1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_BASE_DNSSEC_KEYSET_H_
6 #define NET_BASE_DNSSEC_KEYSET_H_
11 #include "base/string_piece.h"
12 #include "net/base/net_export.h"
16 // DNSSECKeySet function wraps crypto/signature_verifier.h to accept
17 // DNSSEC encodings. (See RFC 4043)
18 class NET_EXPORT_PRIVATE DNSSECKeySet
{
23 // AddKey adds a key to the trusted set.
24 // dnskey: the RRDATA of a DNSKEY.
25 bool AddKey(const base::StringPiece
& dnskey
);
27 // CheckSignature checks the DNSSEC signature on set of resource records.
28 // name: the domain that the records are from
29 // zone: the signing zone
30 // signature: the RRSIG signature, not include the signing zone.
31 // rrtype: the type of the resource records
32 // rrdatas: the RRDATA of the signed resource records, in canonical order.
33 bool CheckSignature(const base::StringPiece
& name
,
34 const base::StringPiece
& zone
,
35 const base::StringPiece
& signature
,
37 const std::vector
<base::StringPiece
>& rrdatas
);
39 // DNSKEYToKeyID converts the RRDATA of a DNSKEY to its key id. See RFC 4043,
41 static uint16
DNSKEYToKeyID(const base::StringPiece
& dnskey
);
43 // Used for testing: the timestamps on signatures will be ignored to allow
44 // golden data to remain valid.
45 void IgnoreTimestamps();
49 base::StringPiece signature_algorithm
,
50 base::StringPiece signature
,
51 base::StringPiece public_key
,
52 base::StringPiece signed_data
);
54 std::string
ASN1WrapDNSKEY(const base::StringPiece
& dnskey
);
56 bool ignore_timestamps_
;
57 std::vector
<uint16
> keyids_
;
58 std::vector
<std::string
> public_keys_
;
63 #endif // NET_BASE_DNSSEC_KEYSET_H_