1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_CRL_SET_H_ 6 #define NET_CERT_CRL_SET_H_ 7 8 #include <string> 9 #include <utility> 10 #include <vector> 11 12 #include "base/containers/hash_tables.h" 13 #include "base/memory/ref_counted.h" 14 #include "base/strings/string_piece.h" 15 #include "net/base/net_export.h" 16 #include "net/cert/x509_cert_types.h" 17 18 namespace net { 19 20 // A CRLSet is a structure that lists the serial numbers of revoked 21 // certificates from a number of issuers where issuers are identified by the 22 // SHA256 of their SubjectPublicKeyInfo. 23 // CRLSetStorage is responsible for creating CRLSet instances. 24 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { 25 public: 26 enum Result { 27 REVOKED, // the certificate should be rejected. 28 UNKNOWN, // the CRL for the certificate is not included in the set. 29 GOOD, // the certificate is not listed. 30 }; 31 32 // CheckSPKI checks whether the given SPKI has been listed as blocked. 33 // spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate. 34 Result CheckSPKI(const base::StringPiece& spki_hash) const; 35 36 // CheckSerial returns the information contained in the set for a given 37 // certificate: 38 // serial_number: the serial number of the certificate 39 // issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL 40 // signer 41 Result CheckSerial( 42 const base::StringPiece& serial_number, 43 const base::StringPiece& issuer_spki_hash) const; 44 45 // IsExpired returns true iff the current time is past the NotAfter time 46 // specified in the CRLSet. 47 bool IsExpired() const; 48 49 // sequence returns the sequence number of this CRL set. CRL sets generated 50 // by the same source are given strictly monotonically increasing sequence 51 // numbers. 52 uint32 sequence() const; 53 54 // CRLList contains a list of (issuer SPKI hash, revoked serial numbers) 55 // pairs. 56 typedef std::vector< std::pair<std::string, std::vector<std::string> > > 57 CRLList; 58 59 // crls returns the internal state of this CRLSet. It should only be used in 60 // testing. 61 const CRLList& crls() const; 62 63 // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests. 64 static CRLSet* EmptyCRLSetForTesting(); 65 66 // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests. 67 static CRLSet* ExpiredCRLSetForTesting(); 68 69 // ForTesting returns a CRLSet for testing. If |is_expired| is true, calling 70 // IsExpired on the result will return true. If |issuer_spki| is not NULL, 71 // the CRLSet will cover certificates issued by that SPKI. If |serial_number| 72 // is not emtpy, then that big-endian serial number will be considered to 73 // have been revoked by |issuer_spki|. 74 static CRLSet* ForTesting(bool is_expired, 75 const SHA256HashValue* issuer_spki, 76 const std::string& serial_number); 77 78 private: 79 CRLSet(); 80 ~CRLSet(); 81 82 friend class base::RefCountedThreadSafe<CRLSet>; 83 friend class CRLSetStorage; 84 85 uint32 sequence_; 86 CRLList crls_; 87 // not_after_ contains the time, in UNIX epoch seconds, after which the 88 // CRLSet should be considered stale, or 0 if no such time was given. 89 uint64 not_after_; 90 // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_| 91 // where the information for that issuer can be found. We have both |crls_| 92 // and |crls_index_by_issuer_| because, when applying a delta update, we need 93 // to identify a CRL by index. 94 base::hash_map<std::string, size_t> crls_index_by_issuer_; 95 // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked 96 // no matter where in a certificate chain they might appear. 97 std::vector<std::string> blocked_spkis_; 98 }; 99 100 } // namespace net 101 102 #endif // NET_CERT_CRL_SET_H_ 103