authordgrogan@chromium.org <dgrogan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-03-20 20:43:12 +0000
committerdgrogan@chromium.org <dgrogan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-03-20 20:43:12 +0000
commit3db41215d4528adfe590e02b3f7907adec4d9e4b (patch)
tree1e79dbf6f5c364ac0648dfe9b01e0422020b9a80 /net/base/crl_set.h
parent40caa4c2b0101f6c0fb88db9dd82bfdb2ad8f11b (diff)
Revert 127757 - net: fallback to online revocation checks for EV status when CRLSet has expired.
After this change our CRLSet logic is: * If we have a fresh CRLSet then we don't do online revocation checks unless the user has configured them. (It can be configured either via the settings UI, or with the EnableOnlineRevocationChecks policy option.) * If we don't have a CRLSet, or if it has expired, and we're trying EV verification, then we require a positive online revocation check in order to show the EV badge. An invalid revocation check reply will prevent the EV badge, but not hard-fail the whole verification. BUG=none TEST=net_unittests Review URL: https://chromiumcodereview.appspot.com/9699043 TBR=agl@chromium.org Review URL: https://chromiumcodereview.appspot.com/9783001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@127773 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/crl_set.h')
-rw-r--r--net/base/crl_set.h16
1 files changed, 6 insertions, 10 deletions
diff --git a/net/base/crl_set.h b/net/base/crl_set.h
index b75e11a..04d7203 100644
--- a/net/base/crl_set.h
+++ b/net/base/crl_set.h
@@ -32,6 +32,7 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
REVOKED, // the certificate should be rejected.
UNKNOWN, // the CRL for the certificate is not included in the set.
GOOD, // the certificate is not listed.
+ CRL_SET_EXPIRED, // the CRLSet has expired.
};
~CRLSet();
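Review bot: The comment on the added `CRL_SET_EXPIRED` value in the `Result` enum says only that the set has expired, not what a caller should conclude about the certificate. An expired set carries no usable revocation verdict, so a caller that compares the result only against `REVOKED` would accept a certificate on stale data. If the intended handling is the same as for a missing CRL, I would say so in the comment, e.g. `CRL_SET_EXPIRED,  // the CRLSet has expired; no verdict is available, treat like UNKNOWN.` Which functions can return this value is not visible here, and the class body continues outside the hunk.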
@@ -54,10 +55,6 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
const base::StringPiece& serial_number,
const base::StringPiece& issuer_spki_hash) const;
- // IsExpired returns true iff the current time is past the NotAfter time
- // specified in the CRLSet.
- bool IsExpired() const;
-
// ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of
// updating the current CRL set with the delta information in |delta_bytes|.
bool ApplyDelta(const base::StringPiece& delta_bytes,
@@ -87,12 +84,6 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
// testing.
const CRLList& crls() const;
- // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests.
- static CRLSet* EmptyCRLSetForTesting();
-
- // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests.
- static CRLSet* ExpiredCRLSetForTesting();
-
private:
CRLSet();
@@ -100,6 +91,11 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
// from "BlockedSPKIs" in |header_dict|.
bool CopyBlockedSPKIsFromHeader(base::DictionaryValue* header_dict);
+ // CheckSerialIsRevoked is a helper function for |CheckSerial|.
+ Result CheckSerialIsRevoked(
+ const base::StringPiece& serial_number,
+ const base::StringPiece& issuer_spki_hash) const;
+
uint32 sequence_;
CRLList crls_;
// not_after_ contains the time, in UNIX epoch seconds, after which the
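Review bot: The comment on the new private `CheckSerialIsRevoked` names its caller but not its contract. It returns the same `Result` type as `CheckSerial`, so the comment should state which values it can yield and whether the expiry test is done here or in `CheckSerial`; otherwise a later in-class caller could use the helper directly and bypass the expiry handling. If it matches the implementation, which this header does not show, something like `// CheckSerialIsRevoked looks up |serial_number| for |issuer_spki_hash| without checking whether the set has expired; use |CheckSerial| instead.` would do. The class body continues outside the hunk.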