Route OCSP stapling through CertVerifier.

net/cert/cert_verify_proc_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_win.h"
 
 #include <string>
 #include <vector>
 
 #include "base/memory/scoped_ptr.h"
@@ skipping 541 matching lines @@
 }  // namespace
 
 CertVerifyProcWin::CertVerifyProcWin() {}
 
 CertVerifyProcWin::~CertVerifyProcWin() {}
 
 bool CertVerifyProcWin::SupportsAdditionalTrustAnchors() const {
   return false;
 }
 
+bool CertVerifyProcWin::SupportsOCSPStapling() const {
+  // CERT_OCSP_RESPONSE_PROP_ID is only implemented on Vista+, but it can be
+  // set on Windows XP without error. There is some overhead from the server
+  // sending the OCSP response if it supports the extension, for the subset of
+  // XP clients who will request it but be unable to use it, but this is an
+  // acceptable trade-off for simplicity of implementation.
+  return true;
+}
+
 int CertVerifyProcWin::VerifyInternal(
     X509Certificate* cert,
     const std::string& hostname,
+    const std::string& ocsp_response,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CertVerifyResult* verify_result) {
   PCCERT_CONTEXT cert_handle = cert->os_cert_handle();
   if (!cert_handle)
     return ERR_UNEXPECTED;
 
   // Build and validate certificate chain.
   CERT_CHAIN_PARA chain_para;
@@ skipping 51 matching lines @@
   // crypt32. However, when testing, it is necessary to create a new
   // HCERTCHAINENGINE and use that instead. This is because each
   // HCERTCHAINENGINE maintains a cache of information about certificates
   // encountered, and each test run may modify the trust status of a
   // certificate.
   ScopedHCERTCHAINENGINE chain_engine(NULL);
   if (TestRootCerts::HasInstance())
     chain_engine.reset(TestRootCerts::GetInstance()->GetChainEngine());
 
   ScopedPCCERT_CONTEXT cert_list(cert->CreateOSCertChainForCert());
+
+  if (!ocsp_response.empty()) {
+    // Attach the OCSP response to the chain.
+    CRYPT_DATA_BLOB ocsp_response_blob;
+    ocsp_response_blob.cbData = ocsp_response.size();
+    ocsp_response_blob.pbData =
+        reinterpret_cast<BYTE*>(const_cast<char*>(ocsp_response.data()));
+    BOOL ok = CertSetCertificateContextProperty(
+        cert_list.get(), CERT_OCSP_RESPONSE_PROP_ID,
+        CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, &ocsp_response_blob);
+    if (!ok) {
+      VLOG(1) << "Failed to set OCSP response property: " << GetLastError();

[Ryan Sleevi, 2015/04/23 01:41:23]

Time to nuke this; we've never once used it, and we've had it for years.

(Line 656-658)

[davidben, 2015/04/23 20:41:47]

Done.

+    }
+  }
+
   PCCERT_CHAIN_CONTEXT chain_context;
   // IE passes a non-NULL pTime argument that specifies the current system
   // time.  IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the
   // chain_flags argument.
   if (!CertGetCertificateChain(
            chain_engine,
            cert_list.get(),
            NULL,  // current system time
            cert_list->hCertStore,
            &chain_para,
@@ skipping 157 matching lines @@
     return MapCertStatusToNetError(verify_result->cert_status);
 
   if (ev_policy_oid &&
       CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
   }
   return OK;
 }
 
 }  // namespace net