Run app_shell_browsertests on Win waterfall and trybots.
[chromium-blink-merge.git] / net / cert / crl_set.h
blob688e47cc737613e31dad3a482359a32b362b5f97
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_CERT_CRL_SET_H_
6 #define NET_CERT_CRL_SET_H_
8 #include <string>
9 #include <utility>
10 #include <vector>
12 #include "base/containers/hash_tables.h"
13 #include "base/memory/ref_counted.h"
14 #include "base/strings/string_piece.h"
15 #include "net/base/net_export.h"
16 #include "net/cert/x509_cert_types.h"
18 namespace net {
20 // A CRLSet is a structure that lists the serial numbers of revoked
21 // certificates from a number of issuers where issuers are identified by the
22 // SHA256 of their SubjectPublicKeyInfo.
23 // CRLSetStorage is responsible for creating CRLSet instances.
24 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
25 public:
26 enum Result {
27 REVOKED, // the certificate should be rejected.
28 UNKNOWN, // the CRL for the certificate is not included in the set.
29 GOOD, // the certificate is not listed.
32 // CheckSPKI checks whether the given SPKI has been listed as blocked.
33 // spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate.
34 Result CheckSPKI(const base::StringPiece& spki_hash) const;
36 // CheckSerial returns the information contained in the set for a given
37 // certificate:
38 // serial_number: the serial number of the certificate
39 // issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL
40 // signer
41 Result CheckSerial(
42 const base::StringPiece& serial_number,
43 const base::StringPiece& issuer_spki_hash) const;
45 // IsExpired returns true iff the current time is past the NotAfter time
46 // specified in the CRLSet.
47 bool IsExpired() const;
49 // sequence returns the sequence number of this CRL set. CRL sets generated
50 // by the same source are given strictly monotonically increasing sequence
51 // numbers.
52 uint32 sequence() const;
54 // CRLList contains a list of (issuer SPKI hash, revoked serial numbers)
55 // pairs.
56 typedef std::vector< std::pair<std::string, std::vector<std::string> > >
57 CRLList;
59 // crls returns the internal state of this CRLSet. It should only be used in
60 // testing.
61 const CRLList& crls() const;
63 // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests.
64 static CRLSet* EmptyCRLSetForTesting();
66 // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests.
67 static CRLSet* ExpiredCRLSetForTesting();
69 // ForTesting returns a CRLSet for testing. If |is_expired| is true, calling
70 // IsExpired on the result will return true. If |issuer_spki| is not NULL,
71 // the CRLSet will cover certificates issued by that SPKI. If |serial_number|
72 // is not emtpy, then that big-endian serial number will be considered to
73 // have been revoked by |issuer_spki|.
74 static CRLSet* ForTesting(bool is_expired,
75 const SHA256HashValue* issuer_spki,
76 const std::string& serial_number);
78 private:
79 CRLSet();
80 ~CRLSet();
82 friend class base::RefCountedThreadSafe<CRLSet>;
83 friend class CRLSetStorage;
85 uint32 sequence_;
86 CRLList crls_;
87 // not_after_ contains the time, in UNIX epoch seconds, after which the
88 // CRLSet should be considered stale, or 0 if no such time was given.
89 uint64 not_after_;
90 // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_|
91 // where the information for that issuer can be found. We have both |crls_|
92 // and |crls_index_by_issuer_| because, when applying a delta update, we need
93 // to identify a CRL by index.
94 base::hash_map<std::string, size_t> crls_index_by_issuer_;
95 // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked
96 // no matter where in a certificate chain they might appear.
97 std::vector<std::string> blocked_spkis_;
100 } // namespace net
102 #endif // NET_CERT_CRL_SET_H_