net/cert/crl_set.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/crl_set.h"
   6
   7 #include "base/logging.h"
   8 #include "base/time/time.h"
   9
  10 namespace net {
  11
  12 CRLSet::CRLSet()
  13     : sequence_(0),
  14       not_after_(0) {
  15 }
  16
  17 CRLSet::~CRLSet() {
  18 }
  19
  20 CRLSet::Result CRLSet::CheckSPKI(const base::StringPiece& spki_hash) const {
  21   for (std::vector<std::string>::const_iterator i = blocked_spkis_.begin();
  22        i != blocked_spkis_.end(); ++i) {
  23     if (spki_hash.size() == i->size() &&
  24         memcmp(spki_hash.data(), i->data(), i->size()) == 0) {
  25       return REVOKED;
  26     }
  27   }
  28
  29   return GOOD;
  30 }
  31
  32 CRLSet::Result CRLSet::CheckSerial(
  33     const base::StringPiece& serial_number,
  34     const base::StringPiece& issuer_spki_hash) const {
  35   base::StringPiece serial(serial_number);
  36
  37   if (!serial.empty() && (serial[0] & 0x80) != 0) {
  38     // This serial number is negative but the process which generates CRL sets
  39     // will reject any certificates with negative serial numbers as invalid.
  40     return UNKNOWN;
  41   }
  42
  43   // Remove any leading zero bytes.
  44   while (serial.size() > 1 && serial[0] == 0x00)
  45     serial.remove_prefix(1);
  46
  47   base::hash_map<std::string, size_t>::const_iterator crl_index =
  48       crls_index_by_issuer_.find(issuer_spki_hash.as_string());
  49   if (crl_index == crls_index_by_issuer_.end())
  50     return UNKNOWN;
  51   const std::vector<std::string>& serials = crls_[crl_index->second].second;
  52
  53   for (std::vector<std::string>::const_iterator i = serials.begin();
  54        i != serials.end(); ++i) {
  55     if (base::StringPiece(*i) == serial)
  56       return REVOKED;
  57   }
  58
  59   return GOOD;
  60 }
  61
  62 bool CRLSet::IsExpired() const {
  63   if (not_after_ == 0)
  64     return false;
  65
  66   uint64_t now = base::Time::Now().ToTimeT();
  67   return now > not_after_;
  68 }
  69
  70 uint32_t CRLSet::sequence() const {
  71   return sequence_;
  72 }
  73
  74 const CRLSet::CRLList& CRLSet::crls() const {
  75   return crls_;
  76 }
  77
  78 // static
  79 CRLSet* CRLSet::EmptyCRLSetForTesting() {
  80   return ForTesting(false, NULL, "");
  81 }
  82
  83 CRLSet* CRLSet::ExpiredCRLSetForTesting() {
  84   return ForTesting(true, NULL, "");
  85 }
  86
  87 // static
  88 CRLSet* CRLSet::ForTesting(bool is_expired,
  89                            const SHA256HashValue* issuer_spki,
  90                            const std::string& serial_number) {
  91   CRLSet* crl_set = new CRLSet;
  92   if (is_expired)
  93     crl_set->not_after_ = 1;
  94   if (issuer_spki != NULL) {
  95     const std::string spki(reinterpret_cast<const char*>(issuer_spki->data),
  96                            sizeof(issuer_spki->data));
  97     crl_set->crls_.push_back(make_pair(spki, std::vector<std::string>()));
  98     crl_set->crls_index_by_issuer_[spki] = 0;
  99   }
 100
 101   if (!serial_number.empty())
 102     crl_set->crls_[0].second.push_back(serial_number);
 103
 104   return crl_set;
 105 }
 106
 107 }  // namespace net