net/cert/cert_verify_proc_win.cc - Issue 23441005: net: mark cert as revoked if EV revocation check receives revoked response (Win).

Side by Side Diff: net/cert/cert_verify_proc_win.cc

Issue 23441005: net: mark cert as revoked if EV revocation check receives revoked response (Win). (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: g try Created 7 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc_win.h"	5 #include "net/cert/cert_verify_proc_win.h"

6	6

7 #include <string>	7 #include <string>

8 #include <vector>	8 #include <vector>

9	9

10 #include "base/memory/scoped_ptr.h"	10 #include "base/memory/scoped_ptr.h"

(...skipping 629 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
640 } else if (crl_set_result == kCRLSetUnknown &&	640 } else if (crl_set_result == kCRLSetUnknown &&

641 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY) &&	641 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY) &&

642 !rev_checking_enabled &&	642 !rev_checking_enabled &&

643 ev_policy_oid != NULL) {	643 ev_policy_oid != NULL) {

644 // We don't have fresh information about this chain from the CRLSet and	644 // We don't have fresh information about this chain from the CRLSet and

645 // it's probably an EV certificate. Retry with online revocation checking.	645 // it's probably an EV certificate. Retry with online revocation checking.

646 rev_checking_enabled = true;	646 rev_checking_enabled = true;

647 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;	647 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;

648 verify_result->cert_status \|= CERT_STATUS_REV_CHECKING_ENABLED;	648 verify_result->cert_status \|= CERT_STATUS_REV_CHECKING_ENABLED;

649	649

	650 CertFreeCertificateChain(chain_context);

650 if (!CertGetCertificateChain(	651 if (!CertGetCertificateChain(

651 chain_engine,	652 chain_engine,

652 cert_list.get(),	653 cert_list.get(),

653 NULL, // current system time	654 NULL, // current system time

654 cert_list->hCertStore,	655 cert_list->hCertStore,

655 &chain_para,	656 &chain_para,

656 chain_flags,	657 chain_flags,

657 NULL, // reserved	658 NULL, // reserved

658 &chain_context)) {	659 &chain_context)) {

659 verify_result->cert_status \|= CERT_STATUS_INVALID;	660 verify_result->cert_status \|= CERT_STATUS_INVALID;

(...skipping 17 matching lines...) Expand all Loading...
677 NULL, // reserved	678 NULL, // reserved

678 &chain_context)) {	679 &chain_context)) {

679 verify_result->cert_status \|= CERT_STATUS_INVALID;	680 verify_result->cert_status \|= CERT_STATUS_INVALID;

680 return MapSecurityError(GetLastError());	681 return MapSecurityError(GetLastError());

681 }	682 }

682 }	683 }

683	684

684 CertVerifyResult temp_verify_result = *verify_result;	685 CertVerifyResult temp_verify_result = *verify_result;

685 GetCertChainInfo(chain_context, verify_result);	686 GetCertChainInfo(chain_context, verify_result);

686 if (!verify_result->is_issued_by_known_root &&	687 if (!verify_result->is_issued_by_known_root &&

687 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)) {	688 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)) {
	wtc 2013/08/28 23:58:42 Should we add && !rev_checking_enabled to th Should we add && !rev_checking_enabled to this conditional expression? Otherwise we may be redoing the same verification if rev_checking_enabled was already true. agl 2013/08/29 16:46:59 Just adding the conditional wouldn't be correct, I Show quoted text On 2013/08/28 23:58:42, wtc wrote: > > Should we add > > && !rev_checking_enabled > > to this conditional expression? > > Otherwise we may be redoing the same verification if rev_checking_enabled > was already true. Just adding the conditional wouldn't be correct, I believe, because it would skip the hard fail in the case that we did a soft-fail, online check. But there might be scope for avoiding a verification here. However, I don't think it's in scope for this change.
688 *verify_result = temp_verify_result;	689 *verify_result = temp_verify_result;

689	690

690 rev_checking_enabled = true;	691 rev_checking_enabled = true;

691 verify_result->cert_status \|= CERT_STATUS_REV_CHECKING_ENABLED;	692 verify_result->cert_status \|= CERT_STATUS_REV_CHECKING_ENABLED;

692 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;	693 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;

693	694

694 CertFreeCertificateChain(chain_context);	695 CertFreeCertificateChain(chain_context);

695 if (!CertGetCertificateChain(	696 if (!CertGetCertificateChain(

696 chain_engine,	697 chain_engine,

697 cert_list.get(),	698 cert_list.get(),

(...skipping 83 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
781 return MapCertStatusToNetError(verify_result->cert_status);	782 return MapCertStatusToNetError(verify_result->cert_status);

782	783

783 if (ev_policy_oid &&	784 if (ev_policy_oid &&

784 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {	785 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {

785 verify_result->cert_status \|= CERT_STATUS_IS_EV;	786 verify_result->cert_status \|= CERT_STATUS_IS_EV;

786 }	787 }

787 return OK;	788 return OK;

788 }	789 }

789	790

790 } // namespace net	791 } // namespace net

OLD	NEW

« no previous file with comments | « no previous file | net/url_request/url_request_unittest.cc » ('j') | net/url_request/url_request_unittest.cc » ('J')