Route OCSP stapling through CertVerifier.

net/cert/cert_verify_proc_win.cc

Index: net/cert/cert_verify_proc_win.cc
diff --git a/net/cert/cert_verify_proc_win.cc b/net/cert/cert_verify_proc_win.cc
index 13a337bfe2f54fa5a826b09642f5a6807eda741f..21572b4b0fec69d0ab3fa2437f41a2dd68fd958a 100644
--- a/net/cert/cert_verify_proc_win.cc
+++ b/net/cert/cert_verify_proc_win.cc
@@ -559,9 +559,19 @@ bool CertVerifyProcWin::SupportsAdditionalTrustAnchors() const {
   return false;
 }
 
+bool CertVerifyProcWin::SupportsOCSPStapling() const {
+  // CERT_OCSP_RESPONSE_PROP_ID is only implemented on Vista+, but it can be
+  // set on Windows XP without error. There is some overhead from the server
+  // sending the OCSP response if it supports the extension, for the subset of
+  // XP clients who will request it but be unable to use it, but this is an
+  // acceptable trade-off for simplicity of implementation.
+  return true;
+}
+
 int CertVerifyProcWin::VerifyInternal(
     X509Certificate* cert,
     const std::string& hostname,
+    const std::string& ocsp_response,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
@@ -633,6 +643,18 @@ int CertVerifyProcWin::VerifyInternal(
     chain_engine.reset(TestRootCerts::GetInstance()->GetChainEngine());
 
   ScopedPCCERT_CONTEXT cert_list(cert->CreateOSCertChainForCert());
+
+  if (!ocsp_response.empty()) {
+    // Attach the OCSP response to the chain.
+    CRYPT_DATA_BLOB ocsp_response_blob;
+    ocsp_response_blob.cbData = ocsp_response.size();
+    ocsp_response_blob.pbData =
+        reinterpret_cast<BYTE*>(const_cast<char*>(ocsp_response.data()));
+    CertSetCertificateContextProperty(
+        cert_list.get(), CERT_OCSP_RESPONSE_PROP_ID,
+        CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, &ocsp_response_blob);
+  }
+
   PCCERT_CHAIN_CONTEXT chain_context;
   // IE passes a non-NULL pTime argument that specifies the current system
   // time.  IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the