Index: net/cert/internal/ocsp.h |
diff --git a/net/cert/internal/parse_ocsp.h b/net/cert/internal/ocsp.h |
similarity index 90% |
rename from net/cert/internal/parse_ocsp.h |
rename to net/cert/internal/ocsp.h |
index 07c155d0949ebd52e9a6431ced88e59aa067f2aa..8e4880bcafc90f2f3717a7e898806da4682d1c81 100644 |
--- a/net/cert/internal/parse_ocsp.h |
+++ b/net/cert/internal/ocsp.h |
@@ -2,8 +2,8 @@ |
// Use of this source code is governed by a BSD-style license that can be |
// found in the LICENSE file. |
-#ifndef NET_CERT_INTERNAL_PARSE_OCSP_H_ |
-#define NET_CERT_INTERNAL_PARSE_OCSP_H_ |
+#ifndef NET_CERT_INTERNAL_OCSP_H_ |
+#define NET_CERT_INTERNAL_OCSP_H_ |
#include <memory> |
#include <string> |
@@ -12,6 +12,7 @@ |
#include "net/base/hash_value.h" |
#include "net/cert/internal/parse_certificate.h" |
#include "net/cert/internal/signature_algorithm.h" |
+#include "net/cert/internal/signature_policy.h" |
#include "net/der/input.h" |
#include "net/der/parse_values.h" |
#include "net/der/parser.h" |
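Review bot: This include hunk adds signature_policy.h for the new VerifyOCSPResponse parameter but not the header that defines WARN_UNUSED_RESULT, which the later hunks in this file begin to use on every declaration. Nothing in the visible include list provides that macro (in this tree it presumably comes from base/compiler_specific.h), so the header would depend on getting it transitively through parse_certificate.h or similar. Unless it is already included above this hunk, add `#include "base/compiler_specific.h"` here so the header stays self-contained.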
@@ -224,7 +225,7 @@ struct NET_EXPORT OCSPResponse { |
// id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } |
// |
// In dotted notation: 1.3.6.1.5.5.7.48.1.1 |
-NET_EXPORT der::Input BasicOCSPResponseOid(); |
+NET_EXPORT der::Input BasicOCSPResponseOid() WARN_UNUSED_RESULT; |
// Parses a DER-encoded OCSP "CertID" as specified by RFC 6960. Returns true on |
// success and sets the results in |out|. |
@@ -232,7 +233,7 @@ NET_EXPORT der::Input BasicOCSPResponseOid(); |
// On failure |out| has an undefined state. Some of its fields may have been |
// updated during parsing, whereas others may not have been changed. |
NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv, |
- OCSPCertID* out); |
+ OCSPCertID* out) WARN_UNUSED_RESULT; |
// Parses a DER-encoded OCSP "SingleResponse" as specified by RFC 6960. Returns |
// true on success and sets the results in |out|. The resulting |out| |
@@ -242,7 +243,8 @@ NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv, |
// On failure |out| has an undefined state. Some of its fields may have been |
// updated during parsing, whereas others may not have been changed. |
NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv, |
- OCSPSingleResponse* out); |
+ OCSPSingleResponse* out) |
+ WARN_UNUSED_RESULT; |
// Parses a DER-encoded OCSP "ResponseData" as specified by RFC 6960. Returns |
// true on success and sets the results in |out|. The resulting |out| |
@@ -252,7 +254,8 @@ NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv, |
// On failure |out| has an undefined state. Some of its fields may have been |
// updated during parsing, whereas others may not have been changed. |
NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv, |
- OCSPResponseData* out); |
+ OCSPResponseData* out) |
+ WARN_UNUSED_RESULT; |
// Parses a DER-encoded "OCSPResponse" as specified by RFC 6960. Returns true |
// on success and sets the results in |out|. The resulting |out| |
@@ -262,7 +265,7 @@ NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv, |
// On failure |out| has an undefined state. Some of its fields may have been |
// updated during parsing, whereas others may not have been changed. |
NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv, |
- OCSPResponse* out); |
+ OCSPResponse* out) WARN_UNUSED_RESULT; |
// Checks the certificate status of |cert| based on the OCSPResponseData |
// |response_data| and issuer |issuer| and sets the results in |out|. In the |
@@ -275,8 +278,19 @@ NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv, |
NET_EXPORT_PRIVATE bool GetOCSPCertStatus(const OCSPResponseData& response_data, |
const ParsedCertificate& issuer, |
const ParsedCertificate& cert, |
- OCSPCertStatus* out); |
+ OCSPCertStatus* out) |
+ WARN_UNUSED_RESULT; |
+ |
+// Verifies that the OCSP Response |response| is signed and has a valid trust |
+// path to the issuer |issuer_cert|, and returns whether the verification was |
+// successful. |signature_policy| is the policy to be applied to the signature |
+// verification of the trust path and OCSP response. The verification is |
+// performed as per RFC 6960. |
+NET_EXPORT_PRIVATE bool VerifyOCSPResponse( |
eroman
2016/05/31 19:12:46
IMPORTANT: How does this prevent replay attacks?
|
+ const OCSPResponse& response, |
+ const ParsedCertificate& issuer_cert, |
+ const SignaturePolicy& signature_policy) WARN_UNUSED_RESULT; |
} // namespace net |
-#endif // NET_CERT_INTERNAL_PARSE_OCSP_H_ |
+#endif // NET_CERT_INTERNAL_OCSP_H_ |
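Review bot: The header comment on VerifyOCSPResponse leaves the accepted signer undefined: "a valid trust path to the issuer |issuer_cert|" does not say whether only a response signed directly by the issuer key passes, or also one signed by a delegated responder certificate carried in the response that chains to |issuer_cert| and has the id-kp-OCSPSigning EKU (RFC 6960 §4.2.2.2), and the two have different trust consequences for callers. It should also state what is returned when the response's status is anything other than successful, and make explicit that a true result covers the signature only, so the status of any particular certificate still has to come from GetOCSPCertStatus on the verified response data. A sentence such as `// Only the response signature and signer are verified; callers must still obtain the certificate's status via GetOCSPCertStatus.` plus one stating whether delegated responder certificates are accepted would close the gap.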