diff options
Diffstat (limited to 'net/base/crl_set.h')
-rw-r--r-- | net/base/crl_set.h | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/net/base/crl_set.h b/net/base/crl_set.h new file mode 100644 index 0000000..99a39c6 --- /dev/null +++ b/net/base/crl_set.h @@ -0,0 +1,97 @@ +// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_BASE_CRL_SET_H_ +#define NET_BASE_CRL_SET_H_ +#pragma once + +#include <map> +#include <string> +#include <utility> +#include <vector> + +#include "base/memory/ref_counted.h" +#include "base/memory/scoped_ptr.h" +#include "base/string_piece.h" +#include "base/time.h" +#include "net/base/net_export.h" + +namespace net { + +// A CRLSet is a structure that lists the serial numbers of revoked +// certificates from a number of issuers where issuers are identified by the +// SHA256 of their SubjectPublicKeyInfo. +class NET_EXPORT_PRIVATE CRLSet : public base::RefCounted<CRLSet> { + public: + enum Result { + REVOKED, // the certificate should be rejected. + UNKNOWN, // there was an error in processing. + GOOD, // the certificate is not listed. + }; + + ~CRLSet(); + + // Parse parses the bytes in |data| and, on success, puts a new CRLSet in + // |out_crl_set| and returns true. + static bool Parse(base::StringPiece data, + scoped_refptr<CRLSet>* out_crl_set); + + // CheckCertificate returns the information contained in the set for a given + // certificate: + // serial_number: the serial number of the certificate + // issuer_spki_hash: the SubjectPublicKeyInfo of the CRL signer + // + // This does not check that the CRLSet is timely. See |next_update|. + Result CheckCertificate( + const base::StringPiece& serial_number, + const base::StringPiece& issuer_spki_hash) const; + + // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of + // updating the current CRL set with the delta information in |delta_bytes|. + bool ApplyDelta(base::StringPiece delta_bytes, + scoped_refptr<CRLSet>* out_crl_set); + + // next_update returns the time at which a new CRLSet may be availible. + base::Time next_update() const; + + // update_window returns the number of seconds in the update window. Once the + // |next_update| time has occured, the client should schedule a fetch, + // uniformly at random, within |update_window|. This aims to smooth the load + // on the server. + base::TimeDelta update_window() const; + + // sequence returns the sequence number of this CRL set. CRL sets generated + // by the same source are given strictly monotonically increasing sequence + // numbers. + uint32 sequence() const; + + // CRLList contains a list of (issuer SPKI hash, revoked serial numbers) + // pairs. + typedef std::vector< std::pair<std::string, std::vector<std::string> > > + CRLList; + + // crls returns the internal state of this CRLSet. It should only be used in + // testing. + const CRLList& crls() const; + + private: + CRLSet(); + + static CRLSet* CRLSetFromHeader(base::StringPiece header); + + base::Time next_update_; + base::TimeDelta update_window_; + uint32 sequence_; + + CRLList crls_; + // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_| + // where the information for that issuer can be found. We have both |crls_| + // and |crls_index_by_issuer_| because, when applying a delta update, we need + // to identify a CRL by index. + std::map<std::string, size_t> crls_index_by_issuer_; +}; + +} // namespace net + +#endif // NET_BASE_CRL_SET_H_ |