Add OCSPVerifyResult for tracking stapled OCSP responses cross-platform.

net/cert/ocsp_verify_result.h

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_OCSP_VERIFY_RESULT_H
+#define NET_CERT_OCSP_VERIFY_RESULT_H
+
+#include <string>
+
+#include "base/optional.h"
+#include "net/base/net_export.h"
+#include "net/cert/ocsp_revocation_status.h"
+
+namespace net {
+
+struct NET_EXPORT OCSPVerifyResult {

[estark, 2016/07/14 21:14:58]

probably could use some documentation on this class

[dadrian, 2016/07/15 01:00:50]

Done.

+  OCSPVerifyResult();
+  OCSPVerifyResult(const OCSPVerifyResult&);
+  ~OCSPVerifyResult();
+
+  void Reset();
+
+  enum ResponseStatus {
+    // No OCSPResponse was stapled.
+    MISSING,
+
+    // An up-to-date OCSP response was stapled and matched the certificate.
+    PROVIDED,
+
+    // The stapled OCSP response did not have a SUCCESFUL status.

[estark, 2016/07/14 21:14:58]

missing an S in SUCCESSFUL

[dadrian, 2016/07/15 01:00:50]

I'm an adult who can spell things, I swear!

+    BAD_RESPONSE,
+
+    // The OCSPResponseData field producedAt was outside the certificate
+    // validity period.
+    BAD_PRODUCED_AT,
+
+    // At least one OCSPSingleResponse was stapled, but none matched the
+    // certificate.
+    NO_MATCHING_RESPONSE,
+
+    // A matching OCSPSingleResponse was stapled, but was either expired or not
+    // yet valid.
+    INVALID_DATE,
+
+    // The OCSPResponse structure could not be parsed.
+    PARSE_RESPONSE,
+
+    // The OCSPResponseData structure could not be parsed.
+    PARSE_RESPONSE_DATA,
+
+  };
+
+  ResponseStatus response_status;
+
+  // The strictest CertStatus matching the certificate (REVOKED > UNKNOWN >
+  // GOOD). Only present if |response_status| = PROVIDED.
+  base::Optional<OCSPRevocationStatus> cert_status;

[estark, 2016/07/14 21:14:58]

Hmm, I wonder if this should be called |revocation_status| or
|cert_revocation_status| instead? In reading the code I keep getting it confused
with the other use of |cert_status|.

[dadrian, 2016/07/15 01:00:50]

It should probably be |revocation_status|. It was called |cert_status| when it
corresponded with the OCSPCertStatus ASN.1 object, but it turns out that's only
_sometimes_ just an enum, because they helpfully attach revocation reason and
timestamp to REVOKED responses. The RFC also doesn't name the enum itself, which
is why in the original OCSP parsing code, it was referred to as a
CertStatus::Status.

tl;dr I'll make my own abstractions! With blackjack and |revocation_status|!

+};
+
+}  // namespace net
+
+#endif  // NET_CERT_OCSP_VERIFY_RESULT_H