diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-03-20 20:04:01 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-03-20 20:04:01 +0000 |
| commit | 05454a435deac9bce39960ea21e218ebde7d17b5 (patch) | |
| tree | 45960c1d2bec94ee1b9b3ec54d9467ba7e1f4b1a /net/base/crl_set.h | |
| parent | 86cd1df6450f0838b670fdff392dd0d8401fc5ae (diff) | |
| download | chromium_src-05454a435deac9bce39960ea21e218ebde7d17b5.zip chromium_src-05454a435deac9bce39960ea21e218ebde7d17b5.tar.gz chromium_src-05454a435deac9bce39960ea21e218ebde7d17b5.tar.bz2 | |
net: fallback to online revocation checks for EV status when CRLSet has expired.
After this change our CRLSet logic is:
* If we have a fresh CRLSet then we don't do online revocation checks unless the
user has configured them. (It can be configured either via the settings UI,
or with the EnableOnlineRevocationChecks policy option.)
* If we don't have a CRLSet, or if it has expired, and we're trying EV verification,
then we require a positive online revocation check in order to show the EV badge.
An invalid revocation check reply will prevent the EV badge, but not hard-fail
the whole verification.
BUG=none
TEST=net_unittests
Review URL: https://chromiumcodereview.appspot.com/9699043
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@127757 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/crl_set.h')
| -rw-r--r-- | net/base/crl_set.h | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/net/base/crl_set.h b/net/base/crl_set.h index 04d7203..b75e11a 100644 --- a/net/base/crl_set.h +++ b/net/base/crl_set.h @@ -32,7 +32,6 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { REVOKED, // the certificate should be rejected. UNKNOWN, // the CRL for the certificate is not included in the set. GOOD, // the certificate is not listed. - CRL_SET_EXPIRED, // the CRLSet has expired. }; ~CRLSet(); @@ -55,6 +54,10 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { const base::StringPiece& serial_number, const base::StringPiece& issuer_spki_hash) const; + // IsExpired returns true iff the current time is past the NotAfter time + // specified in the CRLSet. + bool IsExpired() const; + // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of // updating the current CRL set with the delta information in |delta_bytes|. bool ApplyDelta(const base::StringPiece& delta_bytes, @@ -84,6 +87,12 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { // testing. const CRLList& crls() const; + // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests. + static CRLSet* EmptyCRLSetForTesting(); + + // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests. + static CRLSet* ExpiredCRLSetForTesting(); + private: CRLSet(); @@ -91,11 +100,6 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { // from "BlockedSPKIs" in |header_dict|. bool CopyBlockedSPKIsFromHeader(base::DictionaryValue* header_dict); - // CheckSerialIsRevoked is a helper function for |CheckSerial|. - Result CheckSerialIsRevoked( - const base::StringPiece& serial_number, - const base::StringPiece& issuer_spki_hash) const; - uint32 sequence_; CRLList crls_; // not_after_ contains the time, in UNIX epoch seconds, after which the |