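// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_TEST_REVOCATION_BUILDER_H_
#define NET_TEST_REVOCATION_BUILDER_H_

// Helpers that build signed OCSP responses and CRLs as strings, so tests can
// feed known revocation data to the code under test.

#include <stdint.h>

#include <optional>
#include <string>
#include <vector>

#include "base/time/time.h"
#include "third_party/boringssl/src/include/openssl/evp.h"
#include "third_party/boringssl/src/pki/ocsp.h"
#include "third_party/boringssl/src/pki/ocsp_revocation_status.h"
#include "third_party/boringssl/src/pki/signature_algorithm.h"

namespace net {

// Describes one SingleResponse entry (the status of one certificate) to be
// placed in an OCSP response built by BuildOCSPResponse().
struct OCSPBuilderSingleResponse {
  // OCSP allows the OCSP responder and certificate issuer to be different,
  // but this implementation currently assumes they are the same, thus issuer
  // is not specified here.
  //
  // This implementation currently requires serial to be an unsigned 64 bit
  // integer.
  uint64_t serial;
  // Status reported for the certificate identified by |serial|.
  bssl::OCSPRevocationStatus cert_status;
  base::Time revocation_time;  // Only used if |cert_status|==REVOKED.
  // Start of the validity window of this status (thisUpdate).
  base::Time this_update;
  // nextUpdate is optional, but this implementation currently always encodes
  // it.
  base::Time next_update;
  // singleExtensions not currently supported.
};

// Creates a bssl::OCSPResponse indicating a |response_status| error, which
// must not be ResponseStatus::SUCCESSFUL.
// NOTE(review): the return value is presumably the DER encoding of the
// response, as for BuildCrl() -- confirm against the implementation.
std::string BuildOCSPResponseError(
    bssl::OCSPResponse::ResponseStatus response_status);

// Creates a bssl::OCSPResponse from responder with DER subject
// |responder_subject| and public key |responder_key|, containing |responses|.
// NOTE(review): |produced_at| is presumably encoded as the producedAt field,
// and |responder_key| is presumably also used to sign the response, so it
// would need to hold the private key -- confirm against the implementation.
std::string BuildOCSPResponse(
    const std::string& responder_subject,
    EVP_PKEY* responder_key,
    base::Time produced_at,
    const std::vector<OCSPBuilderSingleResponse>& responses);

// Creates a bssl::OCSPResponse signed by |responder_key| with
// |response_data| as the to-be-signed ResponseData. If
// |signature_algorithm| is nullopt, a default algorithm will be chosen based on
// the key type.
// NOTE(review): |response_data| is supplied by the caller; whether it is
// validated before signing is not visible from this header -- confirm.
std::string BuildOCSPResponseWithResponseData(
    EVP_PKEY* responder_key,
    const std::string& response_data,
    std::optional<bssl::SignatureAlgorithm> signature_algorithm = std::nullopt);

// Creates a CRL issued by |crl_issuer_subject| and signed by |crl_issuer_key|,
// marking |revoked_serials| as revoked. If |signature_algorithm| is nullopt, a
// default algorithm will be chosen based on the key type.
// Returns the DER-encoded CRL.
std::string BuildCrl(
    const std::string& crl_issuer_subject,
    EVP_PKEY* crl_issuer_key,
    const std::vector<uint64_t>& revoked_serials,
    std::optional<bssl::SignatureAlgorithm> signature_algorithm = std::nullopt);

// Variant of BuildCrl() that takes the signature algorithm as a
// caller-supplied TLV |signature_algorithm_tlv| together with the digest
// |digest|, instead of a bssl::SignatureAlgorithm value.
// NOTE(review): presumably the TLV is encoded as given and is not checked
// against |digest| or the key type, which would let tests produce CRLs with
// unusual or mismatched algorithm identifiers in order to exercise the
// verifier's rejection paths -- confirm against the implementation.
std::string BuildCrlWithAlgorithmTlvAndDigest(
    const std::string& crl_issuer_subject,
    EVP_PKEY* crl_issuer_key,
    const std::vector<uint64_t>& revoked_serials,
    const std::string& signature_algorithm_tlv,
    const EVP_MD* digest);

}  // namespace net

#endif  // NET_TEST_REVOCATION_BUILDER_H_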