Side by Side Diff: net/base/dnssec_keyset.cc

Issue 10082010: net: support SHA512 hashes in DNSSEC chains. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 8 months ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/dnssec_keyset.h" 5 #include "net/base/dnssec_keyset.h"
6 6
7 #include <cryptohi.h> 7 #include <cryptohi.h>
8 #include <cryptoht.h> 8 #include <cryptoht.h>
9 #include <keyhi.h> 9 #include <keyhi.h>
10 10
11 #include "base/logging.h" 11 #include "base/logging.h"
12 #include "base/memory/scoped_ptr.h" 12 #include "base/memory/scoped_ptr.h"
13 #include "base/time.h" 13 #include "base/time.h"
14 #include "crypto/nss_util.h" 14 #include "crypto/nss_util.h"
15 #include "net/base/dns_util.h" 15 #include "net/base/dns_util.h"
16 16
17 namespace { 17 namespace {
18 18
19 // These are encoded AlgorithmIdentifiers for the given signature algorithm. 19 // These are encoded AlgorithmIdentifiers for the given signature algorithm.
20 const unsigned char kRSAWithSHA1[] = { 20 const unsigned char kRSAWithSHA1[] = {
21 0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x5, 5, 0 21 0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x5, 5, 0
22 }; 22 };
23 23
24 const unsigned char kRSAWithSHA256[] = { 24 const unsigned char kRSAWithSHA256[] = {
25 0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xb, 5, 0 25 0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xb, 5, 0
26 }; 26 };
27 27
28 const unsigned char kRSAWithSHA512[] = {
Ryan Sleevi 2012/04/13 19:35:43 nit: It'd be nice to list the OID to save a little
agl 2012/04/17 15:16:36 Done.
29 0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xd, 5, 0
Ryan Sleevi 2012/04/13 19:35:43 nit: 0x5 0x0 ?
agl 2012/04/17 15:16:36 Done.
30 };
31
28 } // namespace 32 } // namespace
29 33
30 namespace net { 34 namespace net {
31 35
32 DNSSECKeySet::DNSSECKeySet() 36 DNSSECKeySet::DNSSECKeySet()
33 : ignore_timestamps_(false) { 37 : ignore_timestamps_(false) {
34 } 38 }
35 39
36 DNSSECKeySet::~DNSSECKeySet() { 40 DNSSECKeySet::~DNSSECKeySet() {
37 } 41 }
136 base::StringPiece signature_algorithm; 140 base::StringPiece signature_algorithm;
137 if (algorithm == kDNSSEC_RSA_SHA1 || 141 if (algorithm == kDNSSEC_RSA_SHA1 ||
138 algorithm == kDNSSEC_RSA_SHA1_NSEC3) { 142 algorithm == kDNSSEC_RSA_SHA1_NSEC3) {
139 signature_algorithm = base::StringPiece( 143 signature_algorithm = base::StringPiece(
140 reinterpret_cast<const char*>(kRSAWithSHA1), 144 reinterpret_cast<const char*>(kRSAWithSHA1),
141 sizeof(kRSAWithSHA1)); 145 sizeof(kRSAWithSHA1));
142 } else if (algorithm == kDNSSEC_RSA_SHA256) { 146 } else if (algorithm == kDNSSEC_RSA_SHA256) {
143 signature_algorithm = base::StringPiece( 147 signature_algorithm = base::StringPiece(
144 reinterpret_cast<const char*>(kRSAWithSHA256), 148 reinterpret_cast<const char*>(kRSAWithSHA256),
145 sizeof(kRSAWithSHA256)); 149 sizeof(kRSAWithSHA256));
150 } else if (algorithm == kDNSSEC_RSA_SHA512) {
151 signature_algorithm = base::StringPiece(
152 reinterpret_cast<const char*>(kRSAWithSHA512),
153 sizeof(kRSAWithSHA512));
Ryan Sleevi 2012/04/13 19:35:43 minor nit: arraysize (here and 145/149)
agl 2012/04/17 15:16:36 I really do want the number of bytes here.
146 } else { 154 } else {
147 // Unknown algorithm. 155 // Unknown algorithm.
148 return false; 156 return false;
149 } 157 }
150 158
151 // Check the signature with each trusted key which has a matching keyid. 159 // Check the signature with each trusted key which has a matching keyid.
152 DCHECK_EQ(public_keys_.size(), keyids_.size()); 160 DCHECK_EQ(public_keys_.size(), keyids_.size());
153 for (unsigned i = 0; i < public_keys_.size(); i++) { 161 for (unsigned i = 0; i < public_keys_.size(); i++) {
154 if (keyids_[i] != keyid) 162 if (keyids_[i] != keyid)
155 continue; 163 continue;
197 // crypto::SignatureVerifier to always use NSS because we want the ability to 205 // crypto::SignatureVerifier to always use NSS because we want the ability to
198 // be FIPS 140-2 compliant. However, we can't use crypto::SignatureVerifier 206 // be FIPS 140-2 compliant. However, we can't use crypto::SignatureVerifier
199 // here because some platforms don't support SHA256 signatures. Therefore, we 207 // here because some platforms don't support SHA256 signatures. Therefore, we
200 // use NSS directly. 208 // use NSS directly.
201 209
202 crypto::EnsureNSSInit(); 210 crypto::EnsureNSSInit();
203 211
204 CERTSubjectPublicKeyInfo* spki = NULL; 212 CERTSubjectPublicKeyInfo* spki = NULL;
205 SECItem spki_der; 213 SECItem spki_der;
206 spki_der.type = siBuffer; 214 spki_der.type = siBuffer;
207 spki_der.data = (uint8*) public_key.data(); 215 spki_der.data = (uint8*) public_key.data();
Ryan Sleevi 2012/04/13 19:35:43 minor nit: These casts (here, line 233, 248, 269)
agl 2012/04/17 15:16:36 Right. The alternative is such a mess. If you feel
208 spki_der.len = public_key.size(); 216 spki_der.len = public_key.size();
209 spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_der); 217 spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_der);
210 if (!spki) 218 if (!spki)
211 return false; 219 return false;
212 SECKEYPublicKey* pub_key = SECKEY_ExtractPublicKey(spki); 220 SECKEYPublicKey* pub_key = SECKEY_ExtractPublicKey(spki);
213 SECKEY_DestroySubjectPublicKeyInfo(spki); // Done with spki. 221 SECKEY_DestroySubjectPublicKeyInfo(spki); // Done with spki.
214 if (!pub_key) 222 if (!pub_key)
215 return false; 223 return false;
216 224
217 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 225 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
323 // subjectPublicKey BIT STRING } 331 // subjectPublicKey BIT STRING }
324 std::string DNSSECKeySet::ASN1WrapDNSKEY(const base::StringPiece& dnskey) { 332 std::string DNSSECKeySet::ASN1WrapDNSKEY(const base::StringPiece& dnskey) {
325 const unsigned char* data = 333 const unsigned char* data =
326 reinterpret_cast<const unsigned char*>(dnskey.data()); 334 reinterpret_cast<const unsigned char*>(dnskey.data());
327 335
328 if (dnskey.size() < 5 || dnskey.size() > 32767) 336 if (dnskey.size() < 5 || dnskey.size() > 32767)
329 return ""; 337 return "";
330 const uint8 algorithm = data[3]; 338 const uint8 algorithm = data[3];
331 if (algorithm != kDNSSEC_RSA_SHA1 && 339 if (algorithm != kDNSSEC_RSA_SHA1 &&
332 algorithm != kDNSSEC_RSA_SHA1_NSEC3 && 340 algorithm != kDNSSEC_RSA_SHA1_NSEC3 &&
333 algorithm != kDNSSEC_RSA_SHA256) { 341 algorithm != kDNSSEC_RSA_SHA256 &&
342 algorithm != kDNSSEC_RSA_SHA512) {
334 return ""; 343 return "";
335 } 344 }
336 345
337 unsigned exp_length; 346 unsigned exp_length;
338 unsigned exp_offset; 347 unsigned exp_offset;
339 // First we extract the public exponent. 348 // First we extract the public exponent.
340 if (data[4] == 0) { 349 if (data[4] == 0) {
341 if (dnskey.size() < 7) 350 if (dnskey.size() < 7)
342 return ""; 351 return "";
343 exp_length = static_cast<unsigned>(data[5]) << 8 | 352 exp_length = static_cast<unsigned>(data[5]) << 8 |
452 out[j++] = exp >> (8 * i); 461 out[j++] = exp >> (8 * i);
453 length--; 462 length--;
454 } 463 }
455 464
456 DCHECK_EQ(0u, length); 465 DCHECK_EQ(0u, length);
457 466
458 return std::string(reinterpret_cast<char*>(out.get()), j); 467 return std::string(reinterpret_cast<char*>(out.get()), j);
459 } 468 }
460 469
461 } // namespace net 470 } // namespace net
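Review bot: The set of accepted DNSSEC algorithm numbers now lives in two places that must agree by hand: the `else if` chain that picks the AlgorithmIdentifier (new lines 141-157) and the reject list in ASN1WrapDNSKEY (new lines 339-342), and adding SHA512 meant editing both. If either list is extended without the other, a key would be ASN.1-wrapped but never verified, or rejected before it can be wrapped, so a single file-local helper mapping algorithm number to encoded AlgorithmIdentifier (empty on unknown) should back both checks: the verifier branch becomes `signature_algorithm = SignatureAlgorithmFor(algorithm); if (signature_algorithm.empty()) return false;` and the wrapper's test becomes `if (SignatureAlgorithmFor(algorithm).empty()) return "";`. The function containing the first hunk starts before the hunk, so its signature is not visible here; the helper would sit next to the kRSAWith* constants, with whatever namespace qualification the kDNSSEC_* constants need there. While touching it, the comment at new line 207 ("some platforms don't support SHA256 signatures") could read "SHA256 or SHA512 signatures" so the NSS-direct rationale covers the new algorithm.
```cpp
// Returns the DER-encoded AlgorithmIdentifier for a DNSSEC algorithm number,
// or an empty StringPiece for algorithms this code does not verify.
static base::StringPiece SignatureAlgorithmFor(uint8 algorithm) {
  switch (algorithm) {
    case kDNSSEC_RSA_SHA1:
    case kDNSSEC_RSA_SHA1_NSEC3:
      return base::StringPiece(reinterpret_cast<const char*>(kRSAWithSHA1),
                               sizeof(kRSAWithSHA1));
    case kDNSSEC_RSA_SHA256:
      return base::StringPiece(reinterpret_cast<const char*>(kRSAWithSHA256),
                               sizeof(kRSAWithSHA256));
    case kDNSSEC_RSA_SHA512:
      return base::StringPiece(reinterpret_cast<const char*>(kRSAWithSHA512),
                               sizeof(kRSAWithSHA512));
    default:
      return base::StringPiece();
  }
}
// … unchanged: callers replace their inline algorithm lists with this helper …
```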