Don't block the UI thread for OCSP/CRLs when viewing a cert on Mac.

net/base/x509_certificate_mac.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 #include <time.h>
@@ skipping 286 matching lines @@
 OSStatus CreateTrustPolicies(const std::string& hostname, int flags,
                              ScopedCFTypeRef<CFArrayRef>* policies) {
   ScopedCFTypeRef<CFMutableArrayRef> local_policies(
       CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
   if (!local_policies)
     return memFullErr;
 
   // Create an SSL SecPolicyRef, and configure it to perform hostname
   // validation. The hostname check does 99% of what we want, with the
   // exception of dotted IPv4 addreses, which we handle ourselves below.
-  CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options = {
-    CSSM_APPLE_TP_SSL_OPTS_VERSION,
-    hostname.size(),
-    hostname.data(),
-    0
-  };
   SecPolicyRef ssl_policy;
-  OSStatus status = CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options,
-                                 sizeof(tp_ssl_options), &ssl_policy);
+  OSStatus status = X509Certificate::CreateSSLPolicy(true, hostname,
+                                                     &ssl_policy);
   if (status)
     return status;
   CFArrayAppendValue(local_policies, ssl_policy);
   CFRelease(ssl_policy);
 
-  // Manually add revocation policies. In order to actually disable revocation
-  // checking, the SecTrustRef must have at least one revocation policy
-  // associated with it. If none are present, the Apple TP will add policies
-  // according to the system preferences, which will enable revocation
-  // checking even if the caller explicitly disabled it. An OCSP policy is
-  // used, rather than a CRL policy, because the Apple TP will force an OCSP
-  // policy to be present and enabled if it believes the certificate may chain
-  // to an EV root. By explicitly disabling network and OCSP cache access,
-  // then even if the Apple TP enables OCSP checking, no revocation checking
-  // will actually succeed.
-  CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options;
-  memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options));
-  tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
-
-  if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) {
-    // The default for the OCSP policy is to fetch responses via the network,
-    // unlike the CRL policy default. The policy is further modified to
-    // prefer OCSP over CRLs, if both are specified on the certificate. This
-    // is because an OCSP response is both sufficient and typically
-    // significantly smaller than the CRL counterpart.
-    tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
-  } else {
-    // Effectively disable OCSP checking by making it impossible to get an
-    // OCSP response. Even if the Apple TP forces OCSP, no checking will
-    // be able to succeed. If this happens, the Apple TP will report an error
-    // that OCSP was unavailable, but this will be handled and suppressed in
-    // X509Certificate::Verify().
-    tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_DISABLE_NET |
-                            CSSM_TP_ACTION_OCSP_CACHE_READ_DISABLE;
-  }
-
-  SecPolicyRef ocsp_policy;
-  status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_OCSP, &tp_ocsp_options,
-                        sizeof(tp_ocsp_options), &ocsp_policy);
-  if (status)
-    return status;
-  CFArrayAppendValue(local_policies, ocsp_policy);
-  CFRelease(ocsp_policy);
-
-  if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) {
-    CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options;
-    memset(&tp_crl_options, 0, sizeof(tp_crl_options));
-    tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
-    tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
-
-    SecPolicyRef crl_policy;
-    status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_CRL, &tp_crl_options,
-                          sizeof(tp_crl_options), &crl_policy);
-    if (status)
-      return status;
-    CFArrayAppendValue(local_policies, crl_policy);
-    CFRelease(crl_policy);
-  }
+  // Explicitly add revocation policies, in order to override system checks.

[wtc, 2011/06/03 01:58:04]

Nit: it's not clear what "system checks" means.

+  status = X509Certificate::CreateRevocationPolicies(
+      (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED),
+      local_policies);

[wtc, 2011/06/03 01:58:04]

Add
  if (status)
    return status;

 
   policies->reset(local_policies.release());
   return noErr;
 }
 
 // Gets the issuer for a given cert, starting with the cert itself and
 // including the intermediate and finally root certificates (if any).
 // This function calls SecTrust but doesn't actually pay attention to the trust
 // result: it shouldn't be used to determine trust, just to traverse the chain.
 // Caller is responsible for releasing the value stored into *out_cert_chain.
 OSStatus CopyCertChain(SecCertificateRef cert_handle,
                        CFArrayRef* out_cert_chain) {
   DCHECK(cert_handle);
   DCHECK(out_cert_chain);
   // Create an SSL policy ref configured for client cert evaluation.
   SecPolicyRef ssl_policy;
-  OSStatus result = X509Certificate::CreateSSLClientPolicy(&ssl_policy);
+  OSStatus result = X509Certificate::CreateSSLPolicy(false, std::string(),
+                                                     &ssl_policy);
   if (result)
     return result;
   ScopedCFTypeRef<SecPolicyRef> scoped_ssl_policy(ssl_policy);
 
   // Create a SecTrustRef.
   ScopedCFTypeRef<CFArrayRef> input_certs(CFArrayCreate(
       NULL, const_cast<const void**>(reinterpret_cast<void**>(&cert_handle)),
       1, &kCFTypeArrayCallBacks));
   SecTrustRef trust_ref = NULL;
   result = SecTrustCreateWithCertificates(input_certs, ssl_policy, &trust_ref);
@@ skipping 794 matching lines @@
         X509Certificate::OSCertHandles()));
     for (unsigned j = 0; j < valid_issuers.size(); j++) {
       if (cert->issuer().Matches(valid_issuers[j]))
         return true;
     }
   }
   return false;
 }
 
 // static
-OSStatus X509Certificate::CreateSSLClientPolicy(SecPolicyRef* out_policy) {
-  CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options = {
-    CSSM_APPLE_TP_SSL_OPTS_VERSION,
-    0,
-    NULL,
-    CSSM_APPLE_TP_SSL_CLIENT
-  };
-  return CreatePolicy(&CSSMOID_APPLE_TP_SSL,
-                      &tp_ssl_options,
-                      sizeof(tp_ssl_options),
-                      out_policy);
+OSStatus X509Certificate::CreateSSLPolicy(bool is_server,
+                                          const std::string& hostname,
+                                          SecPolicyRef* policy) {
+  CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options;
+  memset(&tp_ssl_options, 0, sizeof(tp_ssl_options));
+  tp_ssl_options.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION;
+  if (is_server && !hostname.empty()) {
+    tp_ssl_options.ServerName = hostname.c_str();

[wtc, 2011/06/03 01:58:04]

Use hostname.data(), which does not require conversion to
a C string.  (See line 310 of the original code.)

+    tp_ssl_options.ServerNameLen = hostname.size();
+  }
+  if (!is_server)
+    tp_ssl_options.Flags |= CSSM_APPLE_TP_SSL_CLIENT;
+
+  return CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options,
+                      sizeof(tp_ssl_options), policy);
 }
 
 // static
+OSStatus X509Certificate::CreateBasicX509Policy(SecPolicyRef* policy) {
+  return CreatePolicy(&CSSMOID_APPLE_X509_BASIC, NULL, 0, policy);
+}
+
+// static
+OSStatus X509Certificate::CreateRevocationPolicies(
+    bool enable_revocation_checking,
+    CFMutableArrayRef policies) {
+  // In order to actually disable revocation checking, the SecTrustRef must
+  // have at least one revocation policy associated with it. If none are
+  // present, the Apple TP will add policies according to the system
+  // preferences, which will enable revocation checking even if the caller
+  // explicitly disabled it. An OCSP policy is used, rather than a CRL policy,
+  // because the Apple TP will force an OCSP policy to be present and enabled
+  // if it believes the certificate may chain to an EV root. By explicitly
+  // disabling network and OCSP cache access, then even if the Apple TP
+  // enables OCSP checking, no revocation checking will actually succeed.
+  CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options;
+  memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options));
+  tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+
+  if (enable_revocation_checking) {
+    // The default for the OCSP policy is to fetch responses via the network,
+    // unlike the CRL policy default. The policy is further modified to
+    // prefer OCSP over CRLs, if both are specified on the certificate. This
+    // is because an OCSP response is both sufficient and typically
+    // significantly smaller than the CRL counterpart.
+    tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
+  } else {
+    // Effectively disable OCSP checking by making it impossible to get an
+    // OCSP response. Even if the Apple TP forces OCSP, no checking will
+    // be able to succeed. If this happens, the Apple TP will report an error
+    // that OCSP was unavailable, but this will be handled and suppressed in
+    // X509Certificate::Verify().
+    tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_DISABLE_NET |
+                            CSSM_TP_ACTION_OCSP_CACHE_READ_DISABLE;
+  }
+
+  SecPolicyRef ocsp_policy;
+  OSStatus status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_OCSP,
+                                 &tp_ocsp_options, sizeof(tp_ocsp_options),
+                                 &ocsp_policy);
+  if (status)
+    return status;
+  CFArrayAppendValue(policies, ocsp_policy);
+  CFRelease(ocsp_policy);
+
+  if (enable_revocation_checking) {
+    CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options;
+    memset(&tp_crl_options, 0, sizeof(tp_crl_options));
+    tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+    tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
+
+    SecPolicyRef crl_policy;
+    status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_CRL, &tp_crl_options,
+                          sizeof(tp_crl_options), &crl_policy);
+    if (status)
+      return status;
+    CFArrayAppendValue(policies, crl_policy);
+    CFRelease(crl_policy);
+  }
+
+  return status;
+}
+
+
+// static
 bool X509Certificate::GetSSLClientCertificates(
     const std::string& server_domain,
     const std::vector<CertPrincipal>& valid_issuers,
     CertificateList* certs) {
   ScopedCFTypeRef<SecIdentityRef> preferred_identity;
   if (!server_domain.empty()) {
     // See if there's an identity preference for this domain:
     ScopedCFTypeRef<CFStringRef> domain_str(
         base::SysUTF8ToCFStringRef("https://" + server_domain));
     SecIdentityRef identity = NULL;
@@ skipping 117 matching lines @@
   CSSM_DATA cert_data;
   OSStatus status = SecCertificateGetData(cert_handle, &cert_data);
   if (status)
     return false;
 
   return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data),
                            cert_data.Length);
 }
 
 }  // namespace net