xref: /aosp_15_r20/external/cronet/net/cert/crl_set.h (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_CRL_SET_H_
6 #define NET_CERT_CRL_SET_H_
7 
8 #include <stddef.h>
9 #include <stdint.h>
10 
11 #include <string>
12 #include <string_view>
13 #include <unordered_map>
14 #include <utility>
15 #include <vector>
16 
17 #include "base/memory/ref_counted.h"
18 #include "net/base/hash_value.h"
19 #include "net/base/net_export.h"
20 
21 namespace net {
22 
23 // A CRLSet is a structure that lists the serial numbers of revoked
24 // certificates from a number of issuers where issuers are identified by the
25 // SHA256 of their SubjectPublicKeyInfo.
26 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
27  public:
28   enum Result {
29     REVOKED,  // the certificate should be rejected.
30     UNKNOWN,  // the CRL for the certificate is not included in the set.
31     GOOD,     // the certificate is not listed.
32   };
33 
34   // Parses the bytes in |data| and, on success, puts a new CRLSet in
35   // |out_crl_set| and returns true.
36   static bool Parse(std::string_view data, scoped_refptr<CRLSet>* out_crl_set);
37 
38   // CheckSPKI checks whether the given SPKI has been listed as blocked.
39   //   spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate.
40   Result CheckSPKI(std::string_view spki_hash) const;
41 
42   // CheckSerial returns the information contained in the set for a given
43   // certificate:
44   //   serial_number: the serial number of the certificate, as the DER-encoded
45   //       value
46   //   issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL
47   //       signer
48   Result CheckSerial(std::string_view serial_number,
49                      std::string_view issuer_spki_hash) const;
50 
51   // CheckSubject returns the information contained in the set for a given,
52   // encoded subject name and SPKI SHA-256 hash. The subject name is encoded as
53   // a DER X.501 Name (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4).
54   Result CheckSubject(std::string_view asn1_subject,
55                       std::string_view spki_hash) const;
56 
57   // Returns true if |spki_hash|, the SHA256 of the SubjectPublicKeyInfo,
58   // is known to be used for interception by a party other than the device
59   // or machine owner.
60   bool IsKnownInterceptionKey(std::string_view spki_hash) const;
61 
62   // IsExpired returns true iff the current time is past the NotAfter time
63   // specified in the CRLSet.
64   bool IsExpired() const;
65 
66   // sequence returns the sequence number of this CRL set. CRL sets generated
67   // by the same source are given strictly monotonically increasing sequence
68   // numbers.
69   uint32_t sequence() const;
70 
71   // CRLList contains a map of (issuer SPKI hash, revoked serial numbers)
72   // pairs.
73   using CRLList = std::unordered_map<std::string, std::vector<std::string>>;
74 
75   // crls returns the internal state of this CRLSet. It should only be used in
76   // testing.
77   const CRLList& CrlsForTesting() const;
78 
79   // BuiltinCRLSet() returns the default CRLSet, to be used when no CRLSet is
80   // available from the network.  The default CRLSet includes a statically-
81   // configured block list.
82   static scoped_refptr<CRLSet> BuiltinCRLSet();
83 
84   // EmptyCRLSetForTesting returns a valid, but empty, CRLSet for unit tests.
85   static scoped_refptr<CRLSet> EmptyCRLSetForTesting();
86 
87   // ExpiredCRLSetForTesting returns a expired, empty CRLSet for unit tests.
88   static scoped_refptr<CRLSet> ExpiredCRLSetForTesting();
89 
90   // ForTesting returns a CRLSet for testing. If |is_expired| is true, calling
91   // IsExpired on the result will return true. If |issuer_spki| is not NULL,
92   // the CRLSet will cover certificates issued by that SPKI. If |serial_number|
93   // is not empty, then that DER-encoded serial number will be considered to
94   // have been revoked by |issuer_spki|. If |utf8_common_name| is not empty
95   // then the CRLSet will consider certificates with a subject consisting only
96   // of that common name as a UTF8String to be revoked unless they match an
97   // SPKI hash from |acceptable_spki_hashes_for_cn|.
98   static scoped_refptr<CRLSet> ForTesting(
99       bool is_expired,
100       const SHA256HashValue* issuer_spki,
101       std::string_view serial_number,
102       std::string_view utf8_common_name,
103       const std::vector<std::string>& acceptable_spki_hashes_for_cn);
104 
105  private:
106   CRLSet();
107   ~CRLSet();
108 
109   friend class base::RefCountedThreadSafe<CRLSet>;
110 
111   uint32_t sequence_ = 0;
112   // not_after_ contains the time, in UNIX epoch seconds, after which the
113   // CRLSet should be considered stale, or 0 if no such time was given.
114   uint64_t not_after_ = 0;
115   // crls_ is a map from the SHA-256 hash of an X.501 subject name to a list
116   // of revoked serial numbers.
117   CRLList crls_;
118   // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked
119   // no matter where in a certificate chain they might appear.
120   std::vector<std::string> blocked_spkis_;
121   // known_interception_spkis_ contains the SHA256 hashes of SPKIs which are
122   // known to be used for interception by a party other than the device or
123   // machine owner.
124   std::vector<std::string> known_interception_spkis_;
125   // limited_subjects_ is a map from the SHA256 hash of an X.501 subject name
126   // to a list of allowed SPKI hashes for certificates with that subject name.
127   std::unordered_map<std::string, std::vector<std::string>> limited_subjects_;
128 };
129 
130 }  // namespace net
131 
132 #endif  // NET_CERT_CRL_SET_H_
133