From b2471359cfbd4f7b9621ba2542b947841bfadb27 Mon Sep 17 00:00:00 2001
From: "agl@chromium.org"
Date: Wed, 11 Aug 2010 19:50:02 +0000
Subject: net: add embedded DNSSEC chain support.
Now that the DNS root is signed we have a good trust path in several TLDs (including .org). This patch enables self-signed certificates to include a DNSSEC chain as an extension which proves a CERT record, containing the fingerprint of the public key. The format of the chain is still undecided, so this is only enabled with --enable-dnssec-certs.
BUG=none
TEST=net_unittests
http://codereview.chromium.org/2806076
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@55771 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome/browser/browser_main.cc | 3 +++
 chrome/browser/net/ssl_config_service_manager_pref.cc | 1 +
 chrome/common/chrome_switches.cc | 2 ++
 chrome/common/chrome_switches.h | 1 +
 4 files changed, 7 insertions(+)
(limited to 'chrome')
diff --git a/chrome/browser/browser_main.cc b/chrome/browser/browser_main.cc
index 6b29674..fc6511b 100644
--- a/chrome/browser/browser_main.cc
+++ b/chrome/browser/browser_main.cc
@@ -175,6 +175,9 @@ void BrowserMainParts::EarlyInitialization() {
 PrefetchFieldTrial();
 InitializeSSL();
+ if (parsed_command_line().HasSwitch(switches::kEnableDNSSECCerts))
+ net::SSLConfigService::EnableDNSSEC();
+
 PostEarlyInitialization();
 }
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index a89f025..c729d0e 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
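Review bot: In browser_main.cc the new `if` that calls `net::SSLConfigService::EnableDNSSEC()` carries no comment, and neither does the definition of `kEnableDNSSECCerts` in chrome_switches.cc, where the neighbouring switches each have a one-line description. The switch alters certificate handling, so a reader should not have to find the commit message to learn that; going by that message, `// Experimental: honour a DNSSEC chain embedded in a self-signed certificate (format not final).` above the `if` and `// Enables experimental DNSSEC chains embedded in self-signed certificates.` above the constant would do. `EnableDNSSEC()` is a static call with no counterpart here to turn it off, so the setting presumably holds process-wide for the whole run, which the comment could state once confirmed. `EarlyInitialization()` begins before this hunk.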
@@ -145,6 +145,7 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
 config->ssl2_enabled = ssl2_enabled_.GetValue();
 config->ssl3_enabled = ssl3_enabled_.GetValue();
 config->tls1_enabled = tls1_enabled_.GetValue();
+ config->dnssec_enabled = net::SSLConfigService::dnssec_enabled();
 }
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 5293e62..3f8b0f5 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -333,6 +333,8 @@ const char kEnableDeviceMotion[] = "enable-device-motion";
 // Enables device orientation events.
 const char kEnableDeviceOrientation[] = "enable-device-orientation";
+const char kEnableDNSSECCerts[] = "enable-dnssec-certs";
+
 // Enables extension APIs that are in development.
 const char kEnableExperimentalExtensionApis[] = "enable-experimental-extension-apis";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index fba6d71..dde93de 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -110,6 +110,7 @@ extern const char kEnableContentPrefetch[];
 extern const char kEnableCookiePrompt[];
 extern const char kEnableDeviceMotion[];
 extern const char kEnableDeviceOrientation[];
+extern const char kEnableDNSSECCerts[];
 extern const char kEnableExperimentalExtensionApis[];
 extern const char kEnableExperimentalWebGL[];
 extern const char kEnableExtensionTimelineApi[];
--
cgit v1.1
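Review bot: `dnssec_enabled` is the one field in `GetSSLConfigFromPrefs` that does not come from a pref member; it is copied from a static on `net::SSLConfigService`, which the function name hides. A short comment on the new line, e.g. `// Not a pref: process-wide flag set from --enable-dnssec-certs at startup.`, would keep a later reader from looking for a missing preference. Other places that fill in an `SSLConfig` are not visible in this diff; if any of them leaves `dnssec_enabled` unset, the switch would silently have no effect on that path, so it is worth confirming each one copies the flag. The function body starts outside the hunk.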