Address post-review feedback for r81702

net/base/x509_certificate_mac.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 #include <time.h>
@@ skipping 271 matching lines @@
     err = SecPolicySetValue(*policy, &options_data);
     if (err) {
       CFRelease(*policy);
       return err;
     }
   }
   return noErr;
 }
 
 // Creates a series of SecPolicyRefs to be added to a SecTrustRef used to
 // validate a certificate for an SSL peer. |hostname| contains the name of

[wtc, 2011/04/20 23:28:11]

Also change the "peer" on this line.

-// the SSL peer that the certificate should be verified against. |flags| is
+// the SSL server that the certificate should be verified against. |flags| is
 // a bitwise-OR of VerifyFlags that can further alter how trust is
 // validated, such as how revocation is checked. If successful, returns
 // noErr, and stores the resultant array of SecPolicyRefs in |policies|.
 OSStatus CreateTrustPolicies(const std::string& hostname, int flags,
                              ScopedCFTypeRef<CFArrayRef>* policies) {
   // Create an SSL SecPolicyRef, and configure it to perform hostname
   // validation. The hostname check does 99% of what we want, with the
   // exception of dotted IPv4 addreses, which we handle ourselves below.
   CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options = {
     CSSM_APPLE_TP_SSL_OPTS_VERSION,
     hostname.size(),
     hostname.data(),
     0
   };
   SecPolicyRef ssl_policy;
   OSStatus status = CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options,
                                  sizeof(tp_ssl_options), &ssl_policy);
   if (status)
     return status;
   ScopedCFTypeRef<SecPolicyRef> scoped_ssl_policy(ssl_policy);
 
   // Manually add OCSP and CRL policies. If neither an OCSP or CRL policy is
   // specified, the Apple TP module will add whatever the system settings
   // are, which is not desirable here.
-  //
-  // Note that this causes any locally configured OCSP responder URL to be
-  // ignored.
   CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options;
   memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options));
   tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
 
   CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options;
   memset(&tp_crl_options, 0, sizeof(tp_crl_options));
   tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
 
   if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) {
     // If an OCSP responder is available, use it, and avoid fetching any
@@ skipping 518 matching lines @@
     // we'll set our own result to include
     // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are
     // present, and a check fails (server unavailable, OCSP retry later,
     // signature mismatch), then we'll set our own result to include
     // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION.
     tp_action_data.ActionFlags |= CSSM_TP_ACTION_REQUIRE_REV_PER_CERT;
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
   } else {
     // EV requires revocation checking.
     // Note, under the hood, SecTrustEvaluate() will modify the OCSP options
-    // so as to attempt OCSP fetching if it believes a certificate may chain
+    // so as to attempt OCSP checking if it believes a certificate may chain
     // to an EV root. However, because network fetches are disabled in
     // CreateTrustPolicies() when revocation checking is disabled, these
     // will only go against the local cache.
     flags &= ~VERIFY_EV_CERT;
   }
 
   CFDataRef action_data_ref =
       CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
                                   reinterpret_cast<UInt8*>(&tp_action_data),
                                   sizeof(tp_action_data), kCFAllocatorNull);
@@ skipping 466 matching lines @@
   CSSM_DATA cert_data;
   OSStatus status = SecCertificateGetData(cert_handle, &cert_data);
   if (status)
     return false;
 
   return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data),
                            cert_data.Length);
 }
 
 }  // namespace net