Home | History | Annotate | Download | only in cert 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_CERT_CRL_SET_H_
      6 #define NET_CERT_CRL_SET_H_
      7 
      8 #include <map>
      9 #include <string>
     10 #include <utility>
     11 #include <vector>
     12 
     13 #include "base/memory/ref_counted.h"
     14 #include "base/strings/string_piece.h"
     15 #include "net/base/net_export.h"
     16 #include "net/cert/x509_cert_types.h"
     17 
     18 namespace base {
     19 class DictionaryValue;
     20 }
     21 
     22 namespace net {
     23 
     24 // A CRLSet is a structure that lists the serial numbers of revoked
     25 // certificates from a number of issuers where issuers are identified by the
     26 // SHA256 of their SubjectPublicKeyInfo.
     27 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
     28  public:
     29   enum Result {
     30     REVOKED,  // the certificate should be rejected.
     31     UNKNOWN,  // the CRL for the certificate is not included in the set.
     32     GOOD,     // the certificate is not listed.
     33   };
     34 
     35   // Parse parses the bytes in |data| and, on success, puts a new CRLSet in
     36   // |out_crl_set| and returns true.
     37   static bool Parse(base::StringPiece data,
     38                     scoped_refptr<CRLSet>* out_crl_set);
     39 
     40   // CheckSPKI checks whether the given SPKI has been listed as blocked.
     41   //   spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate.
     42   Result CheckSPKI(const base::StringPiece& spki_hash) const;
     43 
     44   // CheckSerial returns the information contained in the set for a given
     45   // certificate:
     46   //   serial_number: the serial number of the certificate
     47   //   issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL
     48   //       signer
     49   Result CheckSerial(
     50       const base::StringPiece& serial_number,
     51       const base::StringPiece& issuer_spki_hash) const;
     52 
     53   // IsExpired returns true iff the current time is past the NotAfter time
     54   // specified in the CRLSet.
     55   bool IsExpired() const;
     56 
     57   // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of
     58   // updating the current CRL set with the delta information in |delta_bytes|.
     59   bool ApplyDelta(const base::StringPiece& delta_bytes,
     60                   scoped_refptr<CRLSet>* out_crl_set);
     61 
     62   // GetIsDeltaUpdate extracts the header from |bytes|, sets *is_delta to
     63   // whether |bytes| is a delta CRL set or not and returns true. In the event
     64   // of a parse error, it returns false.
     65   static bool GetIsDeltaUpdate(const base::StringPiece& bytes, bool *is_delta);
     66 
     67   // Serialize returns a string of bytes suitable for passing to Parse. Parsing
     68   // and serializing a CRLSet is a lossless operation - the resulting bytes
     69   // will be equal.
     70   std::string Serialize() const;
     71 
     72   // sequence returns the sequence number of this CRL set. CRL sets generated
     73   // by the same source are given strictly monotonically increasing sequence
     74   // numbers.
     75   uint32 sequence() const;
     76 
     77   // CRLList contains a list of (issuer SPKI hash, revoked serial numbers)
     78   // pairs.
     79   typedef std::vector< std::pair<std::string, std::vector<std::string> > >
     80       CRLList;
     81 
     82   // crls returns the internal state of this CRLSet. It should only be used in
     83   // testing.
     84   const CRLList& crls() const;
     85 
     86   // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests.
     87   static CRLSet* EmptyCRLSetForTesting();
     88 
     89   // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests.
     90   static CRLSet* ExpiredCRLSetForTesting();
     91 
     92   // ForTesting returns a CRLSet for testing. If |is_expired| is true, calling
     93   // IsExpired on the result will return true. If |issuer_spki| is not NULL,
     94   // the CRLSet will cover certificates issued by that SPKI. If |serial_number|
     95   // is not emtpy, then that big-endian serial number will be considered to
     96   // have been revoked by |issuer_spki|.
     97   static CRLSet* ForTesting(bool is_expired,
     98                             const SHA256HashValue* issuer_spki,
     99                             const std::string& serial_number);
    100 
    101  private:
    102   CRLSet();
    103   ~CRLSet();
    104 
    105   friend class base::RefCountedThreadSafe<CRLSet>;
    106 
    107   // CopyBlockedSPKIsFromHeader sets |blocked_spkis_| to the list of values
    108   // from "BlockedSPKIs" in |header_dict|.
    109   bool CopyBlockedSPKIsFromHeader(base::DictionaryValue* header_dict);
    110 
    111   uint32 sequence_;
    112   CRLList crls_;
    113   // not_after_ contains the time, in UNIX epoch seconds, after which the
    114   // CRLSet should be considered stale, or 0 if no such time was given.
    115   uint64 not_after_;
    116   // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_|
    117   // where the information for that issuer can be found. We have both |crls_|
    118   // and |crls_index_by_issuer_| because, when applying a delta update, we need
    119   // to identify a CRL by index.
    120   std::map<std::string, size_t> crls_index_by_issuer_;
    121   // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked
    122   // no matter where in a certificate chain they might appear.
    123   std::vector<std::string> blocked_spkis_;
    124 };
    125 
    126 }  // namespace net
    127 
    128 #endif  // NET_CERT_CRL_SET_H_
    129