1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_BASE_DNSSEC_KEYSET_H_
6#define NET_BASE_DNSSEC_KEYSET_H_
7
8#include <string>
9#include <vector>
10
11#include "base/string_piece.h"
12
13namespace net {
14
// DNSSECKeySet wraps crypto/signature_verifier.h so that it can be driven
// directly with DNSSEC wire encodings (DNSKEY and RRSIG RDATA; see RFC 4034,
// "Resource Records for the DNS Security Extensions").
class DNSSECKeySet {
 public:
  DNSSECKeySet();
  ~DNSSECKeySet();

  // AddKey adds a key to the trusted set.
  //   dnskey: the RRDATA of a DNSKEY (RFC 4034, section 2.1).
  // NOTE(review): nothing in this interface authenticates the key before it
  // becomes trusted. The caller must already have established the key's
  // legitimacy (a configured trust anchor, or a DS record from a validated
  // parent zone) before calling AddKey; every key added here can satisfy a
  // later CheckSignature.
  bool AddKey(const base::StringPiece& dnskey);

  // CheckSignature checks the DNSSEC signature on a set of resource records
  // using the keys previously added with AddKey.
  //   name: the domain that the records are from
  //   zone: the signing zone (the RRSIG Signer's Name)
  //   signature: the RRSIG RDATA, not including the signing zone, which is
  //     supplied separately as |zone|.
  //   rrtype: the type of the resource records
  //   rrdatas: the RRDATA of the signed resource records, in canonical order
  //     (RFC 4034, section 6). Canonical form and ordering are part of the
  //     signed data, so records passed in another order produce a (correct)
  //     verification failure, never a false success.
  // Returns true only if the signature verifies. The RRSIG inception and
  // expiration times are presumably enforced here as well, unless
  // IgnoreTimestamps() has been called; confirm in the .cc.
  bool CheckSignature(const base::StringPiece& name,
                      const base::StringPiece& zone,
                      const base::StringPiece& signature,
                      uint16 rrtype,
                      const std::vector<base::StringPiece>& rrdatas);

  // DNSKEYToKeyID converts the RRDATA of a DNSKEY to its key id (the "key
  // tag" of RFC 4034, appendix B). The key tag is a 16-bit checksum, not a
  // unique identifier: distinct keys can share a tag, so a tag match only
  // selects candidate keys and never substitutes for signature verification.
  // NOTE(review): uint16 is not declared by any include visible in this
  // header; it presumably arrives transitively via base/string_piece.h.
  static uint16 DNSKEYToKeyID(const base::StringPiece& dnskey);

  // Used for testing: the timestamps on signatures will be ignored to allow
  // golden data to remain valid.
  // WARNING: this disables the RRSIG validity-period checks, so a signature
  // made with an expired (possibly compromised and since rolled) key would
  // still validate. Never call this outside of tests.
  void IgnoreTimestamps();

 private:
  // Verifies |signature| over |signed_data| with |public_key| under the
  // algorithm identified by |signature_algorithm|. NOTE(review): the expected
  // encodings of |signature_algorithm| and |public_key| (DNSSEC wire format
  // vs. ASN.1) are not visible from this header; see the .cc.
  bool VerifySignature(
      base::StringPiece signature_algorithm,
      base::StringPiece signature,
      base::StringPiece public_key,
      base::StringPiece signed_data);

  // Re-encodes a DNSKEY's RRDATA as ASN.1, presumably into the public-key
  // form that crypto/signature_verifier.h consumes; confirm in the .cc.
  std::string ASN1WrapDNSKEY(const base::StringPiece& dnskey);

  // When true, RRSIG validity timestamps are not enforced (see
  // IgnoreTimestamps()).
  bool ignore_timestamps_;
  // NOTE(review): keyids_ and public_keys_ appear to be parallel vectors
  // (keyids_[i] being the key tag of public_keys_[i]); confirm in the .cc.
  std::vector<uint16> keyids_;
  std::vector<std::string> public_keys_;
};
59
60}  // namespace net
61
62#endif  // NET_BASE_DNSSEC_KEYSET_H_
63