summaryrefslogtreecommitdiffstats
path: root/net/base/dnssec_chain_verifier.h
Commit message (Collapse)AuthorAgeFilesLines
* https: add support for DNS exclusion and switch to TXT records.agl@chromium.org2010-08-281-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | (This code has no effect unless --enable-dnssec-certs is given.) The existing DNSSEC code will process embeded chains in certificates and validate CERT records there in. The format of the CERT record was just something made up as a proof of concept. This change switches that code to using TXT records which are at least used by some other code. Additionally, when --enable-dnssec-certs is given. TXT record lookups are triggered for each HTTPS connection. If DNSSEC secure, these lookups can validate a HTTPS certificate. Even without DNSSEC, they can by used for exclusion: if TLS fingerprints are given, but the certificate doesn't match any of them, then the certificate is rejected. The next step in this series will be to perform the TXT lookup for some percentage of dev channel users in order to measure the latency impact. For this experiment, all behavioural changes will be disabled. BUG=none TEST=net_unittests http://codereview.chromium.org/3148037/show git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57787 0039d316-1c4b-4281-b951-d872f2087c98
* net: add embedded DNSSEC chain support.agl@chromium.org2010-08-111-0/+107
Now that the DNS root is signed we have a good trust path in several TLDs (including .org). This patch enables self-signed certificates to include a DNSSEC chain as an extension which proves a CERT record, containing the fingerprint of the public key. The format of the chain is still undecided, so this is only enabled with --enable-dnssec-certs. BUG=none TEST=net_unittests http://codereview.chromium.org/2806076 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@55771 0039d316-1c4b-4281-b951-d872f2087c98
generated by cgit v1.1 at 2025-02-01 11:55:05 +0000