Don't block the UI thread for OCSP/CRLs when viewing a cert on Mac.

chrome/browser/ui/cocoa/certificate_viewer.mm

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/certificate_viewer.h"
 
 #include <Security/Security.h>
 #include <SecurityInterface/SFCertificatePanel.h>
 
 #include <vector>
@@ skipping 16 matching lines @@
   }
   CFArrayAppendValue(certificates, cert_mac);
 
   // Server certificate must be first in the array; subsequent certificates
   // in the chain can be in any order.
   const std::vector<SecCertificateRef>& ca_certs =
       cert->GetIntermediateCertificates();
   for (size_t i = 0; i < ca_certs.size(); ++i)
     CFArrayAppendValue(certificates, ca_certs[i]);
 
-  [[[SFCertificatePanel alloc] init]
-      beginSheetForWindow:parent
-            modalDelegate:nil
-           didEndSelector:NULL
-              contextInfo:NULL
-             certificates:reinterpret_cast<NSArray*>(certificates.get())
-                showGroup:YES];
+  // Explicitly disable revocation checking, regardless of user preferences or
+  // system settings. The behaviour of SFCertificatePanel is to call
+  // SecTrustEvaluate on the certificate(s) supplied, effectively duplicating
+  // the behaviour of net::X509Certificate::Verify(). However, the call is
+  // made in such a way as to stall the UI while doing so. If an OCSP

[wtc, 2011/06/03 01:58:04]

Nit: just say "However, the call stalls the UI."

+  // responder or CRL source is experiencing delays and/or is unreachable,
+  // this may cause long stalls in the UI. By disabling revocation checking,
+  // the intent is to minimize these stalls to the lesser of the evils, which
+  // is the time taken for path building and verification, which should be
+  // optimized based on the certificates supplied in |certificates|. This does
+  // not affect normal revocation checking, which is controlled by
+  // net::X509Certificate::Verify() and user preferences, so revoked
+  // certificates will still be processed. This does, however, prevent the UI
+  // from displaying which certificate in the chain was the revoked
+  // certificate if net::X509Certificate::Verify() had previously been called
+  // with revocation checking enabled. For the time being, this is an

[wtc, 2011/06/03 01:58:04]

Nit: remove "For the time being".

(This comment block is a little long, so I'm looking for simple
ways to shorten it.)

+  // acceptable trade-off.
+  base::mac::ScopedCFTypeRef<CFMutableArrayRef> policies(
+      CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
+  if (!policies.get()) {
+    NOTREACHED();
+    return;
+  }
+  OSStatus status =
+      net::X509Certificate::CreateRevocationPolicies(false, policies);
+
+  // In addition to revocation policies, it's necessary to re-add the basic
+  // X.509 policy that the SFCertificatePanel applies when no policies are
+  // explicitly provided. Because only the base X.509 policy is applied,
+  // any errors that are specific to SSL (such as invalid EKU or mismatched
+  // hostname and name identifiers) will not be displayed in the certificate

[wtc, 2011/06/03 01:58:04]

Nit: just say "certificate name mismatch".  "name identifiers"
isn't a common term.

+  // viewer if the user is viewing an SSL server certificate.

[wtc, 2011/06/03 01:58:04]

Does the ordering of the policies matter?  I wonder if we
should add the basic X.509 policy first.

[Ryan Sleevi, 2011/06/21 03:52:25]

Functionally, it doesn't, but I went ahead and made that change to see if it
would help readability.

+  if (!status) {

[wtc, 2011/06/03 01:58:04]

Nit: use
  if (status == noErr)
and
  if (status != noErr)
in this file.  This is Mark Mentovai's preferred style.

+    SecPolicyRef basic_policy = NULL;
+    status = net::X509Certificate::CreateBasicX509Policy(&basic_policy);
+    if (!status) {
+      CFArrayAppendValue(policies, basic_policy);
+      CFRelease(basic_policy);
+    }
+  }
+  if (status) {
+    NOTREACHED();
+    return;
+  }
+
+  SFCertificatePanel* panel = [[SFCertificatePanel alloc] init];
+  [panel setPolicies:(id)policies.get()];
+  [panel beginSheetForWindow:parent
+               modalDelegate:nil
+              didEndSelector:NULL
+                 contextInfo:NULL
+                certificates:reinterpret_cast<NSArray*>(certificates.get())
+                   showGroup:YES];
   // The SFCertificatePanel releases itself when the sheet is dismissed.
 }