authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-22 14:49:44 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-22 14:49:44 +0000
commit01c381848a722f192f7c3d955f6ce9b200f89dd7 (patch)
treeb6e42ea0086109759678d834590df455d10b5824 /net/base/crl_set.h
parentb294c7df91cff2e349b05fa6374f82ee89a9b50c (diff)
net: change from CRL filters to CRL sets.
CRL filters are probabilistic data structures. However, it doesn't appear that they are going to work given the size and number of CRLs in the world and the uptime of OCSP servers. CRL sets are not probabilistic and simply contain a compressed representation of a number of CRLs. BUG=none TEST=net_unittests Review URL: http://codereview.chromium.org/7461088 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97640 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/crl_set.h')
-rw-r--r--net/base/crl_set.h97
1 files changed, 97 insertions, 0 deletions
diff --git a/net/base/crl_set.h b/net/base/crl_set.h
new file mode 100644
index 0000000..99a39c6
--- /dev/null
+++ b/net/base/crl_set.h
@@ -0,0 +1,97 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_CRL_SET_H_
+#define NET_BASE_CRL_SET_H_
+#pragma once
+
+#include <map>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/string_piece.h"
+#include "base/time.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// A CRLSet is a structure that lists the serial numbers of revoked
+// certificates from a number of issuers where issuers are identified by the
+// SHA256 of their SubjectPublicKeyInfo.
+class NET_EXPORT_PRIVATE CRLSet : public base::RefCounted<CRLSet> {
+ public:
+ enum Result {
+ REVOKED, // the certificate should be rejected.
+ UNKNOWN, // there was an error in processing.
+ GOOD, // the certificate is not listed.
+ };
+
+ ~CRLSet();
+
+ // Parse parses the bytes in |data| and, on success, puts a new CRLSet in
+ // |out_crl_set| and returns true.
+ static bool Parse(base::StringPiece data,
+ scoped_refptr<CRLSet>* out_crl_set);
+
+ // CheckCertificate returns the information contained in the set for a given
+ // certificate:
+ // serial_number: the serial number of the certificate
+ // issuer_spki_hash: the SubjectPublicKeyInfo of the CRL signer
+ //
+ // This does not check that the CRLSet is timely. See |next_update|.
+ Result CheckCertificate(
+ const base::StringPiece& serial_number,
+ const base::StringPiece& issuer_spki_hash) const;
+
+ // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of
+ // updating the current CRL set with the delta information in |delta_bytes|.
+ bool ApplyDelta(base::StringPiece delta_bytes,
+ scoped_refptr<CRLSet>* out_crl_set);
+
+ // next_update returns the time at which a new CRLSet may be availible.
+ base::Time next_update() const;
+
+ // update_window returns the number of seconds in the update window. Once the
+ // |next_update| time has occured, the client should schedule a fetch,
+ // uniformly at random, within |update_window|. This aims to smooth the load
+ // on the server.
+ base::TimeDelta update_window() const;
+
+ // sequence returns the sequence number of this CRL set. CRL sets generated
+ // by the same source are given strictly monotonically increasing sequence
+ // numbers.
+ uint32 sequence() const;
+
+ // CRLList contains a list of (issuer SPKI hash, revoked serial numbers)
+ // pairs.
+ typedef std::vector< std::pair<std::string, std::vector<std::string> > >
+ CRLList;
+
+ // crls returns the internal state of this CRLSet. It should only be used in
+ // testing.
+ const CRLList& crls() const;
+
+ private:
+ CRLSet();
+
+ static CRLSet* CRLSetFromHeader(base::StringPiece header);
+
+ base::Time next_update_;
+ base::TimeDelta update_window_;
+ uint32 sequence_;
+
+ CRLList crls_;
+ // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_|
+ // where the information for that issuer can be found. We have both |crls_|
+ // and |crls_index_by_issuer_| because, when applying a delta update, we need
+ // to identify a CRL by index.
+ std::map<std::string, size_t> crls_index_by_issuer_;
+};
+
+} // namespace net
+
+#endif // NET_BASE_CRL_SET_H_
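Review bot: The `CheckCertificate` comment describes `issuer_spki_hash` as "the SubjectPublicKeyInfo of the CRL signer", while the class comment says issuers are identified by the SHA256 of their SubjectPublicKeyInfo; a caller that passes the raw SPKI would presumably never match an entry and so never see `REVOKED`. I would reword that line to `// issuer_spki_hash: the SHA256 hash of the SubjectPublicKeyInfo of the CRL signer`. The `Result` comments also do not say what is returned when the set holds no data for the issuer, so `GOOD` ("not listed") can be read either as "issuer covered, serial absent" or as "nothing known about this issuer". Stating which one is meant on the enum, and whether `UNKNOWN` covers the uncovered-issuer case, would let callers decide when to fall back to another revocation check. Separately, `uint32` is used for `sequence()` and `sequence_` without a visible include that declares it, so the header may depend on a transitive include.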