summaryrefslogtreecommitdiffstats
path: root/src/libdnssec/keystore.h
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/libdnssec/keystore.h297
1 files changed, 297 insertions, 0 deletions
diff --git a/src/libdnssec/keystore.h b/src/libdnssec/keystore.h
new file mode 100644
index 0000000..2382518
--- /dev/null
+++ b/src/libdnssec/keystore.h
@@ -0,0 +1,297 @@
+/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+/*!
+ * \file
+ *
+ * \addtogroup keystore
+ *
+ * \brief Private key store access.
+ *
+ * The module provides abstraction for private key store. Basically, PKCS #8
+ * and PKCS #11 interfaces are supported.
+ *
+ * PKCS #8 uses unencrypted PEM, and allows implementation of custom stores.
+ *
+ * PKCS #11 provides access Hardware Security Modules.
+ *
+ * Example of using default PKCS #8 and to generate an RSA key:
+ *
+ * ~~~~~ {.c}
+ *
+ * int result;
+ * dnssec_keystore_t *store = NULL;
+ *
+ * // create key store access context
+ * dnssec_keystore_init_pkcs8_dir(&store);
+ *
+ * // open the key store
+ * result = dnssec_keystore_open(&store, "/path/to/keydb");
+ * if (result != DNSSEC_EOK) {
+ * return result;
+ * }
+ *
+ * // generate new private key in the key store
+ * int algorithm = DNSSEC_KEY_ALGORITHM_RSA_SHA256;
+ * unsigned bits = 2048;
+ * char *id = NULL;
+ * int dnssec_keystore_generate_key(store, algorithm, bits, &key_id);
+ * if (result != DNSSEC_EOK) {
+ * dnssec_keystore_close(store);
+ * return result;
+ * }
+ * printf("ID of the new key: %s\n", key_id);
+ *
+ * // create new signing key
+ * dnssec_key_t *key = NULL;
+ * result = dnssec_key_new(&key);
+ * if (result != DNSSEC_EOK) {
+ * free(key_id);
+ * dnssec_keystore_close(store);
+ * return result;
+ * }
+ *
+ * // import the key from the key store
+ * result = dnssec_key_import_keystore(key, store, key_id, algorithm);
+ * if (result != DNSSEC_EOK) {
+ * free(key_id);
+ * dnssec_key_free(key);
+ * dnssec_keystore_close(store);
+ * return result;
+ * }
+ *
+ * // use the key for signing ...
+ *
+ * // cleanup
+ * free(key_id);
+ * dnssec_key_free(key);
+ * dnssec_keystore_close(store);
+ * dnssec_keystore_deinit(store);
+ *
+ * ~~~~~
+ * @{
+ */
+
+#pragma once
+
+#include <libdnssec/binary.h>
+#include <libdnssec/key.h>
+#include <libdnssec/list.h>
+
+struct dnssec_keystore;
+
+/*!
+ * DNSSEC private keys store.
+ */
+typedef struct dnssec_keystore dnssec_keystore_t;
+
+/*!
+ * PKCS #8 key store callback functions for custom providers.
+ */
+typedef struct dnssec_keystore_pkcs8_functions {
+ /*!
+ * Callback to allocate key store handle.
+ *
+ * \param[out] handle_ptr Allocated key store handle.
+ */
+ int (*handle_new)(void **handle_ptr);
+
+ /*!
+ * Callback to deallocate key store handle.
+ *
+ * \param handle Key store handle.
+ */
+ int (*handle_free)(void *handle);
+
+ /*!
+ * Callback to initialize the key store.
+ *
+ * \param handle Key store handle.
+ * \param config Configuration string.
+ */
+ int (*init)(void *handle, const char *config);
+
+ /*!
+ * Callback to open the key store.
+ *
+ * \param[out] handle Key store handle.
+ * \param[in] config Configuration string.
+ */
+ int (*open)(void *handle, const char *config);
+
+ /*!
+ * Callback to close the key store.
+ *
+ * \param handle Key store handle.
+ */
+ int (*close)(void *handle);
+
+ /*!
+ * Callback to read a PEM key.
+ *
+ * \param[in] handle Key store handle.
+ * \param[in] id Key ID of the key to be retrieved (ASCII form).
+ * \param[out] pem Key material in uncencrypted PEM format.
+ */
+ int (*read)(void *handle, const char *id, dnssec_binary_t *pem);
+
+ /*!
+ * Callback to write a PEM key.
+ *
+ * \param handle Key store handle.
+ * \param id Key ID of the key to be saved (ASCII form).
+ * \param pem Key material in unencrypted PEM format.
+ */
+ int (*write)(void *handle, const char *id, const dnssec_binary_t *pem);
+
+ /*!
+ * Callback to get a list of all PEM key IDs.
+ *
+ * \param[in] handle Key store handle.
+ * \param[out] list Allocated list of key IDs.
+ */
+ int (*list)(void *handle, dnssec_list_t **list);
+
+ /*!
+ * Callback to remove a PEM key.
+ *
+ * \param handle Key store handle.
+ * \param id Key ID of the key to be removed (ASCII form).
+ */
+ int (*remove)(void *handle, const char *id);
+} dnssec_keystore_pkcs8_functions_t;
+
+/*!
+ * Create default PKCS #8 private key store context.
+ *
+ * The default store maintains the private keys in one directory on the file
+ * system. The private keys are stored in unencrypted PEM format, named
+ * key-id.pem. The configuration string is a path to the directory.
+ *
+ * \param[out] store Opened key store.
+ *
+ * \return Error code, DNSSEC_EOK if successful.
+ */
+int dnssec_keystore_init_pkcs8_dir(dnssec_keystore_t **store);
+
+/*!
+ * Create custom PKCS #8 private key store context.
+ *
+ * \param[out] store Opened key store.
+ * \param[in] impl Implementation of the key store provider.
+ *
+ * \return Error code, DNSSEC_EOK if successful.
+ */
+int dnssec_keystore_init_pkcs8_custom(dnssec_keystore_t **store,
+ const dnssec_keystore_pkcs8_functions_t *impl);
+
+/*!
+ * Crate new PKCS #11 private key store context.
+ *
+ * \param[out] store Opened key store.
+ *
+ * \return Error code, DNSSEC_EOK if successful.
+ */
+int dnssec_keystore_init_pkcs11(dnssec_keystore_t **store);
+
+/*!
+ * Deinitialize private key store context.
+ *
+ * \param store Key store to be deinitialized.
+ */
+int dnssec_keystore_deinit(dnssec_keystore_t *store);
+
+/*!
+ * Initialize new private key store.
+ */
+int dnssec_keystore_init(dnssec_keystore_t *store, const char *config);
+
+/*!
+ * Open private key store.
+ */
+int dnssec_keystore_open(dnssec_keystore_t *store, const char *config);
+
+/*!
+ * Close private key store.
+ *
+ * \param store Key store to be closed.
+ *
+ * \return Error code, DNSSEC_EOK if successful.
+ */
+int dnssec_keystore_close(dnssec_keystore_t *store);
+
+/*!
+ * Get a list of key IDs stored in the key store.
+ *
+ * \todo Not implemented.
+ *
+ * \param[in] store Key store.
+ * \param[out] list Resulting list of key IDs.
+ *
+ * \return Error code, DNSSEC_EOK if successful.
+ */
+int dnssec_keystore_list_keys(dnssec_keystore_t *store, dnssec_list_t **list);
+
+/*!
+ * Generate a new key in the key store.
+ *
+ * \param[in] store Key store.
+ * \param[in] algorithm Algorithm.
+ * \param[in] bits Bit length of the key to be generated.
+ * \param[out] id_ptr ID of the generated key. Must be freed by the caller.
+ *
+ * \return Error code, DNSSEC_EOK if successful.
+ */
+int dnssec_keystore_generate_key(dnssec_keystore_t *store,
+ dnssec_key_algorithm_t algorithm,
+ unsigned bits, char **id_ptr);
+
+/*!
+ * Import an existing key into the key store.
+ *
+ * \param[in] store Key store.
+ * \param[in] pem Private key material in PEM format.
+ * \param[out] id_ptr ID of the imported key. Must be freed by the caller.
+ *
+ * \return Error code, DNSSEC_EOK if successful.
+ */
+int dnssec_keystore_import(dnssec_keystore_t *store, const dnssec_binary_t *pem,
+ char **id_ptr);
+
+/*!
+ * Remove a private key from the key store.
+ *
+ * \param store Key store.
+ * \param id ID of the private key to be deleted.
+ *
+ * \return Error code, DNSSEC_EOK if successful.
+ */
+int dnssec_keystore_remove_key(dnssec_keystore_t *store, const char *id);
+
+/*!
+ * Import public and/or private key from the key store into a DNSSEC key.
+ *
+ * The key algorithm has to be set before calling this function.
+ *
+ * \param key DNSSEC key to be initialized.
+ * \param keystore Private key store.
+ * \param id ID of the key.
+ *
+ * \return Error code, DNSSEC_EOK if successful.
+ */
+int dnssec_key_import_keystore(dnssec_key_t *key, dnssec_keystore_t *keystore,
+ const char *id);
+
+/*! @} */