Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(416)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/crl_set.h

Issue 13006020: net: extract net/cert out of net/base (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: rebase Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/base/cert_verify_result.cc ('k') | net/base/crl_set.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef NET_BASE_CRL_SET_H_
6 #define NET_BASE_CRL_SET_H_
7
8 #include <map>
9 #include <string>
10 #include <utility>
11 #include <vector>
12
13 #include "base/memory/ref_counted.h"
14 #include "base/string_piece.h"
15 #include "net/base/net_export.h"
16
17 namespace base {
18 class DictionaryValue;
19 }
20
21 namespace net {
22
23 // A CRLSet is a structure that lists the serial numbers of revoked
24 // certificates from a number of issuers where issuers are identified by the
25 // SHA256 of their SubjectPublicKeyInfo.
26 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
27 public:
28 enum Result {
29 REVOKED, // the certificate should be rejected.
30 UNKNOWN, // the CRL for the certificate is not included in the set.
31 GOOD, // the certificate is not listed.
32 };
33
34 // Parse parses the bytes in |data| and, on success, puts a new CRLSet in
35 // |out_crl_set| and returns true.
36 static bool Parse(base::StringPiece data,
37 scoped_refptr<CRLSet>* out_crl_set);
38
39 // CheckSPKI checks whether the given SPKI has been listed as blocked.
40 // spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate.
41 Result CheckSPKI(const base::StringPiece& spki_hash) const;
42
43 // CheckSerial returns the information contained in the set for a given
44 // certificate:
45 // serial_number: the serial number of the certificate
46 // issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL
47 // signer
48 Result CheckSerial(
49 const base::StringPiece& serial_number,
50 const base::StringPiece& issuer_spki_hash) const;
51
52 // IsExpired returns true iff the current time is past the NotAfter time
53 // specified in the CRLSet.
54 bool IsExpired() const;
55
56 // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of
57 // updating the current CRL set with the delta information in |delta_bytes|.
58 bool ApplyDelta(const base::StringPiece& delta_bytes,
59 scoped_refptr<CRLSet>* out_crl_set);
60
61 // GetIsDeltaUpdate extracts the header from |bytes|, sets *is_delta to
62 // whether |bytes| is a delta CRL set or not and returns true. In the event
63 // of a parse error, it returns false.
64 static bool GetIsDeltaUpdate(const base::StringPiece& bytes, bool *is_delta);
65
66 // Serialize returns a string of bytes suitable for passing to Parse. Parsing
67 // and serializing a CRLSet is a lossless operation - the resulting bytes
68 // will be equal.
69 std::string Serialize() const;
70
71 // sequence returns the sequence number of this CRL set. CRL sets generated
72 // by the same source are given strictly monotonically increasing sequence
73 // numbers.
74 uint32 sequence() const;
75
76 // CRLList contains a list of (issuer SPKI hash, revoked serial numbers)
77 // pairs.
78 typedef std::vector< std::pair<std::string, std::vector<std::string> > >
79 CRLList;
80
81 // crls returns the internal state of this CRLSet. It should only be used in
82 // testing.
83 const CRLList& crls() const;
84
85 // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests.
86 static CRLSet* EmptyCRLSetForTesting();
87
88 // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests.
89 static CRLSet* ExpiredCRLSetForTesting();
90
91 private:
92 CRLSet();
93 ~CRLSet();
94
95 friend class base::RefCountedThreadSafe<CRLSet>;
96
97 // CopyBlockedSPKIsFromHeader sets |blocked_spkis_| to the list of values
98 // from "BlockedSPKIs" in |header_dict|.
99 bool CopyBlockedSPKIsFromHeader(base::DictionaryValue* header_dict);
100
101 uint32 sequence_;
102 CRLList crls_;
103 // not_after_ contains the time, in UNIX epoch seconds, after which the
104 // CRLSet should be considered stale, or 0 if no such time was given.
105 uint64 not_after_;
106 // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_|
107 // where the information for that issuer can be found. We have both |crls_|
108 // and |crls_index_by_issuer_| because, when applying a delta update, we need
109 // to identify a CRL by index.
110 std::map<std::string, size_t> crls_index_by_issuer_;
111 // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked
112 // no matter where in a certificate chain they might appear.
113 std::vector<std::string> blocked_spkis_;
114 };
115
116 } // namespace net
117
118 #endif // NET_BASE_CRL_SET_H_
OLDNEW
« no previous file with comments | « net/base/cert_verify_result.cc ('k') | net/base/crl_set.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698