Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(187)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/cert_verify_proc_mac.cc

Issue 10857020: Do not perform online revocation checking when the user has explicitly disabled it, except for when… (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Linux and Mac fixes Created 8 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/base/cert_verify_proc.cc ('k') | net/base/cert_verify_proc_nss.cc » ('j') | net/base/ev_root_ca_metadata.h » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/cert_verify_proc_mac.h" 5 #include "net/base/cert_verify_proc_mac.h"
6 6
7 #include <CommonCrypto/CommonDigest.h> 7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h> 8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h> 9 #include <Security/Security.h>
10 10
(...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after
150 if (status) 150 if (status)
151 return status; 151 return status;
152 CFArrayAppendValue(local_policies, ssl_policy); 152 CFArrayAppendValue(local_policies, ssl_policy);
153 CFRelease(ssl_policy); 153 CFRelease(ssl_policy);
154 154
155 // Explicitly add revocation policies, in order to override system 155 // Explicitly add revocation policies, in order to override system
156 // revocation checking policies and instead respect the application-level 156 // revocation checking policies and instead respect the application-level
157 // revocation preference. 157 // revocation preference.
158 status = x509_util::CreateRevocationPolicies( 158 status = x509_util::CreateRevocationPolicies(
159 (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED), 159 (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED),
160 (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY),
wtc 2012/08/16 23:28:03 We pass (flags & X509Certificate::VERIFY_REV_CHE
Ryan Sleevi 2012/08/16 23:55:30 Just to make sure - you're asking for a comment he
wtc 2012/08/17 00:34:44 Yes, I was asking for an extra comment here, at th
160 local_policies); 161 local_policies);
161 if (status) 162 if (status)
162 return status; 163 return status;
163 164
164 policies->reset(local_policies.release()); 165 policies->reset(local_policies.release());
165 return noErr; 166 return noErr;
166 } 167 }
167 168
168 // Saves some information about the certificate chain |cert_chain| in 169 // Saves some information about the certificate chain |cert_chain| in
169 // |*verify_result|. The caller MUST initialize |*verify_result| before 170 // |*verify_result|. The caller MUST initialize |*verify_result| before
(...skipping 203 matching lines...) Expand 10 before | Expand all | Expand 10 after
373 } 374 }
374 375
375 CSSM_APPLE_TP_ACTION_DATA tp_action_data; 376 CSSM_APPLE_TP_ACTION_DATA tp_action_data;
376 memset(&tp_action_data, 0, sizeof(tp_action_data)); 377 memset(&tp_action_data, 0, sizeof(tp_action_data));
377 tp_action_data.Version = CSSM_APPLE_TP_ACTION_VERSION; 378 tp_action_data.Version = CSSM_APPLE_TP_ACTION_VERSION;
378 // Allow CSSM to download any missing intermediate certificates if an 379 // Allow CSSM to download any missing intermediate certificates if an
379 // authorityInfoAccess extension or issuerAltName extension is present. 380 // authorityInfoAccess extension or issuerAltName extension is present.
380 tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET | 381 tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET |
381 CSSM_TP_ACTION_TRUST_SETTINGS; 382 CSSM_TP_ACTION_TRUST_SETTINGS;
382 383
384 // Note: For EV certificates, the Apple TP will handle setting these flags
385 // as part of EV evaluation.
383 if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) { 386 if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) {
384 // Require a positive result from an OCSP responder or a CRL (or both) 387 // Require a positive result from an OCSP responder or a CRL (or both)
385 // for every certificate in the chain. The Apple TP automatically 388 // for every certificate in the chain. The Apple TP automatically
386 // excludes the self-signed root from this requirement. If a certificate 389 // excludes the self-signed root from this requirement. If a certificate
387 // is missing both a crlDistributionPoints extension and an 390 // is missing both a crlDistributionPoints extension and an
388 // authorityInfoAccess extension with an OCSP responder URL, then we 391 // authorityInfoAccess extension with an OCSP responder URL, then we
389 // will get a kSecTrustResultRecoverableTrustFailure back from 392 // will get a kSecTrustResultRecoverableTrustFailure back from
390 // SecTrustEvaluate(), with a 393 // SecTrustEvaluate(), with a
391 // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK error code. In that case, 394 // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK error code. In that case,
392 // we'll set our own result to include 395 // we'll set our own result to include
(...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after
557 // releases, SecTrustCopyExtendedResult would only return noErr and 560 // releases, SecTrustCopyExtendedResult would only return noErr and
558 // populate ev_dict for EV certificates, but would always include 561 // populate ev_dict for EV certificates, but would always include
559 // kSecEVOrganizationName in that case, so checking for this key is 562 // kSecEVOrganizationName in that case, so checking for this key is
560 // appropriate for all known versions of SecTrustCopyExtendedResult. 563 // appropriate for all known versions of SecTrustCopyExtendedResult.
561 // The actual organization name is unneeded here and can be accessed 564 // The actual organization name is unneeded here and can be accessed
562 // through other means. All that matters here is the OS' conception 565 // through other means. All that matters here is the OS' conception
563 // of whether or not the certificate is EV. 566 // of whether or not the certificate is EV.
564 if (CFDictionaryContainsKey(ev_dict, 567 if (CFDictionaryContainsKey(ev_dict,
565 kSecEVOrganizationName)) { 568 kSecEVOrganizationName)) {
566 verify_result->cert_status |= CERT_STATUS_IS_EV; 569 verify_result->cert_status |= CERT_STATUS_IS_EV;
570 if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY)
571 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
567 } 572 }
568 } 573 }
569 } 574 }
570 } 575 }
571 } 576 }
572 577
573 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes); 578 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
574 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain); 579 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
575 580
576 return OK; 581 return OK;
577 } 582 }
578 583
579 } // namespace net 584 } // namespace net
OLDNEW
« no previous file with comments | « net/base/cert_verify_proc.cc ('k') | net/base/cert_verify_proc_nss.cc » ('j') | net/base/ev_root_ca_metadata.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698