1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_CERT_CRL_SET_H_
6#define NET_CERT_CRL_SET_H_
7
8#include <map>
9#include <string>
10#include <utility>
11#include <vector>
12
13#include "base/memory/ref_counted.h"
14#include "base/strings/string_piece.h"
15#include "net/base/net_export.h"
16#include "net/cert/x509_cert_types.h"
17
18namespace base {
19class DictionaryValue;
20}
21
22namespace net {
23
24// A CRLSet is a structure that lists the serial numbers of revoked
25// certificates from a number of issuers where issuers are identified by the
26// SHA256 of their SubjectPublicKeyInfo.
27class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
28 public:
29  enum Result {
30    REVOKED,  // the certificate should be rejected.
31    UNKNOWN,  // the CRL for the certificate is not included in the set.
32    GOOD,     // the certificate is not listed.
33  };
34
35  // Parse parses the bytes in |data| and, on success, puts a new CRLSet in
36  // |out_crl_set| and returns true.
37  static bool Parse(base::StringPiece data,
38                    scoped_refptr<CRLSet>* out_crl_set);
39
40  // CheckSPKI checks whether the given SPKI has been listed as blocked.
41  //   spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate.
42  Result CheckSPKI(const base::StringPiece& spki_hash) const;
43
44  // CheckSerial returns the information contained in the set for a given
45  // certificate:
46  //   serial_number: the serial number of the certificate
47  //   issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL
48  //       signer
49  Result CheckSerial(
50      const base::StringPiece& serial_number,
51      const base::StringPiece& issuer_spki_hash) const;
52
53  // IsExpired returns true iff the current time is past the NotAfter time
54  // specified in the CRLSet.
55  bool IsExpired() const;
56
57  // ApplyDelta returns a new CRLSet in |out_crl_set| that is the result of
58  // updating the current CRL set with the delta information in |delta_bytes|.
59  bool ApplyDelta(const base::StringPiece& delta_bytes,
60                  scoped_refptr<CRLSet>* out_crl_set);
61
62  // GetIsDeltaUpdate extracts the header from |bytes|, sets *is_delta to
63  // whether |bytes| is a delta CRL set or not and returns true. In the event
64  // of a parse error, it returns false.
65  static bool GetIsDeltaUpdate(const base::StringPiece& bytes, bool *is_delta);
66
67  // Serialize returns a string of bytes suitable for passing to Parse. Parsing
68  // and serializing a CRLSet is a lossless operation - the resulting bytes
69  // will be equal.
70  std::string Serialize() const;
71
72  // sequence returns the sequence number of this CRL set. CRL sets generated
73  // by the same source are given strictly monotonically increasing sequence
74  // numbers.
75  uint32 sequence() const;
76
77  // CRLList contains a list of (issuer SPKI hash, revoked serial numbers)
78  // pairs.
79  typedef std::vector< std::pair<std::string, std::vector<std::string> > >
80      CRLList;
81
82  // crls returns the internal state of this CRLSet. It should only be used in
83  // testing.
84  const CRLList& crls() const;
85
86  // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests.
87  static CRLSet* EmptyCRLSetForTesting();
88
89  // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests.
90  static CRLSet* ExpiredCRLSetForTesting();
91
92  // ForTesting returns a CRLSet for testing. If |is_expired| is true, calling
93  // IsExpired on the result will return true. If |issuer_spki| is not NULL,
94  // the CRLSet will cover certificates issued by that SPKI. If |serial_number|
95  // is not emtpy, then that big-endian serial number will be considered to
96  // have been revoked by |issuer_spki|.
97  static CRLSet* ForTesting(bool is_expired,
98                            const SHA256HashValue* issuer_spki,
99                            const std::string& serial_number);
100
101 private:
102  CRLSet();
103  ~CRLSet();
104
105  friend class base::RefCountedThreadSafe<CRLSet>;
106
107  // CopyBlockedSPKIsFromHeader sets |blocked_spkis_| to the list of values
108  // from "BlockedSPKIs" in |header_dict|.
109  bool CopyBlockedSPKIsFromHeader(base::DictionaryValue* header_dict);
110
111  uint32 sequence_;
112  CRLList crls_;
113  // not_after_ contains the time, in UNIX epoch seconds, after which the
114  // CRLSet should be considered stale, or 0 if no such time was given.
115  uint64 not_after_;
116  // crls_index_by_issuer_ maps from issuer SPKI hashes to the index in |crls_|
117  // where the information for that issuer can be found. We have both |crls_|
118  // and |crls_index_by_issuer_| because, when applying a delta update, we need
119  // to identify a CRL by index.
120  std::map<std::string, size_t> crls_index_by_issuer_;
121  // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked
122  // no matter where in a certificate chain they might appear.
123  std::vector<std::string> blocked_spkis_;
124};
125
126}  // namespace net
127
128#endif  // NET_CERT_CRL_SET_H_
129