Chromium Code Reviews Chromium Code Reviews
Issue 7082031:
Don't block the UI thread for OCSP/CRLs when viewing a cert on Mac. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: net/base/x509_certificate_mac.cc |
| diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc |
| index 3b5177736f13cdb69474edaf1b5ccad607015608..b494c47ca97e8f780f11b3d38a0d490f41fd7ac4 100644 |
| --- a/net/base/x509_certificate_mac.cc |
| +++ b/net/base/x509_certificate_mac.cc |
| @@ -304,73 +304,18 @@ OSStatus CreateTrustPolicies(const std::string& hostname, int flags, |
| // Create an SSL SecPolicyRef, and configure it to perform hostname |
| // validation. The hostname check does 99% of what we want, with the |
| // exception of dotted IPv4 addreses, which we handle ourselves below. |
| - CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options = { |
| - CSSM_APPLE_TP_SSL_OPTS_VERSION, |
| - hostname.size(), |
| - hostname.data(), |
| - 0 |
| - }; |
| SecPolicyRef ssl_policy; |
| - OSStatus status = CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options, |
| - sizeof(tp_ssl_options), &ssl_policy); |
| + OSStatus status = X509Certificate::CreateSSLPolicy(true, hostname, |
| + &ssl_policy); |
| if (status) |
| return status; |
| CFArrayAppendValue(local_policies, ssl_policy); |
| CFRelease(ssl_policy); |
| - // Manually add revocation policies. In order to actually disable revocation |
| - // checking, the SecTrustRef must have at least one revocation policy |
| - // associated with it. If none are present, the Apple TP will add policies |
| - // according to the system preferences, which will enable revocation |
| - // checking even if the caller explicitly disabled it. An OCSP policy is |
| - // used, rather than a CRL policy, because the Apple TP will force an OCSP |
| - // policy to be present and enabled if it believes the certificate may chain |
| - // to an EV root. By explicitly disabling network and OCSP cache access, |
| - // then even if the Apple TP enables OCSP checking, no revocation checking |
| - // will actually succeed. |
| - CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options; |
| - memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options)); |
| - tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION; |
| - |
| - if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) { |
| - // The default for the OCSP policy is to fetch responses via the network, |
| - // unlike the CRL policy default. The policy is further modified to |
| - // prefer OCSP over CRLs, if both are specified on the certificate. This |
| - // is because an OCSP response is both sufficient and typically |
| - // significantly smaller than the CRL counterpart. |
| - tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT; |
| - } else { |
| - // Effectively disable OCSP checking by making it impossible to get an |
| - // OCSP response. Even if the Apple TP forces OCSP, no checking will |
| - // be able to succeed. If this happens, the Apple TP will report an error |
| - // that OCSP was unavailable, but this will be handled and suppressed in |
| - // X509Certificate::Verify(). |
| - tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_DISABLE_NET | |
| - CSSM_TP_ACTION_OCSP_CACHE_READ_DISABLE; |
| - } |
| - |
| - SecPolicyRef ocsp_policy; |
| - status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_OCSP, &tp_ocsp_options, |
| - sizeof(tp_ocsp_options), &ocsp_policy); |
| - if (status) |
| - return status; |
| - CFArrayAppendValue(local_policies, ocsp_policy); |
| - CFRelease(ocsp_policy); |
| - |
| - if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) { |
| - CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options; |
| - memset(&tp_crl_options, 0, sizeof(tp_crl_options)); |
| - tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION; |
| - tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET; |
| - |
| - SecPolicyRef crl_policy; |
| - status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_CRL, &tp_crl_options, |
| - sizeof(tp_crl_options), &crl_policy); |
| - if (status) |
| - return status; |
| - CFArrayAppendValue(local_policies, crl_policy); |
| - CFRelease(crl_policy); |
| - } |
| + // Explicitly add revocation policies, in order to override system checks. |
|
wtc
2011/06/03 01:58:04
Nit: it's not clear what "system checks" means.
|
| + status = X509Certificate::CreateRevocationPolicies( |
| + (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED), |
| + local_policies); |
|
wtc
2011/06/03 01:58:04
Add
if (status)
return status;
|
| policies->reset(local_policies.release()); |
| return noErr; |
| @@ -387,7 +332,8 @@ OSStatus CopyCertChain(SecCertificateRef cert_handle, |
| DCHECK(out_cert_chain); |
| // Create an SSL policy ref configured for client cert evaluation. |
| SecPolicyRef ssl_policy; |
| - OSStatus result = X509Certificate::CreateSSLClientPolicy(&ssl_policy); |
| + OSStatus result = X509Certificate::CreateSSLPolicy(false, std::string(), |
| + &ssl_policy); |
| if (result) |
| return result; |
| ScopedCFTypeRef<SecPolicyRef> scoped_ssl_policy(ssl_policy); |
| @@ -1202,20 +1148,91 @@ bool X509Certificate::IsIssuedBy( |
| } |
| // static |
| -OSStatus X509Certificate::CreateSSLClientPolicy(SecPolicyRef* out_policy) { |
| - CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options = { |
| - CSSM_APPLE_TP_SSL_OPTS_VERSION, |
| - 0, |
| - NULL, |
| - CSSM_APPLE_TP_SSL_CLIENT |
| - }; |
| - return CreatePolicy(&CSSMOID_APPLE_TP_SSL, |
| - &tp_ssl_options, |
| - sizeof(tp_ssl_options), |
| - out_policy); |
| +OSStatus X509Certificate::CreateSSLPolicy(bool is_server, |
| + const std::string& hostname, |
| + SecPolicyRef* policy) { |
| + CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options; |
| + memset(&tp_ssl_options, 0, sizeof(tp_ssl_options)); |
| + tp_ssl_options.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION; |
| + if (is_server && !hostname.empty()) { |
| + tp_ssl_options.ServerName = hostname.c_str(); |
|
wtc
2011/06/03 01:58:04
Use hostname.data(), which does not require conver
|
| + tp_ssl_options.ServerNameLen = hostname.size(); |
| + } |
| + if (!is_server) |
| + tp_ssl_options.Flags |= CSSM_APPLE_TP_SSL_CLIENT; |
| + |
| + return CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options, |
| + sizeof(tp_ssl_options), policy); |
| +} |
| + |
| +// static |
| +OSStatus X509Certificate::CreateBasicX509Policy(SecPolicyRef* policy) { |
| + return CreatePolicy(&CSSMOID_APPLE_X509_BASIC, NULL, 0, policy); |
| } |
| // static |
| +OSStatus X509Certificate::CreateRevocationPolicies( |
| + bool enable_revocation_checking, |
| + CFMutableArrayRef policies) { |
| + // In order to actually disable revocation checking, the SecTrustRef must |
| + // have at least one revocation policy associated with it. If none are |
| + // present, the Apple TP will add policies according to the system |
| + // preferences, which will enable revocation checking even if the caller |
| + // explicitly disabled it. An OCSP policy is used, rather than a CRL policy, |
| + // because the Apple TP will force an OCSP policy to be present and enabled |
| + // if it believes the certificate may chain to an EV root. By explicitly |
| + // disabling network and OCSP cache access, then even if the Apple TP |
| + // enables OCSP checking, no revocation checking will actually succeed. |
| + CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options; |
| + memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options)); |
| + tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION; |
| + |
| + if (enable_revocation_checking) { |
| + // The default for the OCSP policy is to fetch responses via the network, |
| + // unlike the CRL policy default. The policy is further modified to |
| + // prefer OCSP over CRLs, if both are specified on the certificate. This |
| + // is because an OCSP response is both sufficient and typically |
| + // significantly smaller than the CRL counterpart. |
| + tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT; |
| + } else { |
| + // Effectively disable OCSP checking by making it impossible to get an |
| + // OCSP response. Even if the Apple TP forces OCSP, no checking will |
| + // be able to succeed. If this happens, the Apple TP will report an error |
| + // that OCSP was unavailable, but this will be handled and suppressed in |
| + // X509Certificate::Verify(). |
| + tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_DISABLE_NET | |
| + CSSM_TP_ACTION_OCSP_CACHE_READ_DISABLE; |
| + } |
| + |
| + SecPolicyRef ocsp_policy; |
| + OSStatus status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_OCSP, |
| + &tp_ocsp_options, sizeof(tp_ocsp_options), |
| + &ocsp_policy); |
| + if (status) |
| + return status; |
| + CFArrayAppendValue(policies, ocsp_policy); |
| + CFRelease(ocsp_policy); |
| + |
| + if (enable_revocation_checking) { |
| + CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options; |
| + memset(&tp_crl_options, 0, sizeof(tp_crl_options)); |
| + tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION; |
| + tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET; |
| + |
| + SecPolicyRef crl_policy; |
| + status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_CRL, &tp_crl_options, |
| + sizeof(tp_crl_options), &crl_policy); |
| + if (status) |
| + return status; |
| + CFArrayAppendValue(policies, crl_policy); |
| + CFRelease(crl_policy); |
| + } |
| + |
| + return status; |
| +} |
| + |
| + |
| +// static |
| bool X509Certificate::GetSSLClientCertificates( |
| const std::string& server_domain, |
| const std::vector<CertPrincipal>& valid_issuers, |
