Add CheckOCSPDateValid() to net/cert/internal

net/cert/internal/parse_ocsp.cc

Index: net/cert/internal/parse_ocsp.cc
diff --git a/net/cert/internal/parse_ocsp.cc b/net/cert/internal/parse_ocsp.cc
index 0243d9537b6216cdd4aa2854ee317f60a9bad2fa..74a27afefa1c4ad4bdec899f84abafe750a581b6 100644
--- a/net/cert/internal/parse_ocsp.cc
+++ b/net/cert/internal/parse_ocsp.cc
@@ -529,4 +529,28 @@ bool GetOCSPCertStatus(const OCSPResponseData& response_data,
   return found;
 }
 
+bool CheckOCSPDateValid(const OCSPSingleResponse& response,
+                        const base::Time& verify_time,
+                        const base::TimeDelta& max_age) {
+  if (response.has_next_update &&
+      (response.next_update <= response.this_update)) {
+    return false;
+  }
+
+  // Place |verify_time| in the bounds.
+  der::GeneralizedTime verify_time_der = der::ConvertBaseUTCTime(verify_time);
+  if (response.this_update > verify_time_der)
+    return false;
+
+  if (response.has_next_update && (response.next_update <= verify_time_der))

[svaldez, 2016/06/24 13:40:46]

Possibly move this to the bottom, to match the ordering in the header comment.

[dadrian, 2016/06/24 17:16:14]

Done.

+    return false;
+
+  // Enforce |max_age|.
+  der::GeneralizedTime lower_bound =
+      der::ConvertBaseUTCTime(verify_time - max_age);
+  if (response.this_update < lower_bound)

[svaldez, 2016/06/24 13:40:46]

Use '<=' to match the same upper bound semantic as the next_update <=
verify_time check.

[dadrian, 2016/06/24 17:16:14]

Done.

+    return false;
+  return true;
+}
+
 }  // namespace net