path: root/net/base/crl_set.h
blob: 1f5f143c30a7e756951993e572016dd4b418e1e3 (plain)
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_BASE_CRL_SET_H_
#define NET_BASE_CRL_SET_H_
#pragma once

#include <map>
#include <string>
#include <utility>
#include <vector>

#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "base/string_piece.h"
#include "base/time.h"
#include "net/base/net_export.h"

namespace net {

// A CRLSet is a structure that lists the serial numbers of revoked
// certificates from a number of issuers where issuers are identified by the
// SHA256 of their SubjectPublicKeyInfo.
// Instances are reference counted (base::RefCountedThreadSafe) and the
// constructor is private, so callers obtain a CRLSet through Parse() or
// ApplyDelta() and hold it in a scoped_refptr.
class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
 public:
  // Outcome of a CheckCertificate() lookup. The three values are distinct
  // answers: GOOD only says the serial was not listed, and UNKNOWN says the
  // lookup could not be completed.
  // NOTE(review): callers should presumably not treat UNKNOWN as equivalent to
  // GOOD; confirm how each call site handles it. This header also does not say
  // which value is returned for an issuer the set does not cover; confirm in
  // the implementation.
  enum Result {
    REVOKED,  // the certificate should be rejected.
    UNKNOWN,  // there was an error in processing.
    GOOD,  // the certificate is not listed.
  };

  // NOTE(review): the destructor is public although the class is reference
  // counted, so a direct delete would bypass the reference count. Consider
  // whether it can be made non-public.
  ~CRLSet();

  // Parse parses the bytes in |data| and, on success, puts a new CRLSet in
  // |out_crl_set| and returns true.
  //
  // The state of |out_crl_set| when false is returned is not documented here.
  // NOTE(review): this interface takes no key or signature, so any
  // authentication of |data| has to happen before the call; confirm with the
  // caller that fetches the set.
  static bool Parse(base::StringPiece data,
                    scoped_refptr<CRLSet>* out_crl_set);

  // CheckCertificate returns the information contained in the set for a given
  // certificate:
  //   serial_number: the serial number of the certificate
  //   issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL
  //       signer
  //
  // This does not check that the CRLSet is timely. See |next_update|.
  // A set that is past its |next_update| time is therefore still consulted,
  // and can answer GOOD for a certificate revoked after the set was produced;
  // freshness has to be enforced by the caller.
  // NOTE(review): the expected byte encoding of |serial_number| is not stated
  // here; confirm it against the implementation, since an encoding mismatch
  // would make a listed serial look unlisted.
  Result CheckCertificate(
      const base::StringPiece& serial_number,
      const base::StringPiece& issuer_spki_hash) const;

  // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of
  // updating the current CRL set with the delta information in |delta_bytes|.
  // The result is delivered as a separate object through |out_crl_set|.
  // NOTE(review): the bool return presumably reports success, and whether the
  // delta is checked against |sequence| is not visible here; confirm both in
  // the implementation.
  bool ApplyDelta(base::StringPiece delta_bytes,
                  scoped_refptr<CRLSet>* out_crl_set);

  // next_update returns the time at which a new CRLSet may be available.
  base::Time next_update() const;

  // update_window returns the length of the update window. Once the
  // |next_update| time has occurred, the client should schedule a fetch,
  // uniformly at random, within |update_window|. This aims to smooth the load
  // on the server.
  base::TimeDelta update_window() const;

  // sequence returns the sequence number of this CRL set. CRL sets generated
  // by the same source are given strictly monotonically increasing sequence
  // numbers.
  uint32 sequence() const;

  // CRLList contains a list of (issuer SPKI hash, revoked serial numbers)
  // pairs.
  typedef std::vector< std::pair<std::string, std::vector<std::string> > >
      CRLList;

  // crls returns the internal state of this CRLSet. It should only be used in
  // testing.
  const CRLList& crls() const;

 private:
  // Private so that instances are only created from inside this class.
  CRLSet();

  // Builds a CRLSet from the |header| part of the serialized form.
  // NOTE(review): returns a raw pointer; ownership presumably passes to the
  // caller, and the failure return value is not stated here. Confirm both in
  // the implementation.
  static CRLSet* CRLSetFromHeader(base::StringPiece header);

  // Backing values for next_update(), update_window() and sequence().
  base::Time next_update_;
  base::TimeDelta update_window_;
  uint32 sequence_;

  // Per-issuer revocation lists, in the order that |crls_index_by_issuer_|
  // indexes into.
  CRLList crls_;
  // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_|
  // where the information for that issuer can be found. We have both |crls_|
  // and |crls_index_by_issuer_| because, when applying a delta update, we need
  // to identify a CRL by index.
  std::map<std::string, size_t> crls_index_by_issuer_;
};

}  // namespace net

#endif  // NET_BASE_CRL_SET_H_