blob: 2deddbbf88ff620d9f6f8866cce8f7b743df8845 [file] [log] [blame]
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "base/strings/string_piece_forward.h"
#include "net/base/net_export.h"
#include "net/cert/crl_set.h"
#include "net/cert/internal/parsed_certificate.h"
namespace net {
class CertPathErrors;
class CertNetFetcher;
struct CertificateTrust;
// RevocationPolicy describes how revocation should be carried out for a
// particular chain.
struct NET_EXPORT_PRIVATE RevocationPolicy {
// Callers should not rely on the default-initialized value, but should fully
// specify all the parameters.
// If |check_revocation| is true, then revocation checking is mandatory. This
// means that every certificate in the chain (excluding trust anchors) must
// have valid (unexpired) revocation information proving it to be unrevoked.
// The mechanisms used for checking revocation may include stapled OCSP,
// cached OCSP, online OCSP, cached CRL, online CRL.
// The other properties of RevocationPolicy place further constraints on how
// revocation checking may proceed.
bool check_revocation : 1;
// If |networking_allowed| is true then revocation checking is allowed to
// issue network requests in order to fetch fresh OCSP/CRL. Otherwise
// networking is not permitted in the course of revocation checking.
bool networking_allowed : 1;
// If set to true, considers certificates lacking URLs for OCSP/CRL to be
// unrevoked. Otherwise will fail for certificates lacking revocation
// mechanisms.
bool allow_missing_info : 1;
// If set to true, failure to perform online revocation checks (due to a
// network level failure) is considered equivalent to a successful revocation
// check.
// TODO(649017): The "soft fail" expectations of consumers are more broad than
// this, and may also entail parsing failures and parsed non-success OCSP
// responses.
bool allow_network_failure : 1;
// Checks the revocation status of |certs| according to |policy|, and adds
// any failures to |errors|. On failure errors are added to |errors|. On success
// no errors are added.
// |net_fetcher| may be null, however this may lead to failed revocation checks
// depending on |policy|.
NET_EXPORT_PRIVATE void CheckCertChainRevocation(
const ParsedCertificateList& certs,
const CertificateTrust& last_cert_trust,
const RevocationPolicy& policy,
base::StringPiece stapled_leaf_ocsp_response,
CertNetFetcher* net_fetcher,
CertPathErrors* errors);
// Checks the revocation status of a certificate chain using the CRLSet and adds
// revocation errors to |errors|.
// Returns the revocation status of the leaf certificate:
// * CRLSet::REVOKED if any certificate in the chain is revoked. Also adds a
// corresponding error for the certificate in |errors|.
// * CRLSet::GOOD if the leaf certificate is covered as GOOD by the CRLSet, and
// none of the intermediates were revoked according to the CRLSet.
// * CRLSet::UNKNOWN if none of the certificates are known to be revoked, and
// the revocation status of leaf certificate was UNKNOWN by the CRLSet.
NET_EXPORT_PRIVATE CRLSet::Result CheckChainRevocationUsingCRLSet(
const CRLSet* crl_set,
const ParsedCertificateList& certs,
CertPathErrors* errors);
} // namespace net