
Side by Side Diff: net/cert/x509_util_mac.cc

Issue 2368453002: Hack for AIA fetching on Mac Sierra: On >=10.12, always do FETCH_CRL_FROM_NET if adding a crl polic… (Closed)
Patch Set: Created 4 years, 2 months ago
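--- a/net/cert/x509_util_mac.cc
+++ b/net/cert/x509_util_mac.cc
@@ -1,17 +1,18 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_util_mac.h"
 
 #include "base/logging.h"
+#include "base/mac/mac_util.h"
 #include "third_party/apple_apsl/cssmapplePriv.h"
 
 namespace net {
 
 // CSSM functions are deprecated as of OSX 10.7, but have no replacement.
 // https://bugs.chromium.org/p/chromium/issues/detail?id=590914#c1
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
 
 namespace x509_util {
@@ -93,21 +94,23 @@
 // that the leaf is EV, then the default CRL policy will effectively no-op.
 // This behaviour is used to implement EV-only revocation checking.
 if (enable_ev_checking || enable_revocation_checking) {
 CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options;
 memset(&tp_crl_options, 0, sizeof(tp_crl_options));
 tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
 // Only allow network CRL fetches if the caller explicitly requests
 // online revocation checking. Note that, as of OS X 10.7.2, the system
 // will set force this flag on according to system policies, so
 // online revocation checks cannot be completely disabled.
-if (enable_revocation_checking)
+// Starting with OS X 10.12, if a CRL policy is added without the
+// FETCH_CRL_FROM_NET flag, AIA fetching is disabled.
+if (enable_revocation_checking || base::mac::IsAtLeastOS10_12())
 tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
 
 SecPolicyRef crl_policy;
 status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_CRL, &tp_crl_options,
 sizeof(tp_crl_options), &crl_policy);
 if (status)
 return status;
 CFArrayAppendValue(policies, crl_policy);
 CFRelease(crl_policy);
 }
@@ -229,10 +232,10 @@
 CSSM_CL_CertAbortQuery(cl_handle_, results_handle);
 field->Reset(cl_handle_, oid, field_ptr);
 return CSSM_OK;
 }
 
 } // namespace x509_util
 
 #pragma clang diagnostic pop // "-Wdeprecated-declarations"
 
 } // namespace net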
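Review bot: The comment kept at new lines 100-103 still says network CRL fetches are allowed only when the caller explicitly requests online revocation checking, but the new condition at line 106 makes that untrue on 10.12 and later. There, a caller that reaches this block with only `enable_ev_checking` set now also gets `CSSM_TP_ACTION_FETCH_CRL_FROM_NET`. That widens the cases in which certificate verification may make network requests to CRL endpoints, which adds latency and exposes verification activity to the CRL host, so the trade-off should be stated rather than left implicit. I would reword the comment, for example `// On 10.12+, FETCH_CRL_FROM_NET is set whenever the CRL policy is added (including EV-only checking), because omitting it disables AIA fetching.`, and add `// TODO(<tracking-bug>): remove this workaround once AIA fetching no longer depends on the flag.` The enclosing function starts in the skipped lines, so whether any caller relies on the previous offline behaviour cannot be judged from this hunk.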