// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_OCSP_VERIFY_RESULT_H_
#define NET_CERT_OCSP_VERIFY_RESULT_H_

#include <string>

#include "net/base/net_export.h"
#include "net/cert/ocsp_revocation_status.h"

namespace net {

// The result of OCSP verification. This always contains a ResponseStatus, which
// describes whether or not an OCSP response was provided, and response level
// errors. It optionally contains an OCSPRevocationStatus when |response_status
// = PROVIDED|. For example, a stapled OCSP response matching the certificate,
// and indicating a non-revoked status, will have |response_status = PROVIDED|
// and |revocation_status = GOOD|. This is populated as part of the certificate
// verification process, and should not be modified at other layers.
struct NET_EXPORT OCSPVerifyResult {
  // The constructor, copy constructor and destructor are declared here only;
  // their definitions are not visible in this header.
  OCSPVerifyResult();
  OCSPVerifyResult(const OCSPVerifyResult&);
  ~OCSPVerifyResult();

  // Equality comparison, defined out of line.
  // NOTE(review): presumably compares both |response_status| and
  // |revocation_status| -- confirm against the implementation file.
  bool operator==(const OCSPVerifyResult& other) const;

  // Response-level outcome of processing the stapled OCSP response. PROVIDED
  // is the only value for which |revocation_status| is meaningful; every other
  // enumerator means the response yielded no usable revocation information
  // and must not be read as "certificate is good".
  //
  // The enumerators take implicit values, so their numeric values follow
  // declaration order.
  // NOTE(review): if these values are recorded or serialized numerically
  // elsewhere, new entries should be appended rather than inserted -- confirm
  // against callers.
  enum ResponseStatus {
    // OCSP verification was not checked on this connection.
    NOT_CHECKED,

    // No OCSPResponse was stapled.
    MISSING,

    // An up-to-date OCSP response was stapled and matched the certificate.
    PROVIDED,

    // The stapled OCSP response did not have a SUCCESSFUL status.
    ERROR_RESPONSE,

    // The OCSPResponseData field producedAt was outside the certificate
    // validity period.
    BAD_PRODUCED_AT,

    // At least one OCSPSingleResponse was stapled, but none matched the
    // certificate.
    NO_MATCHING_RESPONSE,

    // A matching OCSPSingleResponse was stapled, but was either expired or not
    // yet valid.
    INVALID_DATE,

    // The OCSPResponse structure could not be parsed.
    PARSE_RESPONSE_ERROR,

    // The OCSPResponseData structure could not be parsed.
    PARSE_RESPONSE_DATA_ERROR,

  };

  // Response-level status. The in-class default is NOT_CHECKED, so a result
  // that nothing has populated reports that no OCSP check took place.
  ResponseStatus response_status = NOT_CHECKED;

  // The strictest CertStatus matching the certificate (REVOKED > UNKNOWN >
  // GOOD). Only valid if |response_status| = PROVIDED.
  //
  // Consumers should test |response_status| == PROVIDED before acting on this
  // field. The in-class default is UNKNOWN rather than GOOD, so an unpopulated
  // or failed result does not read as a non-revoked certificate.
  OCSPRevocationStatus revocation_status = OCSPRevocationStatus::UNKNOWN;
};

}  // namespace net

#endif  // NET_CERT_OCSP_VERIFY_RESULT_H_