author | Thiago Macieira <thiago.macieira@intel.com> | 2024-04-17 11:09:58 -0700 |
committer | Thiago Macieira <thiago.macieira@intel.com> | 2024-05-08 21:13:47 -0700 |
commit | 4503dabfbd11c084c2781a679c9af12d5fb8f763 (patch) | |
tree | 276b12b705d46ad6c9b3343cae16eeca0e5eed78 /src/network/kernel/qdnslookup.cpp | |
parent | 503fd609881fb220ac5abe7da2fe367efd90ed4b (diff) |
QDnsLookup: add support for TLSA records
[ChangeLog][QtNetwork][QDnsLookup] Added support for querying records of
type TLSA, which are useful in DNS-based Authentication of Named
Entities (DANE).
Change-Id: I455fe22ef4ad4b2f9b01fffd17c723aa6ab7f278
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src/network/kernel/qdnslookup.cpp')
-rw-r--r-- | src/network/kernel/qdnslookup.cpp | 234 |
1 files changed, 234 insertions, 0 deletions
diff --git a/src/network/kernel/qdnslookup.cpp b/src/network/kernel/qdnslookup.cpp index a3ebbe04db..1b4db7130b 100644 --- a/src/network/kernel/qdnslookup.cpp +++ b/src/network/kernel/qdnslookup.cpp @@ -257,6 +257,8 @@ static void qt_qdnsservicerecord_sort(QList<QDnsServiceRecord> &records) \value SRV service records. + \value[since 6.8] TLSA TLS association records. + \value TXT text records. */ @@ -704,6 +706,21 @@ QList<QDnsTextRecord> QDnsLookup::textRecords() const return d_func()->reply.textRecords; } +/*! + \since 6.8 + Returns the list of TLS association records associated with this lookup. + + According to the standards relating to DNS-based Authentication of Named + Entities (DANE), this field should be ignored and must not be used for + verifying the authentity of a given server if the authenticity of the DNS + reply cannot itself be confirmed. See isAuthenticData() for more + information. + */ +QList<QDnsTlsAssociationRecord> QDnsLookup::tlsAssociationRecords() const +{ + return d_func()->reply.tlsAssociationRecords; +} + #if QT_CONFIG(ssl) /*! \since 6.8 
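Review bot: The qdoc comment added above tlsAssociationRecords() misspells "authenticity" as "authentity" in the sentence beginning "verifying the authentity of a given server"; it should read `verifying the authenticity of a given server if the authenticity of the DNS`. This sentence is the one place the getter states that TLSA data is only meaningful when the DNS reply itself is authenticated, so it should read cleanly. A `\sa isAuthenticData()` line after the paragraph would also make that cross-reference a navigable link in the generated documentation instead of a mention in prose only.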
@@ -1261,6 +1278,223 @@ QDnsTextRecord &QDnsTextRecord::operator=(const QDnsTextRecord &other) very fast and never fails. */ +/*! + \class QDnsTlsAssociationRecord + \since 6.8 + \brief The QDnsTlsAssociationRecord class stores information about a DNS TLSA record. + + \inmodule QtNetwork + \ingroup network + \ingroup shared + + When performing a text lookup, zero or more records will be returned. Each + record is represented by a QDnsTlsAssociationRecord instance. + + The meaning of the fields is defined in \l{RFC 6698}. + + \sa QDnsLookup +*/ + +QT_DEFINE_QSDP_SPECIALIZATION_DTOR(QDnsTlsAssociationRecordPrivate) + +/*! + \enum QDnsTlsAssociationRecord::CertificateUsage + + This enumeration contains valid values for the certificate usage field of + TLS Association queries. The following list is up-to-date with \l{RFC 6698} + section 2.1.1 and RFC 7218 section 2.1. Please refer to those documents for + authoritative instructions on interpreting this enumeration. + + \value CertificateAuthorityConstrait + Indicates the record includes an association to a specific Certificate + Authority that must be found in the TLS server's certificate chain and + must pass PKIX validation. + + \value ServiceCertificateConstraint + Indicates the record includes an association to a certificate that must + match the end entity certificate provided by the TLS server and must + pass PKIX validation. + + \value TrustAnchorAssertion + Indicates the record includes an association to a certificate that MUST + be used as the ultimate trust anchor to validate the TLS server's + certificate and must pass PKIX validation. + + \value DomainIssuedCertificate + Indicates the record includes an association to a certificate that must + match the end entity certificate provided by the TLS server. PKIX + validation is not tested. + + \value PrivateUse + No standard meaning applied. 
+ + \value PKIX_TA + Alias; mnemonic for Public Key Infrastructure Trust Anchor + + \value PKIX_EE + Alias; mnemonic for Public Key Infrastructure End Entity + + \value DANE_TA + Alias; mnemonic for DNS-based Authentication of Named Entities Trust Anchor + + \value DANE_EE + Alias; mnemonic for DNS-based Authentication of Named Entities End Entity + + \value PrivCert + Alias + + Other values are currently reserved, but may be unreserved by future + standards. This enumeration can be used for those values even if no + enumerator is provided. + + \sa certificateUsage() +*/ + +/*! + \enum QDnsTlsAssociationRecord::Selector + + This enumeration contains valid values for the selector field of TLS + Association queries. The following list is up-to-date with \l{RFC 6698} + section 2.1.2 and RFC 7218 section 2.2. Please refer to those documents for + authoritative instructions on interpreting this enumeration. + + \value FullCertificate + Indicates this record refers to the full certificate in its binary + structure form. + + \value SubjectPublicKeyInfo + Indicates the record refers to the certificate's subject and public + key information, in DER-encoded binary structure form. + + \value PrivateUse + No standard meaning applied. + + \value Cert + Alias + + \value SPKI + Alias + + \value PrivSel + Alias + + Other values are currently reserved, but may be unreserved by future + standards. This enumeration can be used for those values even if no + enumerator is provided. + + \sa selector() +*/ + +/*! + \enum QDnsTlsAssociationRecord::MatchingType + + This enumeration contains valid values for the matching type field of TLS + Association queries. The following list is up-to-date with \l{RFC 6698} + section 2.1.3 and RFC 7218 section 2.3. Please refer to those documents for + authoritative instructions on interpreting this enumeration. + + \value Exact + Indicates this the certificate or SPKI data is stored verbatim in this + record. 
+ + \value Sha256 + Indicates this a SHA-256 checksum of the the certificate or SPKI data + present in this record. + + \value Sha512 + Indicates this a SHA-512 checksum of the the certificate or SPKI data + present in this record. + + \value PrivateUse + No standard meaning applied. + + \value PrivMatch + Alias + + Other values are currently reserved, but may be unreserved by future + standards. This enumeration can be used for those values even if no + enumerator is provided. + + \sa matchingType() +*/ + +/*! + Constructs an empty TLS Association record. + */ +QDnsTlsAssociationRecord::QDnsTlsAssociationRecord() + : d(new QDnsTlsAssociationRecordPrivate) +{ +} + +/*! + Constructs a copy of \a other. + */ +QDnsTlsAssociationRecord::QDnsTlsAssociationRecord(const QDnsTlsAssociationRecord &other) = default; + +/*! + Moves the content of \a other into this object. + */ +QDnsTlsAssociationRecord & +QDnsTlsAssociationRecord::operator=(const QDnsTlsAssociationRecord &other) = default; + +/*! + Destroys this TLS Association record object. + */ +QDnsTlsAssociationRecord::~QDnsTlsAssociationRecord() = default; + +/*! + Returns the name of this record. +*/ +QString QDnsTlsAssociationRecord::name() const +{ + return d->name; +} + +/*! + Returns the duration in seconds for which this record is valid. +*/ +quint32 QDnsTlsAssociationRecord::timeToLive() const +{ + return d->timeToLive; +} + +/*! + Returns the certificate usage field for this record. + */ +QDnsTlsAssociationRecord::CertificateUsage QDnsTlsAssociationRecord::usage() const +{ + return d->usage; +} + +/*! + Returns the selector field for this record. + */ +QDnsTlsAssociationRecord::Selector QDnsTlsAssociationRecord::selector() const +{ + return d->selector; +} + +/*! + Returns the match type field for this record. + */ +QDnsTlsAssociationRecord::MatchingType QDnsTlsAssociationRecord::matchType() const +{ + return d->matchType; +} + +/*! + Returns the binary data field for this record. 
The interpretation of this + binary data depends on the three numeric fields provided by + certificateUsage(), selector(), and matchType(). + + Do note this is a binary field, even for the checksums, similar to what + QCyrptographicHash::result() returns. + */ +QByteArray QDnsTlsAssociationRecord::value() const +{ + return d->value; +} + static QDnsLookupRunnable::EncodedLabel encodeLabel(const QString &label) { QDnsLookupRunnable::EncodedLabel::value_type rootDomain = u'.'; |
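Review bot: Several cross-references in the new qdoc blocks point at accessors this hunk does not define: the CertificateUsage docs end with `\sa certificateUsage()` and the value() docs cite `certificateUsage()`, while the MatchingType docs end with `\sa matchingType()`, yet the accessors actually added are usage(), selector() and matchType(); either the accessor names or the references need to agree, otherwise qdoc will warn about unresolved links and readers will look for functions that do not exist. The comment on the defaulted copy-assignment operator says "Moves the content of \a other into this object", but the operator takes a const reference and copies, so something like `Assigns \a other to this object and returns a reference to this object.` describes what it does. The class description says "When performing a text lookup", which looks copied from QDnsTextRecord and should say a TLSA lookup; the same block also has "Indicates this the certificate", "this a SHA-256 checksum of the the certificate" (repeated for SHA-512) and "QCyrptographicHash::result()". The enumerator documented as `\value CertificateAuthorityConstrait` reads like a typo for "Constraint"; if the header declares it with the same spelling it becomes public API in 6.8, so it is worth confirming before release. Finally, since the RFC 6698 caveat about unauthenticated DNS replies lives only on the QDnsLookup getter, the class block could repeat it as `\note TLSA records should not be used for verification unless QDnsLookup::isAuthenticData() returns true.`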