net/cert/crl_set.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_CRL_SET_H_
   6 #define NET_CERT_CRL_SET_H_
   7
   8 #include <map>
   9 #include <string>
  10 #include <utility>
  11 #include <vector>
  12
  13 #include "base/memory/ref_counted.h"
  14 #include "base/strings/string_piece.h"
  15 #include "net/base/net_export.h"
  16
  17 namespace base {
  18 class DictionaryValue;
  19 }
  20
  21 namespace net {
  22
  23 // A CRLSet is a structure that lists the serial numbers of revoked
  24 // certificates from a number of issuers where issuers are identified by the
  25 // SHA256 of their SubjectPublicKeyInfo.
  26 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
  27  public:
  28   enum Result {
  29     REVOKED,  // the certificate should be rejected.
  30     UNKNOWN,  // the CRL for the certificate is not included in the set.
  31     GOOD,     // the certificate is not listed.
  32   };
  33
  34   // Parse parses the bytes in |data| and, on success, puts a new CRLSet in
  35   // |out_crl_set| and returns true.
  36   static bool Parse(base::StringPiece data,
  37                     scoped_refptr<CRLSet>* out_crl_set);
  38
  39   // CheckSPKI checks whether the given SPKI has been listed as blocked.
  40   //   spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate.
  41   Result CheckSPKI(const base::StringPiece& spki_hash) const;
  42
  43   // CheckSerial returns the information contained in the set for a given
  44   // certificate:
  45   //   serial_number: the serial number of the certificate
  46   //   issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL
  47   //       signer
  48   Result CheckSerial(
  49       const base::StringPiece& serial_number,
  50       const base::StringPiece& issuer_spki_hash) const;
  51
  52   // IsExpired returns true iff the current time is past the NotAfter time
  53   // specified in the CRLSet.
  54   bool IsExpired() const;
  55
  56   // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of
  57   // updating the current CRL set with the delta information in |delta_bytes|.
  58   bool ApplyDelta(const base::StringPiece& delta_bytes,
  59                   scoped_refptr<CRLSet>* out_crl_set);
  60
  61   // GetIsDeltaUpdate extracts the header from |bytes|, sets *is_delta to
  62   // whether |bytes| is a delta CRL set or not and returns true. In the event
  63   // of a parse error, it returns false.
  64   static bool GetIsDeltaUpdate(const base::StringPiece& bytes, bool *is_delta);
  65
  66   // Serialize returns a string of bytes suitable for passing to Parse. Parsing
  67   // and serializing a CRLSet is a lossless operation - the resulting bytes
  68   // will be equal.
  69   std::string Serialize() const;
  70
  71   // sequence returns the sequence number of this CRL set. CRL sets generated
  72   // by the same source are given strictly monotonically increasing sequence
  73   // numbers.
  74   uint32 sequence() const;
  75
  76   // CRLList contains a list of (issuer SPKI hash, revoked serial numbers)
  77   // pairs.
  78   typedef std::vector< std::pair<std::string, std::vector<std::string> > >
  79       CRLList;
  80
  81   // crls returns the internal state of this CRLSet. It should only be used in
  82   // testing.
  83   const CRLList& crls() const;
  84
  85   // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests.
  86   static CRLSet* EmptyCRLSetForTesting();
  87
  88   // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests.
  89   static CRLSet* ExpiredCRLSetForTesting();
  90
  91  private:
  92   CRLSet();
  93   ~CRLSet();
  94
  95   friend class base::RefCountedThreadSafe<CRLSet>;
  96
  97   // CopyBlockedSPKIsFromHeader sets |blocked_spkis_| to the list of values
  98   // from "BlockedSPKIs" in |header_dict|.
  99   bool CopyBlockedSPKIsFromHeader(base::DictionaryValue* header_dict);
 100
 101   uint32 sequence_;
 102   CRLList crls_;
 103   // not_after_ contains the time, in UNIX epoch seconds, after which the
 104   // CRLSet should be considered stale, or 0 if no such time was given.
 105   uint64 not_after_;
 106   // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_|
 107   // where the information for that issuer can be found. We have both |crls_|
 108   // and |crls_index_by_issuer_| because, when applying a delta update, we need
 109   // to identify a CRL by index.
 110   std::map<std::string, size_t> crls_index_by_issuer_;
 111   // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked
 112   // no matter where in a certificate chain they might appear.
 113   std::vector<std::string> blocked_spkis_;
 114 };
 115
 116 }  // namespace net
 117
 118 #endif  // NET_CERT_CRL_SET_H_