_list_filter_for_non_dnskey(key_list); /* TODO: just set count to zero? */ rr_list = ldns_rr_list_new(); cur_rr = cur_rrset->rrs; while (cur_rr) { ldns_rr_list_push_rr(rr_list, cur_rr->rr); cur_rr = cur_rr->next; } /* only sign non-delegation RRsets */ /* (glue should have been marked earlier, * except on the delegation points itself) */ if (!on_delegation_point || ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_DS || ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_NSEC || ldns_rr_list_type(rr_list) == LDNS_RR_TYPE_NSEC3) { siglist = ldns_sign_public(rr_list, key_list); for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { if (cur_rrset->signatures) { result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures, ldns_rr_list_rr(siglist, i)); } else { cur_rrset->signatures = ldns_dnssec_rrs_new(); cur_rrset->signatures->rr = ldns_rr_list_rr(siglist, i); } if (new_rrs) { ldns_rr_list_push_rr(new_rrs, ldns_rr_list_rr(siglist, i)); } } ldns_rr_list_free(siglist); } ldns_rr_list_free(rr_list); cur_rrset = cur_rrset->next; } /* sign the nsec */ ldns_key_list_set_use(key_list, true); cur_name->nsec_signatures = ldns_dnssec_remove_signatures(cur_name->nsec_signatures, key_list, func, arg); ldns_key_list_filter_for_non_dnskey(key_list); rr_list = ldns_rr_list_new(); ldns_rr_list_push_rr(rr_list, cur_name->nsec); siglist = ldns_sign_public(rr_list, key_list); for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) { if (cur_name->nsec_signatures) { result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures, ldns_rr_list_rr(siglist, i)); } else { cur_name->nsec_signatures = ldns_dnssec_rrs_new(); cur_name->nsec_signatures->rr = ldns_rr_list_rr(siglist, i); } if (new_rrs) { ldns_rr_list_push_rr(new_rrs, ldns_rr_list_rr(siglist, i)); } } ldns_rr_list_free(siglist); ldns_rr_list_free(rr_list); } cur_node = ldns_rbtree_next(cur_node); } ldns_rr_list_deep_free(pubkey_list); return result; }