Chromium Code Reviews Chromium Code Reviews
Issue 10857020:
Do not perform online revocation checking when the user has explicitly disabled it, except for when… (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: net/base/cert_verify_proc_mac.cc |
| diff --git a/net/base/cert_verify_proc_mac.cc b/net/base/cert_verify_proc_mac.cc |
| index 49798b5afd00d28dedddb298d21e0bef15ab5bfc..2cbffef8a23fa554e3710fa23acb144bdde3703b 100644 |
| --- a/net/base/cert_verify_proc_mac.cc |
| +++ b/net/base/cert_verify_proc_mac.cc |
| @@ -157,6 +157,7 @@ OSStatus CreateTrustPolicies(const std::string& hostname, |
| // revocation preference. |
| status = x509_util::CreateRevocationPolicies( |
| (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED), |
| + (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY), |
|
wtc
2012/08/16 23:28:03
We pass
(flags & X509Certificate::VERIFY_REV_CHE
Ryan Sleevi
2012/08/16 23:55:30
Just to make sure - you're asking for a comment he
wtc
2012/08/17 00:34:44
Yes, I was asking for an extra comment here, at th
|
| local_policies); |
| if (status) |
| return status; |
| @@ -380,6 +381,8 @@ int CertVerifyProcMac::VerifyInternal(X509Certificate* cert, |
| tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET | |
| CSSM_TP_ACTION_TRUST_SETTINGS; |
| + // Note: For EV certificates, the Apple TP will handle setting these flags |
| + // as part of EV evaluation. |
| if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) { |
| // Require a positive result from an OCSP responder or a CRL (or both) |
| // for every certificate in the chain. The Apple TP automatically |
| @@ -564,6 +567,8 @@ int CertVerifyProcMac::VerifyInternal(X509Certificate* cert, |
| if (CFDictionaryContainsKey(ev_dict, |
| kSecEVOrganizationName)) { |
| verify_result->cert_status |= CERT_STATUS_IS_EV; |
| + if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY) |
| + verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| } |
| } |
| } |
