1 files changed, 97 insertions, 0 deletions
diff --git a/net/base/crl_set.h b/net/base/crl_set.h
new file mode 100644
index 0000000..99a39c6
--- /dev/null
+++ b/net/base/crl_set.h
@@ -0,0 +1,97 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_CRL_SET_H_
+#define NET_BASE_CRL_SET_H_
+#pragma once
+
+#include <map>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/string_piece.h"
+#include "base/time.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// A CRLSet is a structure that lists the serial numbers of revoked
+// certificates from a number of issuers where issuers are identified by the
+// SHA256 of their SubjectPublicKeyInfo.
+class NET_EXPORT_PRIVATE CRLSet : public base::RefCounted<CRLSet> {
+ public:
+  enum Result {
+    REVOKED,  // the certificate should be rejected.
+    UNKNOWN,  // there was an error in processing.
+    GOOD,  // the certificate is not listed.
+  };
+
+  ~CRLSet();
+
+  // Parse parses the bytes in |data| and, on success, puts a new CRLSet in
+  // |out_crl_set| and returns true.
+  static bool Parse(base::StringPiece data,
+                    scoped_refptr<CRLSet>* out_crl_set);
+
+  // CheckCertificate returns the information contained in the set for a given
+  // certificate:
+  //   serial_number: the serial number of the certificate
+  //   issuer_spki_hash: the SubjectPublicKeyInfo of the CRL signer
+  //
+  // This does not check that the CRLSet is timely. See |next_update|.
+  Result CheckCertificate(
+      const base::StringPiece& serial_number,
+      const base::StringPiece& issuer_spki_hash) const;
+
+  // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of
+  // updating the current CRL set with the delta information in |delta_bytes|.
+  bool ApplyDelta(base::StringPiece delta_bytes,
+                  scoped_refptr<CRLSet>* out_crl_set);
+
+  // next_update returns the time at which a new CRLSet may be availible.
+  base::Time next_update() const;
+
+  // update_window returns the number of seconds in the update window. Once the
+  // |next_update| time has occured, the client should schedule a fetch,
+  // uniformly at random, within |update_window|. This aims to smooth the load
+  // on the server.
+  base::TimeDelta update_window() const;
+
+  // sequence returns the sequence number of this CRL set. CRL sets generated
+  // by the same source are given strictly monotonically increasing sequence
+  // numbers.
+  uint32 sequence() const;
+
+  // CRLList contains a list of (issuer SPKI hash, revoked serial numbers)
+  // pairs.
+  typedef std::vector< std::pair<std::string, std::vector<std::string> > >
+      CRLList;
+
+  // crls returns the internal state of this CRLSet. It should only be used in
+  // testing.
+  const CRLList& crls() const;
+
+ private:
+  CRLSet();
+
+  static CRLSet* CRLSetFromHeader(base::StringPiece header);
+
+  base::Time next_update_;
+  base::TimeDelta update_window_;
+  uint32 sequence_;
+
+  CRLList crls_;
+  // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_|
+  // where the information for that issuer can be found. We have both |crls_|
+  // and |crls_index_by_issuer_| because, when applying a delta update, we need
+  // to identify a CRL by index.
+  std::map<std::string, size_t> crls_index_by_issuer_;
+};
+
+}  // namespace net
+
+#endif  // NET_BASE_CRL_SET_H_