1 // Copyright 2021 The Pigweed Authors 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not 4 // use this file except in compliance with the License. You may obtain a copy of 5 // the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 // License for the specific language governing permissions and limitations under 13 // the License. 14 15 #pragma once 16 17 #include "pw_bytes/span.h" 18 19 namespace pw::tls_client::crlset { 20 21 // The following APIs will be used to verify the chains of certificates the TLS 22 // client builds. For example, for each certificate in the chain, 23 // IsCertificateBlocked() is used to check if it needs to be blocked. Then 24 // IsCertificateRevoked() is used to check if it is revoked by the issuer (the 25 // certificate one level up the chain). If either of them returns true, the 26 // chain should be rejected. 27 28 // Query whether a certificate needs to be blocked according to the hardcoded 29 // CRLSet. Callers need to provide the sha256 of the Subject Public Key Info 30 // (SPKI) of the certificate. 31 bool IsCertificateBlocked(ConstByteSpan certificate); 32 33 // Query whether a certificate is revoked by its issuer according to the 34 // hardcoded CRLSet. Callers need to provide the sha256 of the SPKI of the 35 // issuer (in |issuer|) and the serial number (as byte sequences) of the 36 // target certificate to query. 37 bool IsCertificateRevoked(ConstByteSpan issuer, ConstByteSpan serial); 38 39 } // namespace pw::tls_client::crlset 40