net/cert/ocsp_verify_result.h - Issue 2587243002: Do not do Expect-Staple when OCSPVerifyResult has not been populated

Side by Side Diff: net/cert/ocsp_verify_result.h

Issue 2587243002: Do not do Expect-Staple when OCSPVerifyResult has not been populated (Closed)

Patch Set: Created 4 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2016 The Chromium Authors. All rights reserved.	1 // Copyright 2016 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_CERT_OCSP_VERIFY_RESULT_H_	5 #ifndef NET_CERT_OCSP_VERIFY_RESULT_H_

6 #define NET_CERT_OCSP_VERIFY_RESULT_H_	6 #define NET_CERT_OCSP_VERIFY_RESULT_H_

7	7

8 #include <string>	8 #include <string>

9	9

10 #include "net/base/net_export.h"	10 #include "net/base/net_export.h"

11 #include "net/cert/ocsp_revocation_status.h"	11 #include "net/cert/ocsp_revocation_status.h"

12	12

13 namespace net {	13 namespace net {

14	14

15 // The result of OCSP verification. This always contains a ResponseStatus, which	15 // The result of OCSP verification. This always contains a ResponseStatus, which

16 // describes whether or not an OCSP response was provided, and response level	16 // describes whether or not an OCSP response was provided, and response level

17 // errors. It optionally contains an OCSPRevocationStatus when \|response_status	17 // errors. It optionally contains an OCSPRevocationStatus when \|response_status

18 // = PROVIDED\|. For example, a stapled OCSP response matching the certificate,	18 // = PROVIDED\|. For example, a stapled OCSP response matching the certificate,

19 // and indicating a non-revoked status, will have \|response_status = PROVIDED\|	19 // and indicating a non-revoked status, will have \|response_status = PROVIDED\|

20 // and \|revocation_status = GOOD\|. This is populated as part of the certificate	20 // and \|revocation_status = GOOD\|. This is populated as part of the certificate

21 // verification process, and should not be modified at other layers.	21 // verification process, and should not be modified at other layers.

22 struct NET_EXPORT OCSPVerifyResult {	22 struct NET_EXPORT OCSPVerifyResult {

23 OCSPVerifyResult();	23 OCSPVerifyResult();

24 OCSPVerifyResult(const OCSPVerifyResult&);	24 OCSPVerifyResult(const OCSPVerifyResult&);

25 ~OCSPVerifyResult();	25 ~OCSPVerifyResult();

26	26

27 bool operator==(const OCSPVerifyResult& other) const;	27 bool operator==(const OCSPVerifyResult& other) const;

28	28

29 enum ResponseStatus {	29 enum ResponseStatus {

	30 // OCSP verification was not checked on this connection.

	31 UNKNOWN,
	Ryan Sleevi 2016/12/21 01:35:29 The risk of "Unknown" here is that it might become The risk of "Unknown" here is that it might become more overloaded. Any reason not to call this something like NOT_CHECKED ? (I can see arguments both for & against, just noting the asymmetry between this and the other response codes) estark 2016/12/21 17:53:12 NOT_CHECKED seems reasonable, done. Show quoted text On 2016/12/21 01:35:29, Ryan Sleevi wrote: > The risk of "Unknown" here is that it might become more overloaded. Any reason > not to call this something like NOT_CHECKED ? > > (I can see arguments both for & against, just noting the asymmetry between this > and the other response codes) NOT_CHECKED seems reasonable, done.
	32

30 // No OCSPResponse was stapled.	33 // No OCSPResponse was stapled.

31 MISSING,	34 MISSING,

32	35

33 // An up-to-date OCSP response was stapled and matched the certificate.	36 // An up-to-date OCSP response was stapled and matched the certificate.

34 PROVIDED,	37 PROVIDED,

35	38

36 // The stapled OCSP response did not have a SUCCESSFUL status.	39 // The stapled OCSP response did not have a SUCCESSFUL status.

37 ERROR_RESPONSE,	40 ERROR_RESPONSE,

38	41

39 // The OCSPResponseData field producedAt was outside the certificate	42 // The OCSPResponseData field producedAt was outside the certificate

40 // validity period.	43 // validity period.

41 BAD_PRODUCED_AT,	44 BAD_PRODUCED_AT,

42	45

43 // At least one OCSPSingleResponse was stapled, but none matched the	46 // At least one OCSPSingleResponse was stapled, but none matched the

44 // certificate.	47 // certificate.

45 NO_MATCHING_RESPONSE,	48 NO_MATCHING_RESPONSE,

46	49

47 // A matching OCSPSingleResponse was stapled, but was either expired or not	50 // A matching OCSPSingleResponse was stapled, but was either expired or not

48 // yet valid.	51 // yet valid.

49 INVALID_DATE,	52 INVALID_DATE,

50	53

51 // The OCSPResponse structure could not be parsed.	54 // The OCSPResponse structure could not be parsed.

52 PARSE_RESPONSE_ERROR,	55 PARSE_RESPONSE_ERROR,

53	56

54 // The OCSPResponseData structure could not be parsed.	57 // The OCSPResponseData structure could not be parsed.

55 PARSE_RESPONSE_DATA_ERROR,	58 PARSE_RESPONSE_DATA_ERROR,

56	59

57 };	60 };

58	61

59 ResponseStatus response_status = MISSING;	62 ResponseStatus response_status = UNKNOWN;

60	63

61 // The strictest CertStatus matching the certificate (REVOKED > UNKNOWN >	64 // The strictest CertStatus matching the certificate (REVOKED > UNKNOWN >

62 // GOOD). Only valid if \|response_status\| = PROVIDED.	65 // GOOD). Only valid if \|response_status\| = PROVIDED.

63 OCSPRevocationStatus revocation_status = OCSPRevocationStatus::UNKNOWN;	66 OCSPRevocationStatus revocation_status = OCSPRevocationStatus::UNKNOWN;

64 };	67 };

65	68

66 } // namespace net	69 } // namespace net

67	70

68 #endif // NET_CERT_OCSP_VERIFY_RESULT_H_	71 #endif // NET_CERT_OCSP_VERIFY_RESULT_H_

OLD	NEW

« no previous file with comments | « no previous file | net/http/transport_security_state.cc » ('j') | net/http/transport_security_state.cc » ('J')