Add CheckOCSPDateValid() to net/cert/internal

net/cert/internal/parse_ocsp.h

Index: net/cert/internal/parse_ocsp.h
diff --git a/net/cert/internal/parse_ocsp.h b/net/cert/internal/parse_ocsp.h
index b9052aee9f6df9c4e4797a928b5c7024a917ba4e..d79eca8a66207a4fbfdd9fda66abd018a0c551a2 100644
--- a/net/cert/internal/parse_ocsp.h
+++ b/net/cert/internal/parse_ocsp.h
@@ -17,6 +17,10 @@
 #include "net/der/parser.h"
 #include "net/der/tag.h"
 
+namespace base {
+class Time;
+}
+
 namespace net {
 
 // OCSPCertID contains a representation of a DER-encoded RFC 6960 "CertID".
@@ -278,6 +282,13 @@ NET_EXPORT_PRIVATE bool GetOCSPCertStatus(
     const der::Input& cert_tbs_certificate_tlv,
     OCSPCertStatus* out);
 
+// Checks that thisUpdate <= verify_time, and that verify_time <
+// thisUpdate + max_age. If |response| has a nextUpdate, then this also enforces
+// that |verify_time| < nextUpdate.

[Ryan Sleevi, 2016/06/28 17:33:30]

COMMENT: "Checks" doesn't really describe what the bool result would be

// Returns true if |response|, a valid OCSP response with a thisUpdate
// field and potentially a nextUpdate field, is valid at |verify_time|
// and not older than |max_age|.
// Expressed differently, returns true if
// response.thisUpdate <= verify_time < min(response.thisUpdate + max_age,
response.nextUpdate)

[dadrian, 2016/06/29 22:54:02]

Done.

+NET_EXPORT_PRIVATE bool CheckOCSPDateValid(const OCSPSingleResponse& response,
+                                           const base::Time& verify_time,
+                                           const base::TimeDelta& max_age);
+
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_PARSE_OCSP_H_