author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-11 19:50:02 +0000 |
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-11 19:50:02 +0000 |
commit | b2471359cfbd4f7b9621ba2542b947841bfadb27 (patch) | |
tree | 241b1e8c58a26a5bbfb1df3c9f5d342c492ad693 /net/base/dnssec_keyset.h | |
parent | 1b3db78c4451a755eeaadc4cedceccd9e91724c8 (diff) | |
net: add embedded DNSSEC chain support.
Now that the DNS root is signed we have a good trust path in several
TLDs (including .org). This patch enables self-signed certificates to
include a DNSSEC chain as an extension which proves a CERT record,
containing the fingerprint of the public key.
The format of the chain is still undecided, so this is only enabled
with --enable-dnssec-certs.
BUG=none
TEST=net_unittests
http://codereview.chromium.org/2806076
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@55771 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/dnssec_keyset.h')
-rw-r--r-- | net/base/dnssec_keyset.h | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/net/base/dnssec_keyset.h b/net/base/dnssec_keyset.h
new file mode 100644
index 0000000..7a44916
--- /dev/null
+++ b/net/base/dnssec_keyset.h
@@ -0,0 +1,61 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_DNSSEC_KEYSET_H_
+#define NET_BASE_DNSSEC_KEYSET_H_
+
+#include <string>
+#include <vector>
+
+#include "base/string_piece.h"
+
+namespace net {
+
+// DNSSECKeySet function wraps base/crypto/signature_verifier.h to accept
+// DNSSEC encodings. (See RFC 4043)
+class DNSSECKeySet {
+ public:
+ DNSSECKeySet();
+
+ // AddKey adds a key to the trusted set.
+ // dnskey: the RRDATA of a DNSKEY.
+ bool AddKey(const base::StringPiece& dnskey);
+
+ // CheckSignature checks the DNSSEC signature on set of resource records.
+ // name: the domain that the records are from
+ // zone: the signing zone
+ // signature: the RRSIG signature, not include the signing zone.
+ // rrtype: the type of the resource records
+ // rrdatas: the RRDATA of the signed resource records, in canonical order.
+ bool CheckSignature(const base::StringPiece& name,
+ const base::StringPiece& zone,
+ const base::StringPiece& signature,
+ uint16 rrtype,
+ const std::vector<base::StringPiece>& rrdatas);
+
+ // DNSKEYToKeyID converts the RRDATA of a DNSKEY to its key id. See RFC 4043,
+ // app B.
+ static uint16 DNSKEYToKeyID(const base::StringPiece& dnskey);
+
+ // Used for testing: the timestamps on signatures will be ignored to allow
+ // golden data to remain valid.
+ void IgnoreTimestamps();
+
+ private:
+ bool VerifySignature(
+ base::StringPiece signature_algorithm,
+ base::StringPiece signature,
+ base::StringPiece public_key,
+ base::StringPiece signed_data);
+
+ std::string ASN1WrapDNSKEY(const base::StringPiece& dnskey);
+
+ bool ignore_timestamps_;
+ std::vector<uint16> keyids_;
+ std::vector<std::string> public_keys_;
+};
+
+} // namespace net
+
+#endif // NET_BASE_DNSSEC_KEYSET_H_ |
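Review bot: The RFC cited in the class comment and in the DNSKEYToKeyID comment is wrong: DNSKEY/RRSIG encodings and the key tag algorithm are specified in RFC 4034 (key tag calculation is its Appendix B), whereas RFC 4043 is an unrelated X.509 document, so both comments should read `// DNSSEC encodings. (See RFC 4034)` and `// DNSKEYToKeyID converts the RRDATA of a DNSKEY to its key tag. See RFC 4034, Appendix B.`. RFC 4034 also states that key tags are not unique, so a comment on `keyids_` should record that it may hold duplicates and that verification must try every stored key whose tag matches, and that `keyids_` and `public_keys_` are parallel vectors kept in lockstep by AddKey. The header also uses `uint16` without including the header that defines it; if it is only reached transitively via base/string_piece.h, the include should be made explicit. Since IgnoreTimestamps() disables the RRSIG validity window, its comment should say plainly that calling it outside tests leaves expired or not-yet-valid signatures accepted.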