Don't block the UI thread for OCSP/CRLs when viewing a cert on Mac.

net/base/x509_certificate.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 239 matching lines @@
   // Returns true if I already contain all the given intermediate certs.
   bool HasIntermediateCertificates(const OSCertHandles& certs);
 
 #if defined(OS_MACOSX)
   // Does this certificate's usage allow SSL client authentication?
   bool SupportsSSLClientAuth() const;
 
   // Do any of the given issuer names appear in this cert's chain of trust?
   bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers);
 
-  // Creates a security policy for SSL client certificates.
-  static OSStatus CreateSSLClientPolicy(SecPolicyRef* outPolicy);
+  // Creates a security policy for SSL certificates. If |is_server| is true,
+  // the certificate(s) this policy applies to should be valid as an SSL
+  // server; otherwise, they should be valid as an SSL client certificate.
+  // If |is_server| is true, |hostname| may be optionally supplied to indicate
+  // the hostname that the policy should validate as the server. If empty, or
+  // if |is_server| is false, no name validation will occur.
+  // If a policy is successfully created, it will be stored in |*policy| and
+  // ownership transferred to the caller.
+  static OSStatus CreateSSLPolicy(bool is_server, const std::string& hostname,
+                                  SecPolicyRef* policy);
+
+  // Creates a security policy for basix X.509 validation. If the policy is

[wtc, 2011/06/03 01:58:04]

Typo: basix => basic

+  // successfully created, it will be stored in |*policy| and ownership
+  // transferred to the caller.
+  static OSStatus CreateBasicX509Policy(SecPolicyRef* policy);
+
+  // Creates security policies to control revocation checking (OCSP and CRL).
+  // If |enable_revocation_checking| is false, the policies returned will be
+  // explicitly disabled from accessing the network or the cache. This may be
+  // used to override system settings regarding revocation checking.
+  // If the policies are successfully created, they will be appended to
+  // |policies|.

[wtc, 2011/06/03 01:58:04]

Do we need to mention "and ownership transferred to the caller"?

[Ryan Sleevi, 2011/06/21 03:52:25]

I don't think so. It should be well understood that appending to a CFArray will
cause the value to be CFRetain'd (well, use the Retain callback of the array
invoked, which by default is CFRetain), so ownership transfer is implied,
similar to storing in a scoped_refptr<>*.

+  static OSStatus CreateRevocationPolicies(bool enable_revocation_checking,
+                                           CFMutableArrayRef policies);
 
   // Adds all available SSL client identity certs to the given vector.
   // |server_domain| is a hint for which domain the cert is to be sent to
   // (a cert previously specified as the default for that domain will be given
   // precedence and returned first in the output vector.)
   // If valid_issuers is non-empty, only certs that were transitively issued by
   // one of the given names will be included in the list.
   static bool GetSSLClientCertificates(
       const std::string& server_domain,
       const std::vector<CertPrincipal>& valid_issuers,
@@ skipping 182 matching lines @@
 
   // Where the certificate comes from.
   Source source_;
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_