net: add DANE support for DNSSEC stapled certificates.

net/base/dnssec_chain_verifier.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/dnssec_chain_verifier.h"
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/sha1.h"
 #include "base/string_util.h"
@@ skipping 525 matching lines @@
   // Add all the keys as trusted.
   for (unsigned i = 0; i < dnskeys.size(); i++) {
     if (i == entry_key)
       continue;
     current_zone_->trusted_keys.AddKey(dnskeys[i]);
   }
 
   return OK;
 }
 
+// IsValidTerminalRRType returns true if the given RR type is one that we
+// accept as the terminal record in a DNSSEC chain.
+bool DNSSECChainVerifier::IsValidTerminalRRType(uint16 rrtype) {
+  switch (rrtype) {
+  case kDNS_CAA:
+  case kDNS_CERT:
+  case kDNS_TLSA:
+  case kDNS_TXT:
+    return true;
+  }
+
+  return false;
+}
+
 // LeaveZone transitions out of the current zone, either by following DS
 // records to validate the entry key of the next zone, or because the final
 // resource records are given.
 DNSSECChainVerifier::Error DNSSECChainVerifier::LeaveZone(
     base::StringPiece* next_name) {
   base::StringPiece sig;
   uint16 rrtype;
   Error err;
 
   if (!ReadName(next_name) ||
       !U16(&rrtype) ||
       !VariableLength16(&sig)) {
     return BAD_DATA;
   }
 
   std::vector<base::StringPiece> rrdatas;
 
   if (rrtype == kDNS_DS) {
     err = ReadDSSet(&rrdatas, *next_name);
-  } else if (rrtype == kDNS_CERT || rrtype == kDNS_TXT || rrtype == kDNS_CAA) {
+  } else if (IsValidTerminalRRType(rrtype)) {
     err = ReadGenericRRs(&rrdatas);
   } else if (rrtype == kDNS_CNAME) {
     err = ReadCNAME(&rrdatas);
   } else {
     return UNKNOWN_TERMINAL_RRTYPE;
   }
   if (err != OK)
     return err;
 
   if (!current_zone_->trusted_keys.CheckSignature(
       *next_name, current_zone_->name, sig, rrtype, rrdatas)) {
     return BAD_SIGNATURE;
   }
 
   if (rrtype == kDNS_DS) {
     // If we are transitioning to another zone then the next zone must be
     // 'closer' to the target than the current zone.
     if (MatchingLabels(target_, *next_name) <= current_zone_->matching_labels)
       return OFF_COURSE;
-  } else if (rrtype == kDNS_CERT || rrtype == kDNS_TXT || rrtype == kDNS_CAA) {
+  } else if (IsValidTerminalRRType(rrtype)) {
     // If this is the final entry in the chain then the name must match target_
     if (next_name->size() != target_.size() ||
         memcmp(next_name->data(), target_.data(), target_.size())) {
       return BAD_TARGET;
     }
     rrdatas_ = rrdatas;
     valid_ = true;
     rrtype_ = rrtype;
   } else if (rrtype == kDNS_CNAME) {
     // A CNAME must match the current target. Then we update the current target
@@ skipping 141 matching lines @@
 
 struct CAAHashFunctionOID {
   uint8 length;
   uint8 bytes[12];
   int value;
 };
 
 // The values here are taken from NSS's freebl/hasht.h. Sadly, we cannot
 // include it because it pulls in #defines that conflict with Chromium headers.
 // However, these values are part of NSS's public API and so are stable.
+static const int kHashNone = 0;
 static const int kHashSHA256 = 4;
 static const int kHashSHA384 = 5;
 static const int kHashSHA512 = 6;
 
 // kCAAHashFunctions maps from the DER encoding of hash function OIDs to NSS's
 // hash function enumeration.
 static CAAHashFunctionOID kCAAHashFunctions[] = {
   { 11, "\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01", kHashSHA256 },
   { 11, "\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02", kHashSHA384 },
   { 11, "\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03", kHashSHA512 },
@@ skipping 152 matching lines @@
       return UNKNOWN_CRITICAL;
     }
   }
 
   if (output->authorized_hashes.empty())
     return DISCARD;
 
   return SUCCESS;
 }
 
+void DnsTLSARecord::Parse(
+    const std::vector<base::StringPiece>& rrdatas,
+    std::vector<DnsTLSARecord::Match>* output) {
+  // see https://tools.ietf.org/html/rfc6698#section-2.1
+  output->clear();
+
+  for (std::vector<base::StringPiece>::const_iterator
+       ii = rrdatas.begin(); ii != rrdatas.end(); ++ii) {
+    base::StringPiece i = *ii;
+
+    if (i.size() < 3)
+      continue;
+
+    const uint8 cert_usage = i[0];
+    const uint8 selector = i[1];
+    const uint8 match_type = i[2];
+    i.remove_prefix(3);
+
+    if (cert_usage != 3) {
+      // Type 3 is a "domain issued certificate" - i.e. a certificate (or
+      // public key) which is granted authority by the TLSA record.
+      continue;
+    }
+
+    Match match;
+
+    switch (selector) {
+    case 0:
+      match.target = Match::CERTIFICATE;
+      break;
+    case 1:
+      match.target = Match::SUBJECT_PUBLIC_KEY_INFO;
+      break;
+    default:
+      continue;
+    }

[Ryan Sleevi, 2012/10/18 23:21:13]

style nit: indent 'case' to two spaces, inner blocks to four spaces,
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Loops_...

same below

[agl, 2012/10/29 15:41:56]

Done.

+
+    switch (match_type) {
+    case 0:
+      match.algorithm = kHashNone;
+      break;
+    case 1:
+      match.algorithm = kHashSHA256;
+      break;
+    case 2:
+      match.algorithm = kHashSHA512;
+      break;
+    default:
+      continue;
+    }
+
+    if (match.algorithm != kHashNone &&
+        i.size() != DigestLength(match.algorithm)) {
+      continue;
+    }
+
+    match.data = i.as_string();
+    output->push_back(match);
+  }
+}
+
 }  // namespace net