Do not perform online revocation checking when the user has explicitly disabled it, except for when…

net/base/cert_verify_proc_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_verify_proc_win.h"
 
 #include "base/memory/scoped_ptr.h"
 #include "base/sha1.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
@@ skipping 523 matching lines @@
   // two usages.
   static const LPSTR usage[] = {
     szOID_PKIX_KP_SERVER_AUTH,
     szOID_SERVER_GATED_CRYPTO,
     szOID_SGC_NETSCAPE
   };
   chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
   chain_para.RequestedUsage.Usage.cUsageIdentifier = arraysize(usage);
   chain_para.RequestedUsage.Usage.rgpszUsageIdentifier =
       const_cast<LPSTR*>(usage);
-  // We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.
-  DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT |
-                      CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
-  const bool rev_checking_enabled =
-      flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED;
-
-  if (rev_checking_enabled) {
-    verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
-  } else {
-    chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
-  }
 
   // Get the certificatePolicies extension of the certificate.
   scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info;
   LPSTR ev_policy_oid = NULL;
   if (flags & X509Certificate::VERIFY_EV_CERT) {
     GetCertPoliciesInfo(cert_handle, &policies_info);
     if (policies_info.get()) {
       EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
       for (DWORD i = 0; i < policies_info->cPolicyInfo; ++i) {
         LPSTR policy_oid = policies_info->rgPolicyInfo[i].pszPolicyIdentifier;
         if (metadata->IsEVPolicyOID(policy_oid)) {
           ev_policy_oid = policy_oid;
           chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND;
           chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1;
           chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier =
               &ev_policy_oid;
           break;
         }
       }
     }
   }
 
+  // We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.
+  DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT |
+                      CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
+  const bool rev_checking_enabled =
+      (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) ||
+      (ev_policy_oid != NULL &&
+       (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY));
+
+  if (rev_checking_enabled) {
+    verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
+  } else {
+    chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
+  }
+
   // For non-test scenarios, use the default HCERTCHAINENGINE, NULL, which
   // corresponds to HCCE_CURRENT_USER and is is initialized as needed by
   // crypt32. However, when testing, it is necessary to create a new
   // HCERTCHAINENGINE and use that instead. This is because each
   // HCERTCHAINENGINE maintains a cache of information about certificates
   // encountered, and each test run may modify the trust status of a
   // certificate.
   ScopedHCERTCHAINENGINE chain_engine(NULL);
   if (TestRootCerts::HasInstance())
     chain_engine.reset(TestRootCerts::GetInstance()->GetChainEngine());
@@ skipping 146 matching lines @@
   verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context);
 
   if (ev_policy_oid &&
       CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
   }
   return OK;
 }
 
 }  // namespace net