Unified Diff: net/cert/internal/ocsp.h

Issue 1849773002: Adding OCSP Verification Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix scoped_ptr. Created 4 years, 7 months ago
Index: net/cert/internal/ocsp.h
diff --git a/net/cert/internal/parse_ocsp.h b/net/cert/internal/ocsp.h
similarity index 90%
rename from net/cert/internal/parse_ocsp.h
rename to net/cert/internal/ocsp.h
index 07c155d0949ebd52e9a6431ced88e59aa067f2aa..8e4880bcafc90f2f3717a7e898806da4682d1c81 100644
--- a/net/cert/internal/parse_ocsp.h
+++ b/net/cert/internal/ocsp.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef NET_CERT_INTERNAL_PARSE_OCSP_H_
-#define NET_CERT_INTERNAL_PARSE_OCSP_H_
+#ifndef NET_CERT_INTERNAL_OCSP_H_
+#define NET_CERT_INTERNAL_OCSP_H_
#include <memory>
#include <string>
@@ -12,6 +12,7 @@
#include "net/base/hash_value.h"
#include "net/cert/internal/parse_certificate.h"
#include "net/cert/internal/signature_algorithm.h"
+#include "net/cert/internal/signature_policy.h"
#include "net/der/input.h"
#include "net/der/parse_values.h"
#include "net/der/parser.h"
@@ -224,7 +225,7 @@ struct NET_EXPORT OCSPResponse {
// id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
//
// In dotted notation: 1.3.6.1.5.5.7.48.1.1
-NET_EXPORT der::Input BasicOCSPResponseOid();
+NET_EXPORT der::Input BasicOCSPResponseOid() WARN_UNUSED_RESULT;
// Parses a DER-encoded OCSP "CertID" as specified by RFC 6960. Returns true on
// success and sets the results in |out|.
@@ -232,7 +233,7 @@ NET_EXPORT der::Input BasicOCSPResponseOid();
// On failure |out| has an undefined state. Some of its fields may have been
// updated during parsing, whereas others may not have been changed.
NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv,
- OCSPCertID* out);
+ OCSPCertID* out) WARN_UNUSED_RESULT;
// Parses a DER-encoded OCSP "SingleResponse" as specified by RFC 6960. Returns
// true on success and sets the results in |out|. The resulting |out|
@@ -242,7 +243,8 @@ NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv,
// On failure |out| has an undefined state. Some of its fields may have been
// updated during parsing, whereas others may not have been changed.
NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv,
- OCSPSingleResponse* out);
+ OCSPSingleResponse* out)
+ WARN_UNUSED_RESULT;
// Parses a DER-encoded OCSP "ResponseData" as specified by RFC 6960. Returns
// true on success and sets the results in |out|. The resulting |out|
@@ -252,7 +254,8 @@ NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv,
// On failure |out| has an undefined state. Some of its fields may have been
// updated during parsing, whereas others may not have been changed.
NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv,
- OCSPResponseData* out);
+ OCSPResponseData* out)
+ WARN_UNUSED_RESULT;
// Parses a DER-encoded "OCSPResponse" as specified by RFC 6960. Returns true
// on success and sets the results in |out|. The resulting |out|
@@ -262,7 +265,7 @@ NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv,
// On failure |out| has an undefined state. Some of its fields may have been
// updated during parsing, whereas others may not have been changed.
NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv,
- OCSPResponse* out);
+ OCSPResponse* out) WARN_UNUSED_RESULT;
// Checks the certificate status of |cert| based on the OCSPResponseData
// |response_data| and issuer |issuer| and sets the results in |out|. In the
@@ -275,8 +278,19 @@ NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv,
NET_EXPORT_PRIVATE bool GetOCSPCertStatus(const OCSPResponseData& response_data,
const ParsedCertificate& issuer,
const ParsedCertificate& cert,
- OCSPCertStatus* out);
+ OCSPCertStatus* out)
+ WARN_UNUSED_RESULT;
+
+// Verifies that the OCSP Response |response| is signed and has a valid trust
+// path to the issuer |issuer_cert|, and returns whether the verification was
+// successful. |signature_policy| is the policy to be applied to the signature
+// verification of the trust path and OCSP response. The verification is
+// performed as per RFC 6960.
+NET_EXPORT_PRIVATE bool VerifyOCSPResponse(
eroman 2016/05/31 19:12:46 IMPORTANT: How does this prevent replay attacks?
+ const OCSPResponse& response,
+ const ParsedCertificate& issuer_cert,
+ const SignaturePolicy& signature_policy) WARN_UNUSED_RESULT;
} // namespace net
-#endif // NET_CERT_INTERNAL_PARSE_OCSP_H_
+#endif // NET_CERT_INTERNAL_OCSP_H_
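Review bot: The header comment on VerifyOCSPResponse (the block added before `} // namespace net`) does not state the limits of what a `true` return means, so callers may read it as "this response can be used" even though nothing in this declaration ties the response to a subject certificate (that is GetOCSPCertStatus, declared just above) or says whether responseStatus is checked. Also, "valid trust path to the issuer" is ambiguous: it should name which responder certificates are acceptable, e.g. |issuer_cert| itself versus a certificate issued by |issuer_cert| that carries id-kp-OCSPSigning, since RFC 6960 section 4.2.2.2 distinguishes these. A sentence along the lines of `// This checks only the response signature and the responder's authorization; it does not evaluate responseStatus and does not determine the status of any individual certificate (see GetOCSPCertStatus).` would make the contract explicit, adjusted to whatever ocsp.cc actually implements, which is not visible in this file. Since the other declarations in this header each document their failure state, this one should likewise say whether a `false` return distinguishes a malformed response from a signature or authorization failure.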
