/*  Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
/*!
 * \file
 *
 * \addtogroup key
 *
 * \brief DNSSEC public and private key manipulation.
 *
 * The dnssec_key_t is an abstraction for a DNSSEC key pair. If the key
 * is initialized with public key data only, it can be used only for
 * signature verification. In order to use the key for signing, the private
 * key has to be loaded. If only a private key is loaded into the structure,
 * the public key is automatically constructed.
 *
 * The module interface provides various functions to retrieve information
 * about the key. But the key is mostly used by other modules of the library.
 *
 * The following example shows construction of a key from DNSKEY RDATA:
 *
 * ~~~~~ {.c}
 *
 * dnssec_binary_t rdata = // ...;
 *
 * int result;
 * dnssec_key_t *key = NULL;
 *
 * // create new DNSSEC key
 * result = dnssec_key_new(&key);
 * if (result != DNSSEC_EOK) {
 *     return result;
 * }
 *
 * // load the DNSKEY RDATA
 * result = dnssec_key_set_rdata(key, &rdata);
 * if (result != DNSSEC_EOK) {
 *     dnssec_key_free(key);
 *     return result;
 * }
 *
 * // print the key tag (a 16-bit value)
 * printf("key %u\n", (unsigned)dnssec_key_get_keytag(key));
 *
 * // check what the key can be used for
 * assert(dnssec_key_can_verify(key) == true);
 * assert(dnssec_key_can_sign(key) == false);
 *
 * // ...
 *
 * // cleanup
 * dnssec_key_free(key);
 *
 * ~~~~~
 *
 * @{
 */

#pragma once

#include <stdbool.h>
#include <stdint.h>

#include <libdnssec/binary.h>

/*!
 * DNSKEY algorithm numbers.
 *
 * The numeric values are the IANA-registered DNSKEY algorithm identifiers.
 * Listing an algorithm here does not imply it is enabled in this build;
 * query \ref dnssec_algorithm_key_support before relying on one, as weaker
 * algorithms may be intentionally unsupported.
 *
 * \see https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
 */
typedef enum dnssec_key_algorithm {
	DNSSEC_KEY_ALGORITHM_INVALID = 0,            /*!< Not a valid algorithm number. */
	DNSSEC_KEY_ALGORITHM_RSA_SHA1 = 5,           /*!< RSASHA1 (SHA-1 based). */
	DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3 = 7,     /*!< RSASHA1-NSEC3-SHA1 (SHA-1 based). */
	DNSSEC_KEY_ALGORITHM_RSA_SHA256 = 8,         /*!< RSASHA256. */
	DNSSEC_KEY_ALGORITHM_RSA_SHA512 = 10,        /*!< RSASHA512. */
	DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256 = 13, /*!< ECDSAP256SHA256. */
	DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384 = 14, /*!< ECDSAP384SHA384. */
	DNSSEC_KEY_ALGORITHM_ED25519 = 15,           /*!< ED25519. */
	DNSSEC_KEY_ALGORITHM_ED448 = 16,             /*!< ED448. */
} dnssec_key_algorithm_t;

struct dnssec_key;

/*!
 * DNSSEC key.
 */
typedef struct dnssec_key dnssec_key_t;

/*!
 * Check whether a DNSKEY algorithm is supported.
 *
 * \note Less secure algorithms may be deliberately unsupported.
 */
bool dnssec_algorithm_key_support(dnssec_key_algorithm_t algo);

/*!
 * Allocate new DNSSEC key.
 *
 * The protocol field of the key is set to 3 (DNSSEC).
 * The flags field of the key is set to 256 (zone key, no SEP).
 *
 * \return Error code, DNSSEC_EOK if successful.
 */
int dnssec_key_new(dnssec_key_t **key);

/*!
 * Clear the DNSSEC key.
 *
 * Has the same effect as calling \ref dnssec_key_free followed by
 * \ref dnssec_key_new.
 */
void dnssec_key_clear(dnssec_key_t *key);

/*!
 * Free the key allocated by \ref dnssec_key_new.
 */
void dnssec_key_free(dnssec_key_t *key);

/*!
 * Create a copy of a DNSSEC key.
 *
 * Only the public part of the key is copied.
 */
dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key);

/*!
 * Get the key tag of the DNSSEC key.
 */
uint16_t dnssec_key_get_keytag(const dnssec_key_t *key);

/*!
 * Get the domain name of the DNSSEC key.
 */
const uint8_t *dnssec_key_get_dname(const dnssec_key_t *key);

/*!
 * Set the domain name of the DNSSEC key.
 */
int dnssec_key_set_dname(dnssec_key_t *key, const uint8_t *dname);

/*!
 * Get the flags field of the DNSSEC key.
 */
uint16_t dnssec_key_get_flags(const dnssec_key_t *key);

/*!
 * Set the flags field of the DNSSEC key.
 */
int dnssec_key_set_flags(dnssec_key_t *key, uint16_t flags);

/*!
 * Get the protocol field of the DNSSEC key.
 */
uint8_t dnssec_key_get_protocol(const dnssec_key_t *key);

/*!
 * Set the protocol field of the DNSSEC key.
 */
int dnssec_key_set_protocol(dnssec_key_t *key, uint8_t protocol);

/*!
 * Get the algorithm field of the DNSSEC key.
 */
uint8_t dnssec_key_get_algorithm(const dnssec_key_t *key);

/*!
 * Set the algorithm field of the DNSSEC key.
 *
 * The function fails if the algorithm is incompatible with the already
 * loaded key. This means the function can be used to set the initial
 * algorithm, and later only the hash algorithm component can be changed.
 */
int dnssec_key_set_algorithm(dnssec_key_t *key, uint8_t algorithm);

/*!
 * Get the public key field of the DNSSEC key.
 *
 * The returned content must not be modified by the caller. A reference
 * to an internally allocated structure is returned.
 */
int dnssec_key_get_pubkey(const dnssec_key_t *key, dnssec_binary_t *pubkey);

/*!
 * Set the public key field of the DNSSEC key.
 *
 * A valid algorithm has to be set prior to calling this function.
 *
 * The function will fail if the key is already loaded in the structure.
 */
int dnssec_key_set_pubkey(dnssec_key_t *key, const dnssec_binary_t *pubkey);

/*!
 * Get the bit size of the cryptographic key used with the DNSSEC key.
 */
unsigned dnssec_key_get_size(const dnssec_key_t *key);

/*!
 * \brief Compute key ID from public key.
 *
 * \param key  Key structure holding the public key.
 * \param id   Output: key ID in hex.
 *
 * \return Error code, DNSSEC_EOK if successful.
 */
int dnssec_key_get_keyid(const dnssec_key_t *key, char **id);

/*!
 * Get the RDATA of the DNSSEC key.
 *
 * The returned content must not be modified by the caller. A reference
 * to an internally allocated structure is returned.
 */
int dnssec_key_get_rdata(const dnssec_key_t *key, dnssec_binary_t *rdata);

/*!
 * Set the RDATA of the DNSSEC key.
 *
 * Calling this function has the same effect as setting the individual
 * fields of the key step-by-step. The same limitations apply.
 */
int dnssec_key_set_rdata(dnssec_key_t *key, const dnssec_binary_t *rdata);

/*!
 * Load a PKCS #8 private key in unencrypted PEM format.
 *
 * At least an algorithm must be set prior to calling this function.
 *
 * The function constructs the public key unless it was already set (using
 * \ref dnssec_key_set_pubkey or \ref dnssec_key_set_rdata). If the public key
 * was set, the function refuses to load a non-matching private key.
 */
int dnssec_key_load_pkcs8(dnssec_key_t *key, const dnssec_binary_t *pem);

/*!
 * Check if the key can be used for signing.
 */
bool dnssec_key_can_sign(const dnssec_key_t *key);

/*!
 * Check if the key can be used for verification.
 */
bool dnssec_key_can_verify(const dnssec_key_t *key);

/*!
 * Get private key size range for a DNSSEC algorithm.
 *
 * \param[in]  algorithm  DNSKEY algorithm.
 * \param[out] min        Minimal size of the private key (can be NULL).
 * \param[out] max        Maximal size of the private key (can be NULL).
 *
 * \return DNSSEC_EOK for valid parameters.
 */
int dnssec_algorithm_key_size_range(dnssec_key_algorithm_t algorithm,
				    unsigned *min, unsigned *max);

/*!
 * Check if the private key size matches DNSKEY constraints.
 *
 * \param algorithm  DNSKEY algorithm.
 * \param bits       Private key size.
 *
 * \return true if the key size satisfies the DNSKEY algorithm constraints.
 */
bool dnssec_algorithm_key_size_check(dnssec_key_algorithm_t algorithm,
				     unsigned bits);

/*!
 * Get default key size for given algorithm.
 *
 * The default size is a balance between security and the length of DNS
 * responses.
 */
int dnssec_algorithm_key_size_default(dnssec_key_algorithm_t algorithm);

/*!
 * DS algorithm numbers.
 *
 * The numeric values are the IANA-registered DS digest type identifiers.
 * Query \ref dnssec_algorithm_digest_support before using one, as weaker
 * digests may be intentionally unsupported.
 *
 * \see https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml
 */
typedef enum dnssec_key_digest {
	DNSSEC_KEY_DIGEST_INVALID = 0, /*!< Not a valid digest type. */
	DNSSEC_KEY_DIGEST_SHA1 = 1,    /*!< SHA-1. */
	DNSSEC_KEY_DIGEST_SHA256 = 2,  /*!< SHA-256. */
	DNSSEC_KEY_DIGEST_SHA384 = 4,  /*!< SHA-384. */
} dnssec_key_digest_t;

/*!
 * Check whether a DS algorithm is supported.
 *
 * \note Less secure algorithms may be deliberately unsupported.
 */
bool dnssec_algorithm_digest_support(dnssec_key_digest_t algo);

/*!
 * Create DS (Delegation Signer) RDATA from a DNSSEC key.
 *
 * \param[in]  key     DNSSEC key.
 * \param[in]  digest  Digest algorithm to be used.
 * \param[out] rdata   Allocated DS RDATA.
 *
 * \return Error code, DNSSEC_EOK if successful.
 */
int dnssec_key_create_ds(const dnssec_key_t *key, dnssec_key_digest_t digest,
			 dnssec_binary_t *rdata);

/** @} */