Side by Side Diff: net/base/dnssec_chain_verifier.h

Issue 11184027: net: add DANE support for DNSSEC stapled certificates. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 2 months ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_BASE_DNSSEC_CHAIN_VERIFIER_H_ 5 #ifndef NET_BASE_DNSSEC_CHAIN_VERIFIER_H_
6 #define NET_BASE_DNSSEC_CHAIN_VERIFIER_H_ 6 #define NET_BASE_DNSSEC_CHAIN_VERIFIER_H_
7 7
8 #include <map> 8 #include <map>
9 #include <string> 9 #include <string>
10 #include <vector> 10 #include <vector>
71 bool ReadAheadKey(base::StringPiece*, uint8 entry_key); 71 bool ReadAheadKey(base::StringPiece*, uint8 entry_key);
72 bool ReadDNSKEYs(std::vector<base::StringPiece>*, bool is_root); 72 bool ReadDNSKEYs(std::vector<base::StringPiece>*, bool is_root);
73 bool DigestKey(base::StringPiece* digest, 73 bool DigestKey(base::StringPiece* digest,
74 const base::StringPiece& name, 74 const base::StringPiece& name,
75 const base::StringPiece& dnskey, 75 const base::StringPiece& dnskey,
76 uint8 digest_type, 76 uint8 digest_type,
77 uint16 keyid, 77 uint16 keyid,
78 uint8 algorithm); 78 uint8 algorithm);
79 79
80 Error EnterRoot(); 80 Error EnterRoot();
81 static bool IsValidTerminalRRType(uint16 rrtype);
81 Error EnterZone(const base::StringPiece& zone); 82 Error EnterZone(const base::StringPiece& zone);
82 Error LeaveZone(base::StringPiece* next_name); 83 Error LeaveZone(base::StringPiece* next_name);
83 Error ReadDSSet(std::vector<base::StringPiece>*, 84 Error ReadDSSet(std::vector<base::StringPiece>*,
84 const base::StringPiece& next_name); 85 const base::StringPiece& next_name);
85 Error ReadGenericRRs(std::vector<base::StringPiece>*); 86 Error ReadGenericRRs(std::vector<base::StringPiece>*);
86 Error ReadCNAME(std::vector<base::StringPiece>*); 87 Error ReadCNAME(std::vector<base::StringPiece>*);
87 88
88 Zone* current_zone_; 89 Zone* current_zone_;
89 std::string target_; 90 std::string target_;
90 base::StringPiece chain_; 91 base::StringPiece chain_;
91 bool ignore_timestamps_; 92 bool ignore_timestamps_;
92 bool valid_; 93 bool valid_;
93 // already_entered_zone_ is set to true when we unwind a Zone chain and start 94 // already_entered_zone_ is set to true when we unwind a Zone chain and start
94 // off from a point where we have already entered a zone. 95 // off from a point where we have already entered a zone.
95 bool already_entered_zone_; 96 bool already_entered_zone_;
96 uint16 rrtype_; 97 uint16 rrtype_;
97 std::vector<base::StringPiece> rrdatas_; 98 std::vector<base::StringPiece> rrdatas_;
98 // A list of pointers which need to be free()ed on destruction. 99 // A list of pointers which need to be free()ed on destruction.
99 std::vector<void*> scratch_pool_; 100 std::vector<void*> scratch_pool_;
100 }; 101 };
101 102
102 // DnsCAARecord encapsulates code and types for dealing with Certificate 103 // DnsCAARecord encapsulates code and types for dealing with Certificate
103 // Authority Authorization records. These are DNS records which can express 104 // Authority Authorization records. These are DNS records which can express
104 // limitations regarding acceptable certificates for a domain. See 105 // limitations regarding acceptable certificates for a domain. See
105 // http://tools.ietf.org/html/draft-hallambaker-donotissue-04 106 // http://tools.ietf.org/html/draft-hallambaker-donotissue-04
107 // TODO(agl): remove once DANE support has been released.
106 class NET_EXPORT_PRIVATE DnsCAARecord { 108 class NET_EXPORT_PRIVATE DnsCAARecord {
107 public: 109 public:
108 enum ParseResult { 110 enum ParseResult {
109 SUCCESS, // parse successful. 111 SUCCESS, // parse successful.
110 DISCARD, // no policies applying to this client were found. 112 DISCARD, // no policies applying to this client were found.
111 SYNTAX_ERROR, // the record was syntactically invalid. 113 SYNTAX_ERROR, // the record was syntactically invalid.
112 UNKNOWN_CRITICAL, // a critical record was not understood. 114 UNKNOWN_CRITICAL, // a critical record was not understood.
113 }; 115 };
114 116
115 // A CAAPolicy is the result of parsing a set of CAA records. It describes a 117 // A CAAPolicy is the result of parsing a set of CAA records. It describes a
137 139
138 std::vector<Hash> authorized_hashes; 140 std::vector<Hash> authorized_hashes;
139 }; 141 };
140 142
141 // Parse parses a series of DNS resource records and sets |output| to the 143 // Parse parses a series of DNS resource records and sets |output| to the
142 // result. 144 // result.
143 static ParseResult Parse(const std::vector<base::StringPiece>& rrdatas, 145 static ParseResult Parse(const std::vector<base::StringPiece>& rrdatas,
144 Policy* output); 146 Policy* output);
145 }; 147 };
146 148
149 class NET_EXPORT_PRIVATE DnsTLSARecord {
150 public:
151 // A Match is an authorized certificate or public key from the TLSA records.
152 struct NET_EXPORT_PRIVATE Match {
153 // A HashTarget identifies the object that we are hashing.
154 enum HashTarget {
155 CERTIFICATE,
156 SUBJECT_PUBLIC_KEY_INFO,
157 };
158
159 HashTarget target; // what do we hash?
160 // algorithm is an NSS HASH_HashType (i.e. HASH_AlgSHA1). But note that
161 // it can also be HASH_AlgNULL to indicate that |data| isn't hashed at
162 // all.
163 int algorithm;
164 std::string data; // digest, or raw data if |algorithm == HASH_AlgNULL|.
165 };
166
167 // Parse parses a series of TLSA resource records and sets |output| to the
168 // result. Unknown or invalid records are ignored, as are records with a
169 // usage other than "domain-issued certificate". See
Ryan Sleevi 2012/10/18 23:21:13 nit: mention the specific value (usage 3), since t
agl 2012/10/29 15:41:56 Done.
170 // https://tools.ietf.org/html/rfc6698#section-2.1.1.
171 static void Parse(const std::vector<base::StringPiece>& rrdatas,
Ryan Sleevi 2012/10/18 23:21:13 DESIGN: Usage types 0 - 2 are used to establish pi
172 std::vector<Match>* output);
173 };
174
147 } // namespace net 175 } // namespace net
148 176
149 #endif // NET_BASE_DNSSEC_CHAIN_VERIFIER_H_ 177 #endif // NET_BASE_DNSSEC_CHAIN_VERIFIER_H_
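Review bot: `DnsTLSARecord::Parse` (line 171 of the new side) returns `void` while the sibling `DnsCAARecord::Parse` directly above returns a `ParseResult`, and since the doc comment says unknown and invalid records are silently ignored, a caller handed an empty `output` cannot tell "no TLSA records for this name" from "TLSA records present but all malformed or unsupported" — a distinction a DANE policy decision (fail closed versus fall back to ordinary validation) presumably needs. Either a result enum mirroring `DnsCAARecord::ParseResult` or an explicit statement of the contract would close this; at minimum I would extend the comment with `// If no usable record is found, |output| is left empty and callers should not treat this as a match.` The newly declared private helper `IsValidTerminalRRType` (line 81 of the new side) has no comment at all; a one-liner such as `// Returns true if |rrtype| is an RR type accepted at the end of a chain — confirm against the .cc` would help, since its contract cannot be inferred from the header alone. Both `DnsTLSARecord` and the `DNSSECChainVerifier` member list are fully visible here; the verifier class's header and earlier members are outside this section.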