/* if rr is null, take the first from the rrset */
ldns_dnssec_trust_tree *
-ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
+ldns_dnssec_derive_trust_tree_time(
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *rr,
+ time_t check_time
+ )
{
ldns_rr_list *cur_rrset;
ldns_rr_list *cur_sigs;
}
/* option 1 */
if (data_chain->parent) {
- ldns_dnssec_derive_trust_tree_normal_rrset(
+ ldns_dnssec_derive_trust_tree_normal_rrset_time(
new_tree,
data_chain,
- cur_sig_rr);
+ cur_sig_rr,
+ check_time);
}
/* option 2 */
- ldns_dnssec_derive_trust_tree_dnskey_rrset(
+ ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
new_tree,
data_chain,
cur_rr,
- cur_sig_rr);
+ cur_sig_rr,
+ check_time);
}
- ldns_dnssec_derive_trust_tree_ds_rrset(new_tree,
- data_chain,
- cur_rr);
+ ldns_dnssec_derive_trust_tree_ds_rrset_time(
+ new_tree, data_chain,
+ cur_rr, check_time);
} else {
/* no signatures? maybe it's nsec data */
/* just add every rr from parent as new parent */
- ldns_dnssec_derive_trust_tree_no_sig(new_tree, data_chain);
+ ldns_dnssec_derive_trust_tree_no_sig_time(
+ new_tree, data_chain, check_time);
}
}
}
return new_tree;
}
+ldns_dnssec_trust_tree *
+ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
+{
+ return ldns_dnssec_derive_trust_tree_time(data_chain, rr, ldns_time(NULL));
+}
+
void
-ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree,
- ldns_dnssec_data_chain *data_chain,
- ldns_rr *cur_sig_rr)
+ldns_dnssec_derive_trust_tree_normal_rrset_time(
+ ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *cur_sig_rr,
+ time_t check_time)
{
size_t i, j;
ldns_rr_list *cur_rrset = ldns_rr_list_clone(data_chain->rrset);
ldns_rr_list_pop_rrset(cur_rrset);
}
}
- cur_status = ldns_verify_rrsig(tmp_rrset,
- cur_sig_rr,
- cur_parent_rr);
+ cur_status = ldns_verify_rrsig_time(
+ tmp_rrset,
+ cur_sig_rr,
+ cur_parent_rr,
+ check_time);
/* avoid dupes */
for (i = 0; i < new_tree->parent_count; i++) {
if (cur_parent_rr == new_tree->parents[i]->rr) {
}
cur_parent_tree =
- ldns_dnssec_derive_trust_tree(data_chain->parent,
- cur_parent_rr);
+ ldns_dnssec_derive_trust_tree_time(
+ data_chain->parent,
+ cur_parent_rr,
+ check_time);
(void)ldns_dnssec_trust_tree_add_parent(new_tree,
cur_parent_tree,
cur_sig_rr,
}
void
-ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree,
+ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain,
- ldns_rr *cur_rr,
ldns_rr *cur_sig_rr)
+{
+ ldns_dnssec_derive_trust_tree_normal_rrset_time(
+ new_tree, data_chain, cur_sig_rr, ldns_time(NULL));
+}
+
+void
+ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
+ ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *cur_rr,
+ ldns_rr *cur_sig_rr,
+ time_t check_time)
{
size_t j;
ldns_rr_list *cur_rrset = data_chain->rrset;
cur_parent_tree = ldns_dnssec_trust_tree_new();
cur_parent_tree->rr = cur_parent_rr;
cur_parent_tree->rrset = cur_rrset;
- cur_status = ldns_verify_rrsig(cur_rrset,
- cur_sig_rr,
- cur_parent_rr);
+ cur_status = ldns_verify_rrsig_time(
+ cur_rrset, cur_sig_rr,
+ cur_parent_rr, check_time);
(void) ldns_dnssec_trust_tree_add_parent(new_tree,
cur_parent_tree, cur_sig_rr, cur_status);
}
}
void
-ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree,
- ldns_dnssec_data_chain *data_chain,
- ldns_rr *cur_rr)
+ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *cur_rr,
+ ldns_rr *cur_sig_rr)
+{
+ ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
+ new_tree, data_chain, cur_rr, cur_sig_rr, ldns_time(NULL));
+}
+
+void
+ldns_dnssec_derive_trust_tree_ds_rrset_time(
+ ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *cur_rr,
+ time_t check_time)
{
size_t j, h;
ldns_rr_list *cur_rrset = data_chain->rrset;
cur_rr = ldns_rr_list_rr(cur_rrset, h);
if (ldns_rr_compare_ds(cur_rr, cur_parent_rr)) {
cur_parent_tree =
- ldns_dnssec_derive_trust_tree(
- data_chain->parent, cur_parent_rr);
+ ldns_dnssec_derive_trust_tree_time(
+ data_chain->parent,
+ cur_parent_rr,
+ check_time);
(void) ldns_dnssec_trust_tree_add_parent(
new_tree,
cur_parent_tree,
}
void
-ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree,
- ldns_dnssec_data_chain *data_chain)
+ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *cur_rr)
+{
+ return ldns_dnssec_derive_trust_tree_ds_rrset_time(
+ new_tree, data_chain, cur_rr, ldns_time(NULL));
+}
+
+void
+ldns_dnssec_derive_trust_tree_no_sig_time(
+ ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ time_t check_time)
{
size_t i;
ldns_rr_list *cur_rrset;
for (i = 0; i < ldns_rr_list_rr_count(cur_rrset); i++) {
cur_parent_rr = ldns_rr_list_rr(cur_rrset, i);
cur_parent_tree =
- ldns_dnssec_derive_trust_tree(data_chain->parent,
- cur_parent_rr);
+ ldns_dnssec_derive_trust_tree_time(
+ data_chain->parent,
+ cur_parent_rr,
+ check_time);
(void) ldns_dnssec_trust_tree_add_parent(new_tree,
cur_parent_tree, NULL, result);
}
}
}
+void
+ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain)
+{
+ return ldns_dnssec_derive_trust_tree_no_sig_time(
+ new_tree, data_chain, ldns_time(NULL));
+}
+
/*
* returns OK if there is a path from tree to key with only OK
* the (first) error in between otherwise
}
ldns_status
-ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys,
- ldns_rr_list *good_keys)
+ldns_verify_time(
+ ldns_rr_list *rrset,
+ ldns_rr_list *rrsig,
+ const ldns_rr_list *keys,
+ time_t check_time,
+ ldns_rr_list *good_keys
+ )
{
uint16_t i;
ldns_status verify_result = LDNS_STATUS_ERR;
verify_result = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
} else {
for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) {
- ldns_status s = ldns_verify_rrsig_keylist(rrset,
- ldns_rr_list_rr(rrsig, i), keys, good_keys);
+ ldns_status s = ldns_verify_rrsig_keylist_time(
+ rrset, ldns_rr_list_rr(rrsig, i),
+ keys, check_time, good_keys);
/* try a little to get more descriptive error */
if(s == LDNS_STATUS_OK) {
verify_result = LDNS_STATUS_OK;
return verify_result;
}
+ldns_status
+ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys,
+ ldns_rr_list *good_keys)
+{
+ return ldns_verify_time(rrset, rrsig, keys, ldns_time(NULL), good_keys);
+}
+
ldns_status
ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig,
const ldns_rr_list *keys, ldns_rr_list *good_keys)
}
ldns_rr_list *
-ldns_fetch_valid_domain_keys(const ldns_resolver *res,
+ldns_fetch_valid_domain_keys_time(const ldns_resolver *res,
const ldns_rdf *domain,
const ldns_rr_list *keys,
+ time_t check_time,
ldns_status *status)
{
ldns_rr_list * trusted_keys = NULL;
if (res && domain && keys) {
- if ((trusted_keys = ldns_validate_domain_dnskey(res,
- domain,
- keys))) {
+ if ((trusted_keys = ldns_validate_domain_dnskey_time(res,
+ domain, keys, check_time))) {
*status = LDNS_STATUS_OK;
} else {
/* No trusted keys in this domain, we'll have to find some in the parent domain */
/* Fail if we are at the root */
if ((parent_keys =
- ldns_fetch_valid_domain_keys(res,
+ ldns_fetch_valid_domain_keys_time(res,
parent_domain,
keys,
+ check_time,
status))) {
/* Check DS records */
if ((ds_keys =
- ldns_validate_domain_ds(res,
+ ldns_validate_domain_ds_time(res,
domain,
- parent_keys))) {
+ parent_keys,
+ check_time))) {
trusted_keys =
- ldns_fetch_valid_domain_keys(res,
- domain,
- ds_keys,
- status);
+ ldns_fetch_valid_domain_keys_time(
+ res,
+ domain,
+ ds_keys,
+ check_time,
+ status);
ldns_rr_list_deep_free(ds_keys);
} else {
/* No valid DS at the parent -- fail */
}
ldns_rr_list *
-ldns_validate_domain_dnskey(const ldns_resolver * res,
- const ldns_rdf * domain,
- const ldns_rr_list * keys)
+ldns_fetch_valid_domain_keys(const ldns_resolver *res,
+ const ldns_rdf *domain,
+ const ldns_rr_list *keys,
+ ldns_status *status)
+{
+ return ldns_fetch_valid_domain_keys_time(
+ res, domain, keys, ldns_time(NULL), status);
+}
+
+ldns_rr_list *
+ldns_validate_domain_dnskey_time(
+ const ldns_resolver * res,
+ const ldns_rdf * domain,
+ const ldns_rr_list * keys,
+ time_t check_time
+ )
{
ldns_pkt * keypkt;
ldns_rr * cur_key;
if (ldns_rdf2native_int16(
ldns_rr_rrsig_keytag(cur_sig))
== ldns_calc_keytag(cur_key)) {
- if (ldns_verify_rrsig(domain_keys,
- cur_sig,
- cur_key)
+ if (ldns_verify_rrsig_time(
+ domain_keys,
+ cur_sig,
+ cur_key,
+ check_time)
== LDNS_STATUS_OK) {
/* Push the whole rrset
}
ldns_rr_list *
-ldns_validate_domain_ds(const ldns_resolver *res,
- const ldns_rdf * domain,
- const ldns_rr_list * keys)
+ldns_validate_domain_dnskey(const ldns_resolver * res,
+ const ldns_rdf * domain,
+ const ldns_rr_list * keys)
+{
+ return ldns_validate_domain_dnskey_time(
+ res, domain, keys, ldns_time(NULL));
+}
+
+ldns_rr_list *
+ldns_validate_domain_ds_time(
+ const ldns_resolver *res,
+ const ldns_rdf * domain,
+ const ldns_rr_list * keys,
+ time_t check_time)
{
ldns_pkt * dspkt;
uint16_t key_i;
LDNS_SECTION_ANSWER);
/* Validate sigs */
- if (ldns_verify(rrset, sigs, keys, NULL) == LDNS_STATUS_OK) {
+ if (ldns_verify_time(rrset, sigs, keys, check_time, NULL)
+ == LDNS_STATUS_OK) {
trusted_keys = ldns_rr_list_new();
for (key_i=0; key_i<ldns_rr_list_rr_count(rrset); key_i++) {
ldns_rr_list_push_rr(trusted_keys,
return trusted_keys;
}
+ldns_rr_list *
+ldns_validate_domain_ds(const ldns_resolver *res,
+ const ldns_rdf * domain,
+ const ldns_rr_list * keys)
+{
+ return ldns_validate_domain_ds_time(res, domain, keys, ldns_time(NULL));
+}
+
ldns_status
-ldns_verify_trusted(ldns_resolver *res,
- ldns_rr_list *rrset,
- ldns_rr_list * rrsigs,
- ldns_rr_list * validating_keys)
+ldns_verify_trusted_time(
+ ldns_resolver *res,
+ ldns_rr_list *rrset,
+ ldns_rr_list * rrsigs,
+ time_t check_time,
+ ldns_rr_list * validating_keys
+ )
{
uint16_t sig_i; uint16_t key_i;
ldns_rr * cur_sig; ldns_rr * cur_key;
cur_sig = ldns_rr_list_rr(rrsigs, sig_i);
/* Get a valid signer key and validate the sig */
- if ((trusted_keys = ldns_fetch_valid_domain_keys(
- res,
- ldns_rr_rrsig_signame(cur_sig),
- ldns_resolver_dnssec_anchors(res),
- &result))) {
+ if ((trusted_keys = ldns_fetch_valid_domain_keys_time(
+ res,
+ ldns_rr_rrsig_signame(cur_sig),
+ ldns_resolver_dnssec_anchors(res),
+ check_time,
+ &result))) {
for (key_i = 0;
key_i < ldns_rr_list_rr_count(trusted_keys);
key_i++) {
cur_key = ldns_rr_list_rr(trusted_keys, key_i);
- if ((result = ldns_verify_rrsig(rrset,
- cur_sig,
- cur_key))
+ if ((result = ldns_verify_rrsig_time(rrset,
+ cur_sig,
+ cur_key,
+ check_time))
== LDNS_STATUS_OK) {
if (validating_keys) {
ldns_rr_list_push_rr(validating_keys,
return result;
}
+ldns_status
+ldns_verify_trusted(
+ ldns_resolver *res,
+ ldns_rr_list *rrset,
+ ldns_rr_list * rrsigs,
+ ldns_rr_list * validating_keys)
+{
+ return ldns_verify_trusted_time(
+ res, rrset, rrsigs, ldns_time(NULL), validating_keys);
+}
+
+
ldns_status
ldns_dnssec_verify_denial(ldns_rr *rr,
ldns_rr_list *nsecs,
* @return status code LDNS_STATUS_OK if all is fine.
*/
static ldns_status
-ldns_rrsig_check_timestamps(ldns_rr* rrsig, int32_t now)
+ldns_rrsig_check_timestamps(ldns_rr* rrsig, time_t now)
{
int32_t inception, expiration;
* - verify the rrset+sig, with the b64 data and the b64 key data
*/
ldns_status
-ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
- ldns_rr *rrsig,
- const ldns_rr_list *keys,
- ldns_rr_list *good_keys)
+ldns_verify_rrsig_keylist_time(
+ ldns_rr_list *rrset,
+ ldns_rr *rrsig,
+ const ldns_rr_list *keys,
+ time_t check_time,
+ ldns_rr_list *good_keys)
{
ldns_status result;
ldns_rr_list *valid = ldns_rr_list_new();
}
/* check timestamps last; its OK except time */
- result = ldns_rrsig_check_timestamps(rrsig, (int32_t)time(NULL));
+ result = ldns_rrsig_check_timestamps(rrsig, check_time);
if(result != LDNS_STATUS_OK) {
ldns_rr_list_free(valid);
return result;
return LDNS_STATUS_OK;
}
+/*
+ * to verify:
+ * - create the wire fmt of the b64 key rdata
+ * - create the wire fmt of the sorted rrset
+ * - create the wire fmt of the b64 sig rdata
+ * - create the wire fmt of the sig without the b64 rdata
+ * - cat the sig data (without b64 rdata) to the rrset
+ * - verify the rrset+sig, with the b64 data and the b64 key data
+ */
+ldns_status
+ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
+ ldns_rr *rrsig,
+ const ldns_rr_list *keys,
+ ldns_rr_list *good_keys)
+{
+ return ldns_verify_rrsig_keylist_time(
+ rrset, rrsig, keys, ldns_time(NULL), good_keys);
+}
+
ldns_status
ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset,
ldns_rr *rrsig,
}
ldns_status
-ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
+ldns_verify_rrsig_time(
+ ldns_rr_list *rrset,
+ ldns_rr *rrsig,
+ ldns_rr *key,
+ time_t check_time)
{
ldns_buffer *rawsig_buf;
ldns_buffer *verify_buf;
/* check timestamp last, apart from time its OK */
if(result == LDNS_STATUS_OK)
- result = ldns_rrsig_check_timestamps(rrsig,
- (int32_t)time(NULL));
+ result = ldns_rrsig_check_timestamps(rrsig, check_time);
return result;
}
+ldns_status
+ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
+{
+ return ldns_verify_rrsig_time(rrset, rrsig, key, ldns_time(NULL));
+}
+
+
ldns_status
ldns_verify_rrsig_evp(ldns_buffer *sig,
ldns_buffer *rrset,
ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
ldns_dnssec_data_chain *data_chain,
ldns_rr *rr);
+/**
+ * Generates a dnssec_trust_ttree for the given rr from the
+ * given data_chain
+ *
+ * This does not clone the actual data; Don't free the
+ * data_chain before you are done with this tree
+ *
+ * \param[in] *data_chain The chain to derive the trust tree from
+ * \param[in] *rr The RR this tree will be about
+ * \param[in] check_time the time for which the validation is performed
+ * \return ldns_dnssec_trust_tree *
+ */
+ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *rr, time_t check_time);
+
/**
* Sub function for derive_trust_tree that is used for a 'normal' rrset
ldns_dnssec_data_chain *data_chain,
ldns_rr *cur_sig_rr);
+/**
+ * Sub function for derive_trust_tree that is used for a 'normal' rrset
+ *
+ * \param[in] new_tree The trust tree that we are building
+ * \param[in] data_chain The data chain containing the data for the trust tree
+ * \param[in] cur_sig_rr The currently relevant signature
+ * \param[in] check_time the time for which the validation is performed
+ */
+void ldns_dnssec_derive_trust_tree_normal_rrset_time(
+ ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *cur_sig_rr, time_t check_time);
+
+
/**
* Sub function for derive_trust_tree that is used for DNSKEY rrsets
*
ldns_rr *cur_rr,
ldns_rr *cur_sig_rr);
+/**
+ * Sub function for derive_trust_tree that is used for DNSKEY rrsets
+ *
+ * \param[in] new_tree The trust tree that we are building
+ * \param[in] data_chain The data chain containing the data for the trust tree
+ * \param[in] cur_rr The currently relevant DNSKEY RR
+ * \param[in] cur_sig_rr The currently relevant signature
+ * \param[in] check_time the time for which the validation is performed
+ */
+void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
+ ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
+ time_t check_time);
+
+
+/**
+ * Sub function for derive_trust_tree that is used for DNSKEY rrsets
+ *
+ * \param[in] new_tree The trust tree that we are building
+ * \param[in] data_chain The data chain containing the data for the trust tree
+ * \param[in] cur_rr The currently relevant DNSKEY RR
+ * \param[in] cur_sig_rr The currently relevant signature
+ * \param[in] check_time the time for which the validation is performed
+ */
+void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
+ ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
+ time_t check_time);
+
+
/**
* Sub function for derive_trust_tree that is used for DS rrsets
*
ldns_dnssec_data_chain *data_chain,
ldns_rr *cur_rr);
+/**
+ * Sub function for derive_trust_tree that is used for DS rrsets
+ *
+ * \param[in] new_tree The trust tree that we are building
+ * \param[in] data_chain The data chain containing the data for the trust tree
+ * \param[in] cur_rr The currently relevant DS RR
+ * \param[in] check_time the time for which the validation is performed
+ */
+void ldns_dnssec_derive_trust_tree_ds_rrset_time(
+ ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ ldns_rr *cur_rr, time_t check_time);
+
/**
* Sub function for derive_trust_tree that is used when there are no
* signatures
ldns_dnssec_trust_tree *new_tree,
ldns_dnssec_data_chain *data_chain);
+/**
+ * Sub function for derive_trust_tree that is used when there are no
+ * signatures
+ *
+ * \param[in] new_tree The trust tree that we are building
+ * \param[in] data_chain The data chain containing the data for the trust tree
+ * \param[in] check_time the time for which the validation is performed
+ */
+void ldns_dnssec_derive_trust_tree_no_sig_time(
+ ldns_dnssec_trust_tree *new_tree,
+ ldns_dnssec_data_chain *data_chain,
+ time_t check_time);
+
+
/**
* Returns OK if there is a trusted path in the tree to one of
* the DNSKEY or DS RRs in the given list
const ldns_rr_list *keys,
ldns_rr_list *good_keys);
+/**
+ * Verifies a list of signatures for one rrset.
+ *
+ * \param[in] rrset the rrset to verify
+ * \param[in] rrsig a list of signatures to check
+ * \param[in] keys a list of keys to check with
+ * \param[in] check_time the time for which the validation is performed
+ * \param[out] good_keys if this is a (initialized) list, the pointer to keys
+ * from keys that validate one of the signatures
+ * are added to it
+ * \return status LDNS_STATUS_OK if there is at least one correct key
+ */
+ldns_status ldns_verify_time(ldns_rr_list *rrset,
+ ldns_rr_list *rrsig,
+ const ldns_rr_list *keys,
+ time_t check_time,
+ ldns_rr_list *good_keys);
+
+
/**
* Verifies a list of signatures for one rrset, but disregard the time.
* Inception and Expiration are not checked.
const ldns_rr_list * keys,
ldns_status *status);
+/**
+ * Tries to build an authentication chain from the given
+ * keys down to the queried domain.
+ *
+ * If we find a valid trust path, return the valid keys for the domain.
+ *
+ * \param[in] res the current resolver
+ * \param[in] domain the domain we want valid keys for
+ * \param[in] keys the current set of trusted keys
+ * \param[in] check_time the time for which the validation is performed
+ * \param[out] status pointer to the status variable where the result
+ * code will be stored
+ * \return the set of trusted keys for the domain, or NULL if no
+ * trust path could be built.
+ */
+ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res,
+ const ldns_rdf * domain, const ldns_rr_list * keys,
+ time_t check_time, ldns_status *status);
+
+
/**
* Validates the DNSKEY RRset for the given domain using the provided
* trusted keys.
const ldns_rdf *domain,
const ldns_rr_list *keys);
+/**
+ * Validates the DNSKEY RRset for the given domain using the provided
+ * trusted keys.
+ *
+ * \param[in] res the current resolver
+ * \param[in] domain the domain we want valid keys for
+ * \param[in] keys the current set of trusted keys
+ * \param[in] check_time the time for which the validation is performed
+ * \return the set of trusted keys for the domain, or NULL if the RRSET
+ * could not be validated
+ */
+ldns_rr_list *ldns_validate_domain_dnskey_time(
+ const ldns_resolver *res, const ldns_rdf *domain,
+ const ldns_rr_list *keys, time_t check_time);
+
+
/**
* Validates the DS RRset for the given domain using the provided trusted keys.
*
domain,
const ldns_rr_list * keys);
+/**
+ * Validates the DS RRset for the given domain using the provided trusted keys.
+ *
+ * \param[in] res the current resolver
+ * \param[in] domain the domain we want valid keys for
+ * \param[in] keys the current set of trusted keys
+ * \param[in] check_time the time for which the validation is performed
+ * \return the set of trusted keys for the domain, or NULL if the RRSET could not be validated
+ */
+ldns_rr_list *ldns_validate_domain_ds_time(
+ const ldns_resolver *res, const ldns_rdf *domain,
+ const ldns_rr_list * keys, time_t check_time);
+
+
/**
* Verifies a list of signatures for one RRset using a valid trust path.
*
ldns_rr_list *rrsigs,
ldns_rr_list *validating_keys);
+/**
+ * Verifies a list of signatures for one RRset using a valid trust path.
+ *
+ * \param[in] res the current resolver
+ * \param[in] rrset the rrset to verify
+ * \param[in] rrsigs a list of signatures to check
+ * \param[in] check_time the time for which the validation is performed
+ * \param[out] validating_keys if this is a (initialized) list, the
+ * keys from keys that validate one of
+ * the signatures are added to it
+ * \return status LDNS_STATUS_OK if there is at least one correct key
+ */
+ldns_status ldns_verify_trusted_time(
+ ldns_resolver *res, ldns_rr_list *rrset,
+ ldns_rr_list *rrsigs, time_t check_time,
+ ldns_rr_list *validating_keys);
+
+
/**
* denial is not just a river in egypt
*
const ldns_rr_list *keys,
ldns_rr_list *good_keys);
+/**
+ * Verifies an rrsig. All keys in the keyset are tried.
+ * \param[in] rrset the rrset to check
+ * \param[in] rrsig the signature of the rrset
+ * \param[in] keys the keys to try
+ * \param[in] check_time the time for which the validation is performed
+ * \param[out] good_keys if this is a (initialized) list, the pointer to keys
+ * from keys that validate one of the signatures
+ * are added to it
+ * \return a list of keys which validate the rrsig + rrset. Returns
+ * status LDNS_STATUS_OK if at least one key matched. Else an error.
+ */
+ldns_status ldns_verify_rrsig_keylist_time(
+ ldns_rr_list *rrset, ldns_rr *rrsig,
+ const ldns_rr_list *keys, time_t check_time,
+ ldns_rr_list *good_keys);
+
+
/**
* Verifies an rrsig. All keys in the keyset are tried. Time is not checked.
* \param[in] rrset the rrset to check
ldns_rr *rrsig,
ldns_rr *key);
+
+/**
+ * verify an rrsig with 1 key
+ * \param[in] rrset the rrset
+ * \param[in] rrsig the rrsig to verify
+ * \param[in] key the key to use
+ * \param[in] check_time the time for which the validation is performed
+ * \return status message wether verification succeeded.
+ */
+ldns_status ldns_verify_rrsig_time(
+ ldns_rr_list *rrset, ldns_rr *rrsig,
+ ldns_rr *key, time_t check_time);
+
+
#if LDNS_BUILD_CONFIG_HAVE_SSL
/**
* verifies a buffer with signature data for a buffer with rrset data
projects / thirdparty / ldns.git / commitdiff
