warmcat
diff --git a/‎READMEs/README.cbor-cose.md‎
Lines changed: 5 additions & 5 deletions b/‎READMEs/README.cbor-cose.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎READMEs/README.crypto-apis.md‎
Lines changed: 4 additions & 0 deletions b/‎READMEs/README.crypto-apis.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎READMEs/README.crypto-dnssec.md‎
Lines changed: 12 additions & 0 deletions b/‎READMEs/README.crypto-dnssec.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎include/libwebsockets/lws-dht-dnssec.h‎
Lines changed: 7 additions & 0 deletions b/‎include/libwebsockets/lws-dht-dnssec.h‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎include/libwebsockets/lws-gencrypto.h‎
Lines changed: 11 additions & 1 deletion b/‎include/libwebsockets/lws-gencrypto.h‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎include/libwebsockets/lws-genec.h‎
Lines changed: 70 additions & 2 deletions b/‎include/libwebsockets/lws-genec.h‎
Lines changed: 70 additions & 2 deletions
diff --git a/‎include/libwebsockets/lws-jose.h‎
Lines changed: 2 additions & 0 deletions b/‎include/libwebsockets/lws-jose.h‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎include/libwebsockets/lws-jwk.h‎
Lines changed: 1 addition & 1 deletion b/‎include/libwebsockets/lws-jwk.h‎
Lines changed: 1 addition & 1 deletion
@@ -15,9 +15,9 @@ also supported.
 
 |type|operations|algs|
 |---|---|---|
-|lws_cose_key_t|import, export, generation|EC / RSA / SYMMETRIC|
-|cose_sign1|sign, validate|ES256/384/512, RS256/384/512|
-|cose_sign|sign, validate|ES256/384/512, RS256/384/512|
+|lws_cose_key_t|import, export, generation|EC / RSA / SYMMETRIC / OKP|
+|cose_sign1|sign, validate|ES256/384/512, RS256/384/512, EdDSA|
+|cose_sign|sign, validate|ES256/384/512, RS256/384/512, EdDSA|
 |cose_mac0|sign, validate|HS256/HS256_64/384/512|
 |cose_mac|validate only|HS256/HS256_64/384/512|
 
@@ -29,7 +29,7 @@ An increasing number of higher-level IETF specifications use COSE underneath.
 ## cose_key and sets
 
 Lws provides an `lws_cose_key_t` object to contain a single key's metadata and
-key material for EC, RSA and SYMMETRIC key types.
+key material for EC, RSA, SYMMETRIC and OKP key types.
 
 There is a commandline tool wrapping the key dumping and generation apis
 available at `./minimal-examples/crypto/lws-crypto-cose-key`
@@ -77,7 +77,7 @@ it and returns a pointer to it.
 
 `cose_kty` is one of `LWSCOSE_WKKTV_OKP`, `LWSCOSE_WKKTV_EC2`, `LWSCOSE_WKKTV_RSA`,
 or `LWSCOSE_WKKTV_SYMMETRIC`.  `bits` is valid for RSA keys and for EC keys,
-`curve` should be a well-known curve name, one of `P-256`, `P-384` and `P-521`
+`curve` should be a well-known curve name, one of `P-256`, `P-384`, `P-521`, `Ed25519` or `Ed448`
 currently.  `use_mask` is a bitfield made up of  (1 << LWSCOSE_WKKO_...) set to
 enable the usage on the key.
 
 
@@ -64,7 +64,9 @@ combinations are acceptable by querying the parsed JW structs).
 
  - ECDH
  - ECDSA
+ - EdDSA (requires building with OpenSSL `LWS_WITH_OPENSSL`)
  - P256 / P384 / P521 (sic) curves
+ - Ed25519 / Ed448 curves (requires building with OpenSSL `LWS_WITH_OPENSSL`)
 
 ## Using the generic layer
 
@@ -94,6 +96,7 @@ length of the array is defined by the cipher... it's one of
 |`LWS_COUNT_OCT_KEY_ELEMENTS`|1|
 |`LWS_COUNT_RSA_KEY_ELEMENTS`|8|
 |`LWS_COUNT_EC_KEY_ELEMENTS`|4|
+|`LWS_COUNT_OKP_KEY_ELEMENTS`|4|
 |`LWS_COUNT_AES_KEY_ELEMENTS`|1|
 
 `struct lws_jwk_elements` is a simple pointer / length combination used to
@@ -145,6 +148,7 @@ The JOSE RFCs define specific short names for different algorithms
 ---|---|---
 |RS256, RS384, RS512|SHA256/384/512|RSA
 |ES256, ES384, ES521|SHA256/384/512|EC
+|EdDSA|None|Ed25519 or Ed448 (Requires OpenSSL)
 
 ### JWE
 
 
@@ -65,6 +65,18 @@ This generates:
 
 *Note: You can specify other curves such as `P-384` or `P-521` using the `--curve` argument.*
 
+### Step 2.5: Importing Existing NSD/BIND Keys (Optional)
+
+If you are migrating an existing domain from standard BIND or NSD setups, you can import your existing DNSSEC keys directly into the `lws` JWK format without generating new ones.
+
+The `importnsd` command takes your domain and the file prefixes of your existing `.private` and `.key` files (usually named like `Kmydomain.com.+013+12345`).
+
+```bash
+lws-crypto-dnssec importnsd mydomain.com Kmydomain.com.+013+12345 Kmydomain.com.+013+67890
+```
+
+The utility automatically parses the `DNSKEY` flags (256 for ZSK, 257 for KSK) to assign the correct roles, extracts the cryptographic parameters, and exports standard `mydomain.com.ksk.private.jwk` and `mydomain.com.zsk.private.jwk` files. It also generates a `mydomain.com.dnssec.txt` summarizing your DS records.
+
 ### Step 3: Extract DS Information for the Registrar
 
 To establish the chain of trust, the parent zone (e.g., the `.com` registry) must publish a Delegation Signer (DS) record containing a cryptographic hash of your public KSK.
 
@@ -44,6 +44,12 @@ struct lws_dht_dnssec_signzone_args {
 	uint32_t sign_validity_duration;
 };
 
+struct lws_dht_dnssec_importnsd_args {
+	const char *domain;
+	const char *key1_prefix;
+	const char *key2_prefix; /* optional if only importing 1 key */
+};
+
 typedef void (*lws_dht_dnssec_fetch_cb_t)(void *opaque, const char *domain, int status);
 
 struct lws_dht_dnssec_fetch_zone_args {
@@ -59,6 +65,7 @@ struct lws_dht_dnssec_ops {
 	int (*keygen)(struct lws_context *context, struct lws_dht_dnssec_keygen_args *args);
 	int (*dsfromkey)(struct lws_context *context, struct lws_dht_dnssec_dsfromkey_args *args);
 	int (*signzone)(struct lws_context *context, struct lws_dht_dnssec_signzone_args *args);
+	int (*importnsd)(struct lws_context *context, struct lws_dht_dnssec_importnsd_args *args);
 
 	int (*add_temp_zone)(struct lws_context *context, const char *domain, const char *zone_str, int ttl_secs);
 	int (*publish_jws)(struct lws_context *context, const char *jws_filepath);
 
@@ -33,7 +33,8 @@ enum lws_gencrypto_kty {
 
 	LWS_GENCRYPTO_KTY_OCT,
 	LWS_GENCRYPTO_KTY_RSA,
-	LWS_GENCRYPTO_KTY_EC
+	LWS_GENCRYPTO_KTY_EC,
+	LWS_GENCRYPTO_KTY_OKP
 };
 
 /*
@@ -86,6 +87,15 @@ enum lws_gencrypto_aes_tok {
 	LWS_GENCRYPTO_AES_KEYEL_COUNT
 };
 
+enum lws_gencrypto_okp_tok {
+	LWS_GENCRYPTO_OKP_KEYEL_CRV,
+	LWS_GENCRYPTO_OKP_KEYEL_X,
+	/* note... same offset as RSA D */
+	LWS_GENCRYPTO_OKP_KEYEL_D = LWS_GENCRYPTO_RSA_KEYEL_D,
+
+	LWS_GENCRYPTO_OKP_KEYEL_COUNT
+};
+
 /* largest number of key elements for any algorithm */
 #define LWS_GENCRYPTO_MAX_KEYEL_COUNT LWS_GENCRYPTO_RSA_KEYEL_COUNT
 
 
@@ -26,7 +26,8 @@ enum enum_genec_alg {
 	LEGENEC_UNKNOWN,
 
 	LEGENEC_ECDH,
-	LEGENEC_ECDSA
+	LEGENEC_ECDSA,
+	LEGENEC_EDDSA
 };
 
 struct lws_genec_ctx {
@@ -208,7 +209,74 @@ lws_genecdsa_hash_sign_jws(struct lws_genec_ctx *ctx, const uint8_t *in,
 			   uint8_t *sig, size_t sig_len);
 
 
-/* Apis that apply to both ECDH and ECDSA */
+/* EdDSA-specific apis */
+
+/** lws_geneddsa_create() - Create a geneddsa
+ *
+ * \param ctx: your genec context
+ * \param context: your lws_context (for RNG access)
+ * \param curve_table: NULL, enabling ED25519 and ED448, or a replacement
+ *		       struct lws_ec_curves array, terminated by an entry with
+ *		       .name = NULL, of curves you want to allow
+ *
+ * Initializes a geneddsa
+ */
+LWS_VISIBLE int
+lws_geneddsa_create(struct lws_genec_ctx *ctx, struct lws_context *context,
+		    const struct lws_ec_curves *curve_table);
+
+/** lws_geneddsa_new_keypair() - Create a geneddsa with a new public / private key
+ *
+ * \param ctx: your genec context
+ * \param curve_name: an EdDSA curve name, like "ED25519"
+ * \param el: array pf LWS_GENCRYPTO_OKP_KEYEL_COUNT key elements to take the new key
+ *
+ * Creates a geneddsa with a newly minted EdDSA public / private key
+ */
+LWS_VISIBLE LWS_EXTERN int
+lws_geneddsa_new_keypair(struct lws_genec_ctx *ctx, const char *curve_name,
+			 struct lws_gencrypto_keyelem *el);
+
+/** lws_geneddsa_set_key() - Apply an OKP key to an eddsa context
+ *
+ * \param ctx: your geneddsa context
+ * \param el: your key elements
+ *
+ * Applies an OKP key to an eddsa context
+ */
+LWS_VISIBLE LWS_EXTERN int
+lws_geneddsa_set_key(struct lws_genec_ctx *ctx,
+		     const struct lws_gencrypto_keyelem *el);
+
+/** lws_geneddsa_hash_sig_verify_jws() - Verifies a JWS EdDSA signature on a given payload
+ *
+ * \param ctx: your struct lws_genrsa_ctx
+ * \param in: raw payload
+ * \param in_len: raw payload length
+ * \param sig: pointer to the signature we received with the payload
+ * \param sig_len: length of the signature we are checking in bytes
+ *
+ * Returns <0 for error, or 0 if signature matches the payload + key..
+ */
+LWS_VISIBLE LWS_EXTERN int
+lws_geneddsa_hash_sig_verify_jws(struct lws_genec_ctx *ctx, const uint8_t *in,
+				 size_t in_len, const uint8_t *sig, size_t sig_len);
+
+/** lws_geneddsa_hash_sign_jws() - Creates a JWS EdDSA signature for a payload you provide
+ *
+ * \param ctx: your struct lws_genrsa_ctx
+ * \param in: raw payload to sign
+ * \param in_len: length of the payload
+ * \param sig: pointer to buffer to take signature
+ * \param sig_len: length of the buffer
+ *
+ * Returns <0 for error, or >=0 for success.
+ */
+LWS_VISIBLE LWS_EXTERN int
+lws_geneddsa_hash_sign_jws(struct lws_genec_ctx *ctx, const uint8_t *in,
+			   size_t in_len, uint8_t *sig, size_t sig_len);
+
+/* Apis that apply to ECDH, ECDSA and EdDSA */
 
 LWS_VISIBLE LWS_EXTERN void
 lws_genec_destroy(struct lws_genec_ctx *ctx);
 
@@ -65,6 +65,8 @@ enum lws_jose_algtype {
 	LWS_JOSE_ENCTYPE_ECDSA,
 	LWS_JOSE_ENCTYPE_ECDHES,
 
+	LWS_JOSE_ENCTYPE_EDDSA,
+
 	LWS_JOSE_ENCTYPE_AES_CBC,
 	LWS_JOSE_ENCTYPE_AES_CFB128,
 	LWS_JOSE_ENCTYPE_AES_CFB8,
 
@@ -66,7 +66,7 @@ struct lws_jwk_parse_state {
 	int pos;
 	int cose_state;
 	int seen;
-	unsigned short possible;
+	unsigned int possible;
 };
 
 /** lws_jwk_import() - Create a JSON Web key from the textual representation