1 // Copyright 2019 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef CAST_COMMON_CERTIFICATE_CAST_CRL_H_
6 #define CAST_COMMON_CERTIFICATE_CAST_CRL_H_
7 
8 #include <openssl/x509.h>
9 
10 #include <memory>
11 #include <string>
12 #include <unordered_map>
13 #include <unordered_set>
14 #include <vector>
15 
16 #include "cast/common/certificate/cast_cert_validator.h"
17 #include "cast/common/certificate/proto/revocation.pb.h"
18 #include "platform/base/macros.h"
19 
20 namespace openscreen {
21 namespace cast {
22 
// TODO(crbug.com/openscreen/90): Remove these after Chromium is migrated to
// openscreen::cast
//
// Aliases that make the revocation message types from ::cast::certificate
// usable unqualified inside openscreen::cast.  The types presumably come from
// proto/revocation.pb.h, which this header includes -- confirm.
//
// NOTE(review): CastCRL declares a private nested struct that is also named
// SerialNumberRange.  Inside CastCRL's scope that nested struct hides the
// SerialNumberRange alias declared here, so the two must not be confused when
// reading the implementation.
using CrlBundle = ::cast::certificate::CrlBundle;
using Crl = ::cast::certificate::Crl;
using TbsCrl = ::cast::certificate::TbsCrl;
using SerialNumberRange = ::cast::certificate::SerialNumberRange;
29 
// This class represents the certificate revocation list information parsed from
// the binary in a protobuf message.
//
// An instance holds two DateTime bounds (|not_before_|, |not_after_|), a set
// of revoked public key hashes, and revoked serial number ranges keyed by
// issuer public key hash; see the member comments below.
// OSP_DISALLOW_COPY_AND_ASSIGN presumably disables copying and assignment;
// the macro is defined in platform/base/macros.h, not in this header.
class CastCRL {
 public:
  // Constructs a CastCRL from |tbs_crl| and |overall_not_after|.
  //
  // NOTE(review): this header does not say how |overall_not_after| relates to
  // |not_after_| (presumably it caps the CRL's own expiry) -- confirm against
  // the implementation and document it here.
  CastCRL(const TbsCrl& tbs_crl, const DateTime& overall_not_after);
  ~CastCRL();

  // Verifies the revocation status of a cast device certificate given a chain
  // of X.509 certificates.
  //
  // Inputs:
  // * |trusted_chain| is the chain of verified certificates, starting with
  //   trust anchor.  The chain must already have passed path validation; this
  //   declaration gives no indication that the chain is re-verified here.
  //   The X509 pointers are presumably borrowed, not owned -- confirm.
  //
  // * |time| is the timestamp to use for determining if the certificate is
  //   revoked.
  //
  // Output:
  // Returns true if no certificate in the chain was revoked.
  //
  // NOTE(review): the result for a |time| outside the window held in
  // |not_before_| / |not_after_|, and for an empty |trusted_chain|, is not
  // stated here.  Callers that accept a device certificate on a true result
  // need to know that an expired or not-yet-valid CRL cannot read as "not
  // revoked"; confirm against the implementation and spell it out.
  bool CheckRevocation(const std::vector<X509*>& trusted_chain,
                       const DateTime& time) const;

 private:
  // One range of revoked certificate serial numbers.  This nested type hides
  // the namespace-level SerialNumberRange alias inside CastCRL's scope.
  //
  // NOTE(review): whether |last_serial| is inclusive is not visible in this
  // header -- confirm.  Serials are held as 64-bit values while X.509 serial
  // numbers may be up to 20 octets long; how wider serials are treated is
  // decided elsewhere and should be documented here.
  struct SerialNumberRange {
    uint64_t first_serial;
    uint64_t last_serial;
  };

  // NOTE(review): by their names these bound the period in which this CRL may
  // be used; this header does not say whether the bounds are inclusive or
  // where they are enforced -- confirm.
  DateTime not_before_;
  DateTime not_after_;

  // Revoked public key hashes.
  // The values consist of the SHA256 hash of the SubjectPublicKeyInfo.
  std::unordered_set<std::string> revoked_hashes_;

  // Revoked serial number ranges indexed by issuer public key hash.
  // The key is the SHA256 hash of issuer's SubjectPublicKeyInfo.
  // The value is a list of revoked serial number ranges.
  std::unordered_map<std::string, std::vector<SerialNumberRange>>
      revoked_serial_numbers_;

  OSP_DISALLOW_COPY_AND_ASSIGN(CastCRL);
};
73 
// Forward declaration.  In this header TrustStore is used only as the pointer
// parameter of ParseAndVerifyCRL below; its definition lives elsewhere.
struct TrustStore;

// Parses and verifies the CRL used to verify the revocation status of
// Cast device certificates, using the built-in Cast CRL trust anchors.
//
// Inputs:
// * |crl_proto| is a serialized cast_certificate.CrlBundle proto (presumably
//   the message type aliased as CrlBundle in this header -- confirm).
// * |time| is the timestamp to use for determining if the CRL is valid.
// * |trust_store| is the set of trust anchors to use.  This should be nullptr
//   in production, but can be overridden in tests.  A non-null value stands in
//   for the built-in anchors as the root of trust for the CRL, so production
//   call sites should omit the argument or pass nullptr.  Ownership of the
//   pointed-to store presumably stays with the caller -- confirm.
//
// Output:
// Returns the CRL object if success, nullptr otherwise.
//
// NOTE(review): a nullptr result only says that no usable CRL was produced.
// Whether a missing CRL blocks device authentication is a caller policy that
// this header does not define; callers should make that choice explicit.
std::unique_ptr<CastCRL> ParseAndVerifyCRL(const std::string& crl_proto,
                                           const DateTime& time,
                                           TrustStore* trust_store = nullptr);
90 
91 }  // namespace cast
92 }  // namespace openscreen
93 
94 #endif  // CAST_COMMON_CERTIFICATE_CAST_CRL_H_