Unified Diff: net/base/dnssec_chain_verifier.h

Issue 11184027: net: add DANE support for DNSSEC stapled certificates. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Syncing with trunk in order to land. Created 8 years, 1 month ago
Index: net/base/dnssec_chain_verifier.h
diff --git a/net/base/dnssec_chain_verifier.h b/net/base/dnssec_chain_verifier.h
index 9fa80b8761ee7f63a954c04637aae0253b979fee..f5a066bd9077a9e97f74f477a40038b37b17dd2f 100644
--- a/net/base/dnssec_chain_verifier.h
+++ b/net/base/dnssec_chain_verifier.h
@@ -78,6 +78,7 @@ class NET_EXPORT_PRIVATE DNSSECChainVerifier {
uint8 algorithm);
Error EnterRoot();
+ static bool IsValidTerminalRRType(uint16 rrtype);
Error EnterZone(const base::StringPiece& zone);
Error LeaveZone(base::StringPiece* next_name);
Error ReadDSSet(std::vector<base::StringPiece>*,
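Review bot: The new `IsValidTerminalRRType` declaration is the only member in this hunk without a comment, and the name alone does not say which rrtypes the chain is allowed to end on or why an invalid one matters to the verifier. A one-line comment next to the declaration would do, e.g. `// IsValidTerminalRRType returns true if |rrtype| may appear as the final record set of a DNSSEC chain (see the .cc for the accepted set).` The exact set of accepted types is not visible here, so the comment should point at the definition rather than list them. The enclosing DNSSECChainVerifier class starts and ends outside the hunk.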
@@ -103,6 +104,7 @@ class NET_EXPORT_PRIVATE DNSSECChainVerifier {
// Authority Authorization records. These are DNS records which can express
// limitations regarding acceptable certificates for a domain. See
// http://tools.ietf.org/html/draft-hallambaker-donotissue-04
+// TODO(agl): remove once DANE support has been released.
class NET_EXPORT_PRIVATE DnsCAARecord {
public:
enum ParseResult {
@@ -144,6 +146,32 @@ class NET_EXPORT_PRIVATE DnsCAARecord {
Policy* output);
};
+class NET_EXPORT_PRIVATE DnsTLSARecord {
+ public:
+ // A Match is an authorized certificate or public key from the TLSA records.
+ struct NET_EXPORT_PRIVATE Match {
+ // A HashTarget identifies the object that we are hashing.
+ enum HashTarget {
+ CERTIFICATE,
+ SUBJECT_PUBLIC_KEY_INFO,
+ };
+
+ HashTarget target; // what do we hash?
+ // algorithm is an NSS HASH_HashType (i.e. HASH_AlgSHA1). But note that
+ // it can also be HASH_AlgNULL to indicate that |data| isn't hashed at
+ // all.
+ int algorithm;
+ std::string data; // digest, or raw data if |algorithm == HASH_AlgNULL|.
+ };
+
+ // Parse parses a series of TLSA resource records and sets |output| to the
+ // result. Unknown or invalid records are ignored, as are records with a
+ // usage other than "domain-issued certificate" (type 3). See
+ // https://tools.ietf.org/html/rfc6698#section-2.1.1.
+ static void Parse(const std::vector<base::StringPiece>& rrdatas,
+ std::vector<Match>* output);
+};
+
} // namespace net
#endif // NET_BASE_DNSSEC_CHAIN_VERIFIER_H_
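Review bot: The `Parse` comment says it "sets |output| to the result" but does not state whether `output` is cleared first or appended to, nor what an empty result means to the caller — a header whose records were all unknown, invalid, or of a non-type-3 usage produces the same empty vector as a response with no TLSA records at all, and a caller that treats "empty" as "no constraint" would silently lose the DANE restriction. I would extend the comment with `// |output| is cleared before parsing; an empty |output| after the call means no usable type-3 records were present and callers should not treat that as an unconstrained match.` (adjusting the first clause to whatever the .cc actually does). The `int algorithm` member that carries an NSS `HASH_HashType` value would also read more safely with a note that `HASH_AlgNULL` selects a raw, full-length comparison of `data`, so that nobody compares only a prefix.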