Perform online revocation checks when EV certificates aren't covered by a fresh CRLSet.

Previously a fresh CRLSet was sufficient to suppress online revocation checking
for EV certificates because we aimed to have full EV coverage in the CRLSet.

With this change, we'll only suppress online revocation checking for EV
certificates when a fresh CRLSet actually covers the chain in question. We
determine coverage by seeing if the CRLSet contains the issuer SPKI.

There are no changes to the OS X certificate code as I believe that OS X
already does online revocation checking for EV certs no matter what we do in
Chrome.

BUG=none

Review URL: https://chromiumcodereview.appspot.com/11260018

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@214825 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 10 insertions, 0 deletions

diff --git a/net/cert/crl_set.h b/net/cert/crl_set.h
index 511654d..348005f 100644
--- a/net/cert/crl_set.h
+++ b/net/cert/crl_set.h
@@ -13,6 +13,7 @@
 #include "base/memory/ref_counted.h"
 #include "base/strings/string_piece.h"
 #include "net/base/net_export.h"
+#include "net/cert/x509_cert_types.h"
 
 namespace base {
 class DictionaryValue;
@@ -88,6 +89,15 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
   // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests.
   static CRLSet* ExpiredCRLSetForTesting();
 
+  // ForTesting returns a CRLSet for testing. If |is_expired| is true, calling
+  // IsExpired on the result will return true. If |issuer_spki| is not NULL,
+  // the CRLSet will cover certificates issued by that SPKI. If |serial_number|
+  // is not emtpy, then that big-endian serial number will be considered to
+  // have been revoked by |issuer_spki|.
+  static CRLSet* ForTesting(bool is_expired,
+                            const SHA256HashValue* issuer_spki,
+                            const std::string& serial_number);
+
  private:
   CRLSet();
   ~CRLSet();