2 * This file is part of PowerDNS or dnsdist.
3 * Copyright -- PowerDNS.COM B.V. and its contributors
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
9 * In addition, for the avoidance of any doubt, permission is granted to
10 * link this program with OpenSSL and to (re)distribute the binaries
11 * produced as the result of such linking.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "dnsrecords.hh"
33 // rules of the road: Algorithm must be set in 'make' for each KeyEngine, and will NEVER change!
35 class DNSCryptoKeyEngine
38 explicit DNSCryptoKeyEngine(unsigned int algorithm) : d_algorithm(algorithm) {}
39 virtual ~DNSCryptoKeyEngine() {};
40 [[nodiscard]] virtual string getName() const = 0;
42 using stormap_t = std::map<std::string, std::string>;
43 using storvector_t = std::vector<std::pair<std::string, std::string>>;
44 virtual void create(unsigned int bits)=0;
46 virtual void createFromPEMFile(DNSKEYRecordContent& /* drc */, std::FILE& /* inputFile */, const std::optional<std::reference_wrapper<const std::string>> filename = std::nullopt)
48 if (filename.has_value()) {
49 throw std::runtime_error("Can't create key from PEM file `" + filename->get() + "`");
52 throw std::runtime_error("Can't create key from PEM contents");
56 * \brief Creates a key engine from a PEM string.
58 * Receives PEM contents and creates a key engine.
60 * \param[in] drc Key record contents to be populated.
62 * \param[in] contents The PEM string contents.
64 * \return A key engine populated with the contents of the PEM string.
66 void createFromPEMString(DNSKEYRecordContent& drc, const std::string& contents)
68 // NOLINTNEXTLINE(*-cast): POSIX APIs.
69 unique_ptr<std::FILE, decltype(&std::fclose)> inputFile{fmemopen(const_cast<char*>(contents.data()), contents.length(), "r"), &std::fclose};
70 createFromPEMFile(drc, *inputFile);
73 [[nodiscard]] virtual storvector_t convertToISCVector() const =0;
74 [[nodiscard]] std::string convertToISC() const ;
76 virtual void convertToPEMFile(std::FILE& /* outputFile */) const
78 throw std::runtime_error(getName() + ": Conversion to PEM not supported");
82 * \brief Converts the key into a PEM string.
84 * \return A string containing the key's PEM contents.
86 [[nodiscard]] auto convertToPEMString() const -> std::string
88 const size_t buflen = 4096;
91 output.resize(buflen);
92 unique_ptr<std::FILE, decltype(&std::fclose)> outputFile{fmemopen(output.data(), output.length() - 1, "w"), &std::fclose};
93 convertToPEMFile(*outputFile);
94 std::fflush(outputFile.get());
95 output.resize(std::ftell(outputFile.get()));
100 [[nodiscard]] virtual std::string sign(const std::string& msg) const =0;
102 [[nodiscard]] virtual std::string hash(const std::string& msg) const
104 throw std::runtime_error("hash() function not implemented");
108 [[nodiscard]] virtual bool verify(const std::string& msg, const std::string& signature) const =0;
110 [[nodiscard]] virtual std::string getPublicKeyString()const =0;
111 [[nodiscard]] virtual int getBits() const =0;
112 [[nodiscard]] virtual unsigned int getAlgorithm() const
117 virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap) = 0;
118 virtual void fromPublicKeyString(const std::string& content) = 0;
120 [[nodiscard]] virtual bool checkKey(std::optional<std::reference_wrapper<std::vector<std::string>>> /* errorMessages */ = std::nullopt) const
125 static std::unique_ptr<DNSCryptoKeyEngine> makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
128 * \brief Creates a key engine from a PEM file.
130 * Receives an open file handle with PEM contents and creates a key engine
131 * corresponding to the algorithm requested.
133 * \param[in] drc Key record contents to be populated.
135 * \param[in] algorithm Which algorithm to use. See
136 * https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
138 * \param[in] fp An open file handle to a file containing PEM contents.
140 * \param[in] filename Only used for providing filename information in error messages.
142 * \return A key engine corresponding to the requested algorithm and populated with
143 * the contents of the PEM file.
145 static std::unique_ptr<DNSCryptoKeyEngine> makeFromPEMFile(DNSKEYRecordContent& drc, uint8_t algorithm, std::FILE& inputFile, const std::string& filename);
148 * \brief Creates a key engine from a PEM string.
150 * Receives PEM contents and creates a key engine corresponding to the algorithm
153 * \param[in] drc Key record contents to be populated.
155 * \param[in] algorithm Which algorithm to use. See
156 * https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
158 * \param[in] contents The PEM contents.
160 * \return A key engine corresponding to the requested algorithm and populated with
161 * the contents of the PEM string.
163 static std::unique_ptr<DNSCryptoKeyEngine> makeFromPEMString(DNSKEYRecordContent& drc, uint8_t algorithm, const std::string& contents);
165 static std::unique_ptr<DNSCryptoKeyEngine> makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
166 static std::unique_ptr<DNSCryptoKeyEngine> makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
167 static std::unique_ptr<DNSCryptoKeyEngine> make(unsigned int algorithm);
168 static bool isAlgorithmSupported(unsigned int algo);
169 static bool isAlgorithmSwitchedOff(unsigned int algo);
170 static void switchOffAlgorithm(unsigned int algo);
171 static bool isDigestSupported(uint8_t digest);
173 using maker_t = std::unique_ptr<DNSCryptoKeyEngine> (unsigned int);
175 static void report(unsigned int algorithm, maker_t* maker, bool fallback=false);
176 static void testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);
177 static vector<pair<uint8_t, string>> listAllAlgosWithBackend();
178 static bool testAll();
179 static bool testOne(int algo);
180 static bool verifyOne(unsigned int algo);
181 static bool testVerify(unsigned int algo, maker_t* verifier);
182 static string listSupportedAlgoNames();
185 using makers_t = std::map<unsigned int, maker_t *>;
186 using allmakers_t = std::map<unsigned int, vector<maker_t *>>;
187 static makers_t& getMakers()
189 static makers_t s_makers;
192 static allmakers_t& getAllMakers()
194 static allmakers_t s_allmakers;
197 // Must be set before going multi-threaded and not changed after that
198 static std::unordered_set<unsigned int> s_switchedOff;
201 const unsigned int d_algorithm;
204 struct DNSSECPrivateKey
206 uint16_t getTag() const
208 return getDNSKEY().getTag();
211 const std::shared_ptr<DNSCryptoKeyEngine>& getKey() const
216 // be aware that calling setKey() will also set the algorithm
217 void setKey(std::shared_ptr<DNSCryptoKeyEngine>& key, uint16_t flags, std::optional<uint8_t> algorithm = std::nullopt)
221 d_algorithm = algorithm ? *algorithm : d_key->getAlgorithm();
225 // be aware that calling setKey() will also set the algorithm
226 void setKey(std::unique_ptr<DNSCryptoKeyEngine>&& key, uint16_t flags, std::optional<uint8_t> algorithm = std::nullopt)
228 d_key = std::move(key);
230 d_algorithm = algorithm ? *algorithm : d_key->getAlgorithm();
234 const DNSKEYRecordContent& getDNSKEY() const;
236 uint16_t getFlags() const
241 uint8_t getAlgorithm() const
247 void computeDNSKEY();
249 DNSKEYRecordContent d_dnskey;
250 std::shared_ptr<DNSCryptoKeyEngine> d_key;
252 uint8_t d_algorithm{0};
257 struct CanonicalCompare
259 bool operator()(const std::string& a, const std::string& b) {
260 std::vector<std::string> avect, bvect;
262 stringtok(avect, a, ".");
263 stringtok(bvect, b, ".");
265 reverse(avect.begin(), avect.end());
266 reverse(bvect.begin(), bvect.end());
268 return avect < bvect;
272 struct sharedDNSSECRecordCompare {
273 bool operator() (const shared_ptr<const DNSRecordContent>& a, const shared_ptr<const DNSRecordContent>& b) const {
274 return a->serialize(g_rootdnsname, true, true) < b->serialize(g_rootdnsname, true, true);
278 typedef std::set<std::shared_ptr<const DNSRecordContent>, sharedDNSSECRecordCompare> sortedRecords_t;
280 string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, const sortedRecords_t& signRecords, bool processRRSIGLabels = false, bool includeRRSIG_RDATA = true);
282 DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest);
286 uint32_t getStartOfWeek();
288 string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
289 string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);
291 void incrementHash(std::string& raw);
292 void decrementHash(std::string& raw);
294 void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSZoneRecord>& rrs);
296 void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
297 bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);
299 uint64_t signatureCacheSize(const std::string& str);