Do not perform online revocation checking when the user has explicitly disabled it, except for when…

net/base/cert_verify_proc_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_verify_proc_nss.h"
 
 #include <cert.h>
 #include <nss.h>
 #include <prerror.h>
 #include <secerr.h>
@@ skipping 558 matching lines @@
   od.offset = SEC_OID_UNKNOWN;
   // NSS doesn't allow us to pass an empty description, so I use a hardcoded,
   // default description here.  The description doesn't need to be unique for
   // each OID.
   od.desc = "a certificate policy";
   od.mechanism = CKM_INVALID_MECHANISM;
   od.supportedExtension = INVALID_CERT_EXTENSION;
   return SECOID_AddEntry(&od);
 }
 
-bool CheckCertPolicies(X509Certificate::OSCertHandle cert_handle,
-                       SECOidTag ev_policy_tag) {
-  CERTCertificatePolicies* policies = DecodeCertPolicies(cert_handle);
-  if (!policies) {
-    LOG(ERROR) << "Cert has no policies extension or extension couldn't be "
-                  "decoded.";
-    return false;
-  }
-  ScopedCERTCertificatePolicies scoped_policies(policies);
-  CERTPolicyInfo** policy_infos = policies->policyInfos;
-  while (*policy_infos != NULL) {
-    CERTPolicyInfo* policy_info = *policy_infos++;
-    SECOidTag oid_tag = policy_info->oid;
-    if (oid_tag == SEC_OID_UNKNOWN)
-      continue;
-    if (oid_tag == ev_policy_tag)
-      return true;
-  }
-  return false;
-}
-
 SHA1Fingerprint CertPublicKeyHash(CERTCertificate* cert) {
   SHA1Fingerprint hash;
   SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data,
                               cert->derPublicKey.data, cert->derPublicKey.len);
   DCHECK_EQ(rv, SECSuccess);
   return hash;
 }
 
 void AppendPublicKeyHashes(CERTCertList* cert_list,
                            CERTCertificate* root_cert,
                            std::vector<SHA1Fingerprint>* hashes) {
   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
        !CERT_LIST_END(node, cert_list);
        node = CERT_LIST_NEXT(node)) {
     hashes->push_back(CertPublicKeyHash(node->cert));
   }
   if (root_cert)
     hashes->push_back(CertPublicKeyHash(root_cert));
 }
 
+// Returns true if |cert_handle| contains a policy OID that is an EV policy
+// OID according to |metadata|, storing the resulting policy OID in
+// |*ev_policy_oid|. A true return is not sufficient to establish that a
+// certificate is EV, but a false return is sufficient to establish the
+// certificate cannot be EV.
+bool IsEVCandidate(EVRootCAMetadata* metadata,

[agl, 2012/08/15 22:57:53]

Is the assumption that there'll only be one EV OID correct?

What if I issue my leaves with a pair of EV OIDs because I'm not sure which root
the client will end up with?

(Later:) looks like Windows code might already be making this assumption so I
guess it's ok.

[Ryan Sleevi, 2012/08/15 23:04:58]

That's what I'm not sure about. That's certainly the implemented behaviour on OS
X, and historically Chrome, so I'm guessing CAs are locked into this.

However, CAs don't cross-pollinate OIDs (at least, I don't think - hence the
cabfpub mail), so they should always be issuing the leaf with one EV or the
other, and just associate both roots (old and new) with either set of OIDs.

+                   CERTCertificate* cert_handle,
+                   SECOidTag* ev_policy_oid) {
+  DCHECK(cert_handle);
+  ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle));
+  if (!policies.get())
+    return false;
+
+  CERTPolicyInfo** policy_infos = policies->policyInfos;
+  while (*policy_infos != NULL) {
+    CERTPolicyInfo* policy_info = *policy_infos++;
+    // If the Policy OID is unknown, that implicitly means it has not been
+    // registered as an EV policy.
+    if (policy_info->oid == SEC_OID_UNKNOWN)
+      continue;
+    if (metadata->IsEVPolicyOID(policy_info->oid)) {
+      *ev_policy_oid = policy_info->oid;
+      return true;
+    }
+  }
+
+  return false;
+}
+
 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp
 // and nsNSSCertHelper.cpp) to learn how to verify EV certificate.
 // TODO(wtc): A possible optimization is that we get the trust anchor from
 // the first PKIXVerifyCert call.  We look up the EV policy for the trust
 // anchor.  If the trust anchor has no EV policy, we know the cert isn't EV.
 // Otherwise, we pass just that EV policy (as opposed to all the EV policies)
 // to the second PKIXVerifyCert call.
 bool VerifyEV(CERTCertificate* cert_handle, int flags, CRLSet* crl_set) {
   EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
 
+  SECOidTag ev_policy_oid = SEC_OID_UNKNOWN;
+  bool is_ev_candidate = IsEVCandidate(metadata, cert_handle, &ev_policy_oid);
+  if (!is_ev_candidate)
+    return false;
+
   CERTValOutParam cvout[3];
   int cvout_index = 0;
   cvout[cvout_index].type = cert_po_certList;
   cvout[cvout_index].value.pointer.chain = NULL;
   int cvout_cert_list_index = cvout_index;
   cvout_index++;
   cvout[cvout_index].type = cert_po_trustAnchor;
   cvout[cvout_index].value.pointer.cert = NULL;
   int cvout_trust_anchor_index = cvout_index;
   cvout_index++;
   cvout[cvout_index].type = cert_po_end;
   ScopedCERTValOutParam scoped_cvout(cvout);
 
+  bool rev_checking_enabled =
+      (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) ||
+      (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY);
+
   SECStatus status = PKIXVerifyCert(
       cert_handle,
-      flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED,
+      rev_checking_enabled,
       flags & X509Certificate::VERIFY_CERT_IO_ENABLED,
-      metadata->GetPolicyOIDs(),
-      metadata->NumPolicyOIDs(),
+      &ev_policy_oid,
+      1,
       cvout);
   if (status != SECSuccess)
     return false;
 
   CERTCertificate* root_ca =
       cvout[cvout_trust_anchor_index].value.pointer.cert;
   if (root_ca == NULL)
     return false;
 
   // This second PKIXVerifyCert call could have found a different certification
   // path and one or more of the certificates on this new path, that weren't on
   // the old path, might have been revoked.
   if (crl_set) {
     CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
         cvout[cvout_cert_list_index].value.pointer.chain,
         cvout[cvout_trust_anchor_index].value.pointer.cert,
         crl_set);
     if (crl_set_result == kCRLSetRevoked)
       return false;
   }
 
   SHA1Fingerprint fingerprint =
       X509Certificate::CalculateFingerprint(root_ca);
-  std::vector<SECOidTag> ev_policy_tags;
-  if (!metadata->GetPolicyOIDsForCA(fingerprint, &ev_policy_tags))
-    return false;
-  DCHECK(!ev_policy_tags.empty());
-
-  for (std::vector<SECOidTag>::const_iterator
-       i = ev_policy_tags.begin(); i != ev_policy_tags.end(); ++i) {
-    if (CheckCertPolicies(cert_handle, *i))
-      return true;
-  }
-  return false;
+  return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid);
 }
 
 }  // namespace
 
 CertVerifyProcNSS::CertVerifyProcNSS() {}
 
 CertVerifyProcNSS::~CertVerifyProcNSS() {}
 
 int CertVerifyProcNSS::VerifyInternal(X509Certificate* cert,
                                       const std::string& hostname,
@@ skipping 73 matching lines @@
   AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain,
                         cvout[cvout_trust_anchor_index].value.pointer.cert,
                         &verify_result->public_key_hashes);
 
   verify_result->is_issued_by_known_root =
       IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
 
   if ((flags & X509Certificate::VERIFY_EV_CERT) &&
       VerifyEV(cert_handle, flags, crl_set)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
+    if (cert_io_enabled &&
+        (flags & (X509Certificate::VERIFY_REV_CHECKING_ENABLED |
+                  X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY)) {
+      verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
+    }
   }
 
   return OK;
 }
 
 }  // namespace net