// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_CERT_INTERNAL_REVOCATION_CHECKER_H_ #define NET_CERT_INTERNAL_REVOCATION_CHECKER_H_ #include <string_view> #include "base/time/time.h" #include "net/base/net_export.h" #include "net/cert/crl_set.h" #include "third_party/boringssl/src/pki/cert_errors.h" #include "third_party/boringssl/src/pki/ocsp.h" #include "third_party/boringssl/src/pki/parsed_certificate.h" namespace net { class CertNetFetcher; // Baseline Requirements 1.6.5, section 4.9.7: // For the status of Subscriber Certificates: If the CA publishes a CRL, // then the CA SHALL update and reissue CRLs at least once every seven // days, and the value of the nextUpdate field MUST NOT be more than ten // days beyond the value of the thisUpdate field. // // Baseline Requirements 1.6.5, section 4.9.10: // For the status of Subscriber Certificates: The CA SHALL update // information provided via an Online Certificate Status Protocol at least // every four days. OCSP responses from this service MUST have a maximum // expiration time of ten days. // // Use 7 days as the max allowable leaf revocation status age, which is // sufficient for both CRL and OCSP, and which aligns with Microsoft policies. constexpr base::TimeDelta kMaxRevocationLeafUpdateAge = …; // Baseline Requirements 1.6.5, section 4.9.7: // For the status of Subordinate CA Certificates: The CA SHALL update and // reissue CRLs at least (i) once every twelve months and (ii) within 24 // hours after revoking a Subordinate CA Certificate, and the value of the // nextUpdate field MUST NOT be more than twelve months beyond the value of // the thisUpdate field. // // Baseline Requirements 1.6.5, section 4.9.10: // For the status of Subordinate CA Certificates: The CA SHALL update // information provided via an Online Certificate Status Protocol at least // (i) every twelve months and (ii) within 24 hours after revoking a // Subordinate CA Certificate. // // Use 366 days to allow for leap years, though it is overly permissive in // other years. constexpr base::TimeDelta kMaxRevocationIntermediateUpdateAge = …; // RevocationPolicy describes how revocation should be carried out for a // particular chain. // Callers should not rely on the default-initialized value, but should fully // specify all the parameters. The default values specify a strict revocation // checking mode, in case users fail to fully set the parameters. struct NET_EXPORT_PRIVATE RevocationPolicy { … }; // Checks the revocation status of |certs| according to |policy|, and adds // any failures to |errors|. On failure errors are added to |errors|. On success // no errors are added. // // |deadline|, if not null, will limit the overall amount of time spent doing // online revocation checks. If |base::TimeTicks::Now()| exceeds |deadline|, no // more revocation checks will be attempted. Note that this is not a hard // limit, the deadline may be exceeded by the individual request timetout of a // single CertNetFetcher. // // |certs| must be a successfully validated chain according to RFC 5280 section // 6.1, in order from leaf to trust anchor. // // |net_fetcher| may be null, however this may lead to failed revocation checks // depending on |policy|. // // |stapled_ocsp_verify_result|, if non-null, will be filled with the result of // checking the leaf certificate against |stapled_leaf_ocsp_response|. NET_EXPORT_PRIVATE void CheckValidatedChainRevocation( const bssl::ParsedCertificateList& certs, const RevocationPolicy& policy, base::TimeTicks deadline, std::string_view stapled_leaf_ocsp_response, CertNetFetcher* net_fetcher, bssl::CertPathErrors* errors, bssl::OCSPVerifyResult* stapled_ocsp_verify_result); // Checks the revocation status of a certificate chain using the CRLSet and adds // revocation errors to |errors|. // // Returns the revocation status of the leaf certificate: // // * CRLSet::REVOKED if any certificate in the chain is revoked. Also adds a // corresponding error for the certificate in |errors|. // // * CRLSet::GOOD if the leaf certificate is covered as GOOD by the CRLSet, and // none of the intermediates were revoked according to the CRLSet. // // * CRLSet::UNKNOWN if none of the certificates are known to be revoked, and // the revocation status of leaf certificate was UNKNOWN by the CRLSet. NET_EXPORT_PRIVATE CRLSet::Result CheckChainRevocationUsingCRLSet( const CRLSet* crl_set, const bssl::ParsedCertificateList& certs, bssl::CertPathErrors* errors); } // namespace net #endif // NET_CERT_INTERNAL_REVOCATION_CHECKER_H_
Codebase Browser
chromium