blob: 727b5a5ee86ef1277e9189281ed28732833dd5b6 [file] [log] [blame]
// Copyright 2021 The Pigweed Authors
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.
#pragma once
#include "pw_bytes/span.h"
namespace pw::tls_client::crlset {
// The following APIs will be used to verify the chains of certificates the TLS
// client builds. For example, for each certificate in the chain,
// IsCertificateBlocked() is used to check if it needs to be blocked. Then
// IsCertificateRevoked() is used to check if it is revoked by the issuer (the
// certificate one level up the chain). If either of them returns true, the
// chain should be rejected.
// Query whether a certificate needs to be blocked according to the hardcoded
// CRLSet. Callers need to provide the sha256 of the Subject Public Key Info
// (SPKI) of the certificate.
bool IsCertificateBlocked(ConstByteSpan certificate);
// Query whether a certificate is revoked by its issuer according to the
// hardcoded CRLSet. Callers need to provide the sha256 of the SPKI of the
// issuer (in |issuer|) and the serial number (as byte sequences) of the
// target certificate to query.
bool IsCertificateRevoked(ConstByteSpan issuer, ConstByteSpan serial);
} // namespace pw::tls_client::crlset