Cast device revocation checking.

components/cast_certificate/cast_cert_validator.h

Index: components/cast_certificate/cast_cert_validator.h
diff --git a/components/cast_certificate/cast_cert_validator.h b/components/cast_certificate/cast_cert_validator.h
index 23378cb684c65bd84371f04bfb2b26e7419796db..ab94e6df69333fe04a0ec4ac7c5d6a9ffabcb692 100644
--- a/components/cast_certificate/cast_cert_validator.h
+++ b/components/cast_certificate/cast_cert_validator.h
@@ -16,6 +16,8 @@
 
 namespace cast_certificate {
 
+class CastCRL;
+
 // Describes the policy for a Device certificate.
 enum class CastDeviceCertPolicy {
   // The device certificate is unrestricted.
@@ -25,6 +27,14 @@ enum class CastDeviceCertPolicy {
   AUDIO_ONLY,
 };
 
+enum class CRLPolicy {
+  // Revocation is only checked if a CRL is provided.
+  CRL_OPTIONAL,
+
+  // Revocation is always checked. A missing CRL results in failure.
+  CRL_REQUIRED,
+};
+
 // An object of this type is returned by the VerifyDeviceCert function, and can
 // be used for additional certificate-related operations, using the verified
 // certificate.
@@ -61,6 +71,13 @@ class CertVerificationContext {
 // * |time| is the UTC time to use for determining if the certificate

[eroman, 2016/07/19 01:54:59]

"UTC time" is no longer meaningful given it is a base::Time

[ryanchung, 2016/07/19 21:29:53]

Done.

 //   is expired.
 //
+// * |crl| is the CRL to check for certificate revocation status.
+//   If this is a nullptr, then revocation checking is currently disabled.
+//
+// * |crl_options| is for choosing how to handle the absence of a CRL.
+//   If crl_required is set to true, then an empty |crl| input would result
+//   in a failed verification. Otherwise, |crl| is ignored if it is absent.
+//
 // Outputs:
 //
 // Returns true on success, false on failure. On success the output
@@ -72,9 +89,11 @@ class CertVerificationContext {
 //   * |policy| is filled with an indication of the device certificate's policy
 //     (i.e. is it for audio-only devices or is it unrestricted?)
 bool VerifyDeviceCert(const std::vector<std::string>& certs,
-                      const base::Time::Exploded& time,
+                      const base::Time& time,
                       std::unique_ptr<CertVerificationContext>* context,
-                      CastDeviceCertPolicy* policy) WARN_UNUSED_RESULT;
+                      CastDeviceCertPolicy* policy,
+                      const CastCRL* crl,
+                      CRLPolicy crl_policy) WARN_UNUSED_RESULT;
 
 // Exposed only for unit-tests, not for use in production code.
 // Production code would get a context from VerifyDeviceCert().
@@ -86,13 +105,9 @@ std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
 
 // Exposed only for testing, not for use in production code.
 //
-// Injects trusted root certificates into the CastTrustStore.
-// |data| must remain valid and not be mutated throughout the lifetime of
-// the program.
-// Warning: Using this function concurrently with VerifyDeviceCert()
-//          is not thread safe.
-bool AddTrustAnchorForTest(const uint8_t* data,
-                           size_t length) WARN_UNUSED_RESULT;
+// Replaces trusted root certificates in the CastTrustStore.
+// Returns true if successful, false if nothing is changed.
+bool SetTrustAnchorForTest(const std::string& cert) WARN_UNUSED_RESULT;
 
 }  // namespace cast_certificate