virtual storvector_t convertToISCVector() const =0;
std::string convertToISC() const ;
virtual std::string sign(const std::string& msg) const =0;
- virtual std::string hash(const std::string& msg) const =0;
+ virtual std::string hash(const std::string& msg) const
+ {
+ throw std::runtime_error("hash() function not implemented");
+ return msg;
+ }
virtual bool verify(const std::string& msg, const std::string& signature) const =0;
virtual std::string getPubKeyHash()const =0;
virtual std::string getPublicKeyString()const =0;
virtual int getBits() const =0;
+ virtual unsigned int getAlgorithm() const
+ {
+ return d_algorithm;
+ }
virtual void fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap)=0;
virtual void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)
throw std::runtime_error("Can't import from PEM string");
}
virtual void fromPublicKeyString(const std::string& content) = 0;
- virtual bool checkKey() const
+ virtual bool checkKey(vector<string> *errorMessages = nullptr) const
{
return true;
}
- static DNSCryptoKeyEngine* makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
- static DNSCryptoKeyEngine* makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
- static DNSCryptoKeyEngine* makeFromPEMString(DNSKEYRecordContent& drc, const std::string& raw);
- static DNSCryptoKeyEngine* makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
- static DNSCryptoKeyEngine* make(unsigned int algorithm);
+ static shared_ptr<DNSCryptoKeyEngine> makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
+ static shared_ptr<DNSCryptoKeyEngine> makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
+ static shared_ptr<DNSCryptoKeyEngine> makeFromPEMString(DNSKEYRecordContent& drc, const std::string& raw);
+ static shared_ptr<DNSCryptoKeyEngine> makeFromPublicKeyString(unsigned int algorithm, const std::string& raw);
+ static shared_ptr<DNSCryptoKeyEngine> make(unsigned int algorithm);
+ static bool isAlgorithmSupported(unsigned int algo);
+ static bool isDigestSupported(uint8_t digest);
- typedef DNSCryptoKeyEngine* maker_t(unsigned int algorithm);
+ typedef shared_ptr<DNSCryptoKeyEngine> maker_t(unsigned int algorithm);
static void report(unsigned int algorithm, maker_t* maker, bool fallback=false);
static std::pair<unsigned int, unsigned int> testMakers(unsigned int algorithm, maker_t* creator, maker_t* signer, maker_t* verifier);
struct DNSSECPrivateKey
{
- uint16_t getTag();
+ uint16_t getTag() const
+ {
+ return getDNSKEY().getTag();
+ }
- const DNSCryptoKeyEngine* getKey() const
+ const shared_ptr<DNSCryptoKeyEngine> getKey() const
{
- return d_key.get();
+ return d_key;
}
void setKey(const shared_ptr<DNSCryptoKeyEngine> key)
{
d_key = key;
+ d_algorithm = key->getAlgorithm();
}
DNSKEYRecordContent getDNSKEY() const;
}
};
-bool sharedDNSSECCompare(const std::shared_ptr<DNSRecordContent>& a, const shared_ptr<DNSRecordContent>& b);
string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, std::vector<std::shared_ptr<DNSRecordContent> >& signRecords, bool processRRSIGLabels = false);
-DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, int digest=1);
-
+DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest);
-class RSAContext;
class DNSSECKeeper;
-struct DNSSECPrivateKey;
-void fillOutRRSIG(DNSSECPrivateKey& dpk, const DNSName& signQName, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign);
uint32_t getStartOfWeek();
-void addSignature(DNSSECKeeper& dk, UeberBackend& db, const DNSName& signer, const DNSName signQName, const DNSName& wildcardname, uint16_t signQType, uint32_t signTTL, DNSResourceRecord::Place signPlace,
- vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
-int getRRSIGsForRRSET(DNSSECKeeper& dk, const DNSName& signer, const DNSName signQName, uint16_t signQType, uint32_t signTTL,
- vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc);
string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const DNSName& qname);
-void decodeDERIntegerSequence(const std::string& input, vector<string>& output);
-class DNSPacket;
+
+void incrementHash(std::string& raw);
+void decrementHash(std::string& raw);
+
void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSZoneRecord>& rrs);
-string calculateHMAC(const std::string& key, const std::string& text, TSIGHashEnum hash);
-bool constantTimeStringEquals(const std::string& a, const std::string& b);
+void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
+bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);
-string makeTSIGMessageFromTSIGPacket(const string& opacket, unsigned int tsigoffset, const DNSName& keyname, const TSIGRecordContent& trc, const string& previous, bool timersonly, unsigned int dnsHeaderOffset=0);
-void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
uint64_t signatureCacheSize(const std::string& str);
#endif