Chromium Code Reviews Chromium Code Reviews
Issue 9699043:
net: fallback to online revocation checks for EV status when CRLSet has expired. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_CRL_SET_H_ | 5 #ifndef NET_BASE_CRL_SET_H_ |
| 6 #define NET_BASE_CRL_SET_H_ | 6 #define NET_BASE_CRL_SET_H_ |
| 7 #pragma once | 7 #pragma once |
| 8 | 8 |
| 9 #include <map> | 9 #include <map> |
| 10 #include <string> | 10 #include <string> |
| (...skipping 14 matching lines...) Expand all Loading... | |
| 25 | 25 |
| 26 // A CRLSet is a structure that lists the serial numbers of revoked | 26 // A CRLSet is a structure that lists the serial numbers of revoked |
| 27 // certificates from a number of issuers where issuers are identified by the | 27 // certificates from a number of issuers where issuers are identified by the |
| 28 // SHA256 of their SubjectPublicKeyInfo. | 28 // SHA256 of their SubjectPublicKeyInfo. |
| 29 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { | 29 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { |
| 30 public: | 30 public: |
| 31 enum Result { | 31 enum Result { |
| 32 REVOKED, // the certificate should be rejected. | 32 REVOKED, // the certificate should be rejected. |
| 33 UNKNOWN, // the CRL for the certificate is not included in the set. | 33 UNKNOWN, // the CRL for the certificate is not included in the set. |
| 34 GOOD, // the certificate is not listed. | 34 GOOD, // the certificate is not listed. |
| 35 CRL_SET_EXPIRED, // the CRLSet has expired. | |
| 36 }; | 35 }; |
| 37 | 36 |
| 38 ~CRLSet(); | 37 ~CRLSet(); |
| 39 | 38 |
| 40 // Parse parses the bytes in |data| and, on success, puts a new CRLSet in | 39 // Parse parses the bytes in |data| and, on success, puts a new CRLSet in |
| 41 // |out_crl_set| and returns true. | 40 // |out_crl_set| and returns true. |
| 42 static bool Parse(base::StringPiece data, | 41 static bool Parse(base::StringPiece data, |
| 43 scoped_refptr<CRLSet>* out_crl_set); | 42 scoped_refptr<CRLSet>* out_crl_set); |
| 44 | 43 |
| 45 // CheckSPKI checks whether the given SPKI has been listed as blocked. | 44 // CheckSPKI checks whether the given SPKI has been listed as blocked. |
| 46 // spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate. | 45 // spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate. |
| 47 Result CheckSPKI(const base::StringPiece& spki_hash) const; | 46 Result CheckSPKI(const base::StringPiece& spki_hash) const; |
| 48 | 47 |
| 49 // CheckSerial returns the information contained in the set for a given | 48 // CheckSerial returns the information contained in the set for a given |
| 50 // certificate: | 49 // certificate: |
| 51 // serial_number: the serial number of the certificate | 50 // serial_number: the serial number of the certificate |
| 52 // issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL | 51 // issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL |
| 53 // signer | 52 // signer |
| 54 Result CheckSerial( | 53 Result CheckSerial( |
| 55 const base::StringPiece& serial_number, | 54 const base::StringPiece& serial_number, |
| 56 const base::StringPiece& issuer_spki_hash) const; | 55 const base::StringPiece& issuer_spki_hash) const; |
| 57 | 56 |
| 57 // IsExpired returns true iff the current time is past the NotAfter time | |
| 58 // specified in the CRLSet. | |
| 59 bool IsExpired() const; | |
| 60 | |
| 58 // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of | 61 // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of |
| 59 // updating the current CRL set with the delta information in |delta_bytes|. | 62 // updating the current CRL set with the delta information in |delta_bytes|. |
| 60 bool ApplyDelta(const base::StringPiece& delta_bytes, | 63 bool ApplyDelta(const base::StringPiece& delta_bytes, |
| 61 scoped_refptr<CRLSet>* out_crl_set); | 64 scoped_refptr<CRLSet>* out_crl_set); |
| 62 | 65 |
| 63 // GetIsDeltaUpdate extracts the header from |bytes|, sets *is_delta to | 66 // GetIsDeltaUpdate extracts the header from |bytes|, sets *is_delta to |
| 64 // whether |bytes| is a delta CRL set or not and returns true. In the event | 67 // whether |bytes| is a delta CRL set or not and returns true. In the event |
| 65 // of a parse error, it returns false. | 68 // of a parse error, it returns false. |
| 66 static bool GetIsDeltaUpdate(const base::StringPiece& bytes, bool *is_delta); | 69 static bool GetIsDeltaUpdate(const base::StringPiece& bytes, bool *is_delta); |
| 67 | 70 |
| 68 // Serialize returns a string of bytes suitable for passing to Parse. Parsing | 71 // Serialize returns a string of bytes suitable for passing to Parse. Parsing |
| 69 // and serializing a CRLSet is a lossless operation - the resulting bytes | 72 // and serializing a CRLSet is a lossless operation - the resulting bytes |
| 70 // will be equal. | 73 // will be equal. |
| 71 std::string Serialize() const; | 74 std::string Serialize() const; |
| 72 | 75 |
| 73 // sequence returns the sequence number of this CRL set. CRL sets generated | 76 // sequence returns the sequence number of this CRL set. CRL sets generated |
| 74 // by the same source are given strictly monotonically increasing sequence | 77 // by the same source are given strictly monotonically increasing sequence |
| 75 // numbers. | 78 // numbers. |
| 76 uint32 sequence() const; | 79 uint32 sequence() const; |
| 77 | 80 |
| 78 // CRLList contains a list of (issuer SPKI hash, revoked serial numbers) | 81 // CRLList contains a list of (issuer SPKI hash, revoked serial numbers) |
|
Ryan Sleevi
2012/03/16 00:50:52
As a clean-up point, if these (lines 81-94) are me
| |
| 79 // pairs. | 82 // pairs. |
| 80 typedef std::vector< std::pair<std::string, std::vector<std::string> > > | 83 typedef std::vector< std::pair<std::string, std::vector<std::string> > > |
| 81 CRLList; | 84 CRLList; |
| 82 | 85 |
| 83 // crls returns the internal state of this CRLSet. It should only be used in | 86 // crls returns the internal state of this CRLSet. It should only be used in |
| 84 // testing. | 87 // testing. |
| 85 const CRLList& crls() const; | 88 const CRLList& crls() const; |
| 86 | 89 |
| 90 // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests. | |
| 91 static CRLSet* EmptyCRLSetForTesting(); | |
| 92 | |
| 93 // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests. | |
| 94 static CRLSet* ExpiredCRLSetForTesting(); | |
| 95 | |
| 87 private: | 96 private: |
| 88 CRLSet(); | 97 CRLSet(); |
| 89 | 98 |
| 90 // CopyBlockedSPKIsFromHeader sets |blocked_spkis_| to the list of values | 99 // CopyBlockedSPKIsFromHeader sets |blocked_spkis_| to the list of values |
| 91 // from "BlockedSPKIs" in |header_dict|. | 100 // from "BlockedSPKIs" in |header_dict|. |
| 92 bool CopyBlockedSPKIsFromHeader(base::DictionaryValue* header_dict); | 101 bool CopyBlockedSPKIsFromHeader(base::DictionaryValue* header_dict); |
| 93 | 102 |
| 94 // CheckSerialIsRevoked is a helper function for |CheckSerial|. | |
| 95 Result CheckSerialIsRevoked( | |
| 96 const base::StringPiece& serial_number, | |
| 97 const base::StringPiece& issuer_spki_hash) const; | |
| 98 | |
| 99 uint32 sequence_; | 103 uint32 sequence_; |
| 100 CRLList crls_; | 104 CRLList crls_; |
| 101 // not_after_ contains the time, in UNIX epoch seconds, after which the | 105 // not_after_ contains the time, in UNIX epoch seconds, after which the |
| 102 // CRLSet should be considered stale, or 0 if no such time was given. | 106 // CRLSet should be considered stale, or 0 if no such time was given. |
| 103 uint64 not_after_; | 107 uint64 not_after_; |
| 104 // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_| | 108 // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_| |
| 105 // where the information for that issuer can be found. We have both |crls_| | 109 // where the information for that issuer can be found. We have both |crls_| |
| 106 // and |crls_index_by_issuer_| because, when applying a delta update, we need | 110 // and |crls_index_by_issuer_| because, when applying a delta update, we need |
| 107 // to identify a CRL by index. | 111 // to identify a CRL by index. |
| 108 std::map<std::string, size_t> crls_index_by_issuer_; | 112 std::map<std::string, size_t> crls_index_by_issuer_; |
| 109 // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked | 113 // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked |
| 110 // no matter where in a certificate chain they might appear. | 114 // no matter where in a certificate chain they might appear. |
| 111 std::vector<std::string> blocked_spkis_; | 115 std::vector<std::string> blocked_spkis_; |
| 112 }; | 116 }; |
| 113 | 117 |
| 114 } // namespace net | 118 } // namespace net |
| 115 | 119 |
| 116 #endif // NET_BASE_CRL_SET_H_ | 120 #endif // NET_BASE_CRL_SET_H_ |
| OLD | NEW |
