1 /*
2 * This file is part of PowerDNS or dnsdist.
3 * Copyright -- PowerDNS.COM B.V. and its contributors
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
8 *
9 * In addition, for the avoidance of any doubt, permission is granted to
10 * link this program with OpenSSL and to (re)distribute the binaries
11 * produced as the result of such linking.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22 #ifndef PDNS_DNSSECINFRA_HH
23 #define PDNS_DNSSECINFRA_HH
24
#include "dnsrecords.hh"

#include <algorithm>
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

#include "misc.hh"
31
32 class UeberBackend;
33
34 // rules of the road: Algorithm must be set in 'make' for each KeyEngine, and will NEVER change!
35
/** Abstract interface to one DNSSEC key backend: signing, verifying, hashing
 *  and key import/export for a single DNSSEC algorithm number.
 *
 *  The algorithm is fixed at construction (d_algorithm is const) and never
 *  changes for the lifetime of the engine. Concrete backends are registered
 *  through report(); the make*() factories resolve them via the registries
 *  kept by getMakers() / getAllMakers().
 */
class DNSCryptoKeyEngine
{
public:
  /// Binds this engine to one DNSSEC algorithm number for its whole lifetime.
  explicit DNSCryptoKeyEngine(unsigned int algorithm) : d_algorithm(algorithm) {}
  virtual ~DNSCryptoKeyEngine() = default;
  /// Human-readable name of the concrete backend.
  virtual std::string getName() const = 0;

  /// Key material as name/value fields (ISC private-key file layout).
  using stormap_t = std::map<std::string, std::string>;
  /// Same fields as stormap_t, but order-preserving, for serialisation.
  using storvector_t = std::vector<std::pair<std::string, std::string>>;

  /// Key generation; `bits` is the requested key size (backend-defined meaning).
  virtual void create(unsigned int bits) = 0;
  virtual storvector_t convertToISCVector() const = 0;
  /// Serialises the key in ISC private-key format (defined in the .cc).
  std::string convertToISC() const;
  virtual std::string sign(const std::string& msg) const = 0;
  virtual std::string hash(const std::string& msg) const = 0;
  virtual bool verify(const std::string& msg, const std::string& signature) const = 0;

  virtual std::string getPubKeyHash() const = 0;
  virtual std::string getPublicKeyString() const = 0;
  virtual int getBits() const = 0;

  virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap) = 0;
  /// Imports a PEM-encoded key. Not every backend supports PEM, so the base
  /// implementation rejects the request.
  /// @throws std::runtime_error unless a backend overrides this.
  virtual void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)
  {
    throw std::runtime_error("Can't import from PEM string");
  }
  virtual void fromPublicKeyString(const std::string& content) = 0;
  /// Consistency check of the loaded key material. The base implementation
  /// performs no check at all and reports success, so a backend that can
  /// validate its key only gets that validation by overriding this.
  virtual bool checkKey() const
  {
    return true;
  }

  /// Factories building an engine from key material in the given form.
  /// Each returns a raw pointer; this header does not state ownership.
  /// DNSSECPrivateKey::setKey() takes a shared_ptr, so callers presumably
  /// wrap the result — confirm against the .cc before relying on that.
  static DNSCryptoKeyEngine* makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
  static DNSCryptoKeyEngine* makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
  static DNSCryptoKeyEngine* makeFromPEMString(DNSKEYRecordContent& drc, const std::string& raw);
  static DNSCryptoKeyEngine* makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
  static DNSCryptoKeyEngine* make(unsigned int algorithm);

  /// Signature of a backend factory function: algorithm number in, engine out.
  using maker_t = DNSCryptoKeyEngine*(unsigned int algorithm);

  /// Registers `maker` for `algorithm`; the role of `fallback` is defined in the .cc.
  static void report(unsigned int algorithm, maker_t* maker, bool fallback = false);
  /// Cross-checks three backends for one algorithm; the meaning of the two
  /// returned counters is defined in the .cc.
  static std::pair<unsigned int, unsigned int> testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);
  static std::vector<std::pair<uint8_t, std::string>> listAllAlgosWithBackend();
  static bool testAll();
  static bool testOne(int algo);

private:
  using makers_t = std::map<unsigned int, maker_t*>;
  using allmakers_t = std::map<unsigned int, std::vector<maker_t*>>;

  /// Primary registry: one maker per algorithm number, created on first use.
  static makers_t& getMakers()
  {
    static makers_t registry;
    return registry;
  }
  /// Every maker reported for an algorithm number (presumably including the
  /// ones reported with fallback=true — confirm in report()'s definition).
  static allmakers_t& getAllMakers()
  {
    static allmakers_t fullRegistry;
    return fullRegistry;
  }

protected:
  const unsigned int d_algorithm;
};
96
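/** A private DNSSEC key together with the DNSKEY metadata (flags, algorithm)
 *  published for it. The cryptographic work is delegated to a shared
 *  DNSCryptoKeyEngine.
 *
 *  d_flags and d_algorithm are zero-initialised so that a freshly declared
 *  object never carries indeterminate values into getTag()/getDNSKEY() if a
 *  caller forgets to set them.
 */
struct DNSSECPrivateKey
{
  /// Key tag of the DNSKEY (presumably per RFC 4034 Appendix B; defined in the .cc).
  uint16_t getTag();

  /// Non-owning view of the engine; nullptr until setKey() has been called.
  const DNSCryptoKeyEngine* getKey() const
  {
    return d_key.get();
  }

  /// Shares ownership of `key`; the engine lives as long as any holder does.
  void setKey(const shared_ptr<DNSCryptoKeyEngine> key)
  {
    d_key = key;
  }
  /// DNSKEY record content (public key, flags, algorithm) for publication (defined in the .cc).
  DNSKEYRecordContent getDNSKEY() const;

  uint16_t d_flags{0};    // DNSKEY flags field (256 = ZSK, 257 = KSK in common use)
  uint8_t d_algorithm{0}; // DNSSEC algorithm number; expected to match the engine's

private:
  shared_ptr<DNSCryptoKeyEngine> d_key;
};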
118
119
120
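/** Orders two dotted names hierarchically: label sequences are compared from
 *  the root label inwards, so "a.example" sorts before "b.example" and both
 *  sort after "example". Splitting is delegated to stringtok() from misc.hh.
 *
 *  Labels are compared byte-wise as std::string, i.e. case-sensitively.
 *  NOTE(review): RFC 4034 canonical ordering is case-insensitive, so callers
 *  are presumably expected to pass lowercased names — confirm at call sites.
 */
struct CanonicalCompare
{
  // Typedefs formerly inherited from std::binary_function, which C++17
  // removes; kept so adaptors that rely on them still compile.
  typedef std::string first_argument_type;
  typedef std::string second_argument_type;
  typedef bool result_type;

  /// Strict weak ordering: true when `a` sorts before `b`. Declared const so
  /// the functor is usable through const references and const containers.
  bool operator()(const std::string& a, const std::string& b) const
  {
    std::vector<std::string> labelsA;
    std::vector<std::string> labelsB;
    stringtok(labelsA, a, ".");
    stringtok(labelsB, b, ".");

    // Most significant label (nearest the root) first.
    std::reverse(labelsA.begin(), labelsA.end());
    std::reverse(labelsB.begin(), labelsB.end());

    return labelsA < labelsB;
  }
};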
135
/// Ordering predicate over two record contents, presumably the canonical
/// RDATA order used when sorting an RRset before signing — see the .cc.
bool sharedDNSSECCompare(const std::shared_ptr<DNSRecordContent>& a, const shared_ptr<DNSRecordContent>& b);
/// Builds the byte string an RRSIG for `signRecords` is computed over.
/// `signRecords` is non-const, so the implementation may reorder it in
/// place — TODO confirm. `processRRSIGLabels` presumably relates to the
/// RRSIG labels field (wildcard handling); verify in the .cc.
string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, std::vector<std::shared_ptr<DNSRecordContent> >& signRecords, bool processRRSIGLabels = false);

/// Derives a DS record for `drc`. `digest` is a DS digest type number; the
/// default 1 is SHA-1 in the IANA DS digest registry, which current guidance
/// (RFC 8624) no longer recommends for new delegations — SHA-256 is 2.
/// Confirm that the .cc maps these numbers the same way before relying on it.
DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, int digest=1);


class RSAContext;
class DNSSECKeeper;
struct DNSSECPrivateKey;

/// Signs `toSign` with `dpk` and stores the result in `rrc` (out-param); the
/// remaining RRSIG fields are presumably filled in by the caller beforehand.
void fillOutRRSIG(DNSSECPrivateKey& dpk, const DNSName& signQName, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign);
/// Epoch-seconds value aligned to a week boundary — presumably the base for
/// RRSIG inception/expiration; the exact rounding is defined in the .cc.
uint32_t getStartOfWeek();
/// Signs `toSign` for (signQName, signQType) and appends the resulting RRSIG
/// resource records to `outsigned`. Note that `signQName` is taken by value
/// while the other names are const references.
void addSignature(DNSSECKeeper& dk, UeberBackend& db, const DNSName& signer, const DNSName signQName, const DNSName& wildcardname, uint16_t signQType, uint32_t signTTL, DNSResourceRecord::Place signPlace,
vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
/// Like addSignature() but returns the RRSIGs as record contents in `rrc`;
/// the meaning of the int return value is defined in the .cc.
int getRRSIGsForRRSET(DNSSECKeeper& dk, const DNSName& signer, const DNSName signQName, uint16_t signQType, uint32_t signTTL,
vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc);

/// NSEC3 owner-name hashing: hashes `qname` with a salt and iteration count,
/// taken either from an NSEC3PARAM record or given directly.
/// NOTE(review): the iteration count is caller-supplied; large counts
/// multiply CPU cost for signer and validator alike (RFC 9276 recommends 0),
/// so callers should bound it before calling.
string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);
/// Splits a DER SEQUENCE of INTEGERs into the raw INTEGER contents in `output`.
/// `input` may originate from the wire (e.g. a received signature) — confirm
/// that the parser bounds-checks every length it reads.
void decodeDERIntegerSequence(const std::string& input, vector<string>& output);
class DNSPacket;
/// Adds RRSIGs for the records in `rrs`; `authMap` is presumably the set of
/// names the backend is authoritative for — confirm in the .cc.
void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSZoneRecord>& rrs);

/// Appends a TSIG record computed over the packet in `pw`. `tsigprevious`
/// presumably carries the previous message's MAC for TCP continuation and
/// `timersonly` selects the reduced "timers only" digest variant — confirm.
void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
/// Verifies the TSIG on `packet` (record at `sigPos`) against `theirMAC`;
/// `previousMAC` chains continuation messages and `dnsHeaderOffset` shifts
/// the start of the DNS header within `packet` (presumably — confirm).
/// NOTE(review): the MAC comparison in the .cc should be constant-time;
/// verify rather than assume.
bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);

/// Reports a size figure for the signature cache; the role of `str` is defined in the .cc.
uint64_t signatureCacheSize(const std::string& str);
163 #endif