net: enable CRL sets behind a command line flag.

net/base/cert_verifier.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_CERT_VERIFIER_H_
 #define NET_BASE_CERT_VERIFIER_H_
 #pragma once
 
 #include <map>
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/threading/non_thread_safe.h"
 #include "base/time.h"
 #include "net/base/cert_database.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/completion_callback.h"
 #include "net/base/net_export.h"
 #include "net/base/x509_cert_types.h"
 
 namespace net {
 
 class BoundNetLog;
 class CertVerifierJob;
 class CertVerifierWorker;
+class CRLSet;
 class X509Certificate;
 
 // CachedCertVerifyResult contains the result of a certificate verification.
 struct CachedCertVerifyResult {
   CachedCertVerifyResult();
   ~CachedCertVerifyResult();
 
   // Returns true if |current_time| is greater than or equal to |expiry|.
   bool HasExpired(base::Time current_time) const;
 
@@ skipping 48 matching lines @@
   //
   // |flags| is bitwise OR'd of X509Certificate::VerifyFlags.
   // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, certificate revocation
   // checking is performed.
   //
   // If VERIFY_EV_CERT is set in |flags| too, EV certificate verification is
   // performed.  If |flags| is VERIFY_EV_CERT (that is,
   // VERIFY_REV_CHECKING_ENABLED is not set), EV certificate verification will
   // not be performed.
   //
+  // |crl_set| points to an optional CRLSet structure which can be used to
+  // avoid revocation checks over the network.
+  //
   // |callback| must not be null.  ERR_IO_PENDING is returned if the operation
   // could not be completed synchronously, in which case the result code will
   // be passed to the callback when available.
   //
   // If |out_req| is non-NULL, then |*out_req| will be filled with a handle to
   // the async request. This handle is not valid after the request has
   // completed.
   int Verify(X509Certificate* cert,
              const std::string& hostname,
              int flags,
+             CRLSet* crl_set,
              CertVerifyResult* verify_result,
              const CompletionCallback& callback,
              RequestHandle* out_req,
              const BoundNetLog& net_log);
 
   // Cancels the specified request. |req| is the handle returned by Verify().
   // After a request is canceled, its completion callback will not be called.
   void CancelRequest(RequestHandle req);
 
   // Clears the verification result cache.
@@ skipping 80 matching lines @@
   // If a completion callback is pending when the verifier is destroyed, the
   // certificate verification is canceled, and the completion callback will
   // not be called.
   ~SingleRequestCertVerifier();
 
   // Verifies the given certificate, filling out the |verify_result| object
   // upon success. See CertVerifier::Verify() for details.
   int Verify(X509Certificate* cert,
              const std::string& hostname,
              int flags,
+             CRLSet* crl_set,
              CertVerifyResult* verify_result,
              const CompletionCallback& callback,
              const BoundNetLog& net_log);
 
  private:
   // Callback for when the request to |cert_verifier_| completes, so we
   // dispatch to the user's callback.
   void OnVerifyCompletion(int result);
 
   // The actual certificate verifier that will handle the request.
   CertVerifier* const cert_verifier_;
 
   // The current request (if any).
   CertVerifier::RequestHandle cur_request_;
   CompletionCallback cur_request_callback_;
 
   DISALLOW_COPY_AND_ASSIGN(SingleRequestCertVerifier);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_CERT_VERIFIER_H_