2 * keys.c handle private keys for use in DNSSEC
4 * This module should hide some of the openSSL complexities
5 * and give a general interface for private keys and hmac
8 * (c) NLnet Labs, 2004-2006
10 * See the file LICENSE for the license
13 #include <ldns/config.h>
15 #include <ldns/ldns.h>
18 #include <openssl/ssl.h>
19 #include <openssl/engine.h>
20 #include <openssl/rand.h>
23 ldns_lookup_table ldns_signing_algorithms[] = {
24 { LDNS_SIGN_RSAMD5, "RSAMD5" },
25 { LDNS_SIGN_RSASHA1, "RSASHA1" },
26 { LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" },
28 { LDNS_SIGN_RSASHA256, "RSASHA256" },
29 { LDNS_SIGN_RSASHA512, "RSASHA512" },
32 { LDNS_SIGN_ECC_GOST, "ECC-GOST" },
35 { LDNS_SIGN_ECDSAP256SHA256, "ECDSAP256SHA256" },
36 { LDNS_SIGN_ECDSAP384SHA384, "ECDSAP384SHA384" },
39 { LDNS_SIGN_ED25519, "ED25519" },
42 { LDNS_SIGN_ED448, "ED448" },
45 { LDNS_SIGN_DSA, "DSA" },
46 { LDNS_SIGN_DSA_NSEC3, "DSA-NSEC3-SHA1" },
48 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" },
49 { LDNS_SIGN_HMACSHA1, "hmac-sha1" },
50 { LDNS_SIGN_HMACSHA256, "hmac-sha256" },
51 { LDNS_SIGN_HMACSHA224, "hmac-sha224" },
52 { LDNS_SIGN_HMACSHA384, "hmac-sha384" },
53 { LDNS_SIGN_HMACSHA512, "hmac-sha512" },
58 ldns_key_list_new(void)
60 ldns_key_list *key_list = LDNS_MALLOC(ldns_key_list);
64 key_list->_key_count = 0;
65 key_list->_keys = NULL;
75 newkey = LDNS_MALLOC(ldns_key);
79 /* some defaults - not sure wether to do this */
80 ldns_key_set_use(newkey, true);
81 ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY);
82 ldns_key_set_origttl(newkey, 0);
83 ldns_key_set_keytag(newkey, 0);
84 ldns_key_set_inception(newkey, 0);
85 ldns_key_set_expiration(newkey, 0);
86 ldns_key_set_pubkey_owner(newkey, NULL);
88 ldns_key_set_evp_key(newkey, NULL);
90 ldns_key_set_hmac_key(newkey, NULL);
91 ldns_key_set_external_key(newkey, NULL);
97 ldns_key_new_frm_fp(ldns_key **k, FILE *fp)
99 return ldns_key_new_frm_fp_l(k, fp, NULL);
104 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg)
109 if(!k) return LDNS_STATUS_MEM_ERR;
111 k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL);
114 return LDNS_STATUS_ERR;
116 ldns_key_set_algorithm(k, (ldns_signing_algorithm) alg);
119 return LDNS_STATUS_ENGINE_KEY_NOT_LOADED;
123 return LDNS_STATUS_OK;
128 /** store GOST engine reference loaded into OpenSSL library */
129 ENGINE* ldns_gost_engine = NULL;
132 ldns_key_EVP_load_gost_id(void)
134 static int gost_id = 0;
135 const EVP_PKEY_ASN1_METHOD* meth;
138 if(gost_id) return gost_id;
140 /* see if configuration loaded gost implementation from other engine*/
141 meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
143 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
147 /* see if engine can be loaded already */
148 e = ENGINE_by_id("gost");
150 /* load it ourself, in case statically linked */
151 ENGINE_load_builtin_engines();
152 ENGINE_load_dynamic();
153 e = ENGINE_by_id("gost");
156 /* no gost engine in openssl */
159 if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
165 meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
172 /* Note: do not ENGINE_finish and ENGINE_free the acquired engine
173 * on some platforms this frees up the meth and unloads gost stuff */
174 ldns_gost_engine = e;
176 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
180 void ldns_key_EVP_unload_gost(void)
182 if(ldns_gost_engine) {
183 ENGINE_finish(ldns_gost_engine);
184 ENGINE_free(ldns_gost_engine);
185 ldns_gost_engine = NULL;
189 /** read GOST private key */
191 ldns_key_new_frm_fp_gost_l(FILE* fp, int* line_nr)
194 const unsigned char* pp;
197 ldns_rdf* b64rdf = NULL;
199 gost_id = ldns_key_EVP_load_gost_id();
203 if (ldns_fget_keyword_data_l(fp, "GostAsn1", ": ", token, "\n",
204 sizeof(token), line_nr) == -1)
206 while(strlen(token) < 96) {
207 /* read more b64 from the file, b64 split on multiple lines */
208 if(ldns_fget_token_l(fp, token+strlen(token), "\n",
209 sizeof(token)-strlen(token), line_nr) == -1)
212 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
214 pp = (unsigned char*)ldns_rdf_data(b64rdf);
215 pkey = d2i_PrivateKey(gost_id, NULL, &pp, (int)ldns_rdf_size(b64rdf));
216 ldns_rdf_deep_free(b64rdf);
222 /** calculate public key from private key */
224 ldns_EC_KEY_calc_public(EC_KEY* ec)
227 const EC_GROUP* group;
228 group = EC_KEY_get0_group(ec);
229 pub_key = EC_POINT_new(group);
230 if(!pub_key) return 0;
231 if(!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) {
232 EC_POINT_free(pub_key);
235 if(!EC_POINT_mul(group, pub_key, EC_KEY_get0_private_key(ec),
237 EC_POINT_free(pub_key);
240 if(EC_KEY_set_public_key(ec, pub_key) == 0) {
241 EC_POINT_free(pub_key);
244 EC_POINT_free(pub_key);
248 /** read ECDSA private key */
250 ldns_key_new_frm_fp_ecdsa_l(FILE* fp, ldns_algorithm alg, int* line_nr)
253 ldns_rdf* b64rdf = NULL;
258 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n",
259 sizeof(token), line_nr) == -1)
261 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
263 pp = (unsigned char*)ldns_rdf_data(b64rdf);
265 if(alg == LDNS_ECDSAP256SHA256)
266 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
267 else if(alg == LDNS_ECDSAP384SHA384)
268 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
271 ldns_rdf_deep_free(b64rdf);
274 bn = BN_bin2bn(pp, (int)ldns_rdf_size(b64rdf), NULL);
275 ldns_rdf_deep_free(b64rdf);
280 EC_KEY_set_private_key(ec, bn);
282 if(!ldns_EC_KEY_calc_public(ec)) {
287 evp_key = EVP_PKEY_new();
292 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
293 EVP_PKEY_free(evp_key);
302 /** turn private key buffer into EC_KEY structure */
304 ldns_ed25519_priv_raw(uint8_t* pkey, int plen)
306 const unsigned char* pp;
309 uint8_t pre[] = {0x30, 0x32, 0x02, 0x01, 0x01, 0x04, 0x20};
311 uint8_t post[] = {0xa0, 0x0b, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04,
312 0x01, 0xda, 0x47, 0x0f, 0x01};
315 /* ASN looks like this for ED25519
316 * 30320201010420 <32byteskey>
317 * andparameters a00b06092b06010401da470f01
318 * (noparameters, preamble is 30250201010420).
319 * the key is reversed (little endian).
321 buflen = pre_len + plen + post_len;
322 if((size_t)buflen > sizeof(buf))
324 memmove(buf, pre, pre_len);
325 /* reverse the pkey into the buf */
326 for(i=0; i<plen; i++)
327 buf[pre_len+i] = pkey[plen-1-i];
328 memmove(buf+pre_len+plen, post, post_len);
330 return d2i_ECPrivateKey(NULL, &pp, buflen);
333 /** read ED25519 private key */
335 ldns_key_new_frm_fp_ed25519_l(FILE* fp, int* line_nr)
338 ldns_rdf* b64rdf = NULL;
341 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n",
342 sizeof(token), line_nr) == -1)
344 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
347 /* we use d2i_ECPrivateKey because it calculates the public key
348 * from the private part, which others, EC_KEY_set_private_key,
349 * and o2i methods, do not do */
350 /* for that the private key has to be encoded in ASN1 notation
351 * with a X25519 prefix on it */
353 ec = ldns_ed25519_priv_raw(ldns_rdf_data(b64rdf),
354 (int)ldns_rdf_size(b64rdf));
355 ldns_rdf_deep_free(b64rdf);
357 if(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)) != NID_X25519) {
358 /* wrong group, bad asn conversion */
363 evp_key = EVP_PKEY_new();
368 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
369 EVP_PKEY_free(evp_key);
378 /** turn private key buffer into EC_KEY structure */
380 ldns_ed448_priv_raw(uint8_t* pkey, int plen)
382 const unsigned char* pp;
385 uint8_t pre[] = {0x30, 0x4b, 0x02, 0x01, 0x01, 0x04, 0x39};
387 uint8_t post[] = {0xa0, 0x0b, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04,
388 0x01, 0xda, 0x47, 0x0f, 0x02};
391 /* ASN looks like this for ED25519
392 * And for ED448, the parameters are ...02 instead of ...01
393 * For ED25519 it was:
394 * 30320201010420 <32byteskey>
395 * andparameters a00b06092b06010401da470f01
396 * (noparameters, preamble is 30250201010420).
397 * the key is reversed (little endian).
399 * For ED448 the key is 57 bytes, and that changes lengths.
400 * 304b0201010439 <57bytekey> a00b06092b06010401da470f02
402 buflen = pre_len + plen + post_len;
403 if((size_t)buflen > sizeof(buf))
405 memmove(buf, pre, pre_len);
406 /* reverse the pkey into the buf */
407 for(i=0; i<plen; i++)
408 buf[pre_len+i] = pkey[plen-1-i];
409 memmove(buf+pre_len+plen, post, post_len);
411 return d2i_ECPrivateKey(NULL, &pp, buflen);
414 /** read ED448 private key */
416 ldns_key_new_frm_fp_ed448_l(FILE* fp, int* line_nr)
419 ldns_rdf* b64rdf = NULL;
422 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n",
423 sizeof(token), line_nr) == -1)
425 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
428 /* convert private key into ASN notation and then convert that */
429 ec = ldns_ed448_priv_raw(ldns_rdf_data(b64rdf),
430 (int)ldns_rdf_size(b64rdf));
431 ldns_rdf_deep_free(b64rdf);
433 if(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)) != NID_X448) {
434 /* wrong group, bad asn conversion */
439 evp_key = EVP_PKEY_new();
444 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
445 EVP_PKEY_free(evp_key);
454 ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
458 ldns_signing_algorithm alg;
467 #endif /* HAVE_SSL */
471 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
475 return LDNS_STATUS_MEM_ERR;
480 /* the file is highly structured. Do this in sequence */
482 * Private-key-format: v1.x.
486 /* get the key format version number */
487 if (ldns_fget_keyword_data_l(fp, "Private-key-format", ": ", d, "\n",
488 LDNS_MAX_LINELEN, line_nr) == -1) {
489 /* no version information */
492 return LDNS_STATUS_SYNTAX_ERR;
494 if (strncmp(d, "v1.", 3) != 0) {
497 return LDNS_STATUS_SYNTAX_VERSION_ERR;
500 /* get the algorithm type, our file function strip ( ) so there are
501 * not in the return string! */
502 if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n",
503 LDNS_MAX_LINELEN, line_nr) == -1) {
504 /* no alg information */
507 return LDNS_STATUS_SYNTAX_ALG_ERR;
510 if (strncmp(d, "1 RSA", 2) == 0) {
511 alg = LDNS_SIGN_RSAMD5;
513 if (strncmp(d, "2 DH", 2) == 0) {
514 alg = (ldns_signing_algorithm)LDNS_DH;
516 if (strncmp(d, "3 DSA", 2) == 0) {
521 fprintf(stderr, "Warning: DSA not compiled into this ");
522 fprintf(stderr, "version of ldns\n");
526 if (strncmp(d, "4 ECC", 2) == 0) {
527 alg = (ldns_signing_algorithm)LDNS_ECC;
529 if (strncmp(d, "5 RSASHA1", 2) == 0) {
530 alg = LDNS_SIGN_RSASHA1;
532 if (strncmp(d, "6 DSA", 2) == 0) {
534 alg = LDNS_SIGN_DSA_NSEC3;
537 fprintf(stderr, "Warning: DSA not compiled into this ");
538 fprintf(stderr, "version of ldns\n");
542 if (strncmp(d, "7 RSASHA1", 2) == 0) {
543 alg = LDNS_SIGN_RSASHA1_NSEC3;
546 if (strncmp(d, "8 RSASHA256", 2) == 0) {
548 alg = LDNS_SIGN_RSASHA256;
551 fprintf(stderr, "Warning: SHA256 not compiled into this ");
552 fprintf(stderr, "version of ldns\n");
556 if (strncmp(d, "10 RSASHA512", 3) == 0) {
558 alg = LDNS_SIGN_RSASHA512;
561 fprintf(stderr, "Warning: SHA512 not compiled into this ");
562 fprintf(stderr, "version of ldns\n");
566 if (strncmp(d, "12 ECC-GOST", 3) == 0) {
568 alg = LDNS_SIGN_ECC_GOST;
571 fprintf(stderr, "Warning: ECC-GOST not compiled into this ");
572 fprintf(stderr, "version of ldns, use --enable-gost\n");
576 if (strncmp(d, "13 ECDSAP256SHA256", 3) == 0) {
578 alg = LDNS_SIGN_ECDSAP256SHA256;
581 fprintf(stderr, "Warning: ECDSA not compiled into this ");
582 fprintf(stderr, "version of ldns, use --enable-ecdsa\n");
586 if (strncmp(d, "14 ECDSAP384SHA384", 3) == 0) {
588 alg = LDNS_SIGN_ECDSAP384SHA384;
591 fprintf(stderr, "Warning: ECDSA not compiled into this ");
592 fprintf(stderr, "version of ldns, use --enable-ecdsa\n");
596 if (strncmp(d, "15 ED25519", 3) == 0) {
598 alg = LDNS_SIGN_ED25519;
601 fprintf(stderr, "Warning: ED25519 not compiled into this ");
602 fprintf(stderr, "version of ldns, use --enable-ed25519\n");
606 if (strncmp(d, "16 ED448", 3) == 0) {
608 alg = LDNS_SIGN_ED448;
611 fprintf(stderr, "Warning: ED448 not compiled into this ");
612 fprintf(stderr, "version of ldns, use --enable-ed448\n");
616 if (strncmp(d, "157 HMAC-MD5", 4) == 0) {
617 alg = LDNS_SIGN_HMACMD5;
619 if (strncmp(d, "158 HMAC-SHA1", 4) == 0) {
620 alg = LDNS_SIGN_HMACSHA1;
622 if (strncmp(d, "159 HMAC-SHA256", 4) == 0) {
623 alg = LDNS_SIGN_HMACSHA256;
625 /* For compatibility with dnssec-keygen */
626 if (strncmp(d, "161 ", 4) == 0) {
627 alg = LDNS_SIGN_HMACSHA1;
629 if (strncmp(d, "162 HMAC-SHA224", 4) == 0) {
630 alg = LDNS_SIGN_HMACSHA224;
632 /* For compatibility with dnssec-keygen */
633 if (strncmp(d, "163 ", 4) == 0) {
634 alg = LDNS_SIGN_HMACSHA256;
636 if (strncmp(d, "164 HMAC-SHA384", 4) == 0) {
637 alg = LDNS_SIGN_HMACSHA384;
639 if (strncmp(d, "165 HMAC-SHA512", 4) == 0) {
640 alg = LDNS_SIGN_HMACSHA512;
645 case LDNS_SIGN_RSAMD5:
646 case LDNS_SIGN_RSASHA1:
647 case LDNS_SIGN_RSASHA1_NSEC3:
649 case LDNS_SIGN_RSASHA256:
650 case LDNS_SIGN_RSASHA512:
652 ldns_key_set_algorithm(k, alg);
654 rsa = ldns_key_new_frm_fp_rsa_l(fp, line_nr);
657 return LDNS_STATUS_ERR;
659 ldns_key_assign_rsa_key(k, rsa);
660 #endif /* HAVE_SSL */
664 case LDNS_SIGN_DSA_NSEC3:
665 ldns_key_set_algorithm(k, alg);
667 dsa = ldns_key_new_frm_fp_dsa_l(fp, line_nr);
670 return LDNS_STATUS_ERR;
672 ldns_key_assign_dsa_key(k, dsa);
673 #endif /* HAVE_SSL */
676 case LDNS_SIGN_HMACMD5:
677 case LDNS_SIGN_HMACSHA1:
678 case LDNS_SIGN_HMACSHA224:
679 case LDNS_SIGN_HMACSHA256:
680 case LDNS_SIGN_HMACSHA384:
681 case LDNS_SIGN_HMACSHA512:
682 ldns_key_set_algorithm(k, alg);
684 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size);
687 return LDNS_STATUS_ERR;
689 ldns_key_set_hmac_size(k, hmac_size);
690 ldns_key_set_hmac_key(k, hmac);
691 #endif /* HAVE_SSL */
693 case LDNS_SIGN_ECC_GOST:
694 ldns_key_set_algorithm(k, alg);
695 #if defined(HAVE_SSL) && defined(USE_GOST)
696 if(!ldns_key_EVP_load_gost_id()) {
698 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL;
700 ldns_key_set_evp_key(k,
701 ldns_key_new_frm_fp_gost_l(fp, line_nr));
705 return LDNS_STATUS_ERR;
711 case LDNS_SIGN_ECDSAP256SHA256:
712 case LDNS_SIGN_ECDSAP384SHA384:
713 ldns_key_set_algorithm(k, alg);
714 ldns_key_set_evp_key(k,
715 ldns_key_new_frm_fp_ecdsa_l(fp, (ldns_algorithm)alg, line_nr));
719 return LDNS_STATUS_ERR;
725 case LDNS_SIGN_ED25519:
726 ldns_key_set_algorithm(k, alg);
727 ldns_key_set_evp_key(k,
728 ldns_key_new_frm_fp_ed25519_l(fp, line_nr));
732 return LDNS_STATUS_ERR;
738 case LDNS_SIGN_ED448:
739 ldns_key_set_algorithm(k, alg);
740 ldns_key_set_evp_key(k,
741 ldns_key_new_frm_fp_ed448_l(fp, line_nr));
745 return LDNS_STATUS_ERR;
752 return LDNS_STATUS_SYNTAX_ALG_ERR;
754 key_rr = ldns_key2rr(k);
755 ldns_key_set_keytag(k, ldns_calc_keytag(key_rr));
756 ldns_rr_free(key_rr);
760 return LDNS_STATUS_OK;
763 return LDNS_STATUS_ERR;
768 ldns_key_new_frm_fp_rsa(FILE *f)
770 return ldns_key_new_frm_fp_rsa_l(f, NULL);
774 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
790 * BIGNUM *n; // public modulus
791 * BIGNUM *e; // public exponent
792 * BIGNUM *d; // private exponent
793 * BIGNUM *p; // secret prime factor
794 * BIGNUM *q; // secret prime factor
795 * BIGNUM *dmp1; // d mod (p-1)
796 * BIGNUM *dmq1; // d mod (q-1)
797 * BIGNUM *iqmp; // q^-1 mod p
805 BIGNUM *n=NULL, *e=NULL, *d=NULL, *p=NULL, *q=NULL,
806 *dmp1=NULL, *dmq1=NULL, *iqmp=NULL;
808 b = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
809 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
811 if (!b || !rsa || !buf) {
815 /* I could use functions again, but that seems an overkill,
816 * allthough this also looks tedious
819 /* Modules, rsa->n */
820 if (ldns_fget_keyword_data_l(f, "Modulus", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
823 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
825 n = BN_bin2bn((const char unsigned*)buf, i, NULL);
830 /* PublicExponent, rsa->e */
831 if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
834 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
835 e = BN_bin2bn((const char unsigned*)buf, i, NULL);
840 /* PrivateExponent, rsa->d */
841 if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
844 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
845 d = BN_bin2bn((const char unsigned*)buf, i, NULL);
851 if (ldns_fget_keyword_data_l(f, "Prime1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
854 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
855 p = BN_bin2bn((const char unsigned*)buf, i, NULL);
861 if (ldns_fget_keyword_data_l(f, "Prime2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
864 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
865 q = BN_bin2bn((const char unsigned*)buf, i, NULL);
870 /* Exponent1, rsa->dmp1 */
871 if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
874 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
875 dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
880 /* Exponent2, rsa->dmq1 */
881 if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
884 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
885 dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
890 /* Coefficient, rsa->iqmp */
891 if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
894 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b)));
895 iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL);
901 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
913 if(!RSA_set0_key(rsa, n, e, d))
918 if(!RSA_set0_factors(rsa, p, q))
922 if(!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp))
946 ldns_key_new_frm_fp_dsa(FILE *f)
948 return ldns_key_new_frm_fp_dsa_l(f, NULL);
952 ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr))
958 BIGNUM *p=NULL, *q=NULL, *g=NULL, *priv_key=NULL, *pub_key=NULL;
960 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
961 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
963 if (!d || !dsa || !buf) {
967 /* the line parser removes the () from the input... */
970 if (ldns_fget_keyword_data_l(f, "Primep", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
973 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
975 p = BN_bin2bn((const char unsigned*)buf, i, NULL);
980 /* Subprime, dsa->q */
981 if (ldns_fget_keyword_data_l(f, "Subprimeq", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
984 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
985 q = BN_bin2bn((const char unsigned*)buf, i, NULL);
991 if (ldns_fget_keyword_data_l(f, "Baseg", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
994 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
995 g = BN_bin2bn((const char unsigned*)buf, i, NULL);
1000 /* Private key, dsa->priv_key */
1001 if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
1004 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
1005 priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
1010 /* Public key, dsa->priv_key */
1011 if (ldns_fget_keyword_data_l(f, "Public_valuey", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
1014 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
1015 pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
1021 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
1026 dsa->priv_key = priv_key;
1027 dsa->pub_key = pub_key;
1030 if(!DSA_set0_pqg(dsa, p, q, g))
1035 if(!DSA_set0_key(dsa, pub_key, priv_key))
1057 ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size)
1059 return ldns_key_new_frm_fp_hmac_l(f, NULL, hmac_size);
1063 ldns_key_new_frm_fp_hmac_l( FILE *f
1064 , ATTR_UNUSED(int *line_nr)
1069 char d[LDNS_MAX_LINELEN];
1070 unsigned char *buf = NULL;
1072 if (ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
1075 bufsz = ldns_b64_ntop_calculate_size(strlen(d));
1076 buf = LDNS_XMALLOC(unsigned char, bufsz);
1077 i = (size_t) ldns_b64_pton((const char*)d, buf, bufsz);
1087 #endif /* HAVE_SSL */
1091 ldns_gen_gost_key(void)
1095 int gost_id = ldns_key_EVP_load_gost_id();
1098 ctx = EVP_PKEY_CTX_new_id(gost_id, NULL);
1100 /* the id should be available now */
1103 if(EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) {
1104 /* cannot set paramset */
1105 EVP_PKEY_CTX_free(ctx);
1109 if(EVP_PKEY_keygen_init(ctx) <= 0) {
1110 EVP_PKEY_CTX_free(ctx);
1113 if(EVP_PKEY_keygen(ctx, &p) <= 0) {
1115 EVP_PKEY_CTX_free(ctx);
1118 EVP_PKEY_CTX_free(ctx);
1124 ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
1130 #endif /* USE_DSA */
1134 # ifdef HAVE_EVP_PKEY_KEYGEN
1141 uint16_t offset = 0;
1143 unsigned char *hmac;
1150 case LDNS_SIGN_RSAMD5:
1151 case LDNS_SIGN_RSASHA1:
1152 case LDNS_SIGN_RSASHA1_NSEC3:
1153 case LDNS_SIGN_RSASHA256:
1154 case LDNS_SIGN_RSASHA512:
1156 #ifdef HAVE_EVP_PKEY_KEYGEN
1157 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
1162 if(EVP_PKEY_keygen_init(ctx) <= 0) {
1164 EVP_PKEY_CTX_free(ctx);
1167 if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, size) <= 0) {
1169 EVP_PKEY_CTX_free(ctx);
1173 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) {
1175 EVP_PKEY_CTX_free(ctx);
1179 EVP_PKEY_CTX_free(ctx);
1180 #else /* HAVE_EVP_PKEY_KEYGEN */
1181 r = RSA_generate_key((int)size, RSA_F4, NULL, NULL);
1186 if (RSA_check_key(r) != 1) {
1190 ldns_key_set_rsa_key(k, r);
1192 #endif /* HAVE_EVP_PKEY_KEYGEN */
1193 #endif /* HAVE_SSL */
1196 case LDNS_SIGN_DSA_NSEC3:
1199 # if OPENSSL_VERSION_NUMBER < 0x00908000L
1200 d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL);
1207 if (! (d = DSA_new())) {
1211 if (! DSA_generate_parameters_ex(d, (int)size, NULL, 0, NULL, NULL, NULL)) {
1217 if (DSA_generate_key(d) != 1) {
1221 ldns_key_set_dsa_key(k, d);
1223 #endif /* HAVE_SSL */
1224 #endif /* USE_DSA */
1226 case LDNS_SIGN_HMACMD5:
1227 case LDNS_SIGN_HMACSHA1:
1228 case LDNS_SIGN_HMACSHA224:
1229 case LDNS_SIGN_HMACSHA256:
1230 case LDNS_SIGN_HMACSHA384:
1231 case LDNS_SIGN_HMACSHA512:
1236 #endif /* HAVE_SSL */
1238 ldns_key_set_hmac_size(k, size);
1240 hmac = LDNS_XMALLOC(unsigned char, size);
1246 if (RAND_bytes(hmac, (int) size) != 1) {
1252 while (offset + sizeof(i) < size) {
1254 memcpy(&hmac[offset], &i, sizeof(i));
1255 offset += sizeof(i);
1257 if (offset < size) {
1259 memcpy(&hmac[offset], &i, size - offset);
1261 #endif /* HAVE_SSL */
1262 ldns_key_set_hmac_key(k, hmac);
1264 ldns_key_set_flags(k, 0);
1266 case LDNS_SIGN_ECC_GOST:
1267 #if defined(HAVE_SSL) && defined(USE_GOST)
1268 ldns_key_set_evp_key(k, ldns_gen_gost_key());
1278 #endif /* HAVE_SSL and USE_GOST */
1280 case LDNS_SIGN_ECDSAP256SHA256:
1281 case LDNS_SIGN_ECDSAP384SHA384:
1283 if(alg == LDNS_SIGN_ECDSAP256SHA256)
1284 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1285 else if(alg == LDNS_SIGN_ECDSAP384SHA384)
1286 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
1291 if(!EC_KEY_generate_key(ec)) {
1297 k->_key.key = EVP_PKEY_new();
1303 if (!EVP_PKEY_assign_EC_KEY(k->_key.key, ec)) {
1315 case LDNS_SIGN_ED25519:
1316 #ifdef HAVE_EVP_PKEY_KEYGEN
1317 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1322 if(EVP_PKEY_keygen_init(ctx) <= 0) {
1324 EVP_PKEY_CTX_free(ctx);
1327 if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx,
1330 EVP_PKEY_CTX_free(ctx);
1333 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) {
1335 EVP_PKEY_CTX_free(ctx);
1338 EVP_PKEY_CTX_free(ctx);
1341 #endif /* ED25519 */
1343 case LDNS_SIGN_ED448:
1344 #ifdef HAVE_EVP_PKEY_KEYGEN
1345 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1350 if(EVP_PKEY_keygen_init(ctx) <= 0) {
1352 EVP_PKEY_CTX_free(ctx);
1355 if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx,
1358 EVP_PKEY_CTX_free(ctx);
1361 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) {
1363 EVP_PKEY_CTX_free(ctx);
1366 EVP_PKEY_CTX_free(ctx);
1371 ldns_key_set_algorithm(k, alg);
1376 ldns_key_print(FILE *output, const ldns_key *k)
1378 char *str = ldns_key2str(k);
1380 fprintf(output, "%s", str);
1382 fprintf(output, "Unable to convert private key to string\n");
1389 ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l)
1395 ldns_key_set_flags(ldns_key *k, uint16_t f)
1397 k->_extra.dnssec.flags = f;
1403 ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e)
1409 ldns_key_set_rsa_key(ldns_key *k, RSA *r)
1411 EVP_PKEY *key = EVP_PKEY_new();
1412 EVP_PKEY_set1_RSA(key, r);
1417 ldns_key_set_dsa_key(ldns_key *k, DSA *d)
1420 EVP_PKEY *key = EVP_PKEY_new();
1421 EVP_PKEY_set1_DSA(key, d);
1429 ldns_key_assign_rsa_key(ldns_key *k, RSA *r)
1431 EVP_PKEY *key = EVP_PKEY_new();
1432 EVP_PKEY_assign_RSA(key, r);
1437 ldns_key_assign_dsa_key(ldns_key *k, DSA *d)
1440 EVP_PKEY *key = EVP_PKEY_new();
1441 EVP_PKEY_assign_DSA(key, d);
1448 #endif /* HAVE_SSL */
1451 ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac)
1453 k->_key.hmac.key = hmac;
1457 ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size)
1459 k->_key.hmac.size = hmac_size;
1463 ldns_key_set_external_key(ldns_key *k, void *external_key)
1465 k->_key.external_key = external_key;
1469 ldns_key_set_origttl(ldns_key *k, uint32_t t)
1471 k->_extra.dnssec.orig_ttl = t;
1475 ldns_key_set_inception(ldns_key *k, uint32_t i)
1477 k->_extra.dnssec.inception = i;
1481 ldns_key_set_expiration(ldns_key *k, uint32_t e)
1483 k->_extra.dnssec.expiration = e;
1487 ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r)
1489 k->_pubkey_owner = r;
1493 ldns_key_set_keytag(ldns_key *k, uint16_t tag)
1495 k->_extra.dnssec.keytag = tag;
1500 ldns_key_list_key_count(const ldns_key_list *key_list)
1502 return key_list->_key_count;
1506 ldns_key_list_key(const ldns_key_list *key, size_t nr)
1508 if (nr < ldns_key_list_key_count(key)) {
1509 return key->_keys[nr];
1515 ldns_signing_algorithm
1516 ldns_key_algorithm(const ldns_key *k)
1522 ldns_key_set_use(ldns_key *k, bool v)
1530 ldns_key_use(const ldns_key *k)
1541 ldns_key_evp_key(const ldns_key *k)
1547 ldns_key_rsa_key(const ldns_key *k)
1550 return EVP_PKEY_get1_RSA(k->_key.key);
1557 ldns_key_dsa_key(const ldns_key *k)
1561 return EVP_PKEY_get1_DSA(k->_key.key);
1571 #endif /* HAVE_SSL */
1574 ldns_key_hmac_key(const ldns_key *k)
1576 if (k->_key.hmac.key) {
1577 return k->_key.hmac.key;
1584 ldns_key_hmac_size(const ldns_key *k)
1586 if (k->_key.hmac.size) {
1587 return k->_key.hmac.size;
1594 ldns_key_external_key(const ldns_key *k)
1596 return k->_key.external_key;
1600 ldns_key_origttl(const ldns_key *k)
1602 return k->_extra.dnssec.orig_ttl;
1606 ldns_key_flags(const ldns_key *k)
1608 return k->_extra.dnssec.flags;
1612 ldns_key_inception(const ldns_key *k)
1614 return k->_extra.dnssec.inception;
1618 ldns_key_expiration(const ldns_key *k)
1620 return k->_extra.dnssec.expiration;
1624 ldns_key_keytag(const ldns_key *k)
1626 return k->_extra.dnssec.keytag;
1630 ldns_key_pubkey_owner(const ldns_key *k)
1632 return k->_pubkey_owner;
1637 ldns_key_list_set_use(ldns_key_list *keys, bool v)
1641 for (i = 0; i < ldns_key_list_key_count(keys); i++) {
1642 ldns_key_set_use(ldns_key_list_key(keys, i), v);
1647 ldns_key_list_set_key_count(ldns_key_list *key, size_t count)
1649 key->_key_count = count;
1653 ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key)
1658 key_count = ldns_key_list_key_count(key_list);
1660 /* grow the array */
1661 keys = LDNS_XREALLOC(
1662 key_list->_keys, ldns_key *, key_count + 1);
1667 /* add the new member */
1668 key_list->_keys = keys;
1669 key_list->_keys[key_count] = key;
1671 ldns_key_list_set_key_count(key_list, key_count + 1);
1676 ldns_key_list_pop_key(ldns_key_list *key_list)
1686 key_count = ldns_key_list_key_count(key_list);
1687 if (key_count == 0) {
1691 pop = ldns_key_list_key(key_list, key_count);
1693 /* shrink the array */
1694 a = LDNS_XREALLOC(key_list->_keys, ldns_key *, key_count - 1);
1696 key_list->_keys = a;
1699 ldns_key_list_set_key_count(key_list, key_count - 1);
1706 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */
1708 ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size)
1711 const BIGNUM *n=NULL, *e=NULL;
1716 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
1720 RSA_get0_key(k, &n, &e, NULL);
1723 if (BN_num_bytes(e) <= 256) {
1724 /* normally only this path is executed (small factors are
1727 data[0] = (unsigned char) BN_num_bytes(e);
1728 i = BN_bn2bin(e, data + 1);
1729 j = BN_bn2bin(n, data + i + 1);
1730 *size = (uint16_t) i + j;
1731 } else if (BN_num_bytes(e) <= 65536) {
1733 /* BN_bn2bin does bigendian, _uint16 also */
1734 ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(e));
1736 BN_bn2bin(e, data + 3);
1737 BN_bn2bin(n, data + 4 + BN_num_bytes(e));
1738 *size = (uint16_t) BN_num_bytes(n) + 6;
1746 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */
1748 ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size)
1751 const BIGNUM *p, *q, *g;
1752 const BIGNUM *pub_key, *priv_key;
1759 # ifdef HAVE_DSA_GET0_PQG
1760 DSA_get0_pqg(k, &p, &q, &g);
1762 p = k->p; q = k->q; g = k->g;
1764 # ifdef HAVE_DSA_GET0_KEY
1765 DSA_get0_key(k, &pub_key, &priv_key);
1767 pub_key = k->pub_key; priv_key = k->priv_key;
1770 *size = (uint16_t)BN_num_bytes(p);
1771 T = (*size - 64) / 8;
1775 fprintf(stderr, "DSA key with T > 8 (ie. > 1024 bits)");
1776 fprintf(stderr, " not implemented\n");
1781 /* size = 64 + (T * 8); */
1782 memset(data, 0, 21 + *size * 3);
1783 data[0] = (unsigned char)T;
1784 BN_bn2bin(q, data + 1 ); /* 20 octects */
1785 BN_bn2bin(p, data + 21 ); /* offset octects */
1786 BN_bn2bin(g, data + 21 + *size * 2 - BN_num_bytes(g));
1787 BN_bn2bin(pub_key,data + 21 + *size * 3 - BN_num_bytes(pub_key));
1788 *size = 21 + *size * 3;
1791 #endif /* USE_DSA */
1795 ldns_key_gost2bin(unsigned char* data, EVP_PKEY* k, uint16_t* size)
1798 unsigned char* pp = NULL;
1799 if(i2d_PUBKEY(k, &pp) != 37 + 64) {
1800 /* expect 37 byte(ASN header) and 64 byte(X and Y) */
1804 /* omit ASN header */
1811 #endif /* USE_GOST */
1813 #endif /* HAVE_SSL */
1816 ldns_key2rr(const ldns_key *k)
1818 /* this function will convert a the keydata contained in
1819 * rsa/dsa pointers to a DNSKEY rr. It will fill in as
1820 * much as it can, but it does not know about key-flags
1825 unsigned char *bin = NULL;
1831 #endif /* USE_DSA */
1832 #endif /* HAVE_SSL */
1836 int internal_data = 0;
1841 pubkey = ldns_rr_new();
1843 switch (ldns_key_algorithm(k)) {
1844 case LDNS_SIGN_HMACMD5:
1845 case LDNS_SIGN_HMACSHA1:
1846 case LDNS_SIGN_HMACSHA224:
1847 case LDNS_SIGN_HMACSHA256:
1848 case LDNS_SIGN_HMACSHA384:
1849 case LDNS_SIGN_HMACSHA512:
1850 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY);
1853 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_DNSKEY);
1856 /* zero-th rdf - flags */
1857 ldns_rr_push_rdf(pubkey,
1858 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
1859 ldns_key_flags(k)));
1861 ldns_rr_push_rdf(pubkey,
1862 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO));
1864 if (ldns_key_pubkey_owner(k)) {
1865 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k)));
1868 /* third - da algorithm */
1869 switch(ldns_key_algorithm(k)) {
1870 case LDNS_SIGN_RSAMD5:
1871 case LDNS_SIGN_RSASHA1:
1872 case LDNS_SIGN_RSASHA1_NSEC3:
1873 case LDNS_SIGN_RSASHA256:
1874 case LDNS_SIGN_RSASHA512:
1875 ldns_rr_push_rdf(pubkey,
1876 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1878 rsa = ldns_key_rsa_key(k);
1880 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1882 ldns_rr_free(pubkey);
1885 if (!ldns_key_rsa2bin(bin, rsa, &size)) {
1887 ldns_rr_free(pubkey);
1897 ldns_rr_push_rdf(pubkey,
1898 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA));
1901 dsa = ldns_key_dsa_key(k);
1903 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1905 ldns_rr_free(pubkey);
1908 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1910 ldns_rr_free(pubkey);
1916 #endif /* HAVE_SSL */
1917 #endif /* USE_DSA */
1919 case LDNS_SIGN_DSA_NSEC3:
1920 ldns_rr_push_rdf(pubkey,
1921 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3));
1924 dsa = ldns_key_dsa_key(k);
1926 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1928 ldns_rr_free(pubkey);
1931 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1933 ldns_rr_free(pubkey);
1939 #endif /* HAVE_SSL */
1940 #endif /* USE_DSA */
1942 case LDNS_SIGN_ECC_GOST:
1943 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
1944 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1945 #if defined(HAVE_SSL) && defined(USE_GOST)
1946 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1948 ldns_rr_free(pubkey);
1952 if (!ldns_key_gost2bin(bin, k->_key.key, &size)) {
1954 ldns_rr_free(pubkey);
1960 ldns_rr_free(pubkey);
1962 #endif /* HAVE_SSL and USE_GOST */
1964 case LDNS_SIGN_ECDSAP256SHA256:
1965 case LDNS_SIGN_ECDSAP384SHA384:
1967 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
1968 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1971 ec = EVP_PKEY_get1_EC_KEY(k->_key.key);
1973 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED);
1974 size = (uint16_t)i2o_ECPublicKey(ec, NULL);
1975 if(!i2o_ECPublicKey(ec, &bin)) {
1977 ldns_rr_free(pubkey);
1981 /* move back one byte to shave off the 0x02
1982 * 'uncompressed' indicator that openssl made
1983 * Actually its 0x04 (from implementation).
1985 assert(bin[0] == POINT_CONVERSION_UNCOMPRESSED);
1987 memmove(bin, bin+1, size);
1989 /* down the reference count for ec, its still assigned
1994 ldns_rr_free(pubkey);
1999 case LDNS_SIGN_ED25519:
2000 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
2001 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
2003 ec = EVP_PKEY_get1_EC_KEY(k->_key.key);
2004 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED);
2005 size = (uint16_t)i2o_ECPublicKey(ec, NULL);
2006 if(!i2o_ECPublicKey(ec, &bin)) {
2008 ldns_rr_free(pubkey);
2011 /* down the reference count for ec, its still assigned
2018 case LDNS_SIGN_ED448:
2019 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
2020 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
2022 ec = EVP_PKEY_get1_EC_KEY(k->_key.key);
2023 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED);
2024 size = (uint16_t)i2o_ECPublicKey(ec, NULL);
2025 if(!i2o_ECPublicKey(ec, &bin)) {
2027 ldns_rr_free(pubkey);
2030 /* down the reference count for ec, its still assigned
2036 case LDNS_SIGN_HMACMD5:
2037 case LDNS_SIGN_HMACSHA1:
2038 case LDNS_SIGN_HMACSHA224:
2039 case LDNS_SIGN_HMACSHA256:
2040 case LDNS_SIGN_HMACSHA384:
2041 case LDNS_SIGN_HMACSHA512:
2042 bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k));
2044 ldns_rr_free(pubkey);
2047 ldns_rr_push_rdf(pubkey,
2048 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
2049 ldns_key_algorithm(k)));
2050 size = ldns_key_hmac_size(k);
2051 memcpy(bin, ldns_key_hmac_key(k), size);
2055 /* fourth the key bin material */
2056 if (internal_data) {
2057 keybin = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, size, bin);
2059 ldns_rr_push_rdf(pubkey, keybin);
2065 ldns_key_free(ldns_key *key)
2071 ldns_key_deep_free(ldns_key *key)
2073 unsigned char* hmac;
2074 if (ldns_key_pubkey_owner(key)) {
2075 ldns_rdf_deep_free(ldns_key_pubkey_owner(key));
2078 if (ldns_key_evp_key(key)) {
2079 EVP_PKEY_free(ldns_key_evp_key(key));
2081 #endif /* HAVE_SSL */
2082 if (ldns_key_hmac_key(key)) {
2083 hmac = ldns_key_hmac_key(key);
2090 ldns_key_list_free(ldns_key_list *key_list)
2093 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
2094 ldns_key_deep_free(ldns_key_list_key(key_list, i));
2096 LDNS_FREE(key_list->_keys);
2097 LDNS_FREE(key_list);
2101 ldns_read_anchor_file(const char *filename)
2104 /*char line[LDNS_MAX_PACKETLEN];*/
2105 char *line = LDNS_XMALLOC(char, LDNS_MAX_PACKETLEN);
2114 fp = fopen(filename, "r");
2117 fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
2123 while ((c = fgetc(fp)) && i+1 < LDNS_MAX_PACKETLEN && c != EOF) {
2133 fprintf(stderr, "nothing read from %s", filename);
2138 status = ldns_rr_new_frm_str(&r, line, 0, NULL, NULL);
2139 if (status == LDNS_STATUS_OK && (ldns_rr_get_type(r) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(r) == LDNS_RR_TYPE_DS)) {
2144 fprintf(stderr, "Error creating DNSKEY or DS rr from %s: %s\n", filename, ldns_get_errorstr_by_id(status));
2153 ldns_key_get_file_base_name(const ldns_key *key)
2155 ldns_buffer *buffer;
2156 char *file_base_name;
2158 buffer = ldns_buffer_new(255);
2159 ldns_buffer_printf(buffer, "K");
2160 (void)ldns_rdf2buffer_str_dname(buffer, ldns_key_pubkey_owner(key));
2161 ldns_buffer_printf(buffer,
2163 ldns_key_algorithm(key),
2164 ldns_key_keytag(key));
2165 file_base_name = ldns_buffer_export(buffer);
2166 ldns_buffer_free(buffer);
2167 return file_base_name;
2170 int ldns_key_algo_supported(int algo)
2172 ldns_lookup_table *lt = ldns_signing_algorithms;
2181 ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name)
2183 /* list of (signing algorithm id, alias_name) */
2184 ldns_lookup_table aliases[] = {
2185 /* from bind dnssec-keygen */
2186 {LDNS_SIGN_HMACMD5, "HMAC-MD5"},
2187 {LDNS_SIGN_DSA_NSEC3, "NSEC3DSA"},
2188 {LDNS_SIGN_RSASHA1_NSEC3, "NSEC3RSASHA1"},
2189 /* old ldns usage, now RFC names */
2191 {LDNS_SIGN_DSA_NSEC3, "DSA_NSEC3" },
2193 {LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1_NSEC3" },
2195 {LDNS_SIGN_ECC_GOST, "GOST"},
2197 /* compat with possible output */
2200 {LDNS_INDIRECT, "INDIRECT"},
2201 {LDNS_PRIVATEDNS, "PRIVATEDNS"},
2202 {LDNS_PRIVATEOID, "PRIVATEOID"},
2204 ldns_lookup_table* lt = ldns_signing_algorithms;
2205 ldns_signing_algorithm a;
2209 if(strcasecmp(lt->name, name) == 0)
2215 if(strcasecmp(lt->name, name) == 0)
2219 a = strtol(name, &endptr, 10);
2220 if (*name && !*endptr)
projects / FreeBSD / FreeBSD.git / blob