| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_verify_proc.h" | 5 #include "net/base/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include "base/metrics/histogram.h" | 7 #include "base/metrics/histogram.h" |
| 8 #include "base/sha1.h" | 8 #include "base/sha1.h" |
| 9 #include "build/build_config.h" | 9 #include "build/build_config.h" |
| 10 #include "net/base/cert_status_flags.h" | 10 #include "net/base/cert_status_flags.h" |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 75 | 75 |
| 76 if (IsBlacklisted(cert)) { | 76 if (IsBlacklisted(cert)) { |
| 77 verify_result->cert_status |= CERT_STATUS_REVOKED; | 77 verify_result->cert_status |= CERT_STATUS_REVOKED; |
| 78 return ERR_CERT_REVOKED; | 78 return ERR_CERT_REVOKED; |
| 79 } | 79 } |
| 80 | 80 |
| 81 // If EV verification was requested and no CRLSet is present, or if the | 81 // If EV verification was requested and no CRLSet is present, or if the |
| 82 // CRLSet has expired, then enable online revocation checks. If the online | 82 // CRLSet has expired, then enable online revocation checks. If the online |
| 83 // check fails, EV status won't be shown. | 83 // check fails, EV status won't be shown. |
| 84 // | 84 // |
| 85 // A possible optimisation is to only enable online revocation checking in | 85 // TODO(rsleevi): http://crbug.com/142974 - Allow preferences to fully |
| 86 // the event that the leaf certificate appears to include a EV policy ID. | 86 // disable revocation checking. |
| 87 // However, it's expected that having a current CRLSet will be very common. | |
| 88 if ((flags & X509Certificate::VERIFY_EV_CERT) && | 87 if ((flags & X509Certificate::VERIFY_EV_CERT) && |
| 89 (!crl_set || crl_set->IsExpired())) { | 88 (!crl_set || crl_set->IsExpired())) { |
| 90 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED; | 89 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY; |
| 91 } | 90 } |
| 92 | 91 |
| 93 int rv = VerifyInternal(cert, hostname, flags, crl_set, verify_result); | 92 int rv = VerifyInternal(cert, hostname, flags, crl_set, verify_result); |
| 94 | 93 |
| 95 // This check is done after VerifyInternal so that VerifyInternal can fill | 94 // This check is done after VerifyInternal so that VerifyInternal can fill |
| 96 // in the list of public key hashes. | 95 // in the list of public key hashes. |
| 97 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 96 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
| 98 verify_result->cert_status |= CERT_STATUS_REVOKED; | 97 verify_result->cert_status |= CERT_STATUS_REVOKED; |
| 99 rv = MapCertStatusToNetError(verify_result->cert_status); | 98 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 100 } | 99 } |
| (...skipping 167 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 268 j = public_key_hashes.begin(); j != public_key_hashes.end(); ++j) { | 267 j = public_key_hashes.begin(); j != public_key_hashes.end(); ++j) { |
| 269 if (memcmp(j->data, kHashes[i], base::kSHA1Length) == 0) | 268 if (memcmp(j->data, kHashes[i], base::kSHA1Length) == 0) |
| 270 return true; | 269 return true; |
| 271 } | 270 } |
| 272 } | 271 } |
| 273 | 272 |
| 274 return false; | 273 return false; |
| 275 } | 274 } |
| 276 | 275 |
| 277 } // namespace net | 276 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10857020:
Do not perform online revocation checking when the user has explicitly disabled it, except for when… (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src