
Unified Diff: components/cast_certificate/cast_cert_validator.cc

Issue 2050983002: Cast device revocation checking. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Added test suite runner. Updated some tests. Created 4 years, 6 months ago
Index: components/cast_certificate/cast_cert_validator.cc
diff --git a/components/cast_certificate/cast_cert_validator.cc b/components/cast_certificate/cast_cert_validator.cc
index 6a81c84d562b56aa48c2fcbcc3e7d9e1e312578b..820596778ce16f8b1874744da32edbfad18fd0cf 100644
--- a/components/cast_certificate/cast_cert_validator.cc
+++ b/components/cast_certificate/cast_cert_validator.cc
@@ -13,6 +13,7 @@
#include "base/memory/ptr_util.h"
#include "base/memory/singleton.h"
+#include "components/cast_certificate/cast_crl.h"
#include "net/cert/internal/certificate_policies.h"
#include "net/cert/internal/extended_key_usage.h"
#include "net/cert/internal/parse_certificate.h"
@@ -280,7 +281,9 @@ net::ParseCertificateOptions GetCertParsingOptions() {
bool VerifyDeviceCert(const std::vector<std::string>& certs,
const base::Time::Exploded& time,
std::unique_ptr<CertVerificationContext>* context,
- CastDeviceCertPolicy* policy) {
+ CastDeviceCertPolicy* policy,
+ const CastCRL* crl,
+ CRLOptions crl_options) {
// The underlying verification function expects a sequence of
// ParsedCertificate.
std::vector<scoped_refptr<net::ParsedCertificate>> input_chain;
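Review bot: The new `const CastCRL* crl` parameter is nullable and its null case changes the security outcome, but nothing at the signature says so. Going by the logic added further down in this function, a null `crl` is accepted whenever `crl_options.crl_required` is false, so a caller that passes `nullptr` with default options silently gets no revocation checking. I would add a comment above the definition (and on the declaration in the header, which is not shown here) such as `// |crl| may be null; the chain is then accepted only if |crl_options.crl_required| is false.` The body of VerifyDeviceCert continues outside this hunk.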
@@ -304,15 +307,26 @@ bool VerifyDeviceCert(const std::vector<std::string>& certs,
// Do RFC 5280 compatible certificate verification using the two Cast
// trust anchors and Cast signature policy.
+ std::vector<scoped_refptr<net::ParsedCertificate>> trusted_chain;
if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(),
signature_policy.get(),
- ConvertExplodedTime(time), nullptr)) {
+ ConvertExplodedTime(time), &trusted_chain)) {
return false;
}
// Check properties of the leaf certificate (key usage, policy), and construct
// a CertVerificationContext that uses its public key.
- return CheckTargetCertificate(input_chain[0].get(), context, policy);
+ if (!CheckTargetCertificate(input_chain[0].get(), context, policy))
+ return false;
+
+ // Check if a CRL is available.
+ if (!crl) {
+ if (crl_options.crl_required) {
+ return false;
+ }
+ return true;
+ }
+ return crl->CheckRevocation(trusted_chain, time);
}
std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
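Review bot: The revocation decision runs after `CheckTargetCertificate(input_chain[0].get(), context, policy)`, so when `crl->CheckRevocation(trusted_chain, time)` fails, or a required CRL is missing, the function returns false with `*context` and `*policy` apparently already filled in from the leaf certificate. A caller that keeps using the out-parameters after a failed call would hold a verification context built on a key that was just rejected. Deciding revocation first and making `CheckTargetCertificate` the last step leaves the out-parameters untouched on every revocation failure. The path with no CRL and `crl_required` unset still accepts the chain, and a comment should say that this is deliberate. The start of VerifyDeviceCert lies outside this hunk.

```cpp
  // … unchanged: VerifyCertificateChain call that fills trusted_chain …

  // Decide revocation before touching the out-parameters.
  if (!crl) {
    // No CRL available: accept only when the caller did not require one.
    if (crl_options.crl_required)
      return false;
  } else if (!crl->CheckRevocation(trusted_chain, time)) {
    return false;
  }

  // Check properties of the leaf certificate (key usage, policy), and construct
  // a CertVerificationContext that uses its public key.
  return CheckTargetCertificate(input_chain[0].get(), context, policy);
```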
