Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(79)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/base/dnssec_chain_verifier.h

Issue 11184027: net: add DANE support for DNSSEC stapled certificates. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/base/dns_util.h ('k') | net/base/dnssec_chain_verifier.cc » ('j') | net/base/dnssec_chain_verifier.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/base/dnssec_chain_verifier.h
diff --git a/net/base/dnssec_chain_verifier.h b/net/base/dnssec_chain_verifier.h
index 9fa80b8761ee7f63a954c04637aae0253b979fee..48d40bf64121701660a33a534689db792c6c83bd 100644
--- a/net/base/dnssec_chain_verifier.h
+++ b/net/base/dnssec_chain_verifier.h
@@ -78,6 +78,7 @@ class NET_EXPORT_PRIVATE DNSSECChainVerifier {
uint8 algorithm);
Error EnterRoot();
+ static bool IsValidTerminalRRType(uint16 rrtype);
Error EnterZone(const base::StringPiece& zone);
Error LeaveZone(base::StringPiece* next_name);
Error ReadDSSet(std::vector<base::StringPiece>*,
@@ -103,6 +104,7 @@ class NET_EXPORT_PRIVATE DNSSECChainVerifier {
// Authority Authorization records. These are DNS records which can express
// limitations regarding acceptable certificates for a domain. See
// http://tools.ietf.org/html/draft-hallambaker-donotissue-04
+// TODO(agl): remove once DANE support has been released.
class NET_EXPORT_PRIVATE DnsCAARecord {
public:
enum ParseResult {
@@ -144,6 +146,32 @@ class NET_EXPORT_PRIVATE DnsCAARecord {
Policy* output);
};
+class NET_EXPORT_PRIVATE DnsTLSARecord {
+ public:
+ // A Match is an authorized certificate or public key from the TLSA records.
+ struct NET_EXPORT_PRIVATE Match {
+ // A HashTarget identifies the object that we are hashing.
+ enum HashTarget {
+ CERTIFICATE,
+ SUBJECT_PUBLIC_KEY_INFO,
+ };
+
+ HashTarget target; // what do we hash?
+ // algorithm is an NSS HASH_HashType (i.e. HASH_AlgSHA1). But note that
+ // it can also be HASH_AlgNULL to indicate that |data| isn't hashed at
+ // all.
+ int algorithm;
+ std::string data; // digest, or raw data if |algorithm == HASH_AlgNULL|.
+ };
+
+ // Parse parses a series of TLSA resource records and sets |output| to the
+ // result. Unknown or invalid records are ignored, as are records with a
+ // usage other than "domain-issued certificate". See
Ryan Sleevi 2012/10/18 23:21:13 nit: mention the specific value (usage 3), since t
agl 2012/10/29 15:41:56 Done.
+ // https://tools.ietf.org/html/rfc6698#section-2.1.1.
+ static void Parse(const std::vector<base::StringPiece>& rrdatas,
Ryan Sleevi 2012/10/18 23:21:13 DESIGN: Usage types 0 - 2 are used to establish pi
+ std::vector<Match>* output);
+};
+
} // namespace net
#endif // NET_BASE_DNSSEC_CHAIN_VERIFIER_H_
« no previous file with comments | « net/base/dns_util.h ('k') | net/base/dnssec_chain_verifier.cc » ('j') | net/base/dnssec_chain_verifier.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698