
Unified Diff: components/cast_certificate/cast_cert_validator.h

Issue 2050983002: Cast device revocation checking. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Bypass serial number range revocation check for serials > 64b Created 4 years, 6 months ago
Index: components/cast_certificate/cast_cert_validator.h
diff --git a/components/cast_certificate/cast_cert_validator.h b/components/cast_certificate/cast_cert_validator.h
index 1c335ae6530b446a86bf234d00ac39f5774a0c7f..824920f0cf40887f1099b1a7326e9cd8406bfdfc 100644
--- a/components/cast_certificate/cast_cert_validator.h
+++ b/components/cast_certificate/cast_cert_validator.h
@@ -16,6 +16,8 @@
namespace cast_certificate {
+class CastCRL;
+
// Describes the policy for a Device certificate.
enum class CastDeviceCertPolicy {
// The device certificate is unrestricted.
@@ -25,6 +27,13 @@ enum class CastDeviceCertPolicy {
AUDIO_ONLY,
};
+struct CRLOptions {
+ // If set to false, then revocation is only checked if a CRL is provided.
+ // If set to true, then revocation is always checked. An empty CRL results
+ // in failure.
+ bool crl_required = true;
+};
+
// An object of this type is returned by the VerifyDeviceCert function, and can
// be used for additional certificate-related operations, using the verified
// certificate.
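Review bot: The `crl_required` comment says "An empty CRL results in failure", which leaves it unclear whether "empty" means a null `CastCRL` pointer or a CRL object that lists no revocations; the same wording recurs in the |crl_options| paragraph of the VerifyDeviceCert comment in the next hunk. A caller reading it the second way could reject a valid CRL that simply has no entries, or expect a null pointer to pass. I would word it as `// If true, revocation is always checked and verification fails when no CRL is provided.` The comment should also say outright that `false` is the fail-open setting: per the first sentence, a revoked certificate still verifies whenever the caller has no CRL to pass.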
@@ -61,6 +70,14 @@ class CertVerificationContext {
// * |time| is the UTC time to use for determining if the certificate
// is expired.
//
+// * |crl| is the CRL to check for certificate revocation status.
+// If this is a nullptr, then revocation checking is currently disabled.
+//
+//
+// * |crl_options| is for choosing how to handle the absence of a CRL.
+// If crl_required is set to true, then an empty |crl| input would result
+// in a failed verification. Otherwise, |crl| is ignored if it is absent.
+//
// Outputs:
//
// Returns true on success, false on failure. On success the output
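Review bot: The |crl| paragraph states that a nullptr means revocation checking is disabled, but the |crl_options| paragraph right below says a missing CRL fails verification when `crl_required` is true, and `CRLOptions` defaults that field to true. Read on its own, the first sentence tells callers that passing nullptr is an accepted way to skip the check, which is the opposite of the default behaviour described by the second. I would make it conditional, e.g. `// If nullptr, verification fails unless |crl_options.crl_required| is false, in which case revocation is not checked.`, and drop the doubled blank `//` line after it. The comment block for VerifyDeviceCert begins above this hunk.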
@@ -74,7 +91,9 @@ class CertVerificationContext {
bool VerifyDeviceCert(const std::vector<std::string>& certs,
const base::Time::Exploded& time,
std::unique_ptr<CertVerificationContext>* context,
- CastDeviceCertPolicy* policy) WARN_UNUSED_RESULT;
+ CastDeviceCertPolicy* policy,
+ const CastCRL* crl,
+ CRLOptions crl_options) WARN_UNUSED_RESULT;
sheretov 2016/07/08 18:07:07 Why is structure being passed by value?
ryanchung 2016/07/08 22:49:29 Done.
// Exposed only for unit-tests, not for use in production code.
// Production code would get a context from VerifyDeviceCert().
@@ -89,9 +108,10 @@ std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
// Injects trusted root certificates into the CastTrustStore.
// |data| must remain valid and not be mutated throughout the lifetime of
// the program.
+// Any existing trust anchors are cleared.
// Warning: Using this function concurrently with VerifyDeviceCert()
// is not thread safe.
-bool AddTrustAnchorForTest(const uint8_t* data,
+bool SetTrustAnchorForTest(const uint8_t* data,
size_t length) WARN_UNUSED_RESULT;
} // namespace cast_certificate
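Review bot: The added line "Any existing trust anchors are cleared" does not say whether that covers the built-in production roots or only anchors installed by an earlier test call, and the first sentence still says "Injects", which reads as additive. Because this declaration sits in the same header as VerifyDeviceCert, the comment should state the resulting trust store exactly, for example `// Replaces the contents of the CastTrustStore with the certificates in |data|; anchors present before the call are removed.` If the built-in roots are removed as well, it would help to note that nothing visible in this hunk restores them for later verification in the same process.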
