net: support SHA512 hashes in DNSSEC chains.

net/base/dnssec_keyset.cc

Index: net/base/dnssec_keyset.cc
diff --git a/net/base/dnssec_keyset.cc b/net/base/dnssec_keyset.cc
index 9d81f9dd3c189ec624afedcb0697fcbdfd1266a0..fbb8da97ab6d590f180f4a4e8f0f01372f63fcb8 100644
--- a/net/base/dnssec_keyset.cc
+++ b/net/base/dnssec_keyset.cc
@@ -25,6 +25,10 @@ const unsigned char kRSAWithSHA256[] = {
   0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xb, 5, 0
 };
 
+const unsigned char kRSAWithSHA512[] = {

[Ryan Sleevi, 2012/04/13 19:35:43]

nit: It'd be nice to list the OID to save a little spec hunting, since I always
forget where they're defined. These are the RFC 4055 OIDs, right?

{ id-pkcs-1 13 }
1.2.840.113549.1.1.13

[agl, 2012/04/17 15:16:36]

Done.

+  0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xd, 5, 0

[Ryan Sleevi, 2012/04/13 19:35:43]

nit: 0x5 0x0 ?

[agl, 2012/04/17 15:16:36]

Done.

+};
+
 }  // namespace
 
 namespace net {
@@ -143,6 +147,10 @@ bool DNSSECKeySet::CheckSignature(
     signature_algorithm = base::StringPiece(
         reinterpret_cast<const char*>(kRSAWithSHA256),
         sizeof(kRSAWithSHA256));
+  } else if (algorithm == kDNSSEC_RSA_SHA512) {
+    signature_algorithm = base::StringPiece(
+        reinterpret_cast<const char*>(kRSAWithSHA512),
+        sizeof(kRSAWithSHA512));

[Ryan Sleevi, 2012/04/13 19:35:43]

minor nit: arraysize (here and 145/149)

[agl, 2012/04/17 15:16:36]

I really do want the number of bytes here.

   } else {
     // Unknown algorithm.
     return false;
@@ -330,7 +338,8 @@ std::string DNSSECKeySet::ASN1WrapDNSKEY(const base::StringPiece& dnskey) {
   const uint8 algorithm = data[3];
   if (algorithm != kDNSSEC_RSA_SHA1 &&
       algorithm != kDNSSEC_RSA_SHA1_NSEC3 &&
-      algorithm != kDNSSEC_RSA_SHA256) {
+      algorithm != kDNSSEC_RSA_SHA256 &&
+      algorithm != kDNSSEC_RSA_SHA512) {
     return "";
   }