Add CheckOCSPDateValid() to net/cert/internal

net/cert/internal/parse_ocsp.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <algorithm>
 
 #include "base/sha1.h"
 #include "crypto/sha2.h"
 #include "net/cert/internal/parse_ocsp.h"
 
@@ skipping 511 matching lines @@
       }
     }
   }
 
   if (!found)
     out->status = OCSPCertStatus::Status::UNKNOWN;
 
   return found;
 }
 
+bool CheckOCSPDateValid(const OCSPSingleResponse& response,
+                        const base::Time& verify_time,
+                        const base::TimeDelta& max_age) {
+  if (response.has_next_update &&
+      (response.next_update <= response.this_update)) {
+    return false;
+  }
+
+  // Place |verify_time| in the bounds.
+  der::GeneralizedTime verify_time_der = der::ConvertBaseUTCTime(verify_time);

[Ryan Sleevi, 2016/06/23 21:27:35]

The purpose of this function is just so you don't have to decode this_update and
next_update?

[dadrian, 2016/06/24 01:41:51]

As far as I know there's no function to convert a der::GeneralizedTime to a
base::Time. The goal is just be able to compare timestamps.

+  if (response.this_update > verify_time_der) {
+    return false;
+  }
+  if (response.has_next_update && (response.next_update <= verify_time_der)) {
+    return false;
+  }
+
+  // Enforce |max_age|.
+  der::GeneralizedTime lower_bound =
+      der::ConvertBaseUTCTime(verify_time - max_age);
+  if (response.this_update < lower_bound) {
+    return false;
+  }

[Ryan Sleevi, 2016/06/23 21:27:35]

STYLE: Keep brace style consistent with local file & directory (
https://google.github.io/styleguide/cppguide.html#Conditionals "In general"
allows it, and we value consistency)

[dadrian, 2016/06/24 01:41:51]

Done. Sigh, old habit, my bad.

+  return true;
+}
+
 }  // namespace net