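 /* Copyright (C) 2018 CZ.NIC, z.s.p.o.

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see <https://www.gnu.org/licenses/>.
 */

/*!
 * \file
 *
 * \addtogroup key
 *
 * \brief DNSSEC public and private key manipulation.
 *
 * The dnssec_key_t is an abstraction for a DNSSEC key pair. If the key
 * is initialized with public key data only, it can be used only for
 * signature verification. In order to use the key for signing, the private
 * key has to be loaded. If only a private key is loaded into the structure,
 * the public key is automatically constructed.
 *
 * The module interface provides various functions to retrieve information
 * about the key, but the key is mostly used by other modules of the library.
 *
 * The following example shows construction of a key from DNSKEY RDATA:
 *
 * ~~~~~ {.c}
 *
 * dnssec_binary_t rdata = // ...;
 *
 * int result;
 * dnssec_key_t *key = NULL;
 *
 * // create new DNSSEC key
 * result = dnssec_key_new(&key);
 * if (result != DNSSEC_EOK) {
 *         return result;
 * }
 *
 * // load the DNSKEY RDATA; it usually arrives from the wire, so treat it
 * // as untrusted and never ignore the return value
 * result = dnssec_key_set_rdata(key, &rdata);
 * if (result != DNSSEC_EOK) {
 *         dnssec_key_free(key);
 *         return result;
 * }
 *
 * // print the key tag; it is a uint16_t, so it needs an integer
 * // conversion ("%s" here would be undefined behavior)
 * printf("key %u\n", (unsigned)dnssec_key_get_keytag(key));
 *
 * // check what we can do with the key
 * assert(dnssec_key_can_verify(key) == true);
 * assert(dnssec_key_can_sign(key) == false);
 *
 * // ...
 *
 * // cleanup
 * dnssec_key_free(key);
 *
 * ~~~~~
 *
 * @{
 */

#pragma once

#include <stdbool.h>
#include <stdint.h>

/* Provides dnssec_binary_t. NOTE(review): the include path was lost in the
 * rendered copy of this file and is restored from the library layout --
 * verify against the repository. */
#include <libdnssec/binary.h>

/*!
 * DNSKEY algorithm numbers.
 *
 * \note The SHA-1 based RSA algorithms (5 and 7) are kept so that existing
 *       data can still be validated; prefer the newer algorithms for new
 *       keys. Whether a given number is accepted by this build must be
 *       checked with \ref dnssec_algorithm_key_support, as weak algorithms
 *       may be disabled on purpose.
 *
 * \see https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
 */
typedef enum dnssec_key_algorithm {
	DNSSEC_KEY_ALGORITHM_INVALID = 0,
	DNSSEC_KEY_ALGORITHM_RSA_SHA1 = 5,
	DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3 = 7,
	DNSSEC_KEY_ALGORITHM_RSA_SHA256 = 8,
	DNSSEC_KEY_ALGORITHM_RSA_SHA512 = 10,
	DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256 = 13,
	DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384 = 14,
	DNSSEC_KEY_ALGORITHM_ED25519 = 15,
	DNSSEC_KEY_ALGORITHM_ED448 = 16,
} dnssec_key_algorithm_t;

struct dnssec_key;

/*!
 * DNSSEC key.
 *
 * The structure is opaque: only the forward declaration is public and
 * instances are created, inspected and destroyed through the functions
 * declared below.
 */
typedef struct dnssec_key dnssec_key_t;

/*!
 * Check whether a DNSKEY algorithm is supported.
 *
 * \note Less secure algorithms may go unsupported on purpose.
 */
bool dnssec_algorithm_key_support(dnssec_key_algorithm_t algo);

/*!
 * Allocate new DNSSEC key.
 *
 * The protocol field of the key is set to 3 (DNSSEC).
 * The flags field of the key is set to 256 (zone key, no SEP).
 *
 * The key must be released with \ref dnssec_key_free.
 *
 * \return Error code, DNSSEC_EOK if successful.
 */
int dnssec_key_new(dnssec_key_t **key);

/*!
 * Clear the DNSSEC key.
 *
 * Has the same effect as calling \ref dnssec_key_free and \ref dnssec_key_new.
 */
void dnssec_key_clear(dnssec_key_t *key);

/*!
 * Free the key allocated by \ref dnssec_key_new.
 */
void dnssec_key_free(dnssec_key_t *key);

/*!
 * Create a copy of a DNSSEC key.
 *
 * Only the public part of the key is copied, so the copy can verify but
 * cannot sign even if the original could.
 *
 * NOTE(review): the result on allocation failure is not documented here;
 * presumably NULL -- verify against the implementation before relying on it.
 */
dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key);

/*!
 * Get the key tag of the DNSSEC key.
 */
uint16_t dnssec_key_get_keytag(const dnssec_key_t *key);

/*!
 * Get the domain name of the DNSSEC key.
 */
const uint8_t *dnssec_key_get_dname(const dnssec_key_t *key);

/*!
 * Set the domain name of the DNSSEC key.
 */
int dnssec_key_set_dname(dnssec_key_t *key, const uint8_t *dname);

/*!
 * Get the flags field of the DNSSEC key.
 */
uint16_t dnssec_key_get_flags(const dnssec_key_t *key);

/*!
 * Set the flags field of the DNSSEC key.
 *
 * 256 is a zone key without the SEP bit (the default set by
 * \ref dnssec_key_new); the SEP bit has the value 1, so 257 is the usual
 * value for a KSK.
 */
int dnssec_key_set_flags(dnssec_key_t *key, uint16_t flags);

/*!
 * Get the protocol field of the DNSSEC key.
 */
uint8_t dnssec_key_get_protocol(const dnssec_key_t *key);

/*!
 * Set the protocol field of the DNSSEC key.
 */
int dnssec_key_set_protocol(dnssec_key_t *key, uint8_t protocol);

/*!
 * Get the algorithm field of the DNSSEC key.
 */
uint8_t dnssec_key_get_algorithm(const dnssec_key_t *key);

/*!
 * Set the algorithm field of the DNSSEC key.
 *
 * The function will fail if the algorithm is incompatible with the
 * loaded key. This means that the function can be used to set the initial
 * algorithm and, later on, only the hashing algorithm can be changed.
 */
int dnssec_key_set_algorithm(dnssec_key_t *key, uint8_t algorithm);

/*!
 * Get the public key field of the DNSSEC key.
 *
 * The returned content must not be modified by the caller. A reference
 * to an internally allocated structure is returned; treat it as borrowed
 * (presumably invalidated by later set_*, clear or free calls on the key).
 */
int dnssec_key_get_pubkey(const dnssec_key_t *key, dnssec_binary_t *pubkey);

/*!
 * Set the public key field of the DNSSEC key.
 *
 * A valid algorithm has to be set prior to calling this function.
 *
 * The function will fail if a key is already loaded in the structure.
 */
int dnssec_key_set_pubkey(dnssec_key_t *key, const dnssec_binary_t *pubkey);

/*!
 * Get the bit size of the cryptographic key used with the DNSSEC key.
 */
unsigned dnssec_key_get_size(const dnssec_key_t *key);

/*!
 * \brief Compute key ID from public key.
 *
 * \param key  Key structure holding the public key.
 * \param id   Output: key ID in hex.
 *
 * NOTE(review): the id string is handed back through a char ** and so is
 * presumably allocated for the caller -- confirm in the implementation who
 * is responsible for freeing it.
 *
 * \return DNSSEC_E*
 */
int dnssec_key_get_keyid(const dnssec_key_t *key, char **id);

/*!
 * Get the RDATA of the DNSSEC key.
 *
 * The returned content must not be modified by the caller. A reference
 * to an internally allocated structure is returned; treat it as borrowed
 * (presumably invalidated by later set_*, clear or free calls on the key).
 */
int dnssec_key_get_rdata(const dnssec_key_t *key, dnssec_binary_t *rdata);

/*!
 * Set the RDATA of the DNSSEC key.
 *
 * Calling this function has the same effect as setting the individual
 * fields of the key step-by-step. The same limitations apply.
 *
 * DNSKEY RDATA usually comes from the wire or from a zone file; always
 * check the return value rather than assuming the key was loaded.
 */
int dnssec_key_set_rdata(dnssec_key_t *key, const dnssec_binary_t *rdata);

/*!
 * Load PKCS #8 private key in the unencrypted PEM format.
 *
 * At least an algorithm must be set prior to calling this function.
 *
 * The function will create the public key, unless it was already set (using
 * \ref dnssec_key_set_pubkey or \ref dnssec_key_set_rdata). If the public key
 * was set, the function will refuse to load a non-matching private key.
 *
 * The PEM buffer holds the private key in the clear: keep it out of logs
 * and crash dumps and wipe it once the key is loaded. NOTE(review): this
 * header does not say whether the library scrubs its own copy of the
 * material -- check the implementation.
 */
int dnssec_key_load_pkcs8(dnssec_key_t *key, const dnssec_binary_t *pem);

/*!
 * Check if the key can be used for signing.
 */
bool dnssec_key_can_sign(const dnssec_key_t *key);

/*!
 * Check if the key can be used for verification.
 */
bool dnssec_key_can_verify(const dnssec_key_t *key);

/*!
 * Get private key size range for a DNSSEC algorithm.
 *
 * \param[in]  algorithm  DNSKEY algorithm.
 * \param[out] min        Minimal size of the private key (can be NULL).
 * \param[out] max        Maximal size of the private key (can be NULL).
 *
 * \return DNSSEC_EOK for valid parameters.
 */
int dnssec_algorithm_key_size_range(dnssec_key_algorithm_t algorithm,
				    unsigned *min, unsigned *max);

/*!
 * Check if the private key size matches DNSKEY constraints.
 *
 * \param algorithm  DNSKEY algorithm.
 * \param bits       Private key size.
 *
 * \return DNSKEY algorithm matches the key size constraints.
 */
bool dnssec_algorithm_key_size_check(dnssec_key_algorithm_t algorithm,
				     unsigned bits);

/*!
 * Get default key size for given algorithm.
 *
 * The default size is a balance between security and response lengths with
 * respect to use in DNS.
 */
int dnssec_algorithm_key_size_default(dnssec_key_algorithm_t algorithm);

/*!
 * DS algorithm numbers.
 *
 * \note SHA-1 (1) is kept so that existing delegations can still be
 *       validated; prefer SHA-256 or SHA-384 when generating new DS
 *       records, and check \ref dnssec_algorithm_digest_support for what
 *       this build accepts.
 *
 * \see https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml
 */
typedef enum dnssec_key_digest {
	DNSSEC_KEY_DIGEST_INVALID = 0,
	DNSSEC_KEY_DIGEST_SHA1 = 1,
	DNSSEC_KEY_DIGEST_SHA256 = 2,
	DNSSEC_KEY_DIGEST_SHA384 = 4,
} dnssec_key_digest_t;

/*!
 * Check whether a DS algorithm is supported.
 *
 * \note Less secure algorithms may go unsupported on purpose.
 */
bool dnssec_algorithm_digest_support(dnssec_key_digest_t algo);

/*!
 * Create DS (Delegation Signer) RDATA from DNSSEC key.
 *
 * \param[in]  key     DNSSEC key.
 * \param[in]  digest  Digest algorithm to be used.
 * \param[out] rdata   Allocated DS RDATA; owned by the caller afterwards.
 *
 * \return Error code, DNSSEC_EOK if successful.
 */
int dnssec_key_create_ds(const dnssec_key_t *key, dnssec_key_digest_t digest,
			 dnssec_binary_t *rdata);

/** @} */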