Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(37)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/x509_certificate_nss.cc

Issue 165206: Use strict revocation flags only for EV verification.... (Closed) Base URL: http://src.chromium.org/svn/trunk/src/
Patch Set: Upload before checkin Created 11 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 7 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424
8 // until NSS 3.12.2 comes out and we update to it. 8 // until NSS 3.12.2 comes out and we update to it.
9 #define Lock FOO_NSS_Lock 9 #define Lock FOO_NSS_Lock
10 #include <cert.h> 10 #include <cert.h>
(...skipping 346 matching lines...) Expand 10 before | Expand all | Expand 10 after
357 // are also checked. 357 // are also checked.
358 // Caller must initialize cvout before calling this function. 358 // Caller must initialize cvout before calling this function.
359 SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle, 359 SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
360 const SECOidTag* policy_oids, 360 const SECOidTag* policy_oids,
361 int num_policy_oids, 361 int num_policy_oids,
362 CERTValOutParam* cvout) { 362 CERTValOutParam* cvout) {
363 PRUint64 revocation_method_flags = 363 PRUint64 revocation_method_flags =
364 CERT_REV_M_TEST_USING_THIS_METHOD | 364 CERT_REV_M_TEST_USING_THIS_METHOD |
365 CERT_REV_M_ALLOW_NETWORK_FETCHING | 365 CERT_REV_M_ALLOW_NETWORK_FETCHING |
366 CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | 366 CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE |
367 CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE |
368 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO; 367 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
369 PRUint64 revocation_method_independent_flags = 368 PRUint64 revocation_method_independent_flags =
370 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | 369 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
371 CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; 370 if (policy_oids && num_policy_oids > 0) {
371 // EV verification requires revocation checking. Consider the certificate
372 // revoked if we don't have revocation info.
373 // TODO(wtc): Add a bool parameter to expressly specify we're doing EV
374 // verification or we want strict revocation flags.
375 revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE;
376 revocation_method_independent_flags |=
377 CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
378 } else {
379 revocation_method_flags |= CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE;
380 revocation_method_independent_flags |=
381 CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT;
382 }
372 PRUint64 method_flags[2]; 383 PRUint64 method_flags[2];
373 method_flags[cert_revocation_method_crl] = revocation_method_flags; 384 method_flags[cert_revocation_method_crl] = revocation_method_flags;
374 method_flags[cert_revocation_method_ocsp] = revocation_method_flags; 385 method_flags[cert_revocation_method_ocsp] = revocation_method_flags;
375 386
376 // TODO(ukai): need to find out if we need to call OCSP-related NSS functions, 387 // TODO(ukai): need to find out if we need to call OCSP-related NSS functions,
377 // CERT_EnableOCSPChecking, CERT_DisableOCSPDefaultResponder and 388 // CERT_EnableOCSPChecking, CERT_DisableOCSPDefaultResponder and
378 // CERT_SetOCSPFailureMode. 389 // CERT_SetOCSPFailureMode.
379 CERTRevocationMethodIndex preferred_revocation_methods[1]; 390 CERTRevocationMethodIndex preferred_revocation_methods[1];
380 preferred_revocation_methods[0] = cert_revocation_method_ocsp; 391 preferred_revocation_methods[0] = cert_revocation_method_ocsp;
381 392
(...skipping 255 matching lines...) Expand 10 before | Expand all | Expand 10 after
637 DCHECK(0 != cert->derCert.len); 648 DCHECK(0 != cert->derCert.len);
638 649
639 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, 650 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data,
640 cert->derCert.data, cert->derCert.len); 651 cert->derCert.data, cert->derCert.len);
641 DCHECK(rv == SECSuccess); 652 DCHECK(rv == SECSuccess);
642 653
643 return sha1; 654 return sha1;
644 } 655 }
645 656
646 } // namespace net 657 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698