]> CyberLeo.Net >> Repos - FreeBSD/releng/10.2.git/blob - contrib/ldns/keys.c
projects / FreeBSD / releng / 10.2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
- Copy stable/10@285827 to releng/10.2 in preparation for 10.2-RC1
[FreeBSD/releng/10.2.git] / contrib / ldns / keys.c
1 /*
2  * keys.c handle private keys for use in DNSSEC
3  *
4  * This module should hide some of the openSSL complexities
5  * and give a general interface for private keys and hmac
6  * handling
7  *
8  * (c) NLnet Labs, 2004-2006
9  *
10  * See the file LICENSE for the license
11  */
12
13 #include <ldns/config.h>
14
15 #include <ldns/ldns.h>
16
17 #ifdef HAVE_SSL
18 #include <openssl/ssl.h>
19 #include <openssl/engine.h>
20 #include <openssl/rand.h>
21 #endif /* HAVE_SSL */
22
23 ldns_lookup_table ldns_signing_algorithms[] = {
24         { LDNS_SIGN_RSAMD5, "RSAMD5" },
25         { LDNS_SIGN_RSASHA1, "RSASHA1" },
26         { LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" },
27 #ifdef USE_SHA2
28         { LDNS_SIGN_RSASHA256, "RSASHA256" },
29         { LDNS_SIGN_RSASHA512, "RSASHA512" },
30 #endif
31 #ifdef USE_GOST
32         { LDNS_SIGN_ECC_GOST, "ECC-GOST" },
33 #endif
34 #ifdef USE_ECDSA
35         { LDNS_SIGN_ECDSAP256SHA256, "ECDSAP256SHA256" },
36         { LDNS_SIGN_ECDSAP384SHA384, "ECDSAP384SHA384" },
37 #endif
38         { LDNS_SIGN_DSA, "DSA" },
39         { LDNS_SIGN_DSA_NSEC3, "DSA-NSEC3-SHA1" },
40         { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" },
41         { LDNS_SIGN_HMACSHA1, "hmac-sha1" },
42         { LDNS_SIGN_HMACSHA256, "hmac-sha256" },
43         { 0, NULL }
44 };
45
46 ldns_key_list *
47 ldns_key_list_new(void)
48 {
49         ldns_key_list *key_list = LDNS_MALLOC(ldns_key_list);
50         if (!key_list) {
51                 return NULL;
52         } else {
53                 key_list->_key_count = 0;
54                 key_list->_keys = NULL;
55                 return key_list;
56         }
57 }
58
59 ldns_key *
60 ldns_key_new(void)
61 {
62         ldns_key *newkey;
63
64         newkey = LDNS_MALLOC(ldns_key);
65         if (!newkey) {
66                 return NULL;
67         } else {
68                 /* some defaults - not sure wether to do this */
69                 ldns_key_set_use(newkey, true);
70                 ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY);
71                 ldns_key_set_origttl(newkey, 0);
72                 ldns_key_set_keytag(newkey, 0);
73                 ldns_key_set_inception(newkey, 0);
74                 ldns_key_set_expiration(newkey, 0);
75                 ldns_key_set_pubkey_owner(newkey, NULL);
76 #ifdef HAVE_SSL
77                 ldns_key_set_evp_key(newkey, NULL);
78 #endif /* HAVE_SSL */
79                 ldns_key_set_hmac_key(newkey, NULL);
80                 ldns_key_set_external_key(newkey, NULL);
81                 return newkey;
82         }
83 }
84
85 ldns_status
86 ldns_key_new_frm_fp(ldns_key **k, FILE *fp)
87 {
88         return ldns_key_new_frm_fp_l(k, fp, NULL);
89 }
90
91 #ifdef HAVE_SSL
92 ldns_status
93 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg)
94 {
95         ldns_key *k;
96
97         k = ldns_key_new();
98         if(!k) return LDNS_STATUS_MEM_ERR;
99 #ifndef S_SPLINT_S
100         k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL);
101         if(!k->_key.key) {
102                 ldns_key_free(k);
103                 return LDNS_STATUS_ERR;
104         }
105         ldns_key_set_algorithm(k, (ldns_signing_algorithm) alg);
106         if (!k->_key.key) {
107                 ldns_key_free(k);
108                 return LDNS_STATUS_ENGINE_KEY_NOT_LOADED;
109         } 
110 #endif /* splint */
111         *key = k;
112         return LDNS_STATUS_OK;
113 }
114 #endif
115
116 #ifdef USE_GOST
117 /** store GOST engine reference loaded into OpenSSL library */
118 ENGINE* ldns_gost_engine = NULL;
119
120 int
121 ldns_key_EVP_load_gost_id(void)
122 {
123         static int gost_id = 0;
124         const EVP_PKEY_ASN1_METHOD* meth;
125         ENGINE* e;
126
127         if(gost_id) return gost_id;
128
129         /* see if configuration loaded gost implementation from other engine*/
130         meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
131         if(meth) {
132                 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
133                 return gost_id;
134         }
135
136         /* see if engine can be loaded already */
137         e = ENGINE_by_id("gost");
138         if(!e) {
139                 /* load it ourself, in case statically linked */
140                 ENGINE_load_builtin_engines();
141                 ENGINE_load_dynamic();
142                 e = ENGINE_by_id("gost");
143         }
144         if(!e) {
145                 /* no gost engine in openssl */
146                 return 0;
147         }
148         if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
149                 ENGINE_finish(e);
150                 ENGINE_free(e);
151                 return 0;
152         }
153
154         meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
155         if(!meth) {
156                 /* algo not found */
157                 ENGINE_finish(e);
158                 ENGINE_free(e);
159                 return 0;
160         }
161         /* Note: do not ENGINE_finish and ENGINE_free the acquired engine
162          * on some platforms this frees up the meth and unloads gost stuff */
163         ldns_gost_engine = e;
164         
165         EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
166         return gost_id;
167
168
169 void ldns_key_EVP_unload_gost(void)
170 {
171         if(ldns_gost_engine) {
172                 ENGINE_finish(ldns_gost_engine);
173                 ENGINE_free(ldns_gost_engine);
174                 ldns_gost_engine = NULL;
175         }
176 }
177
178 /** read GOST private key */
179 static EVP_PKEY*
180 ldns_key_new_frm_fp_gost_l(FILE* fp, int* line_nr)
181 {
182         char token[16384];
183         const unsigned char* pp;
184         int gost_id;
185         EVP_PKEY* pkey;
186         ldns_rdf* b64rdf = NULL;
187
188         gost_id = ldns_key_EVP_load_gost_id();
189         if(!gost_id)
190                 return NULL;
191
192         if (ldns_fget_keyword_data_l(fp, "GostAsn1", ": ", token, "\n", 
193                 sizeof(token), line_nr) == -1)
194                 return NULL;
195         while(strlen(token) < 96) {
196                 /* read more b64 from the file, b64 split on multiple lines */
197                 if(ldns_fget_token_l(fp, token+strlen(token), "\n",
198                         sizeof(token)-strlen(token), line_nr) == -1)
199                         return NULL;
200         }
201         if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
202                 return NULL;
203         pp = (unsigned char*)ldns_rdf_data(b64rdf);
204         pkey = d2i_PrivateKey(gost_id, NULL, &pp, (int)ldns_rdf_size(b64rdf));
205         ldns_rdf_deep_free(b64rdf);
206         return pkey;
207 }
208 #endif
209
210 #ifdef USE_ECDSA
211 /** calculate public key from private key */
212 static int
213 ldns_EC_KEY_calc_public(EC_KEY* ec)
214 {
215         EC_POINT* pub_key;
216         const EC_GROUP* group;
217         group = EC_KEY_get0_group(ec);
218         pub_key = EC_POINT_new(group);
219         if(!pub_key) return 0;
220         if(!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) {
221                 EC_POINT_free(pub_key);
222                 return 0;
223         }
224         if(!EC_POINT_mul(group, pub_key, EC_KEY_get0_private_key(ec),
225                 NULL, NULL, NULL)) {
226                 EC_POINT_free(pub_key);
227                 return 0;
228         }
229         if(EC_KEY_set_public_key(ec, pub_key) == 0) {
230                 EC_POINT_free(pub_key);
231                 return 0;
232         }
233         EC_POINT_free(pub_key);
234         return 1;
235 }
236
237 /** read ECDSA private key */
238 static EVP_PKEY*
239 ldns_key_new_frm_fp_ecdsa_l(FILE* fp, ldns_algorithm alg, int* line_nr)
240 {
241         char token[16384];
242         ldns_rdf* b64rdf = NULL;
243         unsigned char* pp;
244         BIGNUM* bn;
245         EVP_PKEY* evp_key;
246         EC_KEY* ec;
247         if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n", 
248                 sizeof(token), line_nr) == -1)
249                 return NULL;
250         if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
251                 return NULL;
252         pp = (unsigned char*)ldns_rdf_data(b64rdf);
253
254         if(alg == LDNS_ECDSAP256SHA256)
255                 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
256         else if(alg == LDNS_ECDSAP384SHA384)
257                 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
258         else    ec = NULL;
259         if(!ec) {
260                 ldns_rdf_deep_free(b64rdf);
261                 return NULL;
262         }
263         bn = BN_bin2bn(pp, (int)ldns_rdf_size(b64rdf), NULL);
264         ldns_rdf_deep_free(b64rdf);
265         if(!bn) {
266                 EC_KEY_free(ec);
267                 return NULL;
268         }
269         EC_KEY_set_private_key(ec, bn);
270         BN_free(bn);
271         if(!ldns_EC_KEY_calc_public(ec)) {
272                 EC_KEY_free(ec);
273                 return NULL;
274         }
275
276         evp_key = EVP_PKEY_new();
277         if(!evp_key) {
278                 EC_KEY_free(ec);
279                 return NULL;
280         }
281         if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
282                 EVP_PKEY_free(evp_key);
283                 EC_KEY_free(ec);
284                 return NULL;
285         }
286         return evp_key;
287 }
288 #endif
289         
290 ldns_status
291 ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
292 {
293         ldns_key *k;
294         char *d;
295         ldns_signing_algorithm alg;
296         ldns_rr *key_rr;
297 #ifdef HAVE_SSL
298         RSA *rsa;
299         DSA *dsa;
300         unsigned char *hmac;
301         size_t hmac_size;
302 #endif /* HAVE_SSL */
303
304         k = ldns_key_new();
305
306         d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
307         if (!k || !d) {
308                 ldns_key_free(k);
309                 LDNS_FREE(d);
310                 return LDNS_STATUS_MEM_ERR;
311         }
312
313         alg = 0;
314
315         /* the file is highly structured. Do this in sequence */
316         /* RSA:
317          * Private-key-format: v1.x.
318          * Algorithm: 1 (RSA)
319
320          */
321         /* get the key format version number */
322         if (ldns_fget_keyword_data_l(fp, "Private-key-format", ": ", d, "\n",
323                                 LDNS_MAX_LINELEN, line_nr) == -1) {
324                 /* no version information */
325                 ldns_key_free(k);
326                 LDNS_FREE(d);
327                 return LDNS_STATUS_SYNTAX_ERR;
328         }
329         if (strncmp(d, "v1.", 3) != 0) {
330                 ldns_key_free(k);
331                 LDNS_FREE(d);
332                 return LDNS_STATUS_SYNTAX_VERSION_ERR;
333         }
334
335         /* get the algorithm type, our file function strip ( ) so there are
336          * not in the return string! */
337         if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n",
338                                 LDNS_MAX_LINELEN, line_nr) == -1) {
339                 /* no alg information */
340                 ldns_key_free(k);
341                 LDNS_FREE(d);
342                 return LDNS_STATUS_SYNTAX_ALG_ERR;
343         }
344
345         if (strncmp(d, "1 RSA", 2) == 0) {
346                 alg = LDNS_SIGN_RSAMD5;
347         }
348         if (strncmp(d, "2 DH", 2) == 0) {
349                 alg = (ldns_signing_algorithm)LDNS_DH;
350         }
351         if (strncmp(d, "3 DSA", 2) == 0) {
352                 alg = LDNS_SIGN_DSA;
353         }
354         if (strncmp(d, "4 ECC", 2) == 0) {
355                 alg = (ldns_signing_algorithm)LDNS_ECC;
356         }
357         if (strncmp(d, "5 RSASHA1", 2) == 0) {
358                 alg = LDNS_SIGN_RSASHA1;
359         }
360         if (strncmp(d, "6 DSA", 2) == 0) {
361                 alg = LDNS_SIGN_DSA_NSEC3;
362         }
363         if (strncmp(d, "7 RSASHA1", 2) == 0) {
364                 alg = LDNS_SIGN_RSASHA1_NSEC3;
365         }
366
367         if (strncmp(d, "8 RSASHA256", 2) == 0) {
368 #ifdef USE_SHA2
369                 alg = LDNS_SIGN_RSASHA256;
370 #else
371 # ifdef STDERR_MSGS
372                 fprintf(stderr, "Warning: SHA256 not compiled into this ");
373                 fprintf(stderr, "version of ldns\n");
374 # endif
375 #endif
376         }
377         if (strncmp(d, "10 RSASHA512", 3) == 0) {
378 #ifdef USE_SHA2
379                 alg = LDNS_SIGN_RSASHA512;
380 #else
381 # ifdef STDERR_MSGS
382                 fprintf(stderr, "Warning: SHA512 not compiled into this ");
383                 fprintf(stderr, "version of ldns\n");
384 # endif
385 #endif
386         }
387         if (strncmp(d, "12 ECC-GOST", 3) == 0) {
388 #ifdef USE_GOST
389                 alg = LDNS_SIGN_ECC_GOST;
390 #else
391 # ifdef STDERR_MSGS
392                 fprintf(stderr, "Warning: ECC-GOST not compiled into this ");
393                 fprintf(stderr, "version of ldns, use --enable-gost\n");
394 # endif
395 #endif
396         }
397         if (strncmp(d, "13 ECDSAP256SHA256", 3) == 0) {
398 #ifdef USE_ECDSA
399                 alg = LDNS_SIGN_ECDSAP256SHA256;
400 #else
401 # ifdef STDERR_MSGS
402                 fprintf(stderr, "Warning: ECDSA not compiled into this ");
403                 fprintf(stderr, "version of ldns, use --enable-ecdsa\n");
404 # endif
405 #endif
406         }
407         if (strncmp(d, "14 ECDSAP384SHA384", 3) == 0) {
408 #ifdef USE_ECDSA
409                 alg = LDNS_SIGN_ECDSAP384SHA384;
410 #else
411 # ifdef STDERR_MSGS
412                 fprintf(stderr, "Warning: ECDSA not compiled into this ");
413                 fprintf(stderr, "version of ldns, use --enable-ecdsa\n");
414 # endif
415 #endif
416         }
417         if (strncmp(d, "157 HMAC-MD5", 4) == 0) {
418                 alg = LDNS_SIGN_HMACMD5;
419         }
420         if (strncmp(d, "158 HMAC-SHA1", 4) == 0) {
421                 alg = LDNS_SIGN_HMACSHA1;
422         }
423         if (strncmp(d, "159 HMAC-SHA256", 4) == 0) {
424                 alg = LDNS_SIGN_HMACSHA256;
425         }
426
427         LDNS_FREE(d);
428
429         switch(alg) {
430                 case LDNS_SIGN_RSAMD5:
431                 case LDNS_SIGN_RSASHA1:
432                 case LDNS_SIGN_RSASHA1_NSEC3:
433 #ifdef USE_SHA2
434                 case LDNS_SIGN_RSASHA256:
435                 case LDNS_SIGN_RSASHA512:
436 #endif
437                         ldns_key_set_algorithm(k, alg);
438 #ifdef HAVE_SSL
439                         rsa = ldns_key_new_frm_fp_rsa_l(fp, line_nr);
440                         if (!rsa) {
441                                 ldns_key_free(k);
442                                 return LDNS_STATUS_ERR;
443                         }
444                         ldns_key_assign_rsa_key(k, rsa);
445 #endif /* HAVE_SSL */
446                         break;
447                 case LDNS_SIGN_DSA:
448                 case LDNS_SIGN_DSA_NSEC3:
449                         ldns_key_set_algorithm(k, alg);
450 #ifdef HAVE_SSL
451                         dsa = ldns_key_new_frm_fp_dsa_l(fp, line_nr);
452                         if (!dsa) {
453                                 ldns_key_free(k);
454                                 return LDNS_STATUS_ERR;
455                         }
456                         ldns_key_assign_dsa_key(k, dsa);
457 #endif /* HAVE_SSL */
458                         break;
459                 case LDNS_SIGN_HMACMD5:
460                 case LDNS_SIGN_HMACSHA1:
461                 case LDNS_SIGN_HMACSHA256:
462                         ldns_key_set_algorithm(k, alg);
463 #ifdef HAVE_SSL
464                         hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size);
465                         if (!hmac) {
466                                 ldns_key_free(k);
467                                 return LDNS_STATUS_ERR;
468                         }
469                         ldns_key_set_hmac_size(k, hmac_size);
470                         ldns_key_set_hmac_key(k, hmac);
471 #endif /* HAVE_SSL */
472                         break;
473                 case LDNS_SIGN_ECC_GOST:
474                         ldns_key_set_algorithm(k, alg);
475 #if defined(HAVE_SSL) && defined(USE_GOST)
476                         if(!ldns_key_EVP_load_gost_id()) {
477                                 ldns_key_free(k);
478                                 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL;
479                         }
480                         ldns_key_set_evp_key(k, 
481                                 ldns_key_new_frm_fp_gost_l(fp, line_nr));
482 #ifndef S_SPLINT_S
483                         if(!k->_key.key) {
484                                 ldns_key_free(k);
485                                 return LDNS_STATUS_ERR;
486                         }
487 #endif /* splint */
488 #endif
489                         break;
490 #ifdef USE_ECDSA
491                case LDNS_SIGN_ECDSAP256SHA256:
492                case LDNS_SIGN_ECDSAP384SHA384:
493                         ldns_key_set_algorithm(k, alg);
494                         ldns_key_set_evp_key(k,
495                                 ldns_key_new_frm_fp_ecdsa_l(fp, (ldns_algorithm)alg, line_nr));
496 #ifndef S_SPLINT_S
497                         if(!k->_key.key) {
498                                 ldns_key_free(k);
499                                 return LDNS_STATUS_ERR;
500                         }
501 #endif /* splint */
502                         break;
503 #endif
504                 default:
505                         ldns_key_free(k);
506                         return LDNS_STATUS_SYNTAX_ALG_ERR;
507         }
508         key_rr = ldns_key2rr(k);
509         ldns_key_set_keytag(k, ldns_calc_keytag(key_rr));
510         ldns_rr_free(key_rr);
511
512         if (key) {
513                 *key = k;
514                 return LDNS_STATUS_OK;
515         }
516         ldns_key_free(k);
517         return LDNS_STATUS_ERR;
518 }
519
520 #ifdef HAVE_SSL
521 RSA *
522 ldns_key_new_frm_fp_rsa(FILE *f)
523 {
524         return ldns_key_new_frm_fp_rsa_l(f, NULL);
525 }
526
527 RSA *
528 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
529 {
530         /* we parse
531          * Modulus:
532          * PublicExponent:
533          * PrivateExponent:
534          * Prime1:
535          * Prime2:
536          * Exponent1:
537          * Exponent2:
538          * Coefficient:
539          *
540          * man 3 RSA:
541          *
542          * struct
543          *     {
544          *     BIGNUM *n;              // public modulus
545          *     BIGNUM *e;              // public exponent
546          *     BIGNUM *d;              // private exponent
547          *     BIGNUM *p;              // secret prime factor
548          *     BIGNUM *q;              // secret prime factor
549          *     BIGNUM *dmp1;           // d mod (p-1)
550          *     BIGNUM *dmq1;           // d mod (q-1)
551          *     BIGNUM *iqmp;           // q^-1 mod p
552          *     // ...
553          *
554          */
555         char *d;
556         RSA *rsa;
557         uint8_t *buf;
558         int i;
559
560         d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
561         buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
562         rsa = RSA_new();
563         if (!d || !rsa || !buf) {
564                 goto error;
565         }
566
567         /* I could use functions again, but that seems an overkill,
568          * allthough this also looks tedious
569          */
570
571         /* Modules, rsa->n */
572         if (ldns_fget_keyword_data_l(f, "Modulus", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
573                 goto error;
574         }
575         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
576 #ifndef S_SPLINT_S
577         rsa->n = BN_bin2bn((const char unsigned*)buf, i, NULL);
578         if (!rsa->n) {
579                 goto error;
580         }
581
582         /* PublicExponent, rsa->e */
583         if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
584                 goto error;
585         }
586         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
587         rsa->e = BN_bin2bn((const char unsigned*)buf, i, NULL);
588         if (!rsa->e) {
589                 goto error;
590         }
591
592         /* PrivateExponent, rsa->d */
593         if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
594                 goto error;
595         }
596         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
597         rsa->d = BN_bin2bn((const char unsigned*)buf, i, NULL);
598         if (!rsa->d) {
599                 goto error;
600         }
601
602         /* Prime1, rsa->p */
603         if (ldns_fget_keyword_data_l(f, "Prime1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
604                 goto error;
605         }
606         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
607         rsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL);
608         if (!rsa->p) {
609                 goto error;
610         }
611
612         /* Prime2, rsa->q */
613         if (ldns_fget_keyword_data_l(f, "Prime2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
614                 goto error;
615         }
616         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
617         rsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL);
618         if (!rsa->q) {
619                 goto error;
620         }
621
622         /* Exponent1, rsa->dmp1 */
623         if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
624                 goto error;
625         }
626         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
627         rsa->dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
628         if (!rsa->dmp1) {
629                 goto error;
630         }
631
632         /* Exponent2, rsa->dmq1 */
633         if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
634                 goto error;
635         }
636         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
637         rsa->dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
638         if (!rsa->dmq1) {
639                 goto error;
640         }
641
642         /* Coefficient, rsa->iqmp */
643         if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
644                 goto error;
645         }
646         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
647         rsa->iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL);
648         if (!rsa->iqmp) {
649                 goto error;
650         }
651 #endif /* splint */
652
653         LDNS_FREE(buf);
654         LDNS_FREE(d);
655         return rsa;
656
657 error:
658         RSA_free(rsa);
659         LDNS_FREE(d);
660         LDNS_FREE(buf);
661         return NULL;
662 }
663
664 DSA *
665 ldns_key_new_frm_fp_dsa(FILE *f)
666 {
667         return ldns_key_new_frm_fp_dsa_l(f, NULL);
668 }
669
670 DSA *
671 ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr))
672 {
673         int i;
674         char *d;
675         DSA *dsa;
676         uint8_t *buf;
677
678         d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
679         buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
680         dsa = DSA_new();
681         if (!d || !dsa || !buf) {
682                 goto error;
683         }
684
685         /* the line parser removes the () from the input... */
686
687         /* Prime, dsa->p */
688         if (ldns_fget_keyword_data_l(f, "Primep", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
689                 goto error;
690         }
691         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
692 #ifndef S_SPLINT_S
693         dsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL);
694         if (!dsa->p) {
695                 goto error;
696         }
697
698         /* Subprime, dsa->q */
699         if (ldns_fget_keyword_data_l(f, "Subprimeq", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
700                 goto error;
701         }
702         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
703         dsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL);
704         if (!dsa->q) {
705                 goto error;
706         }
707
708         /* Base, dsa->g */
709         if (ldns_fget_keyword_data_l(f, "Baseg", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
710                 goto error;
711         }
712         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
713         dsa->g = BN_bin2bn((const char unsigned*)buf, i, NULL);
714         if (!dsa->g) {
715                 goto error;
716         }
717
718         /* Private key, dsa->priv_key */
719         if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
720                 goto error;
721         }
722         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
723         dsa->priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
724         if (!dsa->priv_key) {
725                 goto error;
726         }
727
728         /* Public key, dsa->priv_key */
729         if (ldns_fget_keyword_data_l(f, "Public_valuey", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
730                 goto error;
731         }
732         i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
733         dsa->pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
734         if (!dsa->pub_key) {
735                 goto error;
736         }
737 #endif /* splint */
738
739         LDNS_FREE(buf);
740         LDNS_FREE(d);
741
742         return dsa;
743
744 error:
745         LDNS_FREE(d);
746         LDNS_FREE(buf);
747         DSA_free(dsa);
748         return NULL;
749 }
750
751 unsigned char *
752 ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size)
753 {
754         return ldns_key_new_frm_fp_hmac_l(f, NULL, hmac_size);
755 }
756
757 unsigned char *
758 ldns_key_new_frm_fp_hmac_l( FILE *f
759                           , ATTR_UNUSED(int *line_nr)
760                           , size_t *hmac_size
761                           )
762 {
763         size_t i, bufsz;
764         char d[LDNS_MAX_LINELEN];
765         unsigned char *buf = NULL;
766
767         if (ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
768                 goto error;
769         }
770         bufsz = ldns_b64_ntop_calculate_size(strlen(d));
771         buf = LDNS_XMALLOC(unsigned char, bufsz);
772         i = (size_t) ldns_b64_pton((const char*)d, buf, bufsz);
773
774         *hmac_size = i;
775         return buf;
776
777         error:
778         LDNS_FREE(buf);
779         *hmac_size = 0;
780         return NULL;
781 }
782 #endif /* HAVE_SSL */
783
784 #ifdef USE_GOST
785 static EVP_PKEY*
786 ldns_gen_gost_key(void)
787 {
788         EVP_PKEY_CTX* ctx;
789         EVP_PKEY* p = NULL;
790         int gost_id = ldns_key_EVP_load_gost_id();
791         if(!gost_id)
792                 return NULL;
793         ctx = EVP_PKEY_CTX_new_id(gost_id, NULL);
794         if(!ctx) {
795                 /* the id should be available now */
796                 return NULL;
797         }
798         if(EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) {
799                 /* cannot set paramset */
800                 EVP_PKEY_CTX_free(ctx);
801                 return NULL;
802         }
803
804         if(EVP_PKEY_keygen_init(ctx) <= 0) {
805                 EVP_PKEY_CTX_free(ctx);
806                 return NULL;
807         }
808         if(EVP_PKEY_keygen(ctx, &p) <= 0) {
809                 EVP_PKEY_free(p);
810                 EVP_PKEY_CTX_free(ctx);
811                 return NULL;
812         }
813         EVP_PKEY_CTX_free(ctx);
814         return p;
815 }
816 #endif
817
818 ldns_key *
819 ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
820 {
821         ldns_key *k;
822 #ifdef HAVE_SSL
823         DSA *d;
824         RSA *r;
825 #  ifdef USE_ECDSA
826         EC_KEY *ec = NULL;
827 #  endif
828 #else
829         int i;
830         uint16_t offset = 0;
831 #endif
832         unsigned char *hmac;
833
834         k = ldns_key_new();
835         if (!k) {
836                 return NULL;
837         }
838         switch(alg) {
839                 case LDNS_SIGN_RSAMD5:
840                 case LDNS_SIGN_RSASHA1:
841                 case LDNS_SIGN_RSASHA1_NSEC3:
842                 case LDNS_SIGN_RSASHA256:
843                 case LDNS_SIGN_RSASHA512:
844 #ifdef HAVE_SSL
845                         r = RSA_generate_key((int)size, RSA_F4, NULL, NULL);
846                         if(!r) {
847                                 ldns_key_free(k);
848                                 return NULL;
849                         }
850                         if (RSA_check_key(r) != 1) {
851                                 ldns_key_free(k);
852                                 return NULL;
853                         }
854                         ldns_key_set_rsa_key(k, r);
855                         RSA_free(r);
856 #endif /* HAVE_SSL */
857                         break;
858                 case LDNS_SIGN_DSA:
859                 case LDNS_SIGN_DSA_NSEC3:
860 #ifdef HAVE_SSL
861                         d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL);
862                         if (!d) {
863                                 ldns_key_free(k);
864                                 return NULL;
865                         }
866                         if (DSA_generate_key(d) != 1) {
867                                 ldns_key_free(k);
868                                 return NULL;
869                         }
870                         ldns_key_set_dsa_key(k, d);
871                         DSA_free(d);
872 #endif /* HAVE_SSL */
873                         break;
874                 case LDNS_SIGN_HMACMD5:
875                 case LDNS_SIGN_HMACSHA1:
876                 case LDNS_SIGN_HMACSHA256:
877 #ifdef HAVE_SSL
878 #ifndef S_SPLINT_S
879                         k->_key.key = NULL;
880 #endif /* splint */
881 #endif /* HAVE_SSL */
882                         size = size / 8;
883                         ldns_key_set_hmac_size(k, size);
884
885                         hmac = LDNS_XMALLOC(unsigned char, size);
886                         if(!hmac) {
887                                 ldns_key_free(k);
888                                 return NULL;
889                         }
890 #ifdef HAVE_SSL
891                         if (RAND_bytes(hmac, (int) size) != 1) {
892                                 LDNS_FREE(hmac);
893                                 ldns_key_free(k);
894                                 return NULL;
895                         }
896 #else
897                         while (offset + sizeof(i) < size) {
898                           i = random();
899                           memcpy(&hmac[offset], &i, sizeof(i));
900                           offset += sizeof(i);
901                         }
902                         if (offset < size) {
903                           i = random();
904                           memcpy(&hmac[offset], &i, size - offset);
905                         }
906 #endif /* HAVE_SSL */
907                         ldns_key_set_hmac_key(k, hmac);
908
909                         ldns_key_set_flags(k, 0);
910                         break;
911                 case LDNS_SIGN_ECC_GOST:
912 #if defined(HAVE_SSL) && defined(USE_GOST)
913                         ldns_key_set_evp_key(k, ldns_gen_gost_key());
914 #ifndef S_SPLINT_S
915                         if(!k->_key.key) {
916                                 ldns_key_free(k);
917                                 return NULL;
918                         }
919 #endif /* splint */
920 #else
921                         ldns_key_free(k);
922                         return NULL;
923 #endif /* HAVE_SSL and USE_GOST */
924                         break;
925                 case LDNS_SIGN_ECDSAP256SHA256:
926                 case LDNS_SIGN_ECDSAP384SHA384:
927 #ifdef USE_ECDSA
928                         if(alg == LDNS_SIGN_ECDSAP256SHA256)
929                                 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
930                         else if(alg == LDNS_SIGN_ECDSAP384SHA384)
931                                 ec = EC_KEY_new_by_curve_name(NID_secp384r1);
932                         if(!ec) {
933                                 ldns_key_free(k);
934                                 return NULL;
935                         }
936                         if(!EC_KEY_generate_key(ec)) {
937                                 ldns_key_free(k);
938                                 EC_KEY_free(ec);
939                                 return NULL;
940                         }
941 #ifndef S_SPLINT_S
942                         k->_key.key = EVP_PKEY_new();
943                         if(!k->_key.key) {
944                                 ldns_key_free(k);
945                                 EC_KEY_free(ec);
946                                 return NULL;
947                         }
948                         if (!EVP_PKEY_assign_EC_KEY(k->_key.key, ec)) {
949                                 ldns_key_free(k);
950                                 EC_KEY_free(ec);
951                                 return NULL;
952                         }
953 #endif /* splint */
954 #else
955                         ldns_key_free(k);
956                         return NULL;
957 #endif /* ECDSA */
958                         break;
959         }
960         ldns_key_set_algorithm(k, alg);
961         return k;
962 }
963
964 void
965 ldns_key_print(FILE *output, const ldns_key *k)
966 {
967         char *str = ldns_key2str(k);
968         if (str) {
969                 fprintf(output, "%s", str);
970         } else {
971                 fprintf(output, "Unable to convert private key to string\n");
972         }
973         LDNS_FREE(str);
974 }
975
976
977 void
978 ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l)
979 {
980         k->_alg = l;
981 }
982
983 void
984 ldns_key_set_flags(ldns_key *k, uint16_t f)
985 {
986         k->_extra.dnssec.flags = f;
987 }
988
989 #ifdef HAVE_SSL
990 #ifndef S_SPLINT_S
991 void
992 ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e)
993 {
994         k->_key.key = e;
995 }
996
997 void
998 ldns_key_set_rsa_key(ldns_key *k, RSA *r)
999 {
1000         EVP_PKEY *key = EVP_PKEY_new();
1001         EVP_PKEY_set1_RSA(key, r);
1002         k->_key.key = key;
1003 }
1004
1005 void
1006 ldns_key_set_dsa_key(ldns_key *k, DSA *d)
1007 {
1008         EVP_PKEY *key = EVP_PKEY_new();
1009         EVP_PKEY_set1_DSA(key, d);
1010         k->_key.key  = key;
1011 }
1012
1013 void
1014 ldns_key_assign_rsa_key(ldns_key *k, RSA *r)
1015 {
1016         EVP_PKEY *key = EVP_PKEY_new();
1017         EVP_PKEY_assign_RSA(key, r);
1018         k->_key.key = key;
1019 }
1020
1021 void
1022 ldns_key_assign_dsa_key(ldns_key *k, DSA *d)
1023 {
1024         EVP_PKEY *key = EVP_PKEY_new();
1025         EVP_PKEY_assign_DSA(key, d);
1026         k->_key.key  = key;
1027 }
1028 #endif /* splint */
1029 #endif /* HAVE_SSL */
1030
1031 void
1032 ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac)
1033 {
1034         k->_key.hmac.key = hmac;
1035 }
1036
1037 void
1038 ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size)
1039 {
1040         k->_key.hmac.size = hmac_size;
1041 }
1042
1043 void
1044 ldns_key_set_external_key(ldns_key *k, void *external_key)
1045 {
1046         k->_key.external_key = external_key;
1047 }
1048
1049 void
1050 ldns_key_set_origttl(ldns_key *k, uint32_t t)
1051 {
1052         k->_extra.dnssec.orig_ttl = t;
1053 }
1054
1055 void
1056 ldns_key_set_inception(ldns_key *k, uint32_t i)
1057 {
1058         k->_extra.dnssec.inception = i;
1059 }
1060
1061 void
1062 ldns_key_set_expiration(ldns_key *k, uint32_t e)
1063 {
1064         k->_extra.dnssec.expiration = e;
1065 }
1066
1067 void
1068 ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r)
1069 {
1070         k->_pubkey_owner = r;
1071 }
1072
1073 void
1074 ldns_key_set_keytag(ldns_key *k, uint16_t tag)
1075 {
1076         k->_extra.dnssec.keytag = tag;
1077 }
1078
1079 /* read */
1080 size_t
1081 ldns_key_list_key_count(const ldns_key_list *key_list)
1082 {
1083                 return key_list->_key_count;
1084 }       
1085
1086 ldns_key *
1087 ldns_key_list_key(const ldns_key_list *key, size_t nr)
1088 {       
1089         if (nr < ldns_key_list_key_count(key)) {
1090                 return key->_keys[nr];
1091         } else {
1092                 return NULL;
1093         }
1094 }
1095
1096 ldns_signing_algorithm
1097 ldns_key_algorithm(const ldns_key *k) 
1098 {
1099         return k->_alg;
1100 }
1101
1102 void
1103 ldns_key_set_use(ldns_key *k, bool v)
1104 {
1105         if (k) {
1106                 k->_use = v;
1107         }
1108 }
1109
1110 bool
1111 ldns_key_use(const ldns_key *k)
1112 {
1113         if (k) {
1114                 return k->_use;
1115         }
1116         return false;
1117 }
1118
1119 #ifdef HAVE_SSL
1120 #ifndef S_SPLINT_S
1121 EVP_PKEY *
1122 ldns_key_evp_key(const ldns_key *k)
1123 {
1124         return k->_key.key;
1125 }
1126
1127 RSA *
1128 ldns_key_rsa_key(const ldns_key *k)
1129 {
1130         if (k->_key.key) {
1131                 return EVP_PKEY_get1_RSA(k->_key.key);
1132         } else {
1133                 return NULL;
1134         }
1135 }
1136
1137 DSA *
1138 ldns_key_dsa_key(const ldns_key *k)
1139 {
1140         if (k->_key.key) {
1141                 return EVP_PKEY_get1_DSA(k->_key.key);
1142         } else {
1143                 return NULL;
1144         }
1145 }
1146 #endif /* splint */
1147 #endif /* HAVE_SSL */
1148
1149 unsigned char *
1150 ldns_key_hmac_key(const ldns_key *k)
1151 {
1152         if (k->_key.hmac.key) {
1153                 return k->_key.hmac.key;
1154         } else {
1155                 return NULL;
1156         }
1157 }
1158
1159 size_t
1160 ldns_key_hmac_size(const ldns_key *k)
1161 {
1162         if (k->_key.hmac.size) {
1163                 return k->_key.hmac.size;
1164         } else {
1165                 return 0;
1166         }
1167 }
1168
1169 void *
1170 ldns_key_external_key(const ldns_key *k)
1171 {
1172         return k->_key.external_key;
1173 }
1174
1175 uint32_t
1176 ldns_key_origttl(const ldns_key *k)
1177 {
1178         return k->_extra.dnssec.orig_ttl;
1179 }
1180
1181 uint16_t
1182 ldns_key_flags(const ldns_key *k)
1183 {
1184         return k->_extra.dnssec.flags;
1185 }
1186
1187 uint32_t
1188 ldns_key_inception(const ldns_key *k)
1189 {
1190         return k->_extra.dnssec.inception;
1191 }
1192
1193 uint32_t
1194 ldns_key_expiration(const ldns_key *k)
1195 {
1196         return k->_extra.dnssec.expiration;
1197 }
1198
1199 uint16_t
1200 ldns_key_keytag(const ldns_key *k)
1201 {
1202         return k->_extra.dnssec.keytag;
1203 }
1204
1205 ldns_rdf *
1206 ldns_key_pubkey_owner(const ldns_key *k)
1207 {
1208         return k->_pubkey_owner;
1209 }
1210
1211 /* write */
1212 void
1213 ldns_key_list_set_use(ldns_key_list *keys, bool v)
1214 {
1215         size_t i;
1216
1217         for (i = 0; i < ldns_key_list_key_count(keys); i++) {
1218                 ldns_key_set_use(ldns_key_list_key(keys, i), v);
1219         }
1220 }
1221
1222 void            
1223 ldns_key_list_set_key_count(ldns_key_list *key, size_t count)
1224 {
1225                 key->_key_count = count;
1226 }       
1227
1228 bool             
1229 ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key)
1230 {       
1231         size_t key_count;
1232         ldns_key **keys;
1233
1234         key_count = ldns_key_list_key_count(key_list);
1235
1236         /* grow the array */
1237         keys = LDNS_XREALLOC(
1238                 key_list->_keys, ldns_key *, key_count + 1);
1239         if (!keys) {
1240                 return false;
1241         }
1242
1243         /* add the new member */
1244         key_list->_keys = keys;
1245         key_list->_keys[key_count] = key;
1246
1247         ldns_key_list_set_key_count(key_list, key_count + 1);
1248         return true;
1249 }
1250
1251 ldns_key *
1252 ldns_key_list_pop_key(ldns_key_list *key_list)
1253 {                               
1254         size_t key_count;
1255         ldns_key** a;
1256         ldns_key *pop;
1257
1258         if (!key_list) {
1259                 return NULL;
1260         }
1261         
1262         key_count = ldns_key_list_key_count(key_list);
1263         if (key_count == 0) {
1264                 return NULL;
1265         }       
1266         
1267         pop = ldns_key_list_key(key_list, key_count);
1268         
1269         /* shrink the array */
1270         a = LDNS_XREALLOC(key_list->_keys, ldns_key *, key_count - 1);
1271         if(a) {
1272                 key_list->_keys = a;
1273         }
1274
1275         ldns_key_list_set_key_count(key_list, key_count - 1);
1276
1277         return pop;
1278 }       
1279
1280 #ifdef HAVE_SSL
1281 #ifndef S_SPLINT_S
1282 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */
1283 static bool
1284 ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size)
1285 {
1286         int i,j;
1287         
1288         if (!k) {
1289                 return false;
1290         }
1291         
1292         if (BN_num_bytes(k->e) <= 256) {
1293                 /* normally only this path is executed (small factors are
1294                  * more common 
1295                  */
1296                 data[0] = (unsigned char) BN_num_bytes(k->e);
1297                 i = BN_bn2bin(k->e, data + 1);  
1298                 j = BN_bn2bin(k->n, data + i + 1);
1299                 *size = (uint16_t) i + j;
1300         } else if (BN_num_bytes(k->e) <= 65536) {
1301                 data[0] = 0;
1302                 /* BN_bn2bin does bigendian, _uint16 also */
1303                 ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k->e)); 
1304
1305                 BN_bn2bin(k->e, data + 3); 
1306                 BN_bn2bin(k->n, data + 4 + BN_num_bytes(k->e));
1307                 *size = (uint16_t) BN_num_bytes(k->n) + 6;
1308         } else {
1309                 return false;
1310         }
1311         return true;
1312 }
1313
1314 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */
1315 static bool
1316 ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size)
1317 {
1318         uint8_t T;
1319
1320         if (!k) {
1321                 return false;
1322         }
1323         
1324         /* See RFC2536 */
1325         *size = (uint16_t)BN_num_bytes(k->p);
1326         T = (*size - 64) / 8;
1327         memcpy(data, &T, 1);
1328
1329         if (T > 8) {
1330 #ifdef STDERR_MSGS
1331                 fprintf(stderr, "DSA key with T > 8 (ie. > 1024 bits)");
1332                 fprintf(stderr, " not implemented\n");
1333 #endif
1334                 return false;
1335         }
1336
1337         /* size = 64 + (T * 8); */
1338         data[0] = (unsigned char)T;
1339         BN_bn2bin(k->q, data + 1 );             /* 20 octects */
1340         BN_bn2bin(k->p, data + 21 );            /* offset octects */
1341         BN_bn2bin(k->g, data + 21 + *size);     /* offset octets */
1342         BN_bn2bin(k->pub_key, data + 21 + *size + *size); /* offset octets */
1343         *size = 21 + (*size * 3);
1344         return true;
1345 }
1346
1347 #ifdef USE_GOST
1348 static bool
1349 ldns_key_gost2bin(unsigned char* data, EVP_PKEY* k, uint16_t* size)
1350 {
1351         int i;
1352         unsigned char* pp = NULL;
1353         if(i2d_PUBKEY(k, &pp) != 37 + 64) {
1354                 /* expect 37 byte(ASN header) and 64 byte(X and Y) */
1355                 CRYPTO_free(pp);
1356                 return false;
1357         }
1358         /* omit ASN header */
1359         for(i=0; i<64; i++)
1360                 data[i] = pp[i+37];
1361         CRYPTO_free(pp);
1362         *size = 64;
1363         return true;
1364 }
1365 #endif /* USE_GOST */
1366 #endif /* splint */
1367 #endif /* HAVE_SSL */
1368
1369 ldns_rr *
1370 ldns_key2rr(const ldns_key *k)
1371 {
1372         /* this function will convert a the keydata contained in
1373          * rsa/dsa pointers to a DNSKEY rr. It will fill in as
1374          * much as it can, but it does not know about key-flags
1375          * for instance
1376          */
1377         ldns_rr *pubkey;
1378         ldns_rdf *keybin;
1379         unsigned char *bin = NULL;
1380         uint16_t size = 0;
1381 #ifdef HAVE_SSL
1382         RSA *rsa = NULL;
1383         DSA *dsa = NULL;
1384 #endif /* HAVE_SSL */
1385 #ifdef USE_ECDSA
1386         EC_KEY* ec;
1387 #endif
1388         int internal_data = 0;
1389
1390         if (!k) {
1391                 return NULL;
1392         }
1393         pubkey = ldns_rr_new();
1394
1395         switch (ldns_key_algorithm(k)) {
1396         case LDNS_SIGN_HMACMD5:
1397         case LDNS_SIGN_HMACSHA1:
1398         case LDNS_SIGN_HMACSHA256:
1399                 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY);
1400                 break;
1401         default:
1402                 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_DNSKEY);
1403                 break;
1404         }
1405         /* zero-th rdf - flags */
1406         ldns_rr_push_rdf(pubkey,
1407                         ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
1408                                 ldns_key_flags(k)));
1409         /* first - proto */
1410         ldns_rr_push_rdf(pubkey,
1411                         ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO));
1412
1413         if (ldns_key_pubkey_owner(k)) {
1414                 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k)));
1415         }
1416
1417         /* third - da algorithm */
1418         switch(ldns_key_algorithm(k)) {
1419                 case LDNS_SIGN_RSAMD5:
1420                 case LDNS_SIGN_RSASHA1:
1421                 case LDNS_SIGN_RSASHA1_NSEC3:
1422                 case LDNS_SIGN_RSASHA256:
1423                 case LDNS_SIGN_RSASHA512:
1424                         ldns_rr_push_rdf(pubkey,
1425                                                   ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1426 #ifdef HAVE_SSL
1427                         rsa =  ldns_key_rsa_key(k);
1428                         if (rsa) {
1429                                 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1430                                 if (!bin) {
1431                                         ldns_rr_free(pubkey);
1432                                         return NULL;
1433                                 }
1434                                 if (!ldns_key_rsa2bin(bin, rsa, &size)) {
1435                                         LDNS_FREE(bin);
1436                                         ldns_rr_free(pubkey);
1437                                         return NULL;
1438                                 }
1439                                 RSA_free(rsa);
1440                                 internal_data = 1;
1441                         }
1442 #endif
1443                         size++;
1444                         break;
1445                 case LDNS_SIGN_DSA:
1446                         ldns_rr_push_rdf(pubkey,
1447                                         ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA));
1448 #ifdef HAVE_SSL
1449                         dsa = ldns_key_dsa_key(k);
1450                         if (dsa) {
1451                                 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1452                                 if (!bin) {
1453                                         ldns_rr_free(pubkey);
1454                                         return NULL;
1455                                 }
1456                                 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1457                                         LDNS_FREE(bin);
1458                                         ldns_rr_free(pubkey);
1459                                         return NULL;
1460                                 }
1461                                 DSA_free(dsa);
1462                                 internal_data = 1;
1463                         }
1464 #endif /* HAVE_SSL */
1465                         break;
1466                 case LDNS_SIGN_DSA_NSEC3:
1467                         ldns_rr_push_rdf(pubkey,
1468                                         ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3));
1469 #ifdef HAVE_SSL
1470                         dsa = ldns_key_dsa_key(k);
1471                         if (dsa) {
1472                                 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1473                                 if (!bin) {
1474                                         ldns_rr_free(pubkey);
1475                                         return NULL;
1476                                 }
1477                                 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1478                                         LDNS_FREE(bin);
1479                                         ldns_rr_free(pubkey);
1480                                         return NULL;
1481                                 }
1482                                 DSA_free(dsa);
1483                                 internal_data = 1;
1484                         }
1485 #endif /* HAVE_SSL */
1486                         break;
1487                 case LDNS_SIGN_ECC_GOST:
1488                         ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
1489                                 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1490 #if defined(HAVE_SSL) && defined(USE_GOST)
1491                         bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1492                         if (!bin) {
1493                                 ldns_rr_free(pubkey);
1494                                 return NULL;
1495                         }
1496 #ifndef S_SPLINT_S
1497                         if (!ldns_key_gost2bin(bin, k->_key.key, &size)) {
1498                                 LDNS_FREE(bin);
1499                                 ldns_rr_free(pubkey);
1500                                 return NULL;
1501                         }
1502 #endif /* splint */
1503                         internal_data = 1;
1504 #else
1505                         ldns_rr_free(pubkey);
1506                         return NULL;
1507 #endif /* HAVE_SSL and USE_GOST */
1508                         break;
1509                 case LDNS_SIGN_ECDSAP256SHA256:
1510                 case LDNS_SIGN_ECDSAP384SHA384:
1511 #ifdef USE_ECDSA
1512                         ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
1513                                 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1514                         bin = NULL;
1515 #ifndef S_SPLINT_S
1516                         ec = EVP_PKEY_get1_EC_KEY(k->_key.key);
1517 #endif
1518                         EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED);
1519                         size = (uint16_t)i2o_ECPublicKey(ec, NULL);
1520                         if(!i2o_ECPublicKey(ec, &bin)) {
1521                                 EC_KEY_free(ec);
1522                                 ldns_rr_free(pubkey);
1523                                 return NULL;
1524                         }
1525                         if(size > 1) {
1526                                 /* move back one byte to shave off the 0x02
1527                                  * 'uncompressed' indicator that openssl made
1528                                  * Actually its 0x04 (from implementation).
1529                                  */
1530                                 assert(bin[0] == POINT_CONVERSION_UNCOMPRESSED);
1531                                 size -= 1;
1532                                 memmove(bin, bin+1, size);
1533                         }
1534                         /* down the reference count for ec, its still assigned
1535                          * to the pkey */
1536                         EC_KEY_free(ec);
1537                         internal_data = 1;
1538 #else
1539                         ldns_rr_free(pubkey);
1540                         return NULL;
1541 #endif /* ECDSA */
1542                         break;
1543                 case LDNS_SIGN_HMACMD5:
1544                 case LDNS_SIGN_HMACSHA1:
1545                 case LDNS_SIGN_HMACSHA256:
1546                         bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k));
1547                         if (!bin) {
1548                                 ldns_rr_free(pubkey);
1549                                 return NULL;
1550                         }
1551                         ldns_rr_push_rdf(pubkey,
1552                                          ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
1553                                          ldns_key_algorithm(k)));
1554                         size = ldns_key_hmac_size(k);
1555                         memcpy(bin, ldns_key_hmac_key(k), size);
1556                         internal_data = 1;
1557                         break;
1558         }
1559         /* fourth the key bin material */
1560         if (internal_data) {
1561                 keybin = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, size, bin);
1562                 LDNS_FREE(bin);
1563                 ldns_rr_push_rdf(pubkey, keybin);
1564         }
1565         return pubkey;
1566 }
1567
1568 void
1569 ldns_key_free(ldns_key *key)
1570 {
1571         LDNS_FREE(key);
1572 }
1573
1574 void
1575 ldns_key_deep_free(ldns_key *key)
1576 {
1577         unsigned char* hmac;
1578         if (ldns_key_pubkey_owner(key)) {
1579                 ldns_rdf_deep_free(ldns_key_pubkey_owner(key));
1580         }
1581 #ifdef HAVE_SSL
1582         if (ldns_key_evp_key(key)) {
1583                 EVP_PKEY_free(ldns_key_evp_key(key));
1584         }
1585 #endif /* HAVE_SSL */
1586         if (ldns_key_hmac_key(key)) {
1587                 hmac = ldns_key_hmac_key(key);
1588                 LDNS_FREE(hmac);
1589         }
1590         LDNS_FREE(key);
1591 }
1592
1593 void
1594 ldns_key_list_free(ldns_key_list *key_list)
1595 {
1596         size_t i;
1597         for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1598                 ldns_key_deep_free(ldns_key_list_key(key_list, i));
1599         }
1600         LDNS_FREE(key_list->_keys);
1601         LDNS_FREE(key_list);
1602 }
1603
1604 ldns_rr *
1605 ldns_read_anchor_file(const char *filename)
1606 {
1607         FILE *fp;
1608         /*char line[LDNS_MAX_PACKETLEN];*/
1609         char *line = LDNS_XMALLOC(char, LDNS_MAX_PACKETLEN);
1610         int c;
1611         size_t i = 0;
1612         ldns_rr *r;
1613         ldns_status status;
1614         if(!line) {
1615                 return NULL;
1616         }
1617
1618         fp = fopen(filename, "r");
1619         if (!fp) {
1620 #ifdef STDERR_MSGS
1621                 fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
1622 #endif
1623                 LDNS_FREE(line);
1624                 return NULL;
1625         }
1626         
1627         while ((c = fgetc(fp)) && i+1 < LDNS_MAX_PACKETLEN && c != EOF) {
1628                 line[i] = c;
1629                 i++;
1630         }
1631         line[i] = '\0';
1632         
1633         fclose(fp);
1634         
1635         if (i <= 0) {
1636 #ifdef STDERR_MSGS
1637                 fprintf(stderr, "nothing read from %s", filename);
1638 #endif
1639                 LDNS_FREE(line);
1640                 return NULL;
1641         } else {
1642                 status = ldns_rr_new_frm_str(&r, line, 0, NULL, NULL);
1643                 if (status == LDNS_STATUS_OK && (ldns_rr_get_type(r) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(r) == LDNS_RR_TYPE_DS)) {
1644                         LDNS_FREE(line);
1645                         return r;
1646                 } else {
1647 #ifdef STDERR_MSGS
1648                         fprintf(stderr, "Error creating DNSKEY or DS rr from %s: %s\n", filename, ldns_get_errorstr_by_id(status));
1649 #endif
1650                         LDNS_FREE(line);
1651                         return NULL;
1652                 }
1653         }
1654 }
1655
1656 char *
1657 ldns_key_get_file_base_name(ldns_key *key)
1658 {
1659         ldns_buffer *buffer;
1660         char *file_base_name;
1661         
1662         buffer = ldns_buffer_new(255);
1663         ldns_buffer_printf(buffer, "K");
1664         (void)ldns_rdf2buffer_str_dname(buffer, ldns_key_pubkey_owner(key));
1665         ldns_buffer_printf(buffer,
1666                            "+%03u+%05u",
1667                            ldns_key_algorithm(key),
1668                            ldns_key_keytag(key));
1669         file_base_name = ldns_buffer_export(buffer);
1670         ldns_buffer_free(buffer);
1671         return file_base_name;
1672 }
1673
1674 int ldns_key_algo_supported(int algo)
1675 {
1676         ldns_lookup_table *lt = ldns_signing_algorithms;
1677         while(lt->name) {
1678                 if(lt->id == algo)
1679                         return 1;
1680                 lt++;
1681         }
1682         return 0;
1683 }
1684
1685 ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name)
1686 {
1687         /* list of (signing algorithm id, alias_name) */
1688         ldns_lookup_table aliases[] = {
1689                 /* from bind dnssec-keygen */
1690                 {LDNS_SIGN_HMACMD5, "HMAC-MD5"},
1691                 {LDNS_SIGN_DSA_NSEC3, "NSEC3DSA"},
1692                 {LDNS_SIGN_RSASHA1_NSEC3, "NSEC3RSASHA1"},
1693                 /* old ldns usage, now RFC names */
1694                 {LDNS_SIGN_DSA_NSEC3, "DSA_NSEC3" },
1695                 {LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1_NSEC3" },
1696 #ifdef USE_GOST
1697                 {LDNS_SIGN_ECC_GOST, "GOST"},
1698 #endif
1699                 /* compat with possible output */
1700                 {LDNS_DH, "DH"},
1701                 {LDNS_ECC, "ECC"},
1702                 {LDNS_INDIRECT, "INDIRECT"},
1703                 {LDNS_PRIVATEDNS, "PRIVATEDNS"},
1704                 {LDNS_PRIVATEOID, "PRIVATEOID"},
1705                 {0, NULL}};
1706         ldns_lookup_table* lt = ldns_signing_algorithms;
1707         while(lt->name) {
1708                 if(strcasecmp(lt->name, name) == 0)
1709                         return lt->id;
1710                 lt++;
1711         }
1712         lt = aliases;
1713         while(lt->name) {
1714                 if(strcasecmp(lt->name, name) == 0)
1715                         return lt->id;
1716                 lt++;
1717         }
1718         if(atoi(name) != 0)
1719                 return atoi(name);
1720         return 0;
1721 }
10.2-RELEASE