File: revocation_checker.h

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (145 lines) | stat: -rw-r--r-- 6,472 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
 
// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_INTERNAL_REVOCATION_CHECKER_H_
#define NET_CERT_INTERNAL_REVOCATION_CHECKER_H_

#include <string_view>

#include "base/time/time.h"
#include "net/base/net_export.h"
#include "net/cert/crl_set.h"
#include "third_party/boringssl/src/pki/cert_errors.h"
#include "third_party/boringssl/src/pki/ocsp.h"
#include "third_party/boringssl/src/pki/parsed_certificate.h"

namespace net {

class CertNetFetcher;

// Baseline Requirements 1.6.5, section 4.9.7:
//     For the status of Subscriber Certificates: If the CA publishes a CRL,
//     then the CA SHALL update and reissue CRLs at least once every seven
//     days, and the value of the nextUpdate field MUST NOT be more than ten
//     days beyond the value of the thisUpdate field.
//
// Baseline Requirements 1.6.5, section 4.9.10:
//     For the status of Subscriber Certificates: The CA SHALL update
//     information provided via an Online Certificate Status Protocol at least
//     every four days.  OCSP responses from this service MUST have a maximum
//     expiration time of ten days.
//
// Use 7 days as the max allowable leaf revocation status age, which is
// sufficient for both CRL and OCSP, and which aligns with Microsoft policies.
inline constexpr base::TimeDelta kMaxRevocationLeafUpdateAge = base::Days(7);

// Baseline Requirements 1.6.5, section 4.9.7:
//     For the status of Subordinate CA Certificates: The CA SHALL update and
//     reissue CRLs at least (i) once every twelve months and (ii) within 24
//     hours after revoking a Subordinate CA Certificate, and the value of the
//     nextUpdate field MUST NOT be more than twelve months beyond the value of
//     the thisUpdate field.
//
// Baseline Requirements 1.6.5, section 4.9.10:
//     For the status of Subordinate CA Certificates: The CA SHALL update
//     information provided via an Online Certificate Status Protocol at least
//     (i) every twelve months and (ii) within 24 hours after revoking a
//     Subordinate CA Certificate.
//
// Use 366 days to allow for leap years, though it is overly permissive in
// other years.
inline constexpr base::TimeDelta kMaxRevocationIntermediateUpdateAge =
    base::Days(366);

// RevocationPolicy describes how revocation should be carried out for a
// particular chain.
// Callers should not rely on the default-initialized value, but should fully
// specify all the parameters. The default values specify a strict revocation
// checking mode, in case users fail to fully set the parameters.
struct NET_EXPORT_PRIVATE RevocationPolicy {
  // If |check_revocation| is true, then revocation checking is mandatory. This
  // means that every certificate in the chain (excluding trust anchors) must
  // have valid (unexpired) revocation information proving it to be unrevoked.
  //
  // The mechanisms used for checking revocation may include stapled OCSP,
  // cached OCSP, online OCSP, cached CRL, online CRL.
  //
  // The other properties of RevocationPolicy place further constraints on how
  // revocation checking may proceed.
  bool check_revocation = true;

  // If |networking_allowed| is true then revocation checking is allowed to
  // issue network requests in order to fetch fresh OCSP/CRL. Otherwise
  // networking is not permitted in the course of revocation checking.
  bool networking_allowed = false;

  // If |crl_allowed| is true then CRLs will be checked as a fallback when an
  // OCSP URL is not present or OCSP results are indeterminate.
  bool crl_allowed = true;

  // If set to true, considers certificates lacking URLs for OCSP/CRL to be
  // unrevoked. Otherwise will fail for certificates lacking revocation
  // mechanisms.
  bool allow_missing_info = false;

  // If set to true, other failure to perform revocation checks (e.g. due to a
  // network level failure, OCSP response error status, failure parsing or
  // evaluating the OCSP/CRL response, etc) is considered equivalent to a
  // successful revocation check.
  bool allow_unable_to_check = false;

  // If set to true, enforce requirements specified in the Baseline
  // Requirements such as maximum age of revocation responses.
  bool enforce_baseline_requirements = true;
};

// Checks the revocation status of |certs| according to |policy|, and adds
// any failures to |errors|. On failure errors are added to |errors|. On success
// no errors are added.
//
// |deadline|, if not null, will limit the overall amount of time spent doing
// online revocation checks. If |base::TimeTicks::Now()| exceeds |deadline|, no
// more revocation checks will be attempted. Note that this is not a hard
// limit, the deadline may be exceeded by the individual request timetout of a
// single CertNetFetcher.
//
// |certs| must be a successfully validated chain according to RFC 5280 section
// 6.1, in order from leaf to trust anchor.
//
// |net_fetcher| may be null, however this may lead to failed revocation checks
// depending on |policy|.
//
// |stapled_ocsp_verify_result|, if non-null, will be filled with the result of
// checking the leaf certificate against |stapled_leaf_ocsp_response|.
NET_EXPORT_PRIVATE void CheckValidatedChainRevocation(
    const bssl::ParsedCertificateList& certs,
    const RevocationPolicy& policy,
    base::TimeTicks deadline,
    std::string_view stapled_leaf_ocsp_response,
    base::Time current_time,
    CertNetFetcher* net_fetcher,
    bssl::CertPathErrors* errors,
    bssl::OCSPVerifyResult* stapled_ocsp_verify_result);

// Checks the revocation status of a certificate chain using the CRLSet and adds
// revocation errors to |errors|.
//
// Returns the revocation status of the leaf certificate:
//
// * CRLSet::REVOKED if any certificate in the chain is revoked. Also adds a
//   corresponding error for the certificate in |errors|.
//
// * CRLSet::GOOD if the leaf certificate is covered as GOOD by the CRLSet, and
//   none of the intermediates were revoked according to the CRLSet.
//
// * CRLSet::UNKNOWN if none of the certificates are known to be revoked, and
//   the revocation status of leaf certificate was UNKNOWN by the CRLSet.
NET_EXPORT_PRIVATE CRLSet::Result CheckChainRevocationUsingCRLSet(
    const CRLSet* crl_set,
    const bssl::ParsedCertificateList& certs,
    bssl::CertPathErrors* errors);

}  // namespace net

#endif  // NET_CERT_INTERNAL_REVOCATION_CHECKER_H_