net/base/crl_set.cc - Issue 9699043: net: fallback to online revocation checks for EV status when CRLSet has expired.

Side by Side Diff: net/base/crl_set.cc

Issue 9699043: net: fallback to online revocation checks for EV status when CRLSet has expired. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: ... Created 8 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "base/base64.h"	5 #include "base/base64.h"

6 #include "base/format_macros.h"	6 #include "base/format_macros.h"

7 #include "base/json/json_reader.h"	7 #include "base/json/json_reader.h"

8 #include "base/logging.h"	8 #include "base/logging.h"

9 #include "base/stl_util.h"	9 #include "base/stl_util.h"

10 #include "base/string_util.h"	10 #include "base/string_util.h"

(...skipping 522 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
533 return REVOKED;	533 return REVOKED;

534 }	534 }

535 }	535 }

536	536

537 return GOOD;	537 return GOOD;

538 }	538 }

539	539

540 CRLSet::Result CRLSet::CheckSerial(	540 CRLSet::Result CRLSet::CheckSerial(

541 const base::StringPiece& serial_number,	541 const base::StringPiece& serial_number,

542 const base::StringPiece& issuer_spki_hash) const {	542 const base::StringPiece& issuer_spki_hash) const {

543 Result result = CheckSerialIsRevoked(serial_number, issuer_spki_hash);

544 // If we get a revoked signal then we return that no matter how old the

545 // CRLSet is.

546 if (result == REVOKED)

547 return result;

548 if (not_after_ > 0) {

549 uint64 now = base::Time::Now().ToTimeT();

550 if (now > not_after_)

551 return CRL_SET_EXPIRED;

552 }

553 return result;

554 }

555

556 CRLSet::Result CRLSet::CheckSerialIsRevoked(

557 const base::StringPiece& serial_number,

558 const base::StringPiece& issuer_spki_hash) const {

559 base::StringPiece serial(serial_number);	543 base::StringPiece serial(serial_number);

560	544

561 if (!serial.empty() && (serial[0] & 0x80) != 0) {	545 if (!serial.empty() && (serial[0] & 0x80) != 0) {

562 // This serial number is negative but the process which generates CRL sets	546 // This serial number is negative but the process which generates CRL sets

563 // will reject any certificates with negative serial numbers as invalid.	547 // will reject any certificates with negative serial numbers as invalid.

564 return UNKNOWN;	548 return UNKNOWN;

565 }	549 }

566	550

567 // Remove any leading zero bytes.	551 // Remove any leading zero bytes.

568 while (serial.size() > 1 && serial[0] == 0x00)	552 while (serial.size() > 1 && serial[0] == 0x00)

569 serial.remove_prefix(1);	553 serial.remove_prefix(1);

570	554

571 std::map<std::string, size_t>::const_iterator i =	555 std::map<std::string, size_t>::const_iterator i =

572 crls_index_by_issuer_.find(issuer_spki_hash.as_string());	556 crls_index_by_issuer_.find(issuer_spki_hash.as_string());

573 if (i == crls_index_by_issuer_.end())	557 if (i == crls_index_by_issuer_.end())

574 return UNKNOWN;	558 return UNKNOWN;

575 const std::vector<std::string>& serials = crls_[i->second].second;	559 const std::vector<std::string>& serials = crls_[i->second].second;

576	560

577 for (std::vector<std::string>::const_iterator i = serials.begin();	561 for (std::vector<std::string>::const_iterator i = serials.begin();

578 i != serials.end(); ++i) {	562 i != serials.end(); ++i) {

579 if (base::StringPiece(*i) == serial)	563 if (base::StringPiece(*i) == serial)

580 return REVOKED;	564 return REVOKED;

581 }	565 }

582	566

583 return GOOD;	567 return GOOD;

584 }	568 }

585	569

	570 bool CRLSet::IsExpired() const {

	571 if (not_after_ == 0)
	Ryan Sleevi 2012/03/16 00:50:52 is 0 some magic value for "never expires" ? I noti is 0 some magic value for "never expires" ? I notice it was in the original code at line 548, but perhaps this is non-obvious, especially since not_after_ will generally be zero-initialized when creating a new CRLSet. agl 2012/03/20 20:02:19 Yes, this is for backwards compatibility was CRLSe Show quoted text On 2012/03/16 00:50:52, Ryan Sleevi wrote: > is 0 some magic value for "never expires" ? I notice it was in the original code > at line 548, but perhaps this is non-obvious, especially since not_after_ will > generally be zero-initialized when creating a new CRLSet. Yes, this is for backwards compatibility was CRLSets that were generated prior to the addition of the NotAfter field.
	572 return false;

	573

	574 uint64 now = base::Time::Now().ToTimeT();

	575 return now > not_after_;

	576 }

	577

586 uint32 CRLSet::sequence() const {	578 uint32 CRLSet::sequence() const {

587 return sequence_;	579 return sequence_;

588 }	580 }

589	581

590 const CRLSet::CRLList& CRLSet::crls() const {	582 const CRLSet::CRLList& CRLSet::crls() const {

591 return crls_;	583 return crls_;

592 }	584 }

593	585

	586 // static

	587 CRLSet* CRLSet::EmptyCRLSetForTesting() {

	588 return new CRLSet;

	589 }

	590

	591 CRLSet* CRLSet::ExpiredCRLSetForTesting() {

	592 CRLSet* crl_set = new CRLSet;

	593 crl_set->not_after_ = 1;

	594 return crl_set;

	595 }

	596

594 } // namespace net	597 } // namespace net

OLD	NEW

« net/base/crl_set.h ('K') | « net/base/crl_set.h ('k') | net/base/crl_set_unittest.cc » ('j') | net/base/x509_certificate.cc » ('J')