| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Review URL: http://codereview.chromium.org/7529043
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@96560 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
| |
BUG=76997
TEST=none
Review URL: http://codereview.chromium.org/7058052
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87885 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
| |
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87686 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
| |
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87684 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The format of the keys-in-DNS record has started to solidify into CAA.
This change starts to switch over to using CAA records. None of this
code is enabled by default in Chrome.
BUG=none
TEST=net_unittests
Review URL: http://codereview.chromium.org/6281012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87677 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
| |
BUG=76997
TEST=NONE
Review URL: http://codereview.chromium.org/6969077
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@85785 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
| |
BUG=none
TEST=compiles
Review URL: http://codereview.chromium.org/3412016
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@60208 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change adds support for DNSSEC chains with CNAMEs. I.e. it's not
possible to prove records about $domain where $domain is a CNAME.
It also adds a tiny, standalone tool to run the verification code from
the command line.
BUG=none
TEST=net_unittests
http://codereview.chromium.org/3301015/show
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@58986 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(This code has no effect unless --enable-dnssec-certs is given.)
The existing DNSSEC code will process embeded chains in certificates
and validate CERT records there in. The format of the CERT record was
just something made up as a proof of concept. This change switches
that code to using TXT records which are at least used by some other
code.
Additionally, when --enable-dnssec-certs is given. TXT record lookups
are triggered for each HTTPS connection. If DNSSEC secure, these
lookups can validate a HTTPS certificate. Even without DNSSEC, they
can by used for exclusion: if TLS fingerprints are given, but the
certificate doesn't match any of them, then the certificate is
rejected.
The next step in this series will be to perform the TXT lookup for
some percentage of dev channel users in order to measure the latency
impact. For this experiment, all behavioural changes will be disabled.
BUG=none
TEST=net_unittests
http://codereview.chromium.org/3148037/show
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57787 0039d316-1c4b-4281-b951-d872f2087c98
|
|
|
Now that the DNS root is signed we have a good trust path in several
TLDs (including .org). This patch enables self-signed certificates to
include a DNSSEC chain as an extension which proves a CERT record,
containing the fingerprint of the public key.
The format of the chain is still undecided, so this is only enabled
with --enable-dnssec-certs.
BUG=none
TEST=net_unittests
http://codereview.chromium.org/2806076
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@55771 0039d316-1c4b-4281-b951-d872f2087c98
|
