Cast device revocation checking.

components/cast_certificate/cast_crl.h

Index: components/cast_certificate/cast_crl.h
diff --git a/components/cast_certificate/cast_crl.h b/components/cast_certificate/cast_crl.h
new file mode 100644
index 0000000000000000000000000000000000000000..d7cd02d979fe7597c0fd3ca58fe7992f7d12b8e0
--- /dev/null
+++ b/components/cast_certificate/cast_crl.h
@@ -0,0 +1,72 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_CAST_CERTIFICATE_CAST_CRL_H_
+#define COMPONENTS_CAST_CERTIFICATE_CAST_CRL_H_
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "base/compiler_specific.h"
+#include "base/memory/ref_counted.h"
+#include "base/time/time.h"
+
+namespace net {
+class ParsedCertificate;
+}  // namespace net
+
+namespace cast_certificate {
+
+// This class represents the CRL information parsed from the binary proto.
+class CastCRL {
+ public:
+  virtual ~CastCRL(){};
+
+  // Verifies the revocation status of a cast device certificate given a chain
+  // of DER-encoded certificates.
+  //
+  // Inputs:
+  // * |certs| is the verified chain of DER-encoded certificates:
+  //   * |certs[0]| is the target certificate (i.e. the device certificate)
+  //   * |certs[i]| is the certificate that issued certs[i-1]
+  //   * |certs.back()| must be trusted anchor.
+  //
+  // * |time| is the UTC time to use for determining if the certificate
+  //   is revoked.
+  virtual bool CheckRevocation(
+      const std::vector<scoped_refptr<net::ParsedCertificate>>& certs,
+      const base::Time::Exploded& time) const = 0;
+};
+
+// Parse and verify the CRL used to verify the revocation status of
+// Cast device certificates.
+//
+// Inputs:
+// * |crl_proto| is the byte representation of the Cast CRL proto.

[sheretov, 2016/07/08 18:07:07]

How about: "is a serialized cast.CrlBundle proto.

[ryanchung, 2016/07/08 22:49:29]

Done.

+// * |time| is the UTC time to use for determining if the CRL is valid.
+// Output:
+// Returns the CRL object if success, nullptr otherwise.
+std::unique_ptr<CastCRL> ParseAndVerifyCRL(const std::string& crl_proto,
+                                           const base::Time::Exploded& time);
+
+// Exposed only for testing, not for use in production code.
+//
+// Injects trusted root certificates into the CastCRLTrustStore.
+// |data| must remain valid and not be mutated throughout the lifetime of
+// the program.
+// Any existing trust anchors are cleared.
+// Warning: Using this function concurrently with CheckRevocation()
+//          is not thread safe.
+bool SetCRLTrustAnchorForTest(const uint8_t* data,
+                              size_t length) WARN_UNUSED_RESULT;
+
+// Exposed only for testing, not for use in production code.
+//
+// Clears trusted root certificates from CastCRLTrustStore
+void ClearCRLTrustAnchorForTest();
+
+}  // namespace cast_certificate
+
+#endif  // COMPONENTS_CAST_CERTIFICATE_CAST_CRL_H_