freebsd-nq/ldns/dnssec_verify.h
Dag-Erling Smørgrav 2f10c3e258 import ldns 1.6.16
2013-02-15 13:51:54 +00:00

875 lines
30 KiB
C

/** dnssec_verify */
#ifndef LDNS_DNSSEC_VERIFY_H
#define LDNS_DNSSEC_VERIFY_H
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
#include <ldns/dnssec.h>
#include <ldns/host2str.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Chain structure that contains all DNSSEC data needed to
* verify an rrset
*/
typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
struct ldns_dnssec_data_chain_struct
{
ldns_rr_list *rrset;
ldns_rr_list *signatures;
ldns_rr_type parent_type;
ldns_dnssec_data_chain *parent;
ldns_pkt_rcode packet_rcode;
ldns_rr_type packet_qtype;
bool packet_nodata;
};
/**
* Creates a new dnssec_chain structure
* \return ldns_dnssec_data_chain *
*/
ldns_dnssec_data_chain *ldns_dnssec_data_chain_new();
/**
* Frees a dnssec_data_chain structure
*
* \param[in] *chain The chain to free
*/
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);
/**
* Frees a dnssec_data_chain structure, and all data
* contained therein
*
* \param[in] *chain The dnssec_data_chain to free
*/
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);
/**
* Prints the dnssec_data_chain to the given file stream
*
* \param[in] *out The file stream to print to
* \param[in] *chain The dnssec_data_chain to print
*/
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
/**
* Prints the dnssec_data_chain to the given file stream
*
* \param[in] *out The file stream to print to
* \param[in] *fmt The format of the textual representation
* \param[in] *chain The dnssec_data_chain to print
*/
void ldns_dnssec_data_chain_print_fmt(FILE *out,
const ldns_output_format *fmt,
const ldns_dnssec_data_chain *chain);
/**
* Build an ldns_dnssec_data_chain, which contains all
* DNSSEC data that is needed to derive the trust tree later
*
* The data_set will be cloned
*
* \param[in] *res resolver structure for further needed queries
* \param[in] qflags resolution flags
* \param[in] *data_set The original rrset where the chain ends
* \param[in] *pkt optional, can contain the original packet
* (and hence the sigs and maybe the key)
* \param[in] *orig_rr The original Resource Record
*
* \return the DNSSEC data chain
*/
ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
const uint16_t qflags,
const ldns_rr_list *data_set,
const ldns_pkt *pkt,
ldns_rr *orig_rr);
/**
* Tree structure that contains the relation of DNSSEC data,
* and their cryptographic status.
*
* This tree is derived from a data_chain, and can be used
* to look whether there is a connection between an RRSET
* and a trusted key. The tree only contains pointers to the
* data_chain, and therefore one should *never* free() the
* data_chain when there is still a trust tree derived from
* that chain.
*
* Example tree:
* key key key
* \ | /
* \ | /
* \ | /
* ds
* |
* key
* |
* key
* |
* rr
*
* For each signature there is a parent; if the parent
* pointer is null, it couldn't be found and there was no
* denial; otherwise is a tree which contains either a
* DNSKEY, a DS, or a NSEC rr
*/
typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
struct ldns_dnssec_trust_tree_struct
{
ldns_rr *rr;
/* the complete rrset this rr was in */
ldns_rr_list *rrset;
ldns_dnssec_trust_tree *parents[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
ldns_status parent_status[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
/** for debugging, add signatures too (you might want
those if they contain errors) */
ldns_rr *parent_signature[LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS];
size_t parent_count;
};
/**
* Creates a new (empty) dnssec_trust_tree structure
*
* \return ldns_dnssec_trust_tree *
*/
ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new();
/**
* Frees the dnssec_trust_tree recursively
*
* There is no deep free; all data in the trust tree
* consists of pointers to a data_chain
*
* \param[in] tree The tree to free
*/
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);
/**
* returns the depth of the trust tree
*
* \param[in] tree tree to calculate the depth of
* \return The depth of the tree
*/
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);
/**
* Prints the dnssec_trust_tree structure to the given file
* stream.
*
* If a link status is not LDNS_STATUS_OK; the status and
* relevant signatures are printed too
*
* \param[in] *out The file stream to print to
* \param[in] tree The trust tree to print
* \param[in] tabs Prepend each line with tabs*2 spaces
* \param[in] extended If true, add little explanation lines to the output
*/
void ldns_dnssec_trust_tree_print(FILE *out,
ldns_dnssec_trust_tree *tree,
size_t tabs,
bool extended);
/**
* Prints the dnssec_trust_tree structure to the given file
* stream.
*
* If a link status is not LDNS_STATUS_OK; the status and
* relevant signatures are printed too
*
* \param[in] *out The file stream to print to
* \param[in] *fmt The format of the textual representation
* \param[in] tree The trust tree to print
* \param[in] tabs Prepend each line with tabs*2 spaces
* \param[in] extended If true, add little explanation lines to the output
*/
void ldns_dnssec_trust_tree_print_fmt(FILE *out,
const ldns_output_format *fmt,
ldns_dnssec_trust_tree *tree,
size_t tabs,
bool extended);
/**
* Adds a trust tree as a parent for the given trust tree
*
* \param[in] *tree The tree to add the parent to
* \param[in] *parent The parent tree to add
* \param[in] *parent_signature The RRSIG relevant to this parent/child
* connection
* \param[in] parent_status The DNSSEC status for this parent, child and RRSIG
* \return LDNS_STATUS_OK if the addition succeeds, error otherwise
*/
ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
const ldns_dnssec_trust_tree *parent,
const ldns_rr *parent_signature,
const ldns_status parent_status);
/**
* Generates a dnssec_trust_tree for the given rr from the
* given data_chain
*
* This does not clone the actual data; Don't free the
* data_chain before you are done with this tree
*
* \param[in] *data_chain The chain to derive the trust tree from
* \param[in] *rr The RR this tree will be about
* \return ldns_dnssec_trust_tree *
*/
ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
ldns_dnssec_data_chain *data_chain,
ldns_rr *rr);
/**
* Generates a dnssec_trust_tree for the given rr from the
* given data_chain
*
* This does not clone the actual data; Don't free the
* data_chain before you are done with this tree
*
* \param[in] *data_chain The chain to derive the trust tree from
* \param[in] *rr The RR this tree will be about
* \param[in] check_time the time for which the validation is performed
* \return ldns_dnssec_trust_tree *
*/
ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
ldns_dnssec_data_chain *data_chain,
ldns_rr *rr, time_t check_time);
/**
* Sub function for derive_trust_tree that is used for a 'normal' rrset
*
* \param[in] new_tree The trust tree that we are building
* \param[in] data_chain The data chain containing the data for the trust tree
* \param[in] cur_sig_rr The currently relevant signature
*/
void ldns_dnssec_derive_trust_tree_normal_rrset(
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain,
ldns_rr *cur_sig_rr);
/**
* Sub function for derive_trust_tree that is used for a 'normal' rrset
*
* \param[in] new_tree The trust tree that we are building
* \param[in] data_chain The data chain containing the data for the trust tree
* \param[in] cur_sig_rr The currently relevant signature
* \param[in] check_time the time for which the validation is performed
*/
void ldns_dnssec_derive_trust_tree_normal_rrset_time(
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain,
ldns_rr *cur_sig_rr, time_t check_time);
/**
* Sub function for derive_trust_tree that is used for DNSKEY rrsets
*
* \param[in] new_tree The trust tree that we are building
* \param[in] data_chain The data chain containing the data for the trust tree
* \param[in] cur_rr The currently relevant DNSKEY RR
* \param[in] cur_sig_rr The currently relevant signature
*/
void ldns_dnssec_derive_trust_tree_dnskey_rrset(
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain,
ldns_rr *cur_rr,
ldns_rr *cur_sig_rr);
/**
* Sub function for derive_trust_tree that is used for DNSKEY rrsets
*
* \param[in] new_tree The trust tree that we are building
* \param[in] data_chain The data chain containing the data for the trust tree
* \param[in] cur_rr The currently relevant DNSKEY RR
* \param[in] cur_sig_rr The currently relevant signature
* \param[in] check_time the time for which the validation is performed
*/
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain,
ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
time_t check_time);
/**
* Sub function for derive_trust_tree that is used for DNSKEY rrsets
*
* \param[in] new_tree The trust tree that we are building
* \param[in] data_chain The data chain containing the data for the trust tree
* \param[in] cur_rr The currently relevant DNSKEY RR
* \param[in] cur_sig_rr The currently relevant signature
* \param[in] check_time the time for which the validation is performed
*/
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain,
ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
time_t check_time);
/**
* Sub function for derive_trust_tree that is used for DS rrsets
*
* \param[in] new_tree The trust tree that we are building
* \param[in] data_chain The data chain containing the data for the trust tree
* \param[in] cur_rr The currently relevant DS RR
*/
void ldns_dnssec_derive_trust_tree_ds_rrset(
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain,
ldns_rr *cur_rr);
/**
* Sub function for derive_trust_tree that is used for DS rrsets
*
* \param[in] new_tree The trust tree that we are building
* \param[in] data_chain The data chain containing the data for the trust tree
* \param[in] cur_rr The currently relevant DS RR
* \param[in] check_time the time for which the validation is performed
*/
void ldns_dnssec_derive_trust_tree_ds_rrset_time(
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain,
ldns_rr *cur_rr, time_t check_time);
/**
* Sub function for derive_trust_tree that is used when there are no
* signatures
*
* \param[in] new_tree The trust tree that we are building
* \param[in] data_chain The data chain containing the data for the trust tree
*/
void ldns_dnssec_derive_trust_tree_no_sig(
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain);
/**
* Sub function for derive_trust_tree that is used when there are no
* signatures
*
* \param[in] new_tree The trust tree that we are building
* \param[in] data_chain The data chain containing the data for the trust tree
* \param[in] check_time the time for which the validation is performed
*/
void ldns_dnssec_derive_trust_tree_no_sig_time(
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain,
time_t check_time);
/**
* Returns OK if there is a trusted path in the tree to one of
* the DNSKEY or DS RRs in the given list
*
* \param *tree The trust tree so search
* \param *keys A ldns_rr_list of DNSKEY and DS rrs to look for
*
* \return LDNS_STATUS_OK if there is a trusted path to one of
* the keys, or the *first* error encountered
* if there were no paths
*/
ldns_status ldns_dnssec_trust_tree_contains_keys(
ldns_dnssec_trust_tree *tree,
ldns_rr_list *keys);
/**
* Verifies a list of signatures for one rrset.
*
* \param[in] rrset the rrset to verify
* \param[in] rrsig a list of signatures to check
* \param[in] keys a list of keys to check with
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
* from keys that validate one of the signatures
* are added to it
* \return status LDNS_STATUS_OK if there is at least one correct key
*/
ldns_status ldns_verify(ldns_rr_list *rrset,
ldns_rr_list *rrsig,
const ldns_rr_list *keys,
ldns_rr_list *good_keys);
/**
* Verifies a list of signatures for one rrset.
*
* \param[in] rrset the rrset to verify
* \param[in] rrsig a list of signatures to check
* \param[in] keys a list of keys to check with
* \param[in] check_time the time for which the validation is performed
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
* from keys that validate one of the signatures
* are added to it
* \return status LDNS_STATUS_OK if there is at least one correct key
*/
ldns_status ldns_verify_time(ldns_rr_list *rrset,
ldns_rr_list *rrsig,
const ldns_rr_list *keys,
time_t check_time,
ldns_rr_list *good_keys);
/**
* Verifies a list of signatures for one rrset, but disregard the time.
* Inception and Expiration are not checked.
*
* \param[in] rrset the rrset to verify
* \param[in] rrsig a list of signatures to check
* \param[in] keys a list of keys to check with
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
* from keys that validate one of the signatures
* are added to it
* \return status LDNS_STATUS_OK if there is at least one correct key
*/
ldns_status ldns_verify_notime(ldns_rr_list *rrset,
ldns_rr_list *rrsig,
const ldns_rr_list *keys,
ldns_rr_list *good_keys);
/**
* Tries to build an authentication chain from the given
* keys down to the queried domain.
*
* If we find a valid trust path, return the valid keys for the domain.
*
* \param[in] res the current resolver
* \param[in] domain the domain we want valid keys for
* \param[in] keys the current set of trusted keys
* \param[out] status pointer to the status variable where the result
* code will be stored
* \return the set of trusted keys for the domain, or NULL if no
* trust path could be built.
*/
ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res,
const ldns_rdf * domain,
const ldns_rr_list * keys,
ldns_status *status);
/**
* Tries to build an authentication chain from the given
* keys down to the queried domain.
*
* If we find a valid trust path, return the valid keys for the domain.
*
* \param[in] res the current resolver
* \param[in] domain the domain we want valid keys for
* \param[in] keys the current set of trusted keys
* \param[in] check_time the time for which the validation is performed
* \param[out] status pointer to the status variable where the result
* code will be stored
* \return the set of trusted keys for the domain, or NULL if no
* trust path could be built.
*/
ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res,
const ldns_rdf * domain, const ldns_rr_list * keys,
time_t check_time, ldns_status *status);
/**
* Validates the DNSKEY RRset for the given domain using the provided
* trusted keys.
*
* \param[in] res the current resolver
* \param[in] domain the domain we want valid keys for
* \param[in] keys the current set of trusted keys
* \return the set of trusted keys for the domain, or NULL if the RRSET
* could not be validated
*/
ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res,
const ldns_rdf *domain,
const ldns_rr_list *keys);
/**
* Validates the DNSKEY RRset for the given domain using the provided
* trusted keys.
*
* \param[in] res the current resolver
* \param[in] domain the domain we want valid keys for
* \param[in] keys the current set of trusted keys
* \param[in] check_time the time for which the validation is performed
* \return the set of trusted keys for the domain, or NULL if the RRSET
* could not be validated
*/
ldns_rr_list *ldns_validate_domain_dnskey_time(
const ldns_resolver *res, const ldns_rdf *domain,
const ldns_rr_list *keys, time_t check_time);
/**
* Validates the DS RRset for the given domain using the provided trusted keys.
*
* \param[in] res the current resolver
* \param[in] domain the domain we want valid keys for
* \param[in] keys the current set of trusted keys
* \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
*/
ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res,
const ldns_rdf *
domain,
const ldns_rr_list * keys);
/**
* Validates the DS RRset for the given domain using the provided trusted keys.
*
* \param[in] res the current resolver
* \param[in] domain the domain we want valid keys for
* \param[in] keys the current set of trusted keys
* \param[in] check_time the time for which the validation is performed
* \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
*/
ldns_rr_list *ldns_validate_domain_ds_time(
const ldns_resolver *res, const ldns_rdf *domain,
const ldns_rr_list * keys, time_t check_time);
/**
* Verifies a list of signatures for one RRset using a valid trust path.
*
* \param[in] res the current resolver
* \param[in] rrset the rrset to verify
* \param[in] rrsigs a list of signatures to check
* \param[out] validating_keys if this is a (initialized) list, the
* keys from keys that validate one of
* the signatures are added to it
* \return status LDNS_STATUS_OK if there is at least one correct key
*/
ldns_status ldns_verify_trusted(ldns_resolver *res,
ldns_rr_list *rrset,
ldns_rr_list *rrsigs,
ldns_rr_list *validating_keys);
/**
* Verifies a list of signatures for one RRset using a valid trust path.
*
* \param[in] res the current resolver
* \param[in] rrset the rrset to verify
* \param[in] rrsigs a list of signatures to check
* \param[in] check_time the time for which the validation is performed
* \param[out] validating_keys if this is a (initialized) list, the
* keys from keys that validate one of
* the signatures are added to it
* \return status LDNS_STATUS_OK if there is at least one correct key
*/
ldns_status ldns_verify_trusted_time(
ldns_resolver *res, ldns_rr_list *rrset,
ldns_rr_list *rrsigs, time_t check_time,
ldns_rr_list *validating_keys);
/**
* denial is not just a river in egypt
*
* \param[in] rr The (query) RR to check the denial of existence for
* \param[in] nsecs The list of NSEC RRs that are supposed to deny the
* existence of the RR
* \param[in] rrsigs The RRSIG RR covering the NSEC RRs
* \return LDNS_STATUS_OK if the NSEC RRs deny the existence, error code
* containing the reason they do not otherwise
*/
ldns_status ldns_dnssec_verify_denial(ldns_rr *rr,
ldns_rr_list *nsecs,
ldns_rr_list *rrsigs);
/**
* Denial of existence using NSEC3 records
* Since NSEC3 is a bit more complicated than normal denial, some
* context arguments are needed
*
* \param[in] rr The (query) RR to check the denial of existence for
* \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
* existence of the RR
* \param[in] rrsigs The RRSIG rr covering the NSEC RRs
* \param[in] packet_rcode The RCODE value of the packet that provided the
* NSEC3 RRs
* \param[in] packet_qtype The original query RR type
* \param[in] packet_nodata True if the providing packet had an empty ANSWER
* section
* \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
* containing the reason they do not otherwise
*/
ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
ldns_rr_list *nsecs,
ldns_rr_list *rrsigs,
ldns_pkt_rcode packet_rcode,
ldns_rr_type packet_qtype,
bool packet_nodata);
/**
* Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns
* the nsec rr that matched.
*
* \param[in] rr The (query) RR to check the denial of existence for
* \param[in] nsecs The list of NSEC3 RRs that are supposed to deny the
* existence of the RR
* \param[in] rrsigs The RRSIG rr covering the NSEC RRs
* \param[in] packet_rcode The RCODE value of the packet that provided the
* NSEC3 RRs
* \param[in] packet_qtype The original query RR type
* \param[in] packet_nodata True if the providing packet had an empty ANSWER
* section
* \param[in] match On match, the given (reference to a) pointer will be set
* to point to the matching nsec resource record.
* \return LDNS_STATUS_OK if the NSEC3 RRs deny the existence, error code
* containing the reason they do not otherwise
*/
ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
ldns_rr_list *nsecs,
ldns_rr_list *rrsigs,
ldns_pkt_rcode packet_rcode,
ldns_rr_type packet_qtype,
bool packet_nodata,
ldns_rr **match);
/**
* Verifies the already processed data in the buffers
* This function should probably not be used directly.
*
* \param[in] rawsig_buf Buffer containing signature data to use
* \param[in] verify_buf Buffer containing data to verify
* \param[in] key_buf Buffer containing key data to use
* \param[in] algo Signing algorithm
* \return status LDNS_STATUS_OK if the data verifies. Error if not.
*/
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
ldns_buffer *verify_buf,
ldns_buffer *key_buf,
uint8_t algo);
/**
* Like ldns_verify_rrsig_buffers, but uses raw data.
*
* \param[in] sig signature data to use
* \param[in] siglen length of signature data to use
* \param[in] verify_buf Buffer containing data to verify
* \param[in] key key data to use
* \param[in] keylen length of key data to use
* \param[in] algo Signing algorithm
* \return status LDNS_STATUS_OK if the data verifies. Error if not.
*/
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
size_t siglen,
ldns_buffer *verify_buf,
unsigned char* key,
size_t keylen,
uint8_t algo);
/**
* Verifies an rrsig. All keys in the keyset are tried.
* \param[in] rrset the rrset to check
* \param[in] rrsig the signature of the rrset
* \param[in] keys the keys to try
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
* from keys that validate one of the signatures
* are added to it
* \return a list of keys which validate the rrsig + rrset. Returns
* status LDNS_STATUS_OK if at least one key matched. Else an error.
*/
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
ldns_rr *rrsig,
const ldns_rr_list *keys,
ldns_rr_list *good_keys);
/**
* Verifies an rrsig. All keys in the keyset are tried.
* \param[in] rrset the rrset to check
* \param[in] rrsig the signature of the rrset
* \param[in] keys the keys to try
* \param[in] check_time the time for which the validation is performed
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
* from keys that validate one of the signatures
* are added to it
* \return a list of keys which validate the rrsig + rrset. Returns
* status LDNS_STATUS_OK if at least one key matched. Else an error.
*/
ldns_status ldns_verify_rrsig_keylist_time(
ldns_rr_list *rrset, ldns_rr *rrsig,
const ldns_rr_list *keys, time_t check_time,
ldns_rr_list *good_keys);
/**
* Verifies an rrsig. All keys in the keyset are tried. Time is not checked.
* \param[in] rrset the rrset to check
* \param[in] rrsig the signature of the rrset
* \param[in] keys the keys to try
* \param[out] good_keys if this is a (initialized) list, the pointer to keys
* from keys that validate one of the signatures
* are added to it
* \return a list of keys which validate the rrsig + rrset. Returns
* status LDNS_STATUS_OK if at least one key matched. Else an error.
*/
ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
ldns_rr *rrsig,
const ldns_rr_list *keys,
ldns_rr_list *good_keys);
/**
* verify an rrsig with 1 key
* \param[in] rrset the rrset
* \param[in] rrsig the rrsig to verify
* \param[in] key the key to use
* \return status message wether verification succeeded.
*/
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset,
ldns_rr *rrsig,
ldns_rr *key);
/**
* verify an rrsig with 1 key
* \param[in] rrset the rrset
* \param[in] rrsig the rrsig to verify
* \param[in] key the key to use
* \param[in] check_time the time for which the validation is performed
* \return status message wether verification succeeded.
*/
ldns_status ldns_verify_rrsig_time(
ldns_rr_list *rrset, ldns_rr *rrsig,
ldns_rr *key, time_t check_time);
#if LDNS_BUILD_CONFIG_HAVE_SSL
/**
* verifies a buffer with signature data for a buffer with rrset data
* with an EVP_PKEY
*
* \param[in] sig the signature data
* \param[in] rrset the rrset data, sorted and processed for verification
* \param[in] key the EVP key structure
* \param[in] digest_type The digest type of the signature
*/
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
ldns_buffer *rrset,
EVP_PKEY *key,
const EVP_MD *digest_type);
/**
* Like ldns_verify_rrsig_evp, but uses raw signature data.
* \param[in] sig the signature data, wireformat uncompressed
* \param[in] siglen length of the signature data
* \param[in] rrset the rrset data, sorted and processed for verification
* \param[in] key the EVP key structure
* \param[in] digest_type The digest type of the signature
*/
ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig,
size_t siglen,
ldns_buffer *rrset,
EVP_PKEY *key,
const EVP_MD *digest_type);
#endif
/**
* verifies a buffer with signature data (DSA) for a buffer with rrset data
* with a buffer with key data.
*
* \param[in] sig the signature data
* \param[in] rrset the rrset data, sorted and processed for verification
* \param[in] key the key data
*/
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
ldns_buffer *rrset,
ldns_buffer *key);
/**
* verifies a buffer with signature data (RSASHA1) for a buffer with rrset data
* with a buffer with key data.
*
* \param[in] sig the signature data
* \param[in] rrset the rrset data, sorted and processed for verification
* \param[in] key the key data
*/
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
ldns_buffer *rrset,
ldns_buffer *key);
/**
* verifies a buffer with signature data (RSAMD5) for a buffer with rrset data
* with a buffer with key data.
*
* \param[in] sig the signature data
* \param[in] rrset the rrset data, sorted and processed for verification
* \param[in] key the key data
*/
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
ldns_buffer *rrset,
ldns_buffer *key);
/**
* Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
* \param[in] sig raw uncompressed wireformat signature data
* \param[in] siglen length of signature data
* \param[in] rrset ldns buffer with prepared rrset data.
* \param[in] key raw uncompressed wireformat key data
* \param[in] keylen length of key data
*/
ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
size_t siglen,
ldns_buffer* rrset,
unsigned char* key,
size_t keylen);
/**
* Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
* \param[in] sig raw uncompressed wireformat signature data
* \param[in] siglen length of signature data
* \param[in] rrset ldns buffer with prepared rrset data.
* \param[in] key raw uncompressed wireformat key data
* \param[in] keylen length of key data
*/
ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
size_t siglen,
ldns_buffer* rrset,
unsigned char* key,
size_t keylen);
/**
* Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
* \param[in] sig raw uncompressed wireformat signature data
* \param[in] siglen length of signature data
* \param[in] rrset ldns buffer with prepared rrset data.
* \param[in] key raw uncompressed wireformat key data
* \param[in] keylen length of key data
*/
ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
size_t siglen,
ldns_buffer* rrset,
unsigned char* key,
size_t keylen);
/**
* Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
* \param[in] sig raw uncompressed wireformat signature data
* \param[in] siglen length of signature data
* \param[in] rrset ldns buffer with prepared rrset data.
* \param[in] key raw uncompressed wireformat key data
* \param[in] keylen length of key data
*/
ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
size_t siglen,
ldns_buffer* rrset,
unsigned char* key,
size_t keylen);
/**
* Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
* \param[in] sig raw uncompressed wireformat signature data
* \param[in] siglen length of signature data
* \param[in] rrset ldns buffer with prepared rrset data.
* \param[in] key raw uncompressed wireformat key data
* \param[in] keylen length of key data
*/
ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
size_t siglen,
ldns_buffer* rrset,
unsigned char* key,
size_t keylen);
#ifdef __cplusplus
}
#endif
#endif