1 // Copyright 2020 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_TEST_REVOCATION_BUILDER_H_
6 #define NET_TEST_REVOCATION_BUILDER_H_
7 
#include <stdint.h>

#include <string>
#include <vector>

#include "base/time/time.h"
#include "net/cert/ocsp_revocation_status.h"
#include "net/cert/pki/ocsp.h"
#include "net/cert/pki/signature_algorithm.h"
#include "third_party/abseil-cpp/absl/types/optional.h"
#include "third_party/boringssl/src/include/openssl/evp.h"
17 
18 namespace net {
19 
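// One SingleResponse entry consumed by BuildOCSPResponse(). This is a plain
// aggregate: brace-initialize it or fill the fields individually. The scalar
// members carry default initializers so that a partially filled struct never
// hands an indeterminate serial or status to the encoder.
struct OCSPBuilderSingleResponse {
  // OCSP allows the OCSP responder and certificate issuer to be different,
  // but this implementation currently assumes they are the same, thus issuer
  // is not specified here.
  //
  // This implementation currently requires serial to be an unsigned 64 bit
  // integer.
  uint64_t serial = 0;
  // Status reported for |serial|; defaults to GOOD so an unset entry does not
  // accidentally read as revoked.
  OCSPRevocationStatus cert_status = OCSPRevocationStatus::GOOD;
  base::Time revocation_time;  // Only used if |cert_status|==REVOKED.
  base::Time this_update;
  // nextUpdate is optional, but this implementation currently always encodes
  // it.
  base::Time next_update;
  // singleExtensions not currently supported.
};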
36 
// Creates an OCSPResponse indicating a |response_status| error, which must
// not be ResponseStatus::SUCCESSFUL. The returned value is the encoded
// OCSPResponse; no responder key is involved because error responses carry
// no ResponseBytes to sign.
std::string BuildOCSPResponseError(
    OCSPResponse::ResponseStatus response_status);
41 
// Creates an OCSPResponse from responder with DER subject |responder_subject|
// and key |responder_key|, containing |responses|. |responder_key| is the
// responder's key pair; it is presumably used to sign the response (see
// BuildOCSPResponseWithResponseData()), so the caller must keep it alive for
// the duration of the call. |produced_at| becomes the ResponseData
// producedAt field. Returns the encoded OCSPResponse.
std::string BuildOCSPResponse(
    const std::string& responder_subject,
    EVP_PKEY* responder_key,
    base::Time produced_at,
    const std::vector<OCSPBuilderSingleResponse>& responses);
49 
// Creates an OCSPResponse signed by |responder_key| with |response_data| as
// the to-be-signed ResponseData (the parameter was previously documented as
// |tbs_response_data|; the name in the signature is authoritative). If
// |signature_algorithm| is nullopt, a default algorithm will be chosen based
// on the key type. Because |response_data| is signed as-is, this entry point
// lets tests build responses whose ResponseData is deliberately malformed.
std::string BuildOCSPResponseWithResponseData(
    EVP_PKEY* responder_key,
    const std::string& response_data,
    absl::optional<SignatureAlgorithm> signature_algorithm = absl::nullopt);
57 
// Creates a CRL issued by |crl_issuer_subject| and signed by |crl_issuer_key|,
// marking |revoked_serials| as revoked. If |signature_algorithm| is nullopt, a
// default algorithm will be chosen based on the key type.
// As with OCSPBuilderSingleResponse, serials are limited to unsigned 64 bit
// integers. Returns the DER-encoded CRL.
std::string BuildCrl(
    const std::string& crl_issuer_subject,
    EVP_PKEY* crl_issuer_key,
    const std::vector<uint64_t>& revoked_serials,
    absl::optional<SignatureAlgorithm> signature_algorithm = absl::nullopt);
67 
// Like BuildCrl(), but takes the signature algorithm in raw form:
// |signature_algorithm_tlv| is presumably the DER-encoded AlgorithmIdentifier
// written into the CRL, and |digest| is the hash actually used when signing
// with |crl_issuer_key|. Nothing here ties the two together, so tests can
// produce a CRL whose declared algorithm and real signature disagree — useful
// for checking that a verifier rejects such mismatches. Confirm the exact
// TLV expectations against the implementation. Returns the DER-encoded CRL.
std::string BuildCrlWithAlgorithmTlvAndDigest(
    const std::string& crl_issuer_subject,
    EVP_PKEY* crl_issuer_key,
    const std::vector<uint64_t>& revoked_serials,
    const std::string& signature_algorithm_tlv,
    const EVP_MD* digest);
74 
75 }  // namespace net
76 
77 #endif  // NET_TEST_REVOCATION_BUILDER_H_
78