Lines Matching refs:key
59 assert(dnskey->key->type == DNS_TYPE_DNSKEY);
68 p = dnskey->dnskey.key;
225 "(public-key (rsa (n %m) (e %m)))",
275 if (*(uint8_t*) dnskey->dnskey.key == 0) {
278 exponent = (uint8_t*) dnskey->dnskey.key + 3;
280 ((size_t) (((uint8_t*) dnskey->dnskey.key)[1]) << 8) |
281 ((size_t) ((uint8_t*) dnskey->dnskey.key)[2]);
289 modulus = (uint8_t*) dnskey->dnskey.key + 3 + exponent_size;
295 exponent = (uint8_t*) dnskey->dnskey.key + 1;
296 exponent_size = (size_t) ((uint8_t*) dnskey->dnskey.key)[0];
304 modulus = (uint8_t*) dnskey->dnskey.key + 1 + exponent_size;
322 const void *key, size_t key_size) {
343 ge = gcry_mpi_scan(&q, GCRYMPI_FMT_USG, key, key_size, NULL);
372 "(public-key (ecc (curve %s) (q %m)))",
438 q[0] = 0x04; /* Prepend 0x04 to indicate an uncompressed key */
439 memcpy(q+1, dnskey->dnskey.key, key_size*2);
473 assert(rrsig->key->type == DNS_TYPE_RRSIG);
482 name = DNS_RESOURCE_KEY_NAME(rrsig->key);
519 assert(rrsig->key->type == DNS_TYPE_RRSIG);
615 const DnsResourceKey *key,
631 assert(key);
635 assert(rrsig->key->type == DNS_TYPE_RRSIG);
636 assert(dnskey->key->type == DNS_TYPE_DNSKEY);
638 /* Verifies the the RRSet matching the specified "key" in "a",
639 * using the signature "rrsig" and the key "dnskey". It's
666 name = DNS_RESOURCE_KEY_NAME(key);
716 r = dns_resource_key_equal(key, rr->key);
777 md_add_uint16(md, rr->key->type);
778 md_add_uint16(md, rr->key->class);
844 /* Checks if the specified DNSKEY RR matches the key used for
847 if (rrsig->key->type != DNS_TYPE_RRSIG)
850 if (dnskey->key->type != DNS_TYPE_DNSKEY)
852 if (dnskey->key->class != rrsig->key->class)
866 return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), rrsig->rrsig.signer);
869 int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig) {
870 assert(key);
873 /* Checks if the specified RRSIG RR protects the RRSet of the specified RR key. */
875 if (rrsig->key->type != DNS_TYPE_RRSIG)
877 if (rrsig->key->class != key->class)
879 if (rrsig->rrsig.type_covered != key->type)
882 return dns_name_equal(DNS_RESOURCE_KEY_NAME(rrsig->key), DNS_RESOURCE_KEY_NAME(key));
887 const DnsResourceKey *key,
897 assert(key);
900 /* Verifies all RRs from "a" that match the key "key" against DNSKEYs in "validated_dnskeys" */
910 /* Is this an RRSIG RR that applies to RRs matching our key? */
911 r = dnssec_key_match_rrsig(key, rrsig);
919 /* Look for a matching key */
926 /* Is this a DNSKEY RR that matches they key of our RRSIG? */
944 r = dnssec_verify_rrset(a, key, rrsig, dnskey, realtime, &one_result);
962 key and/or signature. After all they
969 /* If the key algorithm is
1008 int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) {
1012 /* Checks whether there's at least one RRSIG in 'a' that proctects RRs of the specified key */
1015 r = dnssec_key_match_rrsig(key, rr);
1057 if (dnskey->key->type != DNS_TYPE_DNSKEY)
1059 if (ds->key->type != DNS_TYPE_DS)
1085 r = dnssec_canonicalize(DNS_RESOURCE_KEY_NAME(dnskey->key), owner_name, sizeof(owner_name));
1100 gcry_md_write(md, dnskey->dnskey.key, dnskey->dnskey.key_size);
1122 if (dnskey->key->type != DNS_TYPE_DNSKEY)
1130 if (ds->key->type != DNS_TYPE_DS)
1132 if (ds->key->class != dnskey->key->class)
1135 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), DNS_RESOURCE_KEY_NAME(ds->key));
1180 if (nsec3->key->type != DNS_TYPE_NSEC3)
1246 if (rr->key->type != DNS_TYPE_NSEC3)
1276 if (rr->key->class != nsec3->key->class)
1287 a = DNS_RESOURCE_KEY_NAME(rr->key);
1294 b = DNS_RESOURCE_KEY_NAME(nsec3->key);
1348 * Based on this we can prove either the existence of the record in @key, or NXDOMAIN or NODATA, or
1352 static int dnssec_test_nsec3(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl) {
1360 assert(key);
1368 zone = DNS_RESOURCE_KEY_NAME(key);
1377 r = dns_name_equal_skip(DNS_RESOURCE_KEY_NAME(zone_rr->key), 1, zone);
1396 /* Second step, find the closest encloser NSEC3 RR in 'answer' that matches 'key' */
1397 p = DNS_RESOURCE_KEY_NAME(key);
1420 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(enclosure_rr->key), hashed_domain);
1454 if (key->type == DNS_TYPE_DS) {
1463 /* No next closer NSEC3 RR. That means there's a direct NSEC3 RR for our key. */
1464 if (bitmap_isset(enclosure_rr->nsec3.types, key->type))
1519 r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), next_closer_domain, next_hashed_domain);
1531 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(rr->key), wildcard_domain);
1540 r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), wildcard_domain, next_hashed_domain);
1573 else if (bitmap_isset(wildcard_rr->nsec3.types, key->type))
1612 assert(rr->key->type == DNS_TYPE_NSEC);
1619 n = DNS_RESOURCE_KEY_NAME(rr->key);
1634 assert(rr->key->type == DNS_TYPE_NSEC);
1658 r = dns_name_common_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rr->nsec.next_domain_name, &common_suffix);
1669 assert(rr->key->type == DNS_TYPE_NSEC);
1677 r = dns_name_equal(name, DNS_RESOURCE_KEY_NAME(rr->key));
1696 assert(rr->key->type == DNS_TYPE_NSEC);
1700 r = dns_name_common_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rr->nsec.next_domain_name, &common_suffix);
1721 return dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), p, rr->nsec.next_domain_name);
1729 assert(rr->key->type == DNS_TYPE_NSEC);
1740 r = dns_name_common_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rr->nsec.next_domain_name, &common_suffix);
1750 return dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), wc, rr->nsec.next_domain_name);
1753 int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl) {
1760 assert(key);
1763 /* Look for any NSEC/NSEC3 RRs that say something about the specified key. */
1765 name = DNS_RESOURCE_KEY_NAME(key);
1769 if (rr->key->class != key->class)
1772 have_nsec3 = have_nsec3 || (rr->key->type == DNS_TYPE_NSEC3);
1774 if (rr->key->type != DNS_TYPE_NSEC)
1785 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(rr->key), name);
1795 if (key->type == DNS_TYPE_DS) {
1808 if (bitmap_isset(rr->nsec.types, key->type))
1880 return dnssec_test_nsec3(answer, key, result, authenticated, ttl);
1901 if (rr->key->type != type && type != DNS_TYPE_ANY)
1904 switch (rr->key->type) {
1915 r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), name, rr->nsec.next_domain_name);
1958 r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), hashed_domain, next_hashed_domain);
1994 * Note a key difference between the NSEC3 and NSEC versions of the proof. NSEC RRs don't have to exist for
2123 const DnsResourceKey *key,
2137 int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig) {
2144 const DnsResourceKey *key,
2153 int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) {
2173 int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl) {
2197 [DNSSEC_MISSING_KEY] = "missing-key",