OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_CRL_SET_H_ | 5 #ifndef NET_BASE_CRL_SET_H_ |
6 #define NET_BASE_CRL_SET_H_ | 6 #define NET_BASE_CRL_SET_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <map> | 9 #include <map> |
10 #include <string> | 10 #include <string> |
11 #include <utility> | 11 #include <utility> |
12 #include <vector> | 12 #include <vector> |
13 | 13 |
14 #include "base/memory/ref_counted.h" | 14 #include "base/memory/ref_counted.h" |
15 #include "base/memory/scoped_ptr.h" | 15 #include "base/memory/scoped_ptr.h" |
16 #include "base/string_piece.h" | 16 #include "base/string_piece.h" |
17 #include "base/time.h" | 17 #include "base/time.h" |
18 #include "net/base/net_export.h" | 18 #include "net/base/net_export.h" |
19 | 19 |
20 namespace base { | |
21 class DictionaryValue; | |
22 } | |
23 | |
20 namespace net { | 24 namespace net { |
21 | 25 |
22 // A CRLSet is a structure that lists the serial numbers of revoked | 26 // A CRLSet is a structure that lists the serial numbers of revoked |
23 // certificates from a number of issuers where issuers are identified by the | 27 // certificates from a number of issuers where issuers are identified by the |
24 // SHA256 of their SubjectPublicKeyInfo. | 28 // SHA256 of their SubjectPublicKeyInfo. |
25 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { | 29 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { |
26 public: | 30 public: |
27 enum Result { | 31 enum Result { |
28 REVOKED, // the certificate should be rejected. | 32 REVOKED, // the certificate should be rejected. |
29 UNKNOWN, // the CRL for the certificate is not included in the set. | 33 UNKNOWN, // the CRL for the certificate is not included in the set. |
30 GOOD, // the certificate is not listed. | 34 GOOD, // the certificate is not listed. |
31 }; | 35 }; |
32 | 36 |
33 ~CRLSet(); | 37 ~CRLSet(); |
34 | 38 |
35 // Parse parses the bytes in |data| and, on success, puts a new CRLSet in | 39 // Parse parses the bytes in |data| and, on success, puts a new CRLSet in |
36 // |out_crl_set| and returns true. | 40 // |out_crl_set| and returns true. |
37 static bool Parse(base::StringPiece data, | 41 static bool Parse(base::StringPiece data, |
38 scoped_refptr<CRLSet>* out_crl_set); | 42 scoped_refptr<CRLSet>* out_crl_set); |
39 | 43 |
40 // CheckCertificate returns the information contained in the set for a given | 44 // CheckCertificate returns the information contained in the set for a given |
41 // certificate: | 45 // certificate: |
46 // spki_hash: the SHA256 of the SubjectPublicKeyInfo | |
wtc
2012/01/10 00:50:59
Nit: add "of the certificate".
agl
2012/01/10 16:15:29
Done.
| |
42 // serial_number: the serial number of the certificate | 47 // serial_number: the serial number of the certificate |
43 // issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL | 48 // issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL |
wtc
2012/01/10 00:50:59
You should describe what happens if issuer_spki_ha
agl
2012/01/10 16:15:29
(Have split the function to hopefully make it clea
| |
44 // signer | 49 // signer |
45 Result CheckCertificate( | 50 Result CheckCertificate( |
51 const base::StringPiece& spki_hash, | |
46 const base::StringPiece& serial_number, | 52 const base::StringPiece& serial_number, |
47 const base::StringPiece& issuer_spki_hash) const; | 53 const base::StringPiece& issuer_spki_hash) const; |
48 | 54 |
49 // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of | 55 // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of |
50 // updating the current CRL set with the delta information in |delta_bytes|. | 56 // updating the current CRL set with the delta information in |delta_bytes|. |
51 bool ApplyDelta(const base::StringPiece& delta_bytes, | 57 bool ApplyDelta(const base::StringPiece& delta_bytes, |
52 scoped_refptr<CRLSet>* out_crl_set); | 58 scoped_refptr<CRLSet>* out_crl_set); |
53 | 59 |
54 // GetIsDeltaUpdate extracts the header from |bytes|, sets *is_delta to | 60 // GetIsDeltaUpdate extracts the header from |bytes|, sets *is_delta to |
55 // whether |bytes| is a delta CRL set or not and returns true. In the event | 61 // whether |bytes| is a delta CRL set or not and returns true. In the event |
(...skipping 15 matching lines...) Expand all Loading... | |
71 typedef std::vector< std::pair<std::string, std::vector<std::string> > > | 77 typedef std::vector< std::pair<std::string, std::vector<std::string> > > |
72 CRLList; | 78 CRLList; |
73 | 79 |
74 // crls returns the internal state of this CRLSet. It should only be used in | 80 // crls returns the internal state of this CRLSet. It should only be used in |
75 // testing. | 81 // testing. |
76 const CRLList& crls() const; | 82 const CRLList& crls() const; |
77 | 83 |
78 private: | 84 private: |
79 CRLSet(); | 85 CRLSet(); |
80 | 86 |
81 static CRLSet* CRLSetFromHeader(base::StringPiece header); | 87 bool CopyBlockedSPKIsFromHeader(base::DictionaryValue* header_dict); |
wtc
2012/01/10 00:50:59
Nit: perhaps call these "revoked SPKIs" rather tha
agl
2012/01/10 16:15:29
(See other comment for why I want to stick with "b
| |
82 | 88 |
83 uint32 sequence_; | 89 uint32 sequence_; |
84 CRLList crls_; | 90 CRLList crls_; |
85 // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_| | 91 // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_| |
86 // where the information for that issuer can be found. We have both |crls_| | 92 // where the information for that issuer can be found. We have both |crls_| |
87 // and |crls_index_by_issuer_| because, when applying a delta update, we need | 93 // and |crls_index_by_issuer_| because, when applying a delta update, we need |
88 // to identify a CRL by index. | 94 // to identify a CRL by index. |
89 std::map<std::string, size_t> crls_index_by_issuer_; | 95 std::map<std::string, size_t> crls_index_by_issuer_; |
96 // blocked_spkis_ contains the SHA256 hash of SPKIs which are to be blocked no | |
wtc
2012/01/10 00:50:59
Nit: hash => hashes ?
agl
2012/01/10 16:15:29
On 2012/01/10 00:50:59, wtc wrote:
>
> Nit: hash
| |
97 // matter where in a certificate chain they might appear. | |
98 std::vector<std::string> blocked_spkis_; | |
90 }; | 99 }; |
91 | 100 |
92 } // namespace net | 101 } // namespace net |
93 | 102 |
94 #endif // NET_BASE_CRL_SET_H_ | 103 #endif // NET_BASE_CRL_SET_H_ |
OLD | NEW |