authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-11 19:50:02 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-11 19:50:02 +0000
commitb2471359cfbd4f7b9621ba2542b947841bfadb27 (patch)
tree241b1e8c58a26a5bbfb1df3c9f5d342c492ad693 /net/base/dnssec_chain_verifier.h
parent1b3db78c4451a755eeaadc4cedceccd9e91724c8 (diff)
net: add embedded DNSSEC chain support.
Now that the DNS root is signed we have a good trust path in several TLDs (including .org). This patch enables self-signed certificates to include a DNSSEC chain as an extension which proves a CERT record, containing the fingerprint of the public key. The format of the chain is still undecided, so this is only enabled with --enable-dnssec-certs. BUG=none TEST=net_unittests http://codereview.chromium.org/2806076 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@55771 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/dnssec_chain_verifier.h')
-rw-r--r--net/base/dnssec_chain_verifier.h107
1 files changed, 107 insertions, 0 deletions
diff --git a/net/base/dnssec_chain_verifier.h b/net/base/dnssec_chain_verifier.h
new file mode 100644
index 0000000..2556564
--- /dev/null
+++ b/net/base/dnssec_chain_verifier.h
@@ -0,0 +1,107 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_DNSSEC_CHAIN_VERIFIER_H_
+#define NET_BASE_DNSSEC_CHAIN_VERIFIER_H_
+
+#include <string>
+#include <vector>
+
+#include "base/string_piece.h"
+#include "net/base/dnssec_keyset.h"
+
+namespace net {
+
+// DNSSECChainVerifier verifies a chain of DNSSEC records. These records
+// eventually prove the validity of a set of resource records for the target
+// name. For example, if the fingerprint of a certificate was stored in a CERT
+// record for a given domain, then a chain could prove the validity of that
+// fingerprint.
+class DNSSECChainVerifier {
+ public:
+ enum Error {
+ OK = 0,
+ BAD_DATA, // The chain was corrupt in some fashion.
+ UNKNOWN_ROOT_KEY, // The chain is assuming an unknown DNS root.
+ UNKNOWN_DIGEST, // An omitted DS record used an unknown hash function.
+ UNKNOWN_TERMINAL_RRTYPE, // The chain proved an unknown RRTYPE.
+ BAD_SIGNATURE, // One of the signature was incorrect.
+ NO_DS_LINK, // a DS set didn't include the next entry key.
+ OFF_COURSE, // the chain is diverging from the target name.
+ BAD_TARGET, // the chain didn't end up at the target.
+ };
+
+ // |target|: the target hostname. This must be in canonical (all
+ // lower-case), length-prefixed DNS form. For example:
+ // "\003www\007example\003com\000"
+ // |chain|: the contents of the chain.
+ DNSSECChainVerifier(const std::string& target,
+ const base::StringPiece& chain);
+ ~DNSSECChainVerifier();
+
+ // If called, timestamps in the signatures will be ignored. This is for
+ // testing only.
+ void IgnoreTimestamps();
+
+ // Verify verifies the chain. Returns |OK| on success.
+ Error Verify();
+
+ // rrtype returns the RRTYPE of the proven resource records. Only call this
+ // after Verify has returned OK.
+ uint16 rrtype() const;
+ // rrdatas returns the contents of the proven resource records. Only call
+ // this after Verify has returned OK.
+ const std::vector<base::StringPiece>& rrdatas() const;
+
+ // Exposed for testing only.
+ static unsigned MatchingLabels(base::StringPiece a,
+ base::StringPiece b);
+
+ private:
+ struct Zone {
+ base::StringPiece name;
+ // The number of consecutive labels which |name| shares with |target_|,
+ // counting right-to-left from the root.
+ unsigned matching_labels;
+ DNSSECKeySet trusted_keys;
+ Zone* prev;
+ };
+
+ bool U8(uint8*);
+ bool U16(uint16*);
+ bool VariableLength16(base::StringPiece*);
+ bool ReadName(base::StringPiece*);
+
+ bool ReadAheadEntryKey(base::StringPiece*);
+ bool ReadAheadKey(base::StringPiece*, uint8 entry_key);
+ bool ReadDNSKEYs(std::vector<base::StringPiece>*, bool is_root);
+ bool DigestKey(base::StringPiece* digest,
+ const base::StringPiece& name,
+ const base::StringPiece& dnskey,
+ uint8 digest_type,
+ uint16 keyid,
+ uint8 algorithm);
+
+ Error EnterRoot();
+ Error EnterZone(const base::StringPiece& zone);
+ Error LeaveZone(base::StringPiece* next_name);
+ Error ReadDSSet(std::vector<base::StringPiece>*,
+ const base::StringPiece& next_name);
+ Error ReadCERTs(std::vector<base::StringPiece>*);
+
+
+ Zone* current_zone_;
+ const std::string target_;
+ base::StringPiece chain_;
+ bool ignore_timestamps_;
+ bool valid_;
+ uint16 rrtype_;
+ std::vector<base::StringPiece> rrdatas_;
+ // A list of pointers which need to be free()ed on destruction.
+ std::vector<void*> scratch_pool_;
+};
+
+} // namespace net
+
+#endif // NET_BASE_DNSSEC_CHAIN_VERIFIER_H_
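Review bot: DNSSECChainVerifier owns raw memory — `scratch_pool_` holds pointers that, per its comment, are free()ed on destruction, and `current_zone_` is a raw `Zone*` — yet the class has a user-declared destructor and no private/disallowed copy constructor or assignment operator, so an accidental copy would free the same pointers twice; add `DISALLOW_COPY_AND_ASSIGN(DNSSECChainVerifier);` at the end of the private section. The `rrtype()`/`rrdatas()` comments say to call them only after Verify returns OK but do not say what the returned StringPieces reference; since `chain_` is itself a StringPiece and the scratch pool is released in the destructor, they presumably point into the caller's chain buffer or verifier-owned scratch memory, so the rrdatas() comment should state that the pieces are valid only while both the verifier and the |chain| buffer given to the constructor are alive — confirm against the .cc before wording it. `uint8` and `uint16` are used throughout the declaration but only <string>, <vector>, base/string_piece.h and net/base/dnssec_keyset.h are included; add `#include "base/basictypes.h"` rather than relying on a transitive include. Minor: the BAD_SIGNATURE comment should read "One of the signatures was incorrect."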