1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_DNSSEC_CHAIN_VERIFIER_H_ | 5 #ifndef NET_BASE_DNSSEC_CHAIN_VERIFIER_H_ |
6 #define NET_BASE_DNSSEC_CHAIN_VERIFIER_H_ | 6 #define NET_BASE_DNSSEC_CHAIN_VERIFIER_H_ |
7 | 7 |
8 #include <map> | 8 #include <map> |
9 #include <string> | 9 #include <string> |
10 #include <vector> | 10 #include <vector> |
71 bool ReadAheadKey(base::StringPiece*, uint8 entry_key); | 71 bool ReadAheadKey(base::StringPiece*, uint8 entry_key); |
72 bool ReadDNSKEYs(std::vector<base::StringPiece>*, bool is_root); | 72 bool ReadDNSKEYs(std::vector<base::StringPiece>*, bool is_root); |
73 bool DigestKey(base::StringPiece* digest, | 73 bool DigestKey(base::StringPiece* digest, |
74 const base::StringPiece& name, | 74 const base::StringPiece& name, |
75 const base::StringPiece& dnskey, | 75 const base::StringPiece& dnskey, |
76 uint8 digest_type, | 76 uint8 digest_type, |
77 uint16 keyid, | 77 uint16 keyid, |
78 uint8 algorithm); | 78 uint8 algorithm); |
79 | 79 |
80 Error EnterRoot(); | 80 Error EnterRoot(); |
81 static bool IsValidTerminalRRType(uint16 rrtype); | |
81 Error EnterZone(const base::StringPiece& zone); | 82 Error EnterZone(const base::StringPiece& zone); |
82 Error LeaveZone(base::StringPiece* next_name); | 83 Error LeaveZone(base::StringPiece* next_name); |
83 Error ReadDSSet(std::vector<base::StringPiece>*, | 84 Error ReadDSSet(std::vector<base::StringPiece>*, |
84 const base::StringPiece& next_name); | 85 const base::StringPiece& next_name); |
85 Error ReadGenericRRs(std::vector<base::StringPiece>*); | 86 Error ReadGenericRRs(std::vector<base::StringPiece>*); |
86 Error ReadCNAME(std::vector<base::StringPiece>*); | 87 Error ReadCNAME(std::vector<base::StringPiece>*); |
87 | 88 |
88 Zone* current_zone_; | 89 Zone* current_zone_; |
89 std::string target_; | 90 std::string target_; |
90 base::StringPiece chain_; | 91 base::StringPiece chain_; |
91 bool ignore_timestamps_; | 92 bool ignore_timestamps_; |
92 bool valid_; | 93 bool valid_; |
93 // already_entered_zone_ is set to true when we unwind a Zone chain and start | 94 // already_entered_zone_ is set to true when we unwind a Zone chain and start |
94 // off from a point where we have already entered a zone. | 95 // off from a point where we have already entered a zone. |
95 bool already_entered_zone_; | 96 bool already_entered_zone_; |
96 uint16 rrtype_; | 97 uint16 rrtype_; |
97 std::vector<base::StringPiece> rrdatas_; | 98 std::vector<base::StringPiece> rrdatas_; |
98 // A list of pointers which need to be free()ed on destruction. | 99 // A list of pointers which need to be free()ed on destruction. |
99 std::vector<void*> scratch_pool_; | 100 std::vector<void*> scratch_pool_; |
100 }; | 101 }; |
101 | 102 |
102 // DnsCAARecord encapsulates code and types for dealing with Certificate | 103 // DnsCAARecord encapsulates code and types for dealing with Certificate |
103 // Authority Authorization records. These are DNS records which can express | 104 // Authority Authorization records. These are DNS records which can express |
104 // limitations regarding acceptable certificates for a domain. See | 105 // limitations regarding acceptable certificates for a domain. See |
105 // http://tools.ietf.org/html/draft-hallambaker-donotissue-04 | 106 // http://tools.ietf.org/html/draft-hallambaker-donotissue-04 |
107 // TODO(agl): remove once DANE support has been released. | |
106 class NET_EXPORT_PRIVATE DnsCAARecord { | 108 class NET_EXPORT_PRIVATE DnsCAARecord { |
107 public: | 109 public: |
108 enum ParseResult { | 110 enum ParseResult { |
109 SUCCESS, // parse successful. | 111 SUCCESS, // parse successful. |
110 DISCARD, // no policies applying to this client were found. | 112 DISCARD, // no policies applying to this client were found. |
111 SYNTAX_ERROR, // the record was syntactically invalid. | 113 SYNTAX_ERROR, // the record was syntactically invalid. |
112 UNKNOWN_CRITICAL, // a critical record was not understood. | 114 UNKNOWN_CRITICAL, // a critical record was not understood. |
113 }; | 115 }; |
114 | 116 |
115 // A CAAPolicy is the result of parsing a set of CAA records. It describes a | 117 // A CAAPolicy is the result of parsing a set of CAA records. It describes a |
137 | 139 |
138 std::vector<Hash> authorized_hashes; | 140 std::vector<Hash> authorized_hashes; |
139 }; | 141 }; |
140 | 142 |
141 // Parse parses a series of DNS resource records and sets |output| to the | 143 // Parse parses a series of DNS resource records and sets |output| to the |
142 // result. | 144 // result. |
143 static ParseResult Parse(const std::vector<base::StringPiece>& rrdatas, | 145 static ParseResult Parse(const std::vector<base::StringPiece>& rrdatas, |
144 Policy* output); | 146 Policy* output); |
145 }; | 147 }; |
146 | 148 |
149 class NET_EXPORT_PRIVATE DnsTLSARecord { | |
150 public: | |
151 // A Match is an authorized certificate or public key from the TLSA records. | |
152 struct NET_EXPORT_PRIVATE Match { | |
153 // A HashTarget identifies the object that we are hashing. | |
154 enum HashTarget { | |
155 CERTIFICATE, | |
156 SUBJECT_PUBLIC_KEY_INFO, | |
157 }; | |
158 | |
159 HashTarget target; // what do we hash? | |
160 // algorithm is an NSS HASH_HashType (i.e. HASH_AlgSHA1). But note that | |
161 // it can also be HASH_AlgNULL to indicate that |data| isn't hashed at | |
162 // all. | |
163 int algorithm; | |
164 std::string data; // digest, or raw data if |algorithm == HASH_AlgNULL|. | |
165 }; | |
166 | |
167 // Parse parses a series of TLSA resource records and sets |output| to the | |
168 // result. Unknown or invalid records are ignored, as are records with a | |
169 // usage other than "domain-issued certificate". See | |
Ryan Sleevi
2012/10/18 23:21:13
nit: mention the specific value (usage 3), since t
agl
2012/10/29 15:41:56
Done.
| |
170 // https://tools.ietf.org/html/rfc6698#section-2.1.1. | |
171 static void Parse(const std::vector<base::StringPiece>& rrdatas, | |
Ryan Sleevi
2012/10/18 23:21:13
DESIGN: Usage types 0 - 2 are used to establish pi
| |
172 std::vector<Match>* output); | |
173 }; | |
174 | |
147 } // namespace net | 175 } // namespace net |
148 | 176 |
149 #endif // NET_BASE_DNSSEC_CHAIN_VERIFIER_H_ | 177 #endif // NET_BASE_DNSSEC_CHAIN_VERIFIER_H_ |
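Review bot: `DnsTLSARecord::Parse` (new lines 171-172) returns void and, by its own comment, silently drops unknown and invalid records, so a caller handed an empty `output` cannot distinguish an absent TLSA RRset from one in which every record was malformed or unsupported; the sibling `DnsCAARecord::Parse` in the same header surfaces exactly that distinction through `ParseResult` (`SYNTAX_ERROR`, `UNKNOWN_CRITICAL`). As I recall, RFC 6698 §4.1 treats "no usable records" as its own condition rather than as "no records", so the caller will likely need that signal before deciding whether to fall back to ordinary PKIX validation. If changing the signature is out of scope for this CL, the contract should at least be stated on the declaration, e.g. `// An empty |output| can mean either that no TLSA records were present or that none were usable; callers must not treat it as "no policy".` The new class also lacks the one-paragraph header comment its neighbour `DnsCAARecord` has; something like `// DnsTLSARecord parses DANE TLSA records (RFC 6698) into the certificate or SPKI matches a TLS client may accept.` above line 149 would make the `Match::algorithm` / `HASH_AlgNULL` convention easier to find. The `DNSSECChainVerifier` class containing `IsValidTerminalRRType` (new line 81) begins outside this view, so I have not reviewed that addition.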