Adding OCSP Verification

net/cert/internal/ocsp.h

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_CERT_INTERNAL_PARSE_OCSP_H_
-#define NET_CERT_INTERNAL_PARSE_OCSP_H_
+#ifndef NET_CERT_INTERNAL_OCSP_H_
+#define NET_CERT_INTERNAL_OCSP_H_
 
 #include <memory>
 #include <string>
 #include <vector>
 
 #include "net/base/hash_value.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/signature_algorithm.h"
+#include "net/cert/internal/signature_policy.h"
 #include "net/der/input.h"
 #include "net/der/parse_values.h"
 #include "net/der/parser.h"
 #include "net/der/tag.h"
 
 namespace net {
 
 // OCSPCertID contains a representation of a DER-encoded RFC 6960 "CertID".
 //
 // CertID ::= SEQUENCE {
@@ skipping 192 matching lines @@
   bool has_certs;
   std::vector<der::Input> certs;
 };
 
 // From RFC 6960:
 //
 // id-pkix-ocsp           OBJECT IDENTIFIER ::= { id-ad-ocsp }
 // id-pkix-ocsp-basic     OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
 //
 // In dotted notation: 1.3.6.1.5.5.7.48.1.1
-NET_EXPORT der::Input BasicOCSPResponseOid();
+NET_EXPORT der::Input BasicOCSPResponseOid() WARN_UNUSED_RESULT;
 
 // Parses a DER-encoded OCSP "CertID" as specified by RFC 6960. Returns true on
 // success and sets the results in |out|.
 //
 // On failure |out| has an undefined state. Some of its fields may have been
 // updated during parsing, whereas others may not have been changed.
 NET_EXPORT_PRIVATE bool ParseOCSPCertID(const der::Input& raw_tlv,
-                                        OCSPCertID* out);
+                                        OCSPCertID* out) WARN_UNUSED_RESULT;
 
 // Parses a DER-encoded OCSP "SingleResponse" as specified by RFC 6960. Returns
 // true on success and sets the results in |out|. The resulting |out|
 // references data from |raw_tlv| and is only valid for the lifetime of
 // |raw_tlv|.
 //
 // On failure |out| has an undefined state. Some of its fields may have been
 // updated during parsing, whereas others may not have been changed.
 NET_EXPORT_PRIVATE bool ParseOCSPSingleResponse(const der::Input& raw_tlv,
-                                                OCSPSingleResponse* out);
+                                                OCSPSingleResponse* out)
+    WARN_UNUSED_RESULT;
 
 // Parses a DER-encoded OCSP "ResponseData" as specified by RFC 6960. Returns
 // true on success and sets the results in |out|. The resulting |out|
 // references data from |raw_tlv| and is only valid for the lifetime of
 // |raw_tlv|.
 //
 // On failure |out| has an undefined state. Some of its fields may have been
 // updated during parsing, whereas others may not have been changed.
 NET_EXPORT_PRIVATE bool ParseOCSPResponseData(const der::Input& raw_tlv,
-                                              OCSPResponseData* out);
+                                              OCSPResponseData* out)
+    WARN_UNUSED_RESULT;
 
 // Parses a DER-encoded "OCSPResponse" as specified by RFC 6960. Returns true
 // on success and sets the results in |out|. The resulting |out|
 // references data from |raw_tlv| and is only valid for the lifetime of
 // |raw_tlv|.
 //
 // On failure |out| has an undefined state. Some of its fields may have been
 // updated during parsing, whereas others may not have been changed.
 NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv,
-                                          OCSPResponse* out);
+                                          OCSPResponse* out) WARN_UNUSED_RESULT;
 
 // Checks the certificate status of |cert| based on the OCSPResponseData
 // |response_data| and issuer |issuer| and sets the results in |out|. In the
 // case that there are multiple responses for a given certificate, as a result
 // of caching or performance (RFC 6960, 4.2.2.3), the strictest response is
 // returned (REVOKED > UNKNOWN > GOOD).
 //
 // On failure |out| has an undefined state. Some of its fields may have been
 // updated during parsing, whereas others may not have been changed.
 NET_EXPORT_PRIVATE bool GetOCSPCertStatus(const OCSPResponseData& response_data,
                                           const ParsedCertificate& issuer,
                                           const ParsedCertificate& cert,
-                                          OCSPCertStatus* out);
+                                          OCSPCertStatus* out)
+    WARN_UNUSED_RESULT;
+
+// Verifies that the OCSP Response |response| is signed and has a valid trust
+// path to the issuer |issuer_cert|, and returns whether the verification was
+// successful. |signature_policy| is the policy to be applied to the signature
+// verification of the trust path and OCSP response. The verification is
+// performed as per RFC 6960.
+NET_EXPORT_PRIVATE bool VerifyOCSPResponse(

[eroman, 2016/05/31 19:12:46]

IMPORTANT: How does this prevent replay attacks?

I don't see the use of a nonce, or enforcement of response time anywhere, which
implies an OCSP response could simply be replayed and accepted here ad
infinitum, after it has been revoked.

Should this function take a timestamp ?

+    const OCSPResponse& response,
+    const ParsedCertificate& issuer_cert,
+    const SignaturePolicy& signature_policy) WARN_UNUSED_RESULT;
 
 }  // namespace net
 
-#endif  // NET_CERT_INTERNAL_PARSE_OCSP_H_
+#endif  // NET_CERT_INTERNAL_OCSP_H_