net/base/x509_certificate.h - Issue 10857020: Do not perform online revocation checking when the user has explicitly disabled it, except for when…

Side by Side Diff: net/base/x509_certificate.h

Issue 10857020: Do not perform online revocation checking when the user has explicitly disabled it, except for when… (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Review feedback Created 8 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_BASE_X509_CERTIFICATE_H_	5 #ifndef NET_BASE_X509_CERTIFICATE_H_

6 #define NET_BASE_X509_CERTIFICATE_H_	6 #define NET_BASE_X509_CERTIFICATE_H_

7	7

8 #include <string.h>	8 #include <string.h>

9	9

10 #include <string>	10 #include <string>

(...skipping 71 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
82 kPublicKeyTypeECDH	82 kPublicKeyTypeECDH

83 };	83 };

84	84

85 // Predicate functor used in maps when X509Certificate is used as the key.	85 // Predicate functor used in maps when X509Certificate is used as the key.

86 class NET_EXPORT LessThan {	86 class NET_EXPORT LessThan {

87 public:	87 public:

88 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const;	88 bool operator() (X509Certificate* lhs, X509Certificate* rhs) const;

89 };	89 };

90	90

91 enum VerifyFlags {	91 enum VerifyFlags {

	92 // If set, enables online revocation checking via CRLs and OCSP for the

	93 // certificate chain.

92 VERIFY_REV_CHECKING_ENABLED = 1 << 0,	94 VERIFY_REV_CHECKING_ENABLED = 1 << 0,

	95

	96 // If set, and the certificate being verified may be an EV certificate,

	97 // attempt to verify the certificate according to the EV processing

	98 // guidelines. In order to successfully verify a certificate as EV,

	99 // either an online or offline revocation check must be successfully

	100 // completed. To ensure it's possible to complete a revocation check,

	101 // callers should also specify either VERIFY_REV_CHECKING_ENABLED or

	102 // VERIFY_REV_CHECKING_ENABLED_EV_ONLY (to enable online checks), and

	103 // VERIFY_CERT_IO_ENABLED (to enable network fetches for online checks).

93 VERIFY_EV_CERT = 1 << 1,	104 VERIFY_EV_CERT = 1 << 1,

	105

	106 // If set, permits NSS to use the network when verifying certificates,

	107 // such as to fetch missing intermediates or to check OCSP or CRLs.

	108 // TODO(rsleevi): http://crbug.com/143300 - Define this flag for all

	109 // verification engines with well-defined semantics, rather than being

	110 // NSS only.

94 VERIFY_CERT_IO_ENABLED = 1 << 2,	111 VERIFY_CERT_IO_ENABLED = 1 << 2,

	112

	113 // If set, enables online revocation checking via CRLs or OCSP, but only

	114 // for certificates which may be EV, and only when VERIFY_EV_CERT is also

	115 // set.

	116 VERIFY_REV_CHECKING_ENABLED_EV_ONLY = 1 << 3,
	wtc 2012/08/17 00:34:44 Nit: the fact that this flag is tacked on by CertV Nit: the fact that this flag is tacked on by CertVerifyProc::Verify() internally probably should be described. Perhaps this flag should be considered as an internal flag? Ryan Sleevi 2012/08/17 00:37:18 The intent is to make it not an internal-only flag Show quoted text On 2012/08/17 00:34:44, wtc wrote: > > Nit: the fact that this flag is tacked on by CertVerifyProc::Verify() > internally probably should be described. Perhaps > this flag should be considered as an internal flag? The intent is to make it not an internal-only flag; http://crbug.com/142974
95 };	117 };

96	118

97 enum Format {	119 enum Format {

98 // The data contains a single DER-encoded certificate, or a PEM-encoded	120 // The data contains a single DER-encoded certificate, or a PEM-encoded

99 // DER certificate with the PEM encoding block name of "CERTIFICATE".	121 // DER certificate with the PEM encoding block name of "CERTIFICATE".

100 // Any subsequent blocks will be ignored.	122 // Any subsequent blocks will be ignored.

101 FORMAT_SINGLE_CERTIFICATE = 1 << 0,	123 FORMAT_SINGLE_CERTIFICATE = 1 << 0,

102	124

103 // The data contains a sequence of one or more PEM-encoded, DER	125 // The data contains a sequence of one or more PEM-encoded, DER

104 // certificates, with the PEM encoding block name of "CERTIFICATE".	126 // certificates, with the PEM encoding block name of "CERTIFICATE".

(...skipping 412 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
517 // based on the type of the certificate.	539 // based on the type of the certificate.

518 std::string default_nickname_;	540 std::string default_nickname_;

519 #endif	541 #endif

520	542

521 DISALLOW_COPY_AND_ASSIGN(X509Certificate);	543 DISALLOW_COPY_AND_ASSIGN(X509Certificate);

522 };	544 };

523	545

524 } // namespace net	546 } // namespace net

525	547

526 #endif // NET_BASE_X509_CERTIFICATE_H_	548 #endif // NET_BASE_X509_CERTIFICATE_H_

OLD	NEW

« no previous file with comments | « net/base/ev_root_ca_metadata_unittest.cc ('k') | net/base/x509_util_mac.h » ('j') | no next file with comments »