diff options
Diffstat (limited to 'src/libdnssec/sign.h')
-rw-r--r-- | src/libdnssec/sign.h | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/src/libdnssec/sign.h b/src/libdnssec/sign.h new file mode 100644 index 0000000..4313533 --- /dev/null +++ b/src/libdnssec/sign.h @@ -0,0 +1,137 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ +/*! + * \file + * + * \addtogroup sign + * + * \brief DNSSEC signing API + * + * The module provides the low level DNSSEC signing and verification. + * + * Example of signature validation: + * + * ~~~~~ {.c} + * + * dnssec_key_t *dnskey = // ... ; + * dnssec_binary_t *rrsig_header = // ... ; + * dnssec_binary_t *covered_rdata = // ... ; + * dnssec_binary_t *signature = // ... ; + * + * int result; + * dnssec_sign_ctx_t *ctx = NULL; + * + * result = dnssec_sign_new(&ctx, dnskey); + * if (result != DNSSEC_EOK) { + * return result; + * } + * + * dnssec_sign_add(ctx, rrsig_header); + * dnssec_sign_add(ctx, covered_rdata); + * + * result = dnssec_sign_verify(ctx, signature); + * if (result == DNSSEC_EOK) { + * // valid signature + * } else if (result == DNSSEC_INVALID_SIGNATURE) { + * // invalid signature + * } else { + * // error + * } + * + * dnssec_sign_free(ctx); + * + * ~~~~~ + * + * + * @{ + */ + +#pragma once + +#include <stdint.h> +#include <stdlib.h> + +#include <libdnssec/binary.h> +#include <libdnssec/key.h> + +struct dnssec_sign_ctx; + +/*! + * DNSSEC signing context. + */ +typedef struct dnssec_sign_ctx dnssec_sign_ctx_t; + +/*! + * Create new DNSSEC signing context. + * + * \note \ref dnssec_sign_init is called as a part of this function. + * + * \param ctx_ptr Pointer to context to be allocated. + * \param key DNSSEC key to be used. + * + * \return Error code, DNSSEC_EOK if successful. + */ +int dnssec_sign_new(dnssec_sign_ctx_t **ctx_ptr, const dnssec_key_t *key); + +/*! + * Free DNSSEC signing context. + * + * \param ctx Signing context to be freed. + */ +void dnssec_sign_free(dnssec_sign_ctx_t *ctx); + +/*! + * Reinitialize DNSSEC signing context to start a new operation. + * + * \param ctx Signing context. + * + * \return Error code, DNSSEC_EOK if successful. + */ +int dnssec_sign_init(dnssec_sign_ctx_t *ctx); + +/*! + * Add data to be covered by DNSSEC signature. + * + * \param ctx Signing context. + * \param data Data to be signed. + * + * \return Error code, DNSSEC_EOK if successful. + */ +int dnssec_sign_add(dnssec_sign_ctx_t *ctx, const dnssec_binary_t *data); + +/*! + * Write down the DNSSEC signature. + * + * \param ctx Signing context. + * \param signature Signature to be allocated and written. + * + * \return Error code, DNSSEC_EOK if successful. + */ +int dnssec_sign_write(dnssec_sign_ctx_t *ctx, dnssec_binary_t *signature); + +/*! + * Verify DNSSEC signature. + * + * \param ctx Signing context. + * \param signature Signature to be verified. + * + * \return Error code. + * \retval DNSSEC_EOK Validation successful, valid signature. + * \retval DNSSEC_INVALID_SIGNATURE Validation successful, invalid signature. + */ +int dnssec_sign_verify(dnssec_sign_ctx_t *ctx, const dnssec_binary_t *signature); + +/** @} */ |