1*00b67f09SDavid van Moolenbroek /* $NetBSD: dst.h,v 1.10 2015/09/03 07:33:34 christos Exp $ */ 2*00b67f09SDavid van Moolenbroek 3*00b67f09SDavid van Moolenbroek /* 4*00b67f09SDavid van Moolenbroek * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") 5*00b67f09SDavid van Moolenbroek * Copyright (C) 2000-2002 Internet Software Consortium. 6*00b67f09SDavid van Moolenbroek * 7*00b67f09SDavid van Moolenbroek * Permission to use, copy, modify, and/or distribute this software for any 8*00b67f09SDavid van Moolenbroek * purpose with or without fee is hereby granted, provided that the above 9*00b67f09SDavid van Moolenbroek * copyright notice and this permission notice appear in all copies. 10*00b67f09SDavid van Moolenbroek * 11*00b67f09SDavid van Moolenbroek * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 12*00b67f09SDavid van Moolenbroek * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 13*00b67f09SDavid van Moolenbroek * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 14*00b67f09SDavid van Moolenbroek * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 15*00b67f09SDavid van Moolenbroek * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 16*00b67f09SDavid van Moolenbroek * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 17*00b67f09SDavid van Moolenbroek * PERFORMANCE OF THIS SOFTWARE. 18*00b67f09SDavid van Moolenbroek */ 19*00b67f09SDavid van Moolenbroek 20*00b67f09SDavid van Moolenbroek /* Id: dst.h,v 1.34 2011/10/20 21:20:02 marka Exp */ 21*00b67f09SDavid van Moolenbroek 22*00b67f09SDavid van Moolenbroek #ifndef DST_DST_H 23*00b67f09SDavid van Moolenbroek #define DST_DST_H 1 24*00b67f09SDavid van Moolenbroek 25*00b67f09SDavid van Moolenbroek /*! 
\file dst/dst.h */ 26*00b67f09SDavid van Moolenbroek 27*00b67f09SDavid van Moolenbroek #include <isc/lang.h> 28*00b67f09SDavid van Moolenbroek #include <isc/stdtime.h> 29*00b67f09SDavid van Moolenbroek 30*00b67f09SDavid van Moolenbroek #include <dns/types.h> 31*00b67f09SDavid van Moolenbroek #include <dns/log.h> 32*00b67f09SDavid van Moolenbroek #include <dns/name.h> 33*00b67f09SDavid van Moolenbroek #include <dns/secalg.h> 34*00b67f09SDavid van Moolenbroek #include <dns/ds.h> 35*00b67f09SDavid van Moolenbroek #include <dns/dsdigest.h> 36*00b67f09SDavid van Moolenbroek 37*00b67f09SDavid van Moolenbroek #include <dst/gssapi.h> 38*00b67f09SDavid van Moolenbroek 39*00b67f09SDavid van Moolenbroek ISC_LANG_BEGINDECLS 40*00b67f09SDavid van Moolenbroek 41*00b67f09SDavid van Moolenbroek /*** 42*00b67f09SDavid van Moolenbroek *** Types 43*00b67f09SDavid van Moolenbroek ***/ 44*00b67f09SDavid van Moolenbroek 45*00b67f09SDavid van Moolenbroek /*% 46*00b67f09SDavid van Moolenbroek * The dst_key structure is opaque. Applications should use the accessor 47*00b67f09SDavid van Moolenbroek * functions provided to retrieve key attributes. If an application needs 48*00b67f09SDavid van Moolenbroek * to set attributes, new accessor functions will be written. 
49*00b67f09SDavid van Moolenbroek */ 50*00b67f09SDavid van Moolenbroek 51*00b67f09SDavid van Moolenbroek typedef struct dst_key dst_key_t; 52*00b67f09SDavid van Moolenbroek typedef struct dst_context dst_context_t; 53*00b67f09SDavid van Moolenbroek 54*00b67f09SDavid van Moolenbroek /* DST algorithm codes */ 55*00b67f09SDavid van Moolenbroek #define DST_ALG_UNKNOWN 0 56*00b67f09SDavid van Moolenbroek #define DST_ALG_RSAMD5 1 57*00b67f09SDavid van Moolenbroek #define DST_ALG_RSA DST_ALG_RSAMD5 /*%< backwards compatibility */ 58*00b67f09SDavid van Moolenbroek #define DST_ALG_DH 2 59*00b67f09SDavid van Moolenbroek #define DST_ALG_DSA 3 60*00b67f09SDavid van Moolenbroek #define DST_ALG_ECC 4 61*00b67f09SDavid van Moolenbroek #define DST_ALG_RSASHA1 5 62*00b67f09SDavid van Moolenbroek #define DST_ALG_NSEC3DSA 6 63*00b67f09SDavid van Moolenbroek #define DST_ALG_NSEC3RSASHA1 7 64*00b67f09SDavid van Moolenbroek #define DST_ALG_RSASHA256 8 65*00b67f09SDavid van Moolenbroek #define DST_ALG_RSASHA512 10 66*00b67f09SDavid van Moolenbroek #define DST_ALG_ECCGOST 12 67*00b67f09SDavid van Moolenbroek #define DST_ALG_ECDSA256 13 68*00b67f09SDavid van Moolenbroek #define DST_ALG_ECDSA384 14 69*00b67f09SDavid van Moolenbroek #define DST_ALG_HMACMD5 157 70*00b67f09SDavid van Moolenbroek #define DST_ALG_GSSAPI 160 71*00b67f09SDavid van Moolenbroek #define DST_ALG_HMACSHA1 161 /* XXXMPA */ 72*00b67f09SDavid van Moolenbroek #define DST_ALG_HMACSHA224 162 /* XXXMPA */ 73*00b67f09SDavid van Moolenbroek #define DST_ALG_HMACSHA256 163 /* XXXMPA */ 74*00b67f09SDavid van Moolenbroek #define DST_ALG_HMACSHA384 164 /* XXXMPA */ 75*00b67f09SDavid van Moolenbroek #define DST_ALG_HMACSHA512 165 /* XXXMPA */ 76*00b67f09SDavid van Moolenbroek #define DST_ALG_INDIRECT 252 77*00b67f09SDavid van Moolenbroek #define DST_ALG_PRIVATE 254 78*00b67f09SDavid van Moolenbroek #define DST_ALG_EXPAND 255 79*00b67f09SDavid van Moolenbroek #define DST_MAX_ALGS 255 80*00b67f09SDavid van Moolenbroek 81*00b67f09SDavid 
van Moolenbroek /*% A buffer of this size is large enough to hold any key */ 82*00b67f09SDavid van Moolenbroek #define DST_KEY_MAXSIZE 1280 83*00b67f09SDavid van Moolenbroek 84*00b67f09SDavid van Moolenbroek /*% 85*00b67f09SDavid van Moolenbroek * A buffer of this size is large enough to hold the textual representation 86*00b67f09SDavid van Moolenbroek * of any key 87*00b67f09SDavid van Moolenbroek */ 88*00b67f09SDavid van Moolenbroek #define DST_KEY_MAXTEXTSIZE 2048 89*00b67f09SDavid van Moolenbroek 90*00b67f09SDavid van Moolenbroek /*% 'Type' for dst_read_key() */ 91*00b67f09SDavid van Moolenbroek #define DST_TYPE_KEY 0x1000000 /* KEY key */ 92*00b67f09SDavid van Moolenbroek #define DST_TYPE_PRIVATE 0x2000000 93*00b67f09SDavid van Moolenbroek #define DST_TYPE_PUBLIC 0x4000000 94*00b67f09SDavid van Moolenbroek 95*00b67f09SDavid van Moolenbroek /* Key timing metadata definitions */ 96*00b67f09SDavid van Moolenbroek #define DST_TIME_CREATED 0 97*00b67f09SDavid van Moolenbroek #define DST_TIME_PUBLISH 1 98*00b67f09SDavid van Moolenbroek #define DST_TIME_ACTIVATE 2 99*00b67f09SDavid van Moolenbroek #define DST_TIME_REVOKE 3 100*00b67f09SDavid van Moolenbroek #define DST_TIME_INACTIVE 4 101*00b67f09SDavid van Moolenbroek #define DST_TIME_DELETE 5 102*00b67f09SDavid van Moolenbroek #define DST_TIME_DSPUBLISH 6 103*00b67f09SDavid van Moolenbroek #define DST_MAX_TIMES 6 104*00b67f09SDavid van Moolenbroek 105*00b67f09SDavid van Moolenbroek /* Numeric metadata definitions */ 106*00b67f09SDavid van Moolenbroek #define DST_NUM_PREDECESSOR 0 107*00b67f09SDavid van Moolenbroek #define DST_NUM_SUCCESSOR 1 108*00b67f09SDavid van Moolenbroek #define DST_NUM_MAXTTL 2 109*00b67f09SDavid van Moolenbroek #define DST_NUM_ROLLPERIOD 3 110*00b67f09SDavid van Moolenbroek #define DST_MAX_NUMERIC 3 111*00b67f09SDavid van Moolenbroek 112*00b67f09SDavid van Moolenbroek /* 113*00b67f09SDavid van Moolenbroek * Current format version number of the private key parser. 
114*00b67f09SDavid van Moolenbroek * 115*00b67f09SDavid van Moolenbroek * When parsing a key file with the same major number but a higher minor 116*00b67f09SDavid van Moolenbroek * number, the key parser will ignore any fields it does not recognize. 117*00b67f09SDavid van Moolenbroek * Thus, DST_MINOR_VERSION should be incremented whenever new 118*00b67f09SDavid van Moolenbroek * fields are added to the private key file (such as new metadata). 119*00b67f09SDavid van Moolenbroek * 120*00b67f09SDavid van Moolenbroek * When rewriting these keys, those fields will be dropped, and the 121*00b67f09SDavid van Moolenbroek * format version set back to the current one. 122*00b67f09SDavid van Moolenbroek * 123*00b67f09SDavid van Moolenbroek * When a key is seen with a higher major number, the key parser will 124*00b67f09SDavid van Moolenbroek * reject it as invalid. Thus, DST_MAJOR_VERSION should be incremented 125*00b67f09SDavid van Moolenbroek * and DST_MINOR_VERSION set to zero whenever there is a format change 126*00b67f09SDavid van Moolenbroek * which is not backward compatible to previous versions of the dst_key 127*00b67f09SDavid van Moolenbroek * parser, such as a change in the syntax of an existing field, the removal 128*00b67f09SDavid van Moolenbroek * of a currently mandatory field, or a new field added which would 129*00b67f09SDavid van Moolenbroek * alter the functioning of the key if it were absent. 
130*00b67f09SDavid van Moolenbroek */ 131*00b67f09SDavid van Moolenbroek #define DST_MAJOR_VERSION 1 132*00b67f09SDavid van Moolenbroek #define DST_MINOR_VERSION 3 133*00b67f09SDavid van Moolenbroek 134*00b67f09SDavid van Moolenbroek /*** 135*00b67f09SDavid van Moolenbroek *** Functions 136*00b67f09SDavid van Moolenbroek ***/ 137*00b67f09SDavid van Moolenbroek 138*00b67f09SDavid van Moolenbroek isc_result_t 139*00b67f09SDavid van Moolenbroek dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags); 140*00b67f09SDavid van Moolenbroek 141*00b67f09SDavid van Moolenbroek isc_result_t 142*00b67f09SDavid van Moolenbroek dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, 143*00b67f09SDavid van Moolenbroek const char *engine, unsigned int eflags); 144*00b67f09SDavid van Moolenbroek /*%< 145*00b67f09SDavid van Moolenbroek * Initializes the DST subsystem. 146*00b67f09SDavid van Moolenbroek * 147*00b67f09SDavid van Moolenbroek * Requires: 148*00b67f09SDavid van Moolenbroek * \li "mctx" is a valid memory context 149*00b67f09SDavid van Moolenbroek * \li "ectx" is a valid entropy context 150*00b67f09SDavid van Moolenbroek * 151*00b67f09SDavid van Moolenbroek * Returns: 152*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 153*00b67f09SDavid van Moolenbroek * \li ISC_R_NOMEMORY 154*00b67f09SDavid van Moolenbroek * \li DST_R_NOENGINE 155*00b67f09SDavid van Moolenbroek * 156*00b67f09SDavid van Moolenbroek * Ensures: 157*00b67f09SDavid van Moolenbroek * \li DST is properly initialized. 158*00b67f09SDavid van Moolenbroek */ 159*00b67f09SDavid van Moolenbroek 160*00b67f09SDavid van Moolenbroek void 161*00b67f09SDavid van Moolenbroek dst_lib_destroy(void); 162*00b67f09SDavid van Moolenbroek /*%< 163*00b67f09SDavid van Moolenbroek * Releases all resources allocated by DST. 
164*00b67f09SDavid van Moolenbroek */ 165*00b67f09SDavid van Moolenbroek 166*00b67f09SDavid van Moolenbroek isc_boolean_t 167*00b67f09SDavid van Moolenbroek dst_algorithm_supported(unsigned int alg); 168*00b67f09SDavid van Moolenbroek /*%< 169*00b67f09SDavid van Moolenbroek * Checks that a given algorithm is supported by DST. 170*00b67f09SDavid van Moolenbroek * 171*00b67f09SDavid van Moolenbroek * Returns: 172*00b67f09SDavid van Moolenbroek * \li ISC_TRUE 173*00b67f09SDavid van Moolenbroek * \li ISC_FALSE 174*00b67f09SDavid van Moolenbroek */ 175*00b67f09SDavid van Moolenbroek 176*00b67f09SDavid van Moolenbroek isc_boolean_t 177*00b67f09SDavid van Moolenbroek dst_ds_digest_supported(unsigned int digest_type); 178*00b67f09SDavid van Moolenbroek /*%< 179*00b67f09SDavid van Moolenbroek * Checks that a given digest algorithm is supported by DST. 180*00b67f09SDavid van Moolenbroek * 181*00b67f09SDavid van Moolenbroek * Returns: 182*00b67f09SDavid van Moolenbroek * \li ISC_TRUE 183*00b67f09SDavid van Moolenbroek * \li ISC_FALSE 184*00b67f09SDavid van Moolenbroek */ 185*00b67f09SDavid van Moolenbroek 186*00b67f09SDavid van Moolenbroek isc_result_t 187*00b67f09SDavid van Moolenbroek dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp); 188*00b67f09SDavid van Moolenbroek 189*00b67f09SDavid van Moolenbroek isc_result_t 190*00b67f09SDavid van Moolenbroek dst_context_create2(dst_key_t *key, isc_mem_t *mctx, 191*00b67f09SDavid van Moolenbroek isc_logcategory_t *category, dst_context_t **dctxp); 192*00b67f09SDavid van Moolenbroek 193*00b67f09SDavid van Moolenbroek isc_result_t 194*00b67f09SDavid van Moolenbroek dst_context_create3(dst_key_t *key, isc_mem_t *mctx, 195*00b67f09SDavid van Moolenbroek isc_logcategory_t *category, isc_boolean_t useforsigning, 196*00b67f09SDavid van Moolenbroek dst_context_t **dctxp); 197*00b67f09SDavid van Moolenbroek 198*00b67f09SDavid van Moolenbroek isc_result_t 199*00b67f09SDavid van Moolenbroek 
dst_context_create4(dst_key_t *key, isc_mem_t *mctx, 200*00b67f09SDavid van Moolenbroek isc_logcategory_t *category, isc_boolean_t useforsigning, 201*00b67f09SDavid van Moolenbroek int maxbits, dst_context_t **dctxp); 202*00b67f09SDavid van Moolenbroek /*%< 203*00b67f09SDavid van Moolenbroek * Creates a context to be used for a sign or verify operation. 204*00b67f09SDavid van Moolenbroek * 205*00b67f09SDavid van Moolenbroek * Requires: 206*00b67f09SDavid van Moolenbroek * \li "key" is a valid key. 207*00b67f09SDavid van Moolenbroek * \li "mctx" is a valid memory context. 208*00b67f09SDavid van Moolenbroek * \li dctxp != NULL && *dctxp == NULL 209*00b67f09SDavid van Moolenbroek * 210*00b67f09SDavid van Moolenbroek * Returns: 211*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 212*00b67f09SDavid van Moolenbroek * \li ISC_R_NOMEMORY 213*00b67f09SDavid van Moolenbroek * 214*00b67f09SDavid van Moolenbroek * Ensures: 215*00b67f09SDavid van Moolenbroek * \li *dctxp will contain a usable context. 216*00b67f09SDavid van Moolenbroek */ 217*00b67f09SDavid van Moolenbroek 218*00b67f09SDavid van Moolenbroek void 219*00b67f09SDavid van Moolenbroek dst_context_destroy(dst_context_t **dctxp); 220*00b67f09SDavid van Moolenbroek /*%< 221*00b67f09SDavid van Moolenbroek * Destroys all memory associated with a context. 
222*00b67f09SDavid van Moolenbroek * 223*00b67f09SDavid van Moolenbroek * Requires: 224*00b67f09SDavid van Moolenbroek * \li dctxp != NULL && *dctxp != NULL 225*00b67f09SDavid van Moolenbroek * 226*00b67f09SDavid van Moolenbroek * Ensures: 227*00b67f09SDavid van Moolenbroek * \li *dctxp == NULL 228*00b67f09SDavid van Moolenbroek */ 229*00b67f09SDavid van Moolenbroek 230*00b67f09SDavid van Moolenbroek isc_result_t 231*00b67f09SDavid van Moolenbroek dst_context_adddata(dst_context_t *dctx, const isc_region_t *data); 232*00b67f09SDavid van Moolenbroek /*%< 233*00b67f09SDavid van Moolenbroek * Incrementally adds data to the context to be used in a sign or verify 234*00b67f09SDavid van Moolenbroek * operation. 235*00b67f09SDavid van Moolenbroek * 236*00b67f09SDavid van Moolenbroek * Requires: 237*00b67f09SDavid van Moolenbroek * \li "dctx" is a valid context 238*00b67f09SDavid van Moolenbroek * \li "data" is a valid region 239*00b67f09SDavid van Moolenbroek * 240*00b67f09SDavid van Moolenbroek * Returns: 241*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 242*00b67f09SDavid van Moolenbroek * \li DST_R_SIGNFAILURE 243*00b67f09SDavid van Moolenbroek * \li all other errors indicate failure 244*00b67f09SDavid van Moolenbroek */ 245*00b67f09SDavid van Moolenbroek 246*00b67f09SDavid van Moolenbroek isc_result_t 247*00b67f09SDavid van Moolenbroek dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig); 248*00b67f09SDavid van Moolenbroek /*%< 249*00b67f09SDavid van Moolenbroek * Computes a signature using the data and key stored in the context. 250*00b67f09SDavid van Moolenbroek * 251*00b67f09SDavid van Moolenbroek * Requires: 252*00b67f09SDavid van Moolenbroek * \li "dctx" is a valid context. 253*00b67f09SDavid van Moolenbroek * \li "sig" is a valid buffer. 
254*00b67f09SDavid van Moolenbroek * 255*00b67f09SDavid van Moolenbroek * Returns: 256*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 257*00b67f09SDavid van Moolenbroek * \li DST_R_VERIFYFAILURE 258*00b67f09SDavid van Moolenbroek * \li all other errors indicate failure 259*00b67f09SDavid van Moolenbroek * 260*00b67f09SDavid van Moolenbroek * Ensures: 261*00b67f09SDavid van Moolenbroek * \li "sig" will contain the signature 262*00b67f09SDavid van Moolenbroek */ 263*00b67f09SDavid van Moolenbroek 264*00b67f09SDavid van Moolenbroek isc_result_t 265*00b67f09SDavid van Moolenbroek dst_context_verify(dst_context_t *dctx, isc_region_t *sig); 266*00b67f09SDavid van Moolenbroek 267*00b67f09SDavid van Moolenbroek isc_result_t 268*00b67f09SDavid van Moolenbroek dst_context_verify2(dst_context_t *dctx, unsigned int maxbits, 269*00b67f09SDavid van Moolenbroek isc_region_t *sig); 270*00b67f09SDavid van Moolenbroek /*%< 271*00b67f09SDavid van Moolenbroek * Verifies the signature using the data and key stored in the context. 272*00b67f09SDavid van Moolenbroek * 273*00b67f09SDavid van Moolenbroek * 'maxbits' specifies the maximum number of bits permitted in the RSA 274*00b67f09SDavid van Moolenbroek * exponent. 275*00b67f09SDavid van Moolenbroek * 276*00b67f09SDavid van Moolenbroek * Requires: 277*00b67f09SDavid van Moolenbroek * \li "dctx" is a valid context. 278*00b67f09SDavid van Moolenbroek * \li "sig" is a valid region. 
279*00b67f09SDavid van Moolenbroek * 280*00b67f09SDavid van Moolenbroek * Returns: 281*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 282*00b67f09SDavid van Moolenbroek * \li all other errors indicate failure 283*00b67f09SDavid van Moolenbroek * 284*00b67f09SDavid van Moolenbroek * Ensures: 285*00b67f09SDavid van Moolenbroek * \li "sig" will contain the signature 286*00b67f09SDavid van Moolenbroek */ 287*00b67f09SDavid van Moolenbroek 288*00b67f09SDavid van Moolenbroek isc_result_t 289*00b67f09SDavid van Moolenbroek dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv, 290*00b67f09SDavid van Moolenbroek isc_buffer_t *secret); 291*00b67f09SDavid van Moolenbroek /*%< 292*00b67f09SDavid van Moolenbroek * Computes a shared secret from two (Diffie-Hellman) keys. 293*00b67f09SDavid van Moolenbroek * 294*00b67f09SDavid van Moolenbroek * Requires: 295*00b67f09SDavid van Moolenbroek * \li "pub" is a valid key that can be used to derive a shared secret 296*00b67f09SDavid van Moolenbroek * \li "priv" is a valid private key that can be used to derive a shared secret 297*00b67f09SDavid van Moolenbroek * \li "secret" is a valid buffer 298*00b67f09SDavid van Moolenbroek * 299*00b67f09SDavid van Moolenbroek * Returns: 300*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 301*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 302*00b67f09SDavid van Moolenbroek * 303*00b67f09SDavid van Moolenbroek * Ensures: 304*00b67f09SDavid van Moolenbroek * \li If successful, secret will contain the derived shared secret. 305*00b67f09SDavid van Moolenbroek */ 306*00b67f09SDavid van Moolenbroek 307*00b67f09SDavid van Moolenbroek isc_result_t 308*00b67f09SDavid van Moolenbroek dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type, 309*00b67f09SDavid van Moolenbroek const char *directory, isc_mem_t *mctx, dst_key_t **keyp); 310*00b67f09SDavid van Moolenbroek /*%< 311*00b67f09SDavid van Moolenbroek * Reads a key from permanent storage. 
The key can either be a public or 312*00b67f09SDavid van Moolenbroek * private key, and is specified by name, algorithm, and id. If a private key 313*00b67f09SDavid van Moolenbroek * is specified, the public key must also be present. If directory is NULL, 314*00b67f09SDavid van Moolenbroek * the current directory is assumed. 315*00b67f09SDavid van Moolenbroek * 316*00b67f09SDavid van Moolenbroek * Requires: 317*00b67f09SDavid van Moolenbroek * \li "name" is a valid absolute dns name. 318*00b67f09SDavid van Moolenbroek * \li "id" is a valid key tag identifier. 319*00b67f09SDavid van Moolenbroek * \li "alg" is a supported key algorithm. 320*00b67f09SDavid van Moolenbroek * \li "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union. 321*00b67f09SDavid van Moolenbroek * DST_TYPE_KEY look for a KEY record otherwise DNSKEY 322*00b67f09SDavid van Moolenbroek * \li "mctx" is a valid memory context. 323*00b67f09SDavid van Moolenbroek * \li "keyp" is not NULL and "*keyp" is NULL. 324*00b67f09SDavid van Moolenbroek * 325*00b67f09SDavid van Moolenbroek * Returns: 326*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 327*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 328*00b67f09SDavid van Moolenbroek * 329*00b67f09SDavid van Moolenbroek * Ensures: 330*00b67f09SDavid van Moolenbroek * \li If successful, *keyp will contain a valid key. 331*00b67f09SDavid van Moolenbroek */ 332*00b67f09SDavid van Moolenbroek 333*00b67f09SDavid van Moolenbroek isc_result_t 334*00b67f09SDavid van Moolenbroek dst_key_fromnamedfile(const char *filename, const char *dirname, 335*00b67f09SDavid van Moolenbroek int type, isc_mem_t *mctx, dst_key_t **keyp); 336*00b67f09SDavid van Moolenbroek /*%< 337*00b67f09SDavid van Moolenbroek * Reads a key from permanent storage. The key can either be a public or 338*00b67f09SDavid van Moolenbroek * private key, and is specified by filename. 
If a private key is specified, the 339*00b67f09SDavid van Moolenbroek * public key must also be present. 340*00b67f09SDavid van Moolenbroek * 341*00b67f09SDavid van Moolenbroek * If 'dirname' is not NULL, and 'filename' is a relative path, 342*00b67f09SDavid van Moolenbroek * then the file is looked up relative to the given directory. 343*00b67f09SDavid van Moolenbroek * If 'filename' is an absolute path, 'dirname' is ignored. 344*00b67f09SDavid van Moolenbroek * 345*00b67f09SDavid van Moolenbroek * Requires: 346*00b67f09SDavid van Moolenbroek * \li "filename" is not NULL 347*00b67f09SDavid van Moolenbroek * \li "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union 348*00b67f09SDavid van Moolenbroek * DST_TYPE_KEY look for a KEY record otherwise DNSKEY 349*00b67f09SDavid van Moolenbroek * \li "mctx" is a valid memory context 350*00b67f09SDavid van Moolenbroek * \li "keyp" is not NULL and "*keyp" is NULL. 351*00b67f09SDavid van Moolenbroek * 352*00b67f09SDavid van Moolenbroek * Returns: 353*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 354*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 355*00b67f09SDavid van Moolenbroek * 356*00b67f09SDavid van Moolenbroek * Ensures: 357*00b67f09SDavid van Moolenbroek * \li If successful, *keyp will contain a valid key. 358*00b67f09SDavid van Moolenbroek */ 359*00b67f09SDavid van Moolenbroek 360*00b67f09SDavid van Moolenbroek 361*00b67f09SDavid van Moolenbroek isc_result_t 362*00b67f09SDavid van Moolenbroek dst_key_read_public(const char *filename, int type, 363*00b67f09SDavid van Moolenbroek isc_mem_t *mctx, dst_key_t **keyp); 364*00b67f09SDavid van Moolenbroek /*%< 365*00b67f09SDavid van Moolenbroek * Reads a public key from permanent storage. The key must be a public key. 
366*00b67f09SDavid van Moolenbroek * 367*00b67f09SDavid van Moolenbroek * Requires: 368*00b67f09SDavid van Moolenbroek * \li "filename" is not NULL 369*00b67f09SDavid van Moolenbroek * \li "type" is DST_TYPE_KEY look for a KEY record otherwise DNSKEY 370*00b67f09SDavid van Moolenbroek * \li "mctx" is a valid memory context 371*00b67f09SDavid van Moolenbroek * \li "keyp" is not NULL and "*keyp" is NULL. 372*00b67f09SDavid van Moolenbroek * 373*00b67f09SDavid van Moolenbroek * Returns: 374*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 375*00b67f09SDavid van Moolenbroek * \li DST_R_BADKEYTYPE if the key type is not the expected one 376*00b67f09SDavid van Moolenbroek * \li ISC_R_UNEXPECTEDTOKEN if the file can not be parsed as a public key 377*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 378*00b67f09SDavid van Moolenbroek * 379*00b67f09SDavid van Moolenbroek * Ensures: 380*00b67f09SDavid van Moolenbroek * \li If successful, *keyp will contain a valid key. 381*00b67f09SDavid van Moolenbroek */ 382*00b67f09SDavid van Moolenbroek 383*00b67f09SDavid van Moolenbroek isc_result_t 384*00b67f09SDavid van Moolenbroek dst_key_tofile(const dst_key_t *key, int type, const char *directory); 385*00b67f09SDavid van Moolenbroek /*%< 386*00b67f09SDavid van Moolenbroek * Writes a key to permanent storage. The key can either be a public or 387*00b67f09SDavid van Moolenbroek * private key. Public keys are written in DNS format and private keys 388*00b67f09SDavid van Moolenbroek * are written as a set of base64 encoded values. If directory is NULL, 389*00b67f09SDavid van Moolenbroek * the current directory is assumed. 390*00b67f09SDavid van Moolenbroek * 391*00b67f09SDavid van Moolenbroek * Requires: 392*00b67f09SDavid van Moolenbroek * \li "key" is a valid key. 
393*00b67f09SDavid van Moolenbroek * \li "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union 394*00b67f09SDavid van Moolenbroek * 395*00b67f09SDavid van Moolenbroek * Returns: 396*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 397*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 398*00b67f09SDavid van Moolenbroek */ 399*00b67f09SDavid van Moolenbroek 400*00b67f09SDavid van Moolenbroek isc_result_t 401*00b67f09SDavid van Moolenbroek dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass, 402*00b67f09SDavid van Moolenbroek isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp); 403*00b67f09SDavid van Moolenbroek /*%< 404*00b67f09SDavid van Moolenbroek * Converts a DNS KEY record into a DST key. 405*00b67f09SDavid van Moolenbroek * 406*00b67f09SDavid van Moolenbroek * Requires: 407*00b67f09SDavid van Moolenbroek * \li "name" is a valid absolute dns name. 408*00b67f09SDavid van Moolenbroek * \li "source" is a valid buffer. There must be at least 4 bytes available. 409*00b67f09SDavid van Moolenbroek * \li "mctx" is a valid memory context. 410*00b67f09SDavid van Moolenbroek * \li "keyp" is not NULL and "*keyp" is NULL. 411*00b67f09SDavid van Moolenbroek * 412*00b67f09SDavid van Moolenbroek * Returns: 413*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 414*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 415*00b67f09SDavid van Moolenbroek * 416*00b67f09SDavid van Moolenbroek * Ensures: 417*00b67f09SDavid van Moolenbroek * \li If successful, *keyp will contain a valid key, and the consumed 418*00b67f09SDavid van Moolenbroek * pointer in data will be advanced. 419*00b67f09SDavid van Moolenbroek */ 420*00b67f09SDavid van Moolenbroek 421*00b67f09SDavid van Moolenbroek isc_result_t 422*00b67f09SDavid van Moolenbroek dst_key_todns(const dst_key_t *key, isc_buffer_t *target); 423*00b67f09SDavid van Moolenbroek /*%< 424*00b67f09SDavid van Moolenbroek * Converts a DST key into a DNS KEY record. 
425*00b67f09SDavid van Moolenbroek * 426*00b67f09SDavid van Moolenbroek * Requires: 427*00b67f09SDavid van Moolenbroek * \li "key" is a valid key. 428*00b67f09SDavid van Moolenbroek * \li "target" is a valid buffer. There must be at least 4 bytes unused. 429*00b67f09SDavid van Moolenbroek * 430*00b67f09SDavid van Moolenbroek * Returns: 431*00b67f09SDavid van Moolenbroek * \li ISC_R_SUCCESS 432*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 433*00b67f09SDavid van Moolenbroek * 434*00b67f09SDavid van Moolenbroek * Ensures: 435*00b67f09SDavid van Moolenbroek * \li If successful, the used pointer in 'target' is advanced by at least 4. 436*00b67f09SDavid van Moolenbroek */ 437*00b67f09SDavid van Moolenbroek 438*00b67f09SDavid van Moolenbroek isc_result_t 439*00b67f09SDavid van Moolenbroek dst_key_frombuffer(dns_name_t *name, unsigned int alg, 440*00b67f09SDavid van Moolenbroek unsigned int flags, unsigned int protocol, 441*00b67f09SDavid van Moolenbroek dns_rdataclass_t rdclass, 442*00b67f09SDavid van Moolenbroek isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp); 443*00b67f09SDavid van Moolenbroek /*%< 444*00b67f09SDavid van Moolenbroek * Converts a buffer containing DNS KEY RDATA into a DST key. 445*00b67f09SDavid van Moolenbroek * 446*00b67f09SDavid van Moolenbroek * Requires: 447*00b67f09SDavid van Moolenbroek *\li "name" is a valid absolute dns name. 448*00b67f09SDavid van Moolenbroek *\li "alg" is a supported key algorithm. 449*00b67f09SDavid van Moolenbroek *\li "source" is a valid buffer. 450*00b67f09SDavid van Moolenbroek *\li "mctx" is a valid memory context. 451*00b67f09SDavid van Moolenbroek *\li "keyp" is not NULL and "*keyp" is NULL. 
452*00b67f09SDavid van Moolenbroek * 453*00b67f09SDavid van Moolenbroek * Returns: 454*00b67f09SDavid van Moolenbroek *\li ISC_R_SUCCESS 455*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 456*00b67f09SDavid van Moolenbroek * 457*00b67f09SDavid van Moolenbroek * Ensures: 458*00b67f09SDavid van Moolenbroek *\li If successful, *keyp will contain a valid key, and the consumed 459*00b67f09SDavid van Moolenbroek * pointer in source will be advanced. 460*00b67f09SDavid van Moolenbroek */ 461*00b67f09SDavid van Moolenbroek 462*00b67f09SDavid van Moolenbroek isc_result_t 463*00b67f09SDavid van Moolenbroek dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target); 464*00b67f09SDavid van Moolenbroek /*%< 465*00b67f09SDavid van Moolenbroek * Converts a DST key into DNS KEY RDATA format. 466*00b67f09SDavid van Moolenbroek * 467*00b67f09SDavid van Moolenbroek * Requires: 468*00b67f09SDavid van Moolenbroek *\li "key" is a valid key. 469*00b67f09SDavid van Moolenbroek *\li "target" is a valid buffer. 470*00b67f09SDavid van Moolenbroek * 471*00b67f09SDavid van Moolenbroek * Returns: 472*00b67f09SDavid van Moolenbroek *\li ISC_R_SUCCESS 473*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 474*00b67f09SDavid van Moolenbroek * 475*00b67f09SDavid van Moolenbroek * Ensures: 476*00b67f09SDavid van Moolenbroek *\li If successful, the used pointer in 'target' is advanced. 477*00b67f09SDavid van Moolenbroek */ 478*00b67f09SDavid van Moolenbroek 479*00b67f09SDavid van Moolenbroek isc_result_t 480*00b67f09SDavid van Moolenbroek dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer); 481*00b67f09SDavid van Moolenbroek /*%< 482*00b67f09SDavid van Moolenbroek * Converts a public key into a private key, reading the private key 483*00b67f09SDavid van Moolenbroek * information from the buffer. The buffer should contain the same data 484*00b67f09SDavid van Moolenbroek * as the .private key file would. 
485*00b67f09SDavid van Moolenbroek * 486*00b67f09SDavid van Moolenbroek * Requires: 487*00b67f09SDavid van Moolenbroek *\li "key" is a valid public key. 488*00b67f09SDavid van Moolenbroek *\li "buffer" is not NULL. 489*00b67f09SDavid van Moolenbroek * 490*00b67f09SDavid van Moolenbroek * Returns: 491*00b67f09SDavid van Moolenbroek *\li ISC_R_SUCCESS 492*00b67f09SDavid van Moolenbroek * \li any other result indicates failure 493*00b67f09SDavid van Moolenbroek * 494*00b67f09SDavid van Moolenbroek * Ensures: 495*00b67f09SDavid van Moolenbroek *\li If successful, key will contain a valid private key. 496*00b67f09SDavid van Moolenbroek */ 497*00b67f09SDavid van Moolenbroek 498*00b67f09SDavid van Moolenbroek gss_ctx_id_t 499*00b67f09SDavid van Moolenbroek dst_key_getgssctx(const dst_key_t *key); 500*00b67f09SDavid van Moolenbroek /*%< 501*00b67f09SDavid van Moolenbroek * Returns the opaque key data. 502*00b67f09SDavid van Moolenbroek * Be cautious when using this value unless you know what you are doing. 503*00b67f09SDavid van Moolenbroek * 504*00b67f09SDavid van Moolenbroek * Requires: 505*00b67f09SDavid van Moolenbroek *\li "key" is not NULL. 506*00b67f09SDavid van Moolenbroek * 507*00b67f09SDavid van Moolenbroek * Returns: 508*00b67f09SDavid van Moolenbroek *\li gssctx key data, possibly NULL. 509*00b67f09SDavid van Moolenbroek */ 510*00b67f09SDavid van Moolenbroek 511*00b67f09SDavid van Moolenbroek isc_result_t 512*00b67f09SDavid van Moolenbroek dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx, 513*00b67f09SDavid van Moolenbroek dst_key_t **keyp, isc_region_t *intoken); 514*00b67f09SDavid van Moolenbroek /*%< 515*00b67f09SDavid van Moolenbroek * Converts a GSSAPI opaque context id into a DST key. 516*00b67f09SDavid van Moolenbroek * 517*00b67f09SDavid van Moolenbroek * Requires: 518*00b67f09SDavid van Moolenbroek *\li "name" is a valid absolute dns name. 519*00b67f09SDavid van Moolenbroek *\li "gssctx" is a GSSAPI context id. 
*\li "mctx" is a valid memory context.
 *\li "keyp" is not NULL and "*keyp" is NULL.
 *
 * Returns:
 *\li ISC_R_SUCCESS
 *\li any other result indicates failure
 *
 * Ensures:
 *\li If successful, *keyp will contain a valid key and be responsible for
 *    the context id.
 */

#ifdef DST_KEY_INTERNAL
isc_result_t
dst_key_buildinternal(dns_name_t *name, unsigned int alg,
                      unsigned int bits, unsigned int flags,
                      unsigned int protocol, dns_rdataclass_t rdclass,
                      void *data, isc_mem_t *mctx, dst_key_t **keyp);
/*%<
 * Internal key constructor; only declared when DST_KEY_INTERNAL is defined.
 *
 * NOTE(review): the meaning and ownership of 'data' are not documented
 * here; presumably it is algorithm-specific key material -- confirm in the
 * implementation before relying on it.
 */
#endif

isc_result_t
dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
                  unsigned int protocol, dns_rdataclass_t rdclass,
                  const char *engine, const char *label, const char *pin,
                  isc_mem_t *mctx, dst_key_t **keyp);
/*%<
 * Create a DST key referring to a key identified by 'label' in the
 * crypto 'engine', using 'pin' for access.
 *
 * NOTE(review): this prototype is not documented in the original header.
 * 'pin' is a credential; whether it is copied, retained, or zeroized by
 * the implementation is not specified here -- confirm before passing
 * long-lived secrets.  Note that 'alg' is a plain int here, unlike the
 * unsigned int used by dst_key_generate().
 *
 * Requires:
 *\li "keyp" is not NULL and "*keyp" is NULL.
 */

isc_result_t
dst_key_generate(dns_name_t *name, unsigned int alg,
                 unsigned int bits, unsigned int param,
                 unsigned int flags, unsigned int protocol,
                 dns_rdataclass_t rdclass,
                 isc_mem_t *mctx, dst_key_t **keyp);

isc_result_t
dst_key_generate2(dns_name_t *name, unsigned int alg,
                  unsigned int bits, unsigned int param,
                  unsigned int flags, unsigned int protocol,
                  dns_rdataclass_t rdclass,
                  isc_mem_t *mctx, dst_key_t **keyp,
                  void (*callback)(int));

/*%<
 * Generate a DST key (or keypair) with the supplied parameters.  This
 * description covers both dst_key_generate() and dst_key_generate2();
 * the latter additionally takes a 'callback', whose invocation semantics
 * are not documented here (presumably a progress hook -- confirm in the
 * implementation).  The interpretation of the "param" field depends on
 * the algorithm:
 * \code
 * RSA:     exponent
 *          0       use exponent 3
 *          !0      use Fermat4 (2^16 + 1)
 * DH:      generator
 *          0       default - use well known prime if bits == 768 or 1024,
 *                  otherwise use 2 as the generator.
 *          !0      use this value as the generator.
 * DSA:     unused
 * HMACMD5: entropy
 *          0       default - require good entropy
 *          !0      lack of good entropy is ok
 *\endcode
 *
 * NOTE(review): for HMACMD5 a non-zero "param" relaxes the entropy
 * requirement; keys generated under weak entropy are presumably weaker
 * than the default, so callers should pass 0 unless they have a specific
 * reason not to.
 *
 * Requires:
 *\li "name" is a valid absolute dns name.
 *\li "keyp" is not NULL and "*keyp" is NULL.
 *
 * Returns:
 *\li ISC_R_SUCCESS
 *\li any other result indicates failure
 *
 * Ensures:
 *\li If successful, *keyp will contain a valid key.
 */

isc_boolean_t
dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
/*%<
 * Compares two DST keys.  Returns true if they match, false otherwise.
 *
 * Keys ARE NOT considered to match if one of them is the revoked version
 * of the other.
 *
 * Requires:
 *\li "key1" is a valid key.
 *\li "key2" is a valid key.
 *
 * Returns:
 *\li ISC_TRUE
 *\li ISC_FALSE
 */

isc_boolean_t
dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
                   isc_boolean_t match_revoked_key);
/*%<
 * Compares only the public portions of two DST keys.  Returns true
 * if they match, false otherwise.  This allows us, for example, to
 * determine whether a public key found in a zone matches up with a
 * key pair found on disk.
 *
 * If match_revoked_key is TRUE, then keys ARE considered to match if one
 * of them is the revoked version of the other.  Otherwise, they are not.
 *
 * Requires:
 *\li "key1" is a valid key.
 *\li "key2" is a valid key.
 *
 * Returns:
 *\li ISC_TRUE
 *\li ISC_FALSE
 */

isc_boolean_t
dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
/*%<
 * Compares the parameters of two DST keys.  This is used to determine if
 * two (Diffie-Hellman) keys can be used to derive a shared secret.
 *
 * Requires:
 *\li "key1" is a valid key.
 *\li "key2" is a valid key.
 *
 * Returns:
 *\li ISC_TRUE
 *\li ISC_FALSE
 */

void
dst_key_attach(dst_key_t *source, dst_key_t **target);
/*%<
 * Attach to an existing key, increasing its reference count.
 * Release the reference with dst_key_free().
 *
 * Requires:
 *\li 'source' to be a valid key.
 *\li 'target' to be non-NULL and '*target' to be NULL.
 */

void
dst_key_free(dst_key_t **keyp);
/*%<
 * Decrement the key's reference counter and, when it reaches zero,
 * release all memory associated with the key.
 *
 * NOTE(review): whether private key material is zeroized before the
 * memory is returned to the context is not specified here -- confirm in
 * the implementation if that guarantee matters to the caller.
 *
 * Requires:
 *\li "keyp" is not NULL and "*keyp" is a valid key.
 *\li reference counter greater than zero.
 *
 * Ensures:
 *\li All memory associated with "*keyp" will be freed.
 *\li *keyp == NULL
 */

/*%<
 * Accessor functions to obtain key fields.  None of them takes
 * ownership of, or modifies, the key.
 *
 * Require:
 *\li "key" is a valid key.
 */
dns_name_t *
dst_key_name(const dst_key_t *key);
/*%< The key's owner name.  The returned pointer is presumably owned by the
 *   key and valid only as long as the key is -- do not free it. */

unsigned int
dst_key_size(const dst_key_t *key);
/*%< Key size; presumably in bits, matching the "bits" argument of
 *   dst_key_generate() -- confirm. */

unsigned int
dst_key_proto(const dst_key_t *key);
/*%< The key's protocol field. */

unsigned int
dst_key_alg(const dst_key_t *key);
/*%< The key's algorithm number. */

isc_uint32_t
dst_key_flags(const dst_key_t *key);
/*%< The key's flags field; see dst_key_setflags(). */

dns_keytag_t
dst_key_id(const dst_key_t *key);
/*%< The key tag (key id) of the key. */

dns_keytag_t
dst_key_rid(const dst_key_t *key);
/*%< Presumably the key tag the key would have in its revoked form
 *   (cf. dst_region_computerid()) -- confirm. */

dns_rdataclass_t
dst_key_class(const dst_key_t *key);
/*%< The key's RR class. */

isc_boolean_t
dst_key_isprivate(const dst_key_t *key);
/*%< ISC_TRUE if the key carries a private component. */

isc_boolean_t
dst_key_iszonekey(const dst_key_t *key);
/*%< ISC_TRUE if the key is a zone key. */

isc_boolean_t
dst_key_isnullkey(const dst_key_t *key);
/*%< ISC_TRUE if the key is a null key. */

isc_result_t
dst_key_buildfilename(const dst_key_t *key, int type,
                      const char *directory, isc_buffer_t *out);
/*%<
 * Generates the filename used by dst to store the specified key.
 * If directory is NULL, the current directory is assumed.
 *
 * Requires:
 *\li "key" is a valid key
 *\li "type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
 *\li "out" is a valid buffer
 *
 * Ensures:
 *\li the file name will be written to "out", and the used pointer will
 *    be advanced.
 */

isc_result_t
dst_key_sigsize(const dst_key_t *key, unsigned int *n);
/*%<
 * Computes the size of a signature generated by the given key.
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "n" is not NULL
 *
 * Returns:
 *\li #ISC_R_SUCCESS
 *\li DST_R_UNSUPPORTEDALG
 *
 * Ensures:
 *\li "n" stores the size of a generated signature
 */

isc_result_t
dst_key_secretsize(const dst_key_t *key, unsigned int *n);
/*%<
 * Computes the size of a shared secret generated by the given key.
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "n" is not NULL
 *
 * Returns:
 *\li #ISC_R_SUCCESS
 *\li DST_R_UNSUPPORTEDALG
 *
 * Ensures:
 *\li "n" stores the size of a generated shared secret
 */

isc_uint16_t
dst_region_computeid(const isc_region_t *source, unsigned int alg);
isc_uint16_t
dst_region_computerid(const isc_region_t *source, unsigned int alg);
/*%<
 * Computes the key id of the key stored in the provided region with the
 * given algorithm.  dst_region_computeid() computes the id of the key as
 * stored; dst_region_computerid() presumably computes the id of its
 * revoked version -- confirm in the implementation.
 *
 * Requires:
 *\li "source" contains a valid, non-NULL region.
 *
 * Returns:
 *\li the key id
 */

isc_uint16_t
dst_key_getbits(const dst_key_t *key);
/*%<
 * Get the number of digest bits required (0 == MAX).
 *
 * Requires:
 *\li "key" is a valid key.
 */

void
dst_key_setbits(dst_key_t *key, isc_uint16_t bits);
/*%<
 * Set the number of digest bits required (0 == MAX).
 *
 * Requires:
 *\li "key" is a valid key.
 */

void
dst_key_setttl(dst_key_t *key, dns_ttl_t ttl);
/*%<
 * Set the default TTL to use when converting the key
 * to a KEY or DNSKEY RR.
 *
 * Requires:
 *\li "key" is a valid key.
 */

dns_ttl_t
dst_key_getttl(const dst_key_t *key);
/*%<
 * Get the default TTL to use when converting the key
 * to a KEY or DNSKEY RR.
 *
 * Requires:
 *\li "key" is a valid key.
 */

isc_result_t
dst_key_setflags(dst_key_t *key, isc_uint32_t flags);
/*%<
 * Set the key flags, and recompute the key ID.  Because the key ID
 * changes, values previously obtained from dst_key_id() are stale after
 * this call.
 *
 * Requires:
 *\li "key" is a valid key.
 */

isc_result_t
dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep);
/*%<
 * Get a member of the numeric metadata array and place it in '*valuep'.
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "type" is no larger than DST_MAX_NUMERIC
 *\li "valuep" is not null.
 */

void
dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value);
/*%<
 * Set a member of the numeric metadata array.
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "type" is no larger than DST_MAX_NUMERIC
 */

void
dst_key_unsetnum(dst_key_t *key, int type);
/*%<
 * Flag a member of the numeric metadata array as "not set".
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "type" is no larger than DST_MAX_NUMERIC
 */

isc_result_t
dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep);
/*%<
 * Get a member of the timing metadata array and place it in '*timep'.
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "type" is no larger than DST_MAX_TIMES
 *\li "timep" is not null.
 */

void
dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when);
/*%<
 * Set a member of the timing metadata array.
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "type" is no larger than DST_MAX_TIMES
 */

void
dst_key_unsettime(dst_key_t *key, int type);
/*%<
 * Flag a member of the timing metadata array as "not set".
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "type" is no larger than DST_MAX_TIMES
 */

isc_result_t
dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp);
/*%<
 * Get the private key format version number.  (If the key does not have
 * a private key associated with it, the version will be 0.0.)  The major
 * version number is placed in '*majorp', and the minor version number in
 * '*minorp'.
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "majorp" is not NULL.
 *\li "minorp" is not NULL.
 */

void
dst_key_setprivateformat(dst_key_t *key, int major, int minor);
/*%<
 * Set the private key format version number.
 *
 * Requires:
 *\li "key" is a valid key.
 */

/* Buffer size sufficient for dst_key_format(): name, algorithm, key ID and
 * separators. */
#define DST_KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + 7)

void
dst_key_format(const dst_key_t *key, char *cp, unsigned int size);
/*%<
 * Write the uniquely identifying information about the key (name,
 * algorithm, key ID) into a string 'cp' of size 'size'.
 *
 * NOTE(review): whether the output is always NUL-terminated and
 * truncated to 'size' is not stated here -- confirm in the
 * implementation.  A buffer of DST_KEY_FORMATSIZE bytes is presumably
 * the intended size.
 *
 * Requires:
 *\li "key" is a valid key.
 *\li "cp" points to at least 'size' writable bytes.
 */


isc_buffer_t *
dst_key_tkeytoken(const dst_key_t *key);
/*%<
 * Return the token from the TKEY request, if any.  If this key was
 * not negotiated via TKEY, return NULL.
 *
 * Requires:
 *\li "key" is a valid key.
 */


isc_result_t
dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length);
/*%<
 * Allocate 'buffer' and dump the key into it in base64 format.  The buffer
 * is NOT NUL terminated, so it must not be treated as a C string; the
 * length of the buffer is returned in *length.
 *
 * 'buffer' needs to be freed using isc_mem_put(mctx, buffer, length);
 * if the key has a private component, the dump presumably contains
 * private key material -- handle the buffer accordingly.
 *
 * Requires:
 *\li 'buffer' to be non NULL and *buffer to be NULL.
 *\li 'length' to be non NULL and *length to be zero.
 *
 * Returns:
 *\li ISC_R_SUCCESS
 *\li ISC_R_NOMEMORY
 *\li ISC_R_NOTIMPLEMENTED
 *\li others.
 */

isc_result_t
dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
                unsigned int protocol, dns_rdataclass_t rdclass,
                isc_mem_t *mctx, const char *keystr, dst_key_t **keyp);
/*%<
 * Rebuild a key from 'keystr' with the supplied name and attributes.
 *
 * NOTE(review): this prototype is not documented in the original header.
 * 'keystr' is presumably the base64 text produced by dst_key_dump() --
 * confirm in the implementation, including how a malformed 'keystr' is
 * reported.
 *
 * Requires:
 *\li "keyp" is not NULL and "*keyp" is NULL.
 */

isc_boolean_t
dst_key_inactive(const dst_key_t *key);
/*%<
 * Determines if the private key is missing due to the key being deemed
 * inactive.
 *
 * Requires:
 *\li 'key' to be valid.
 */

void
dst_key_setinactive(dst_key_t *key, isc_boolean_t inactive);
/*%<
 * Set key inactive state.
 *
 * Requires:
 *\li 'key' to be valid.
 */

void
dst_key_setexternal(dst_key_t *key, isc_boolean_t value);
/*%<
 * Set the key's "external" flag to 'value'.  What "external" means is
 * not documented here -- confirm in the implementation.
 *
 * Requires:
 *\li 'key' to be valid.
 */

isc_boolean_t
dst_key_isexternal(dst_key_t *key);
/*%<
 * Return the key's "external" flag.
 *
 * NOTE(review): unlike the other predicates in this header this takes a
 * non-const key; presumably it does not modify it.
 *
 * Requires:
 *\li 'key' to be valid.
 */

ISC_LANG_ENDDECLS

#endif /* DST_DST_H */