Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(806)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 125120: Use LOAD_VERIFY_EV_CERT to verify EV-ness in Verify().... (Closed)

Created:
11 years, 6 months ago by ukai
Modified:
9 years, 7 months ago
Reviewers:
wtc
CC:
chromium-reviews_googlegroups.com, John Grabowski
Visibility:
Public.

Description

Use LOAD_VERIFY_EV_CERT to verify EV-ness in Verify(). If LOAD_VERIFY_EV_CERT is requested on load_flags and revokation checking is performed, Verify() peforms EV certificate verification as well, and sets CERT_STATUS_IS_EV in verify_result. Eliminate X509Certificate::IsEV() BUG=3592 TEST=net_unittests with ALLOW_EXTERNAL_ACCESS=1, \ visit https://www.thawte.com/ and shows EV info. Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=19011

Patch Set 1 #

Patch Set 2 : '' #

Patch Set 3 : '' #

Total comments: 18

Patch Set 4 : '' #

Patch Set 5 : '' #

Total comments: 26

Patch Set 6 : '' #

Unified diffs Side-by-side diffs Delta from patch set Stats (+98 lines, -61 lines) Patch
M chrome/browser/renderer_host/resource_dispatcher_host.cc View 4 5 2 chunks +4 lines, -11 lines 0 comments Download
M net/base/cert_verifier.h View 1 2 3 4 5 2 chunks +9 lines, -3 lines 0 comments Download
M net/base/cert_verifier.cc View 1 2 3 4 5 5 chunks +8 lines, -8 lines 0 comments Download
M net/base/ssl_config_service.h View 1 2 3 4 5 2 chunks +4 lines, -2 lines 0 comments Download
M net/base/x509_certificate.h View 1 2 3 4 5 3 chunks +12 lines, -7 lines 0 comments Download
M net/base/x509_certificate_mac.cc View 1 2 3 4 5 2 chunks +2 lines, -3 lines 0 comments Download
M net/base/x509_certificate_nss.cc View 1 2 3 4 5 3 chunks +7 lines, -2 lines 0 comments Download
M net/base/x509_certificate_unittest.cc View 1 2 3 4 5 5 chunks +21 lines, -5 lines 0 comments Download
M net/base/x509_certificate_win.cc View 1 2 3 4 5 4 chunks +16 lines, -16 lines 0 comments Download
M net/http/http_network_transaction.cc View 1 2 3 4 5 1 chunk +3 lines, -0 lines 0 comments Download
M net/socket/ssl_client_socket_nss.cc View 1 chunk +6 lines, -2 lines 0 comments Download
M net/socket/ssl_client_socket_win.cc View 1 chunk +6 lines, -2 lines 0 comments Download

Messages

Total messages: 5 (0 generated)
ukai
11 years, 6 months ago (2009-06-15 10:03:30 UTC) #1
wtc
Sorry about the delay in review this CL. It looks good, but I'd like to ...
11 years, 6 months ago (2009-06-18 22:31:07 UTC) #2
ukai
http://codereview.chromium.org/125120/diff/28/30 File net/base/cert_verifier.h (right): http://codereview.chromium.org/125120/diff/28/30#newcode48 Line 48: // If |verify_ev_cert_enabled| is true, EV certification verification ...
11 years, 6 months ago (2009-06-22 08:45:52 UTC) #3
wtc
LGTM. Please fix the nits below before checking this in. Thanks! http://codereview.chromium.org/125120/diff/4022/4034 File chrome/browser/renderer_host/resource_dispatcher_host.cc (left): ...
11 years, 6 months ago (2009-06-23 01:16:15 UTC) #4
ukai
11 years, 6 months ago (2009-06-23 06:34:05 UTC) #5 
http://codereview.chromium.org/125120/diff/4022/4034
File chrome/browser/renderer_host/resource_dispatcher_host.cc (left):

http://codereview.chromium.org/125120/diff/4022/4034#oldcode931
Line 931: // EV certificate verification could be expensive.  We don't want to
spend
On 2009/06/23 01:16:16, wtc wrote:
> We should move the first two sentences of this comment to
> ResourceDispatcherHost::BeginRequest above this code:
> 
>     if (request_data.resource_type == ResourceType::MAIN_FRAME)
>       load_flags |= net::LOAD_VERIFY_EV_CERT;

Done.

http://codereview.chromium.org/125120/diff/4022/4034
File chrome/browser/renderer_host/resource_dispatcher_host.cc (right):

http://codereview.chromium.org/125120/diff/4022/4034#newcode930
Line 930: int cert_status = request->ssl_info().cert_status;
On 2009/06/23 01:16:16, wtc wrote:
> Nit: you can just plug in request->ssl_info().cert_status
> below and get rid of the local variable cert_status.

Done.

http://codereview.chromium.org/125120/diff/4022/4031
File net/base/cert_verifier.cc (right):

http://codereview.chromium.org/125120/diff/4022/4031#newcode98
Line 98: // bit OR'd of verify_flags.
On 2009/06/23 01:16:16, wtc wrote:
> Nit: change
>   bit OR'd
> to
>   bitwise OR

Done.

http://codereview.chromium.org/125120/diff/4022/4031#newcode98
Line 98: // bit OR'd of verify_flags.
On 2009/06/23 01:16:16, wtc wrote:
> Change
>   verify_flags
> to
>   X509Certificate::VerifyFlags

Done.

http://codereview.chromium.org/125120/diff/4022/4024
File net/base/cert_verifier.h (right):

http://codereview.chromium.org/125120/diff/4022/4024#newcode52
Line 52: // be failed.
On 2009/06/23 01:16:16, wtc wrote:
> Change
>   be failed
> to
>   not be performed
> or
>   be skipped

Done.

http://codereview.chromium.org/125120/diff/4022/4025
File net/base/ssl_config_service.h (right):

http://codereview.chromium.org/125120/diff/4022/4025#newcode42
Line 42: bool verify_ev_cert;  // True if EV certificate verification enabled.
On 2009/06/23 01:16:16, wtc wrote:
> Please change this comment to:
>   True if we should verify the certificate for EV.

Done.

http://codereview.chromium.org/125120/diff/4022/4032
File net/base/x509_certificate.h (right):

http://codereview.chromium.org/125120/diff/4022/4032#newcode215
Line 215: // |flags| is OR'd of VerifyFlags.
On 2009/06/23 01:16:16, wtc wrote:
> Please make the following changes to the comments in
> cert_verifier.h as well.
> 
> Nit: change
>     OR'd
> to
>     bitwise OR

Done.

http://codereview.chromium.org/125120/diff/4022/4032#newcode216
Line 216: // If VERIFY_REV_CHECKING_ENABLED is set on |flags|, certificate
revocation
On 2009/06/23 01:16:16, wtc wrote:
> Nit: change
>   on |flags|
> to
>   in |flags|
> 
> (two occurrences)

Done.

http://codereview.chromium.org/125120/diff/4022/4030
File net/base/x509_certificate_nss.cc (right):

http://codereview.chromium.org/125120/diff/4022/4030#newcode390
Line 390: bool use_ocsp = false;
On 2009/06/23 01:16:16, wtc wrote:
> It seems that we don't need to move this line.

Done.

http://codereview.chromium.org/125120/diff/4022/4030#newcode394
Line 394: if (!(flags & VERIFY_REV_CHECKING_ENABLED))
On 2009/06/23 01:16:16, wtc wrote:
> Add a comment:
>   // EV requires revocation checking.

Done.

http://codereview.chromium.org/125120/diff/4022/4029
File net/base/x509_certificate_unittest.cc (right):

http://codereview.chromium.org/125120/diff/4022/4029#newcode398
Line 398: int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED|
On 2009/06/23 01:16:16, wtc wrote:
> Nit: add a space before '|', and align the two "X509...":
> 
>   int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
>               X509Certificate::VERIFY_EV_CERT;
> 
> Please make the same change elsewhere in this file.

Done.

http://codereview.chromium.org/125120/diff/4022/4028
File net/base/x509_certificate_win.cc (right):

http://codereview.chromium.org/125120/diff/4022/4028#newcode452
Line 452: flags &= ~VERIFY_EV_CERT;
On 2009/06/23 01:16:16, wtc wrote:
> Add a comment
>   // EV requiires revocation checking.

Done.

http://codereview.chromium.org/125120/diff/4022/4028#newcode566
Line 566: // This function checks of the certificatePolicies extensions of the
On 2009/06/23 01:16:16, wtc wrote:
> Nit: remove the first "of".

Done.

Powered by Google App Engine
This is Rietveld 408576698