summaryrefslogtreecommitdiffstats
path: root/net/base/dnssec_keyset.h
blob: 0db4d968f6ea0a0e28ab393e8735e085194c4290 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_BASE_DNSSEC_KEYSET_H_
#define NET_BASE_DNSSEC_KEYSET_H_

#include <string>
#include <vector>

#include "base/string_piece.h"
#include "net/base/net_export.h"

namespace net {

// DNSSECKeySet function wraps crypto/signature_verifier.h to accept
// DNSSEC encodings. (See RFC 4043)
class NET_EXPORT_PRIVATE DNSSECKeySet {
 public:
  DNSSECKeySet();
  ~DNSSECKeySet();

  // AddKey adds a key to the trusted set.
  //   dnskey: the RRDATA of a DNSKEY.
  bool AddKey(const base::StringPiece& dnskey);

  // CheckSignature checks the DNSSEC signature on set of resource records.
  //   name: the domain that the records are from
  //   zone: the signing zone
  //   signature: the RRSIG signature, not include the signing zone.
  //   rrtype: the type of the resource records
  //   rrdatas: the RRDATA of the signed resource records, in canonical order.
  bool CheckSignature(const base::StringPiece& name,
                      const base::StringPiece& zone,
                      const base::StringPiece& signature,
                      uint16 rrtype,
                      const std::vector<base::StringPiece>& rrdatas);

  // DNSKEYToKeyID converts the RRDATA of a DNSKEY to its key id. See RFC 4043,
  // app B.
  static uint16 DNSKEYToKeyID(const base::StringPiece& dnskey);

  // Used for testing: the timestamps on signatures will be ignored to allow
  // golden data to remain valid.
  void IgnoreTimestamps();

 private:
  bool VerifySignature(
      base::StringPiece signature_algorithm,
      base::StringPiece signature,
      base::StringPiece public_key,
      base::StringPiece signed_data);

  std::string ASN1WrapDNSKEY(const base::StringPiece& dnskey);

  bool ignore_timestamps_;
  std::vector<uint16> keyids_;
  std::vector<std::string> public_keys_;
};

}  // namespace net

#endif  // NET_BASE_DNSSEC_KEYSET_H_