authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-28 15:53:50 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-28 15:53:50 +0000
commit899c3e93acbd41bcd3c5ce5d09eddef8f45ab3ff (patch)
tree38b3e5caabeb273244b348e1bd101181aa6ce576 /chrome/browser/ssl
parent40251a21ba6eea816755b1bcb9edf305c782aeda (diff)
https: add support for DNS exclusion and switch to TXT records.
(This code has no effect unless --enable-dnssec-certs is given.) The existing DNSSEC code will process embedded chains in certificates and validate CERT records therein. The format of the CERT record was just something made up as a proof of concept. This change switches that code to using TXT records, which are at least used by some other code. Additionally, when --enable-dnssec-certs is given, TXT record lookups are triggered for each HTTPS connection. If DNSSEC secure, these lookups can validate an HTTPS certificate. Even without DNSSEC, they can be used for exclusion: if TLS fingerprints are given, but the certificate doesn't match any of them, then the certificate is rejected. The next step in this series will be to perform the TXT lookup for some percentage of dev channel users in order to measure the latency impact. For this experiment, all behavioural changes will be disabled. BUG=none TEST=net_unittests http://codereview.chromium.org/3148037/show git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57787 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/ssl')
-rw-r--r--chrome/browser/ssl/ssl_error_info.cc10
-rw-r--r--chrome/browser/ssl/ssl_error_info.h1
-rw-r--r--chrome/browser/ssl/ssl_policy.cc1
3 files changed, 12 insertions, 0 deletions
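--- a/chrome/browser/ssl/ssl_error_info.cc
+++ b/chrome/browser/ssl/ssl_error_info.cc
@@ -167,6 +167,14 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
 l10n_util::GetString(
 IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_EXTRA_INFO_2));
 break;
+case CERT_NOT_IN_DNS:
+title = l10n_util::GetString(IDS_CERT_ERROR_NOT_IN_DNS_TITLE);
+details = l10n_util::GetString(IDS_CERT_ERROR_NOT_IN_DNS_DETAILS);
+short_description = l10n_util::GetString(
+IDS_CERT_ERROR_NOT_IN_DNS_DESCRIPTION);
+extra_info.push_back(
+l10n_util::GetString(IDS_CERT_ERROR_NOT_IN_DNS_EXTRA_INFO));
+break;
 case UNKNOWN:
 title = l10n_util::GetString(IDS_CERT_ERROR_UNKNOWN_ERROR_TITLE);
 details = l10n_util::GetString(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS);
@@ -203,6 +211,8 @@ SSLErrorInfo::ErrorType SSLErrorInfo::NetErrorToErrorType(int net_error) {
 return CERT_INVALID;
 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
 return CERT_WEAK_SIGNATURE_ALGORITHM;
+case net::ERR_CERT_NOT_IN_DNS:
+return CERT_NOT_IN_DNS;
 default:
 NOTREACHED();
 return UNKNOWN;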
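Review bot: The new `case CERT_NOT_IN_DNS:` in CreateError carries no comment saying which validation failure it reports, and the IDS_CERT_ERROR_NOT_IN_DNS_* strings it selects are not on this page, so a reader of this switch cannot tell whether the user-facing text matches the condition. Going by the commit description, the error is raised when the host's DNS TXT record lists certificate fingerprints and none of them matches the presented certificate (exclusion), which can presumably happen even when the DNS answer was not DNSSEC-validated; a comment on the case, e.g. `// DNS TXT record for the host lists certificate fingerprints, none of which matched the presented certificate.`, would let reviewers check the wording of the strings against that meaning. The same one-line comment fits the new `case net::ERR_CERT_NOT_IN_DNS:` in NetErrorToErrorType in the second hunk. Both enclosing functions start and end outside the hunks.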
diff --git a/chrome/browser/ssl/ssl_error_info.h b/chrome/browser/ssl/ssl_error_info.h
index 177c6d0..225ccf6 100644
--- a/chrome/browser/ssl/ssl_error_info.h
+++ b/chrome/browser/ssl/ssl_error_info.h
@@ -29,6 +29,7 @@ class SSLErrorInfo {
CERT_REVOKED,
CERT_INVALID,
CERT_WEAK_SIGNATURE_ALGORITHM,
+ CERT_NOT_IN_DNS,
UNKNOWN
};
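--- a/chrome/browser/ssl/ssl_policy.cc
+++ b/chrome/browser/ssl/ssl_policy.cc
@@ -71,6 +71,7 @@ void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
 case net::ERR_CERT_CONTAINS_ERRORS:
 case net::ERR_CERT_REVOKED:
 case net::ERR_CERT_INVALID:
+case net::ERR_CERT_NOT_IN_DNS:
 OnCertErrorInternal(handler, SSLBlockingPage::ERROR_FATAL);
 break;
 default: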
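Review bot: Adding `case net::ERR_CERT_NOT_IN_DNS:` to the ERROR_FATAL group makes a DNS-based exclusion result non-overridable, on a par with revocation, but nothing in the hunk records why that severity was chosen. Per the commit description the exclusion check can be driven by TXT records that were not DNSSEC-validated, so an incorrect or tampered DNS answer would presumably block a site whose CA-validated chain is otherwise acceptable; failing closed is the safer default, but the trade-off deserves a comment here, e.g. `// DNS exclusion (fingerprints published in TXT, none matching) is treated as fatal; the lookup may not be DNSSEC-validated, so a bad DNS answer blocks the site rather than being overridable.`. If the intent is instead that this path stays inert until the flag-gated experiment ends, say so in the same comment. OnCertError continues outside the hunk.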