forked from chromium/chromium
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathcrl_set.h
144 lines (118 loc) · 5.94 KB
/
crl_set.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_CERT_CRL_SET_H_
#define NET_CERT_CRL_SET_H_
#include <stddef.h>
#include <stdint.h>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>
#include "base/memory/ref_counted.h"
#include "base/strings/string_piece.h"
#include "net/base/net_export.h"
#include "net/cert/x509_cert_types.h"
namespace net {
// A CRLSet is a structure that lists the serial numbers of revoked
// certificates from a number of issuers where issuers are identified by the
// SHA256 of their SubjectPublicKeyInfo.
// CRLSetStorage is responsible for creating CRLSet instances.
class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
public:
enum Result {
REVOKED, // the certificate should be rejected.
UNKNOWN, // the CRL for the certificate is not included in the set.
GOOD, // the certificate is not listed.
};
// Parses the bytes in |data| and, on success, puts a new CRLSet in
// |out_crl_set| and returns true.
static bool Parse(base::StringPiece data, scoped_refptr<CRLSet>* out_crl_set);
// Same as the above, but stores the string |data| in the resulting CRLSet.
static bool ParseAndStoreUnparsedData(std::string data,
scoped_refptr<CRLSet>* out_crl_set);
// CheckSPKI checks whether the given SPKI has been listed as blocked.
// spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate.
Result CheckSPKI(const base::StringPiece& spki_hash) const;
// CheckSerial returns the information contained in the set for a given
// certificate:
// serial_number: the serial number of the certificate, as the DER-encoded
// value
// issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL
// signer
Result CheckSerial(const base::StringPiece& serial_number,
const base::StringPiece& issuer_spki_hash) const;
// CheckSubject returns the information contained in the set for a given,
// encoded subject name and SPKI hash. The subject name is encoded as a DER
// X.501 Name (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4).
Result CheckSubject(const base::StringPiece& asn1_subject,
const base::StringPiece& spki_hash) const;
// Returns true if |spki_hash|, the SHA256 of the SubjectPublicKeyInfo,
// is known to be used for interception by a party other than the device
// or machine owner.
bool IsKnownInterceptionKey(base::StringPiece spki_hash) const;
// IsExpired returns true iff the current time is past the NotAfter time
// specified in the CRLSet.
bool IsExpired() const;
// sequence returns the sequence number of this CRL set. CRL sets generated
// by the same source are given strictly monotonically increasing sequence
// numbers.
uint32_t sequence() const;
const std::string& unparsed_crl_set() const;
// CRLList contains a map of (issuer SPKI hash, revoked serial numbers)
// pairs.
typedef std::unordered_map<std::string, std::vector<std::string>> CRLList;
// crls returns the internal state of this CRLSet. It should only be used in
// testing.
const CRLList& CrlsForTesting() const;
// BuiltinCRLSet() returns the default CRLSet, to be used when no CRLSet is
// available from the network. The default CRLSet includes a statically-
// configured block list.
static scoped_refptr<CRLSet> BuiltinCRLSet();
// EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests.
static scoped_refptr<CRLSet> EmptyCRLSetForTesting();
// ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests.
static scoped_refptr<CRLSet> ExpiredCRLSetForTesting();
// ForTesting returns a CRLSet for testing. If |is_expired| is true, calling
// IsExpired on the result will return true. If |issuer_spki| is not NULL,
// the CRLSet will cover certificates issued by that SPKI. If |serial_number|
// is not empty, then that DER-encoded serial number will be considered to
// have been revoked by |issuer_spki|. If |utf8_common_name| is not empty
// then the CRLSet will consider certificates with a subject consisting only
// of that common name as a UTF8String to be revoked unless they match an
// SPKI hash from |acceptable_spki_hashes_for_cn|.
static scoped_refptr<CRLSet> ForTesting(
bool is_expired,
const SHA256HashValue* issuer_spki,
const std::string& serial_number,
const std::string utf8_common_name,
const std::vector<std::string> acceptable_spki_hashes_for_cn);
private:
CRLSet();
~CRLSet();
friend class base::RefCountedThreadSafe<CRLSet>;
uint32_t sequence_;
// not_after_ contains the time, in UNIX epoch seconds, after which the
// CRLSet should be considered stale, or 0 if no such time was given.
uint64_t not_after_;
// crls_ is a map from the SHA-256 hash of an X.501 subject name to a list
// of revoked serial numbers.
CRLList crls_;
// blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked
// no matter where in a certificate chain they might appear.
std::vector<std::string> blocked_spkis_;
// known_interception_spkis_ contains the SHA256 hashes of SPKIs which are
// known to be used for interception by a party other than the device or
// machine owner.
std::vector<std::string> known_interception_spkis_;
// limited_subjects_ is a map from the SHA256 hash of an X.501 subject name
// to a list of allowed SPKI hashes for certificates with that subject name.
std::unordered_map<std::string, std::vector<std::string>> limited_subjects_;
// A string that holds the unparsed version of the CRLSet. Only populated in
// the case that the OOP CertVerifier is enabled.
// TODO(crbug.com/1046728): temporary until the network service doesn't need
// to know about CRLSets.
std::string unparsed_crl_set_;
};
} // namespace net
#endif // NET_CERT_CRL_SET_H_