1 // Copyright 2020 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_TEST_REVOCATION_BUILDER_H_
6 #define NET_TEST_REVOCATION_BUILDER_H_
7 
#include <cstdint>
#include <optional>
#include <string>
#include <vector>
11 
12 #include "base/time/time.h"
13 #include "third_party/boringssl/src/include/openssl/evp.h"
14 #include "third_party/boringssl/src/pki/ocsp.h"
15 #include "third_party/boringssl/src/pki/ocsp_revocation_status.h"
16 #include "third_party/boringssl/src/pki/signature_algorithm.h"
17 
18 namespace net {
19 
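// One SingleResponse entry of the ResponseData assembled by BuildOCSPResponse().
struct OCSPBuilderSingleResponse {
  // OCSP allows the OCSP responder and certificate issuer to be different,
  // but this implementation currently assumes they are the same, thus issuer
  // is not specified here.
  //
  // This implementation currently requires serial to be an unsigned 64 bit
  // integer. Default-initialized to 0 so that an entry whose serial a test
  // forgot to set is deterministic rather than indeterminate.
  uint64_t serial = 0;
  // Defaults to GOOD; a test that wants a revoked entry must set REVOKED (and
  // |revocation_time|) explicitly.
  bssl::OCSPRevocationStatus cert_status = bssl::OCSPRevocationStatus::GOOD;
  base::Time revocation_time;  // Only used if |cert_status|==REVOKED.
  base::Time this_update;
  // nextUpdate is optional, but this implementation currently always encodes
  // it.
  base::Time next_update;
  // singleExtensions not currently supported.
};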
36 
// Creates a bssl::OCSPResponse indicating a |response_status| error, which
// must not be ResponseStatus::SUCCESSFUL. Returns the encoded response as a
// string (presumably DER, as BuildCrl() below documents for CRLs — confirm
// against the implementation).
std::string BuildOCSPResponseError(
    bssl::OCSPResponse::ResponseStatus response_status);
41 
// Creates a bssl::OCSPResponse from the responder with DER subject
// |responder_subject| and signing key |responder_key|, containing |responses|.
// |produced_at| is used as the producedAt time of the ResponseData.
// |responder_key| is passed as a raw pointer and is presumably only borrowed
// for the duration of the call, not adopted — confirm against the
// implementation. Returns the encoded response as a string.
std::string BuildOCSPResponse(
    const std::string& responder_subject,
    EVP_PKEY* responder_key,
    base::Time produced_at,
    const std::vector<OCSPBuilderSingleResponse>& responses);
49 
// Creates a bssl::OCSPResponse signed by |responder_key| with |response_data|
// as the to-be-signed ResponseData (supplied already encoded, presumably as
// DER — confirm against the implementation). If |signature_algorithm| is
// nullopt, a default algorithm will be chosen based on the key type. Returns
// the encoded response as a string.
std::string BuildOCSPResponseWithResponseData(
    EVP_PKEY* responder_key,
    const std::string& response_data,
    std::optional<bssl::SignatureAlgorithm> signature_algorithm = std::nullopt);
58 
// Creates a CRL issued by |crl_issuer_subject| (DER subject) and signed by
// |crl_issuer_key|, marking each entry of |revoked_serials| as revoked. An
// empty |revoked_serials| yields a CRL with no revoked entries. If
// |signature_algorithm| is nullopt, a default algorithm will be chosen based
// on the key type.
// Returns the DER-encoded CRL.
std::string BuildCrl(
    const std::string& crl_issuer_subject,
    EVP_PKEY* crl_issuer_key,
    const std::vector<uint64_t>& revoked_serials,
    std::optional<bssl::SignatureAlgorithm> signature_algorithm = std::nullopt);
68 
// Variant of BuildCrl() that gives the caller explicit control over the
// signature algorithm encoding. |signature_algorithm_tlv| is presumably a
// complete AlgorithmIdentifier TLV that is written into the CRL as-is, and
// |digest| is the hash used when signing with |crl_issuer_key| — confirm both
// against the implementation. Because the TLV and the digest are supplied
// independently, they presumably need not agree with each other, which is
// what makes this helper useful for building mismatched or otherwise
// malformed CRLs in tests. Returns the encoded CRL.
std::string BuildCrlWithAlgorithmTlvAndDigest(
    const std::string& crl_issuer_subject,
    EVP_PKEY* crl_issuer_key,
    const std::vector<uint64_t>& revoked_serials,
    const std::string& signature_algorithm_tlv,
    const EVP_MD* digest);
75 
76 }  // namespace net
77 
78 #endif  // NET_TEST_REVOCATION_BUILDER_H_