summaryrefslogtreecommitdiffstats
path: root/net/base/crl_set.h
diff options
context:
space:
mode:
Diffstat (limited to 'net/base/crl_set.h')
-rw-r--r--net/base/crl_set.h97
1 files changed, 97 insertions, 0 deletions
diff --git a/net/base/crl_set.h b/net/base/crl_set.h
new file mode 100644
index 0000000..99a39c6
--- /dev/null
+++ b/net/base/crl_set.h
@@ -0,0 +1,97 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_CRL_SET_H_
+#define NET_BASE_CRL_SET_H_
+#pragma once
+
+#include <map>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/string_piece.h"
+#include "base/time.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// A CRLSet is a structure that lists the serial numbers of revoked
+// certificates from a number of issuers where issuers are identified by the
+// SHA256 of their SubjectPublicKeyInfo.
+class NET_EXPORT_PRIVATE CRLSet : public base::RefCounted<CRLSet> {
+ public:
+ enum Result {
+ REVOKED, // the certificate should be rejected.
+ UNKNOWN, // there was an error in processing.
+ GOOD, // the certificate is not listed.
+ };
+
+ ~CRLSet();
+
+ // Parse parses the bytes in |data| and, on success, puts a new CRLSet in
+ // |out_crl_set| and returns true.
+ static bool Parse(base::StringPiece data,
+ scoped_refptr<CRLSet>* out_crl_set);
+
+ // CheckCertificate returns the information contained in the set for a given
+ // certificate:
+ // serial_number: the serial number of the certificate
+ // issuer_spki_hash: the SubjectPublicKeyInfo of the CRL signer
+ //
+ // This does not check that the CRLSet is timely. See |next_update|.
+ Result CheckCertificate(
+ const base::StringPiece& serial_number,
+ const base::StringPiece& issuer_spki_hash) const;
+
+ // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of
+ // updating the current CRL set with the delta information in |delta_bytes|.
+ bool ApplyDelta(base::StringPiece delta_bytes,
+ scoped_refptr<CRLSet>* out_crl_set);
+
+ // next_update returns the time at which a new CRLSet may be availible.
+ base::Time next_update() const;
+
+ // update_window returns the number of seconds in the update window. Once the
+ // |next_update| time has occured, the client should schedule a fetch,
+ // uniformly at random, within |update_window|. This aims to smooth the load
+ // on the server.
+ base::TimeDelta update_window() const;
+
+ // sequence returns the sequence number of this CRL set. CRL sets generated
+ // by the same source are given strictly monotonically increasing sequence
+ // numbers.
+ uint32 sequence() const;
+
+ // CRLList contains a list of (issuer SPKI hash, revoked serial numbers)
+ // pairs.
+ typedef std::vector< std::pair<std::string, std::vector<std::string> > >
+ CRLList;
+
+ // crls returns the internal state of this CRLSet. It should only be used in
+ // testing.
+ const CRLList& crls() const;
+
+ private:
+ CRLSet();
+
+ static CRLSet* CRLSetFromHeader(base::StringPiece header);
+
+ base::Time next_update_;
+ base::TimeDelta update_window_;
+ uint32 sequence_;
+
+ CRLList crls_;
+ // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_|
+ // where the information for that issuer can be found. We have both |crls_|
+ // and |crls_index_by_issuer_| because, when applying a delta update, we need
+ // to identify a CRL by index.
+ std::map<std::string, size_t> crls_index_by_issuer_;
+};
+
+} // namespace net
+
+#endif // NET_BASE_CRL_SET_H_