net: support SHA512 hashes in DNSSEC chains.

net/base/dnssec_keyset.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/dnssec_keyset.h"
 
 #include <cryptohi.h>
 #include <cryptoht.h>
 #include <keyhi.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/time.h"
 #include "crypto/nss_util.h"
 #include "net/base/dns_util.h"
 
 namespace {
 
-// These are encoded AlgorithmIdentifiers for the given signature algorithm.
+// These are encoded AlgorithmIdentifiers for the given signature algorithm
+// from RFC 4055.
+
+// 1.2.840.113549.1.1.5
 const unsigned char kRSAWithSHA1[] = {
-  0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x5, 5, 0
+  0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86,
+  0xf7, 0xd, 0x1, 0x1, 0x5, 0x5, 0x0,
 };
 
+// 1.2.840.113549.1.1.11
 const unsigned char kRSAWithSHA256[] = {
-  0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xb, 5, 0
+  0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86,
+  0xf7, 0xd, 0x1, 0x1, 0xb, 0x5, 0x0,
+};
+
+// 1.2.840.113549.1.1.13
+const unsigned char kRSAWithSHA512[] = {
+  0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86,
+  0xf7, 0xd, 0x1, 0x1, 0xd, 0x5, 0x0,
 };
 
 }  // namespace
 
 namespace net {
 
 DNSSECKeySet::DNSSECKeySet()
     : ignore_timestamps_(false) {
 }
 
@@ skipping 100 matching lines @@
   base::StringPiece signature_algorithm;
   if (algorithm == kDNSSEC_RSA_SHA1 ||
       algorithm == kDNSSEC_RSA_SHA1_NSEC3) {
     signature_algorithm = base::StringPiece(
         reinterpret_cast<const char*>(kRSAWithSHA1),
         sizeof(kRSAWithSHA1));
   } else if (algorithm == kDNSSEC_RSA_SHA256) {
     signature_algorithm = base::StringPiece(
         reinterpret_cast<const char*>(kRSAWithSHA256),
         sizeof(kRSAWithSHA256));
+  } else if (algorithm == kDNSSEC_RSA_SHA512) {
+    signature_algorithm = base::StringPiece(
+        reinterpret_cast<const char*>(kRSAWithSHA512),
+        sizeof(kRSAWithSHA512));
   } else {
     // Unknown algorithm.
     return false;
   }
 
   // Check the signature with each trusted key which has a matching keyid.
   DCHECK_EQ(public_keys_.size(), keyids_.size());
   for (unsigned i = 0; i < public_keys_.size(); i++) {
     if (keyids_[i] != keyid)
       continue;
@@ skipping 167 matching lines @@
 //       subjectPublicKey     BIT STRING  }
 std::string DNSSECKeySet::ASN1WrapDNSKEY(const base::StringPiece& dnskey) {
   const unsigned char* data =
     reinterpret_cast<const unsigned char*>(dnskey.data());
 
   if (dnskey.size() < 5 || dnskey.size() > 32767)
     return "";
   const uint8 algorithm = data[3];
   if (algorithm != kDNSSEC_RSA_SHA1 &&
       algorithm != kDNSSEC_RSA_SHA1_NSEC3 &&
-      algorithm != kDNSSEC_RSA_SHA256) {
+      algorithm != kDNSSEC_RSA_SHA256 &&
+      algorithm != kDNSSEC_RSA_SHA512) {
     return "";
   }
 
   unsigned exp_length;
   unsigned exp_offset;
   // First we extract the public exponent.
   if (data[4] == 0) {
     if (dnskey.size() < 7)
       return "";
     exp_length = static_cast<unsigned>(data[5]) << 8 |
@@ skipping 108 matching lines @@
     out[j++] = exp >> (8 * i);
     length--;
   }
 
   DCHECK_EQ(0u, length);
 
   return std::string(reinterpret_cast<char*>(out.get()), j);
 }
 
 }  // namespace net