Mac EV verification using Chrome methods rather than OS methods.

net/cert/cert_verify_proc_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_mac.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 
 #include <set>
 #include <string>
 #include <vector>
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/mac/mac_logging.h"
+#include "base/mac/mac_util.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "base/synchronization/lock.h"
 #include "crypto/mac_security_services_lock.h"
 #include "crypto/sha2.h"
 #include "net/base/hash_value.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
+#include "net/cert/ev_root_ca_metadata.h"
+#include "net/cert/internal/certificate_policies.h"
+#include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/test_keychain_search_list_mac.h"
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_mac.h"
 
 // CSSM functions are deprecated as of OSX 10.7, but have no replacement.
 // https://bugs.chromium.org/p/chromium/issues/detail?id=590914#c1
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
 
-// From 10.7.2 libsecurity_keychain-55035/lib/SecTrustPriv.h, for use with
-// SecTrustCopyExtendedResult.
-#ifndef kSecEVOrganizationName
-#define kSecEVOrganizationName CFSTR("Organization")
-#endif
-
 using base::ScopedCFTypeRef;
 
 namespace net {
 
 namespace {
 
 typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef,
                                                       CFDictionaryRef*);
 
 int NetErrorFromOSStatus(OSStatus status) {
@@ skipping 107 matching lines @@
       x509_util::CreateSSLServerPolicy(std::string(), &ssl_policy);
   if (status)
     return status;
   CFArrayAppendValue(local_policies, ssl_policy);
   CFRelease(ssl_policy);
 
   // Explicitly add revocation policies, in order to override system
   // revocation checking policies and instead respect the application-level
   // revocation preference.
   status = x509_util::CreateRevocationPolicies(
-      (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED),
-      (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY),
-      local_policies);
+      (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED), local_policies);
   if (status)
     return status;
 
   policies->reset(local_policies.release());
   return noErr;
 }
 
 // Stores the constructed certificate chain |cert_chain| and information about
 // the signature algorithms used into |*verify_result|. If the leaf cert in
 // |cert_chain| contains a weak (MD2, MD4, MD5, SHA-1) signature, stores that
@@ skipping 78 matching lines @@
   }
   if (!verified_cert) {
     NOTREACHED();
     return;
   }
 
   verify_result->verified_cert =
       X509Certificate::CreateFromHandle(verified_cert, verified_chain);
 }
 
+using ExtensionsMap = std::map<net::der::Input, net::ParsedExtension>;
+
+// Helper that looks up an extension by OID given a map of extensions.
+bool GetExtensionValue(const ExtensionsMap& extensions,
+                       const net::der::Input& oid,
+                       net::der::Input* value) {
+  auto it = extensions.find(oid);
+  if (it == extensions.end())
+    return false;
+  *value = it->second.value;
+  return true;
+}
+
+// Checks if |*cert| has a Certificate Policies extension containing either
+// of |ev_policy_oid| or anyPolicy.
+bool HasPolicyOrAnyPolicy(const ParsedCertificate* cert,
+                          const der::Input& ev_policy_oid) {
+  der::Input extension_value;
+  if (!GetExtensionValue(cert->unparsed_extensions(), CertificatePoliciesOid(),
+                         &extension_value))
+    return false;
+
+  std::vector<der::Input> policies;
+  if (!ParseCertificatePoliciesExtension(extension_value, &policies))
+    return false;
+
+  for (const der::Input& policy_oid : policies) {
+    if (policy_oid == ev_policy_oid || policy_oid == AnyPolicy())
+      return true;
+  }
+  return false;
+}
+
+// Looks for known EV policy OIDs in |cert_input|, if one is found it will be
+// stored in |*ev_policy_oid| as a DER-encoded OID value (no tag or length).
+void GetCandidateEVPolicy(const X509Certificate* cert_input,
+                          std::string* ev_policy_oid) {
+  *ev_policy_oid = std::string();

[Ryan Sleevi, 2016/11/08 23:54:09]

ev_policy_oid->clear(); is slightly more efficient ;)

[mattm, 2016/11/10 05:40:40]

Done.

+
+  std::string der_cert;
+  if (!X509Certificate::GetDEREncoded(cert_input->os_cert_handle(),
+                                      &der_cert)) {
+    return;
+  }
+
+  scoped_refptr<ParsedCertificate> cert(
+      ParsedCertificate::Create(der_cert, {}, nullptr));
+  if (!cert)
+    return;
+
+  der::Input extension_value;
+  if (!GetExtensionValue(cert->unparsed_extensions(), CertificatePoliciesOid(),
+                         &extension_value)) {

[Ryan Sleevi, 2016/11/08 23:54:09]

Since you braced here, should you brace 289-291 for consistency (I think so)

[mattm, 2016/11/10 05:40:40]

Done.

+    return;
+  }
+
+  std::vector<der::Input> policies;
+  if (!ParseCertificatePoliciesExtension(extension_value, &policies))
+    return;
+
+  EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
+  for (const der::Input& policy_oid : policies) {
+    if (metadata->IsEVPolicyOID(policy_oid)) {
+      *ev_policy_oid = policy_oid.AsString();
+      return;
+    }
+  }
+}
+
+// Checks that the certificate chain of |cert| has policies consistent with
+// |ev_policy_oid_string|. The leaf is not checked, as it is assumed that is
+// where the policy came from.
+bool CheckCertChainEV(const X509Certificate* cert,
+                      const std::string& ev_policy_oid_string) {
+  der::Input ev_policy_oid(&ev_policy_oid_string);
+  X509Certificate::OSCertHandles os_cert_chain =
+      cert->GetIntermediateCertificates();
+
+  // Intermediates should have Certificate Policies extension with the EV policy
+  // or AnyPolicy.
+  for (size_t i = 0; i < os_cert_chain.size() - 1; ++i) {
+    std::string der_cert;
+    if (!X509Certificate::GetDEREncoded(os_cert_chain[i], &der_cert))
+      return false;
+    scoped_refptr<ParsedCertificate> intermediate_cert(
+        ParsedCertificate::Create(der_cert, {}, nullptr));
+    if (!intermediate_cert)
+      return false;
+    if (!HasPolicyOrAnyPolicy(intermediate_cert.get(), ev_policy_oid))
+      return false;
+  }
+
+  // Root should have matching policy in EVRootCAMetadata.
+  std::string der_cert;
+  if (!X509Certificate::GetDEREncoded(os_cert_chain.back(), &der_cert))
+    return false;
+  SHA1HashValue weak_fingerprint;
+  base::SHA1HashBytes(reinterpret_cast<const unsigned char*>(der_cert.data()),
+                      der_cert.size(), weak_fingerprint.data);
+  EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
+  return metadata->HasEVPolicyOID(weak_fingerprint, ev_policy_oid);

[Ryan Sleevi, 2016/11/08 23:54:09]

It seems like this check would be faster/a quicker short-circuit. Should we move
this before lines 349-362?

[mattm, 2016/11/10 05:40:40]

Done.

+}
+
 void AppendPublicKeyHashes(CFArrayRef chain,
                            HashValueVector* hashes) {
   const CFIndex n = CFArrayGetCount(chain);
   for (CFIndex i = 0; i < n; i++) {
     SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
         const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
 
     CSSM_DATA cert_data;
     OSStatus err = SecCertificateGetData(cert, &cert_data);
     DCHECK_EQ(err, noErr);
     base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data),
                                cert_data.Length);
     base::StringPiece spki_bytes;
     if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
       continue;
 
     HashValue sha1(HASH_VALUE_SHA1);
     CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data());
     hashes->push_back(sha1);
 
     HashValue sha256(HASH_VALUE_SHA256);
     CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());
     hashes->push_back(sha256);
   }
 }
 
-bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) {
+enum CRLSetResult {
+  kCRLSetOk,
+  kCRLSetRevoked,
+  kCRLSetUnknown,
+};
+
+// CheckRevocationWithCRLSet attempts to check each element of |cert_list|
+// against |crl_set|. It returns:
+//   kCRLSetRevoked: if any element of the chain is known to have been revoked.
+//   kCRLSetUnknown: if there is no fresh information about the leaf
+//       certificate in the chain or if the CRLSet has expired.
+//
+//       Only the leaf certificate is considered for coverage because some
+//       intermediates have CRLs with no revocations (after filtering) and
+//       those CRLs are pruned from the CRLSet at generation time. This means
+//       that some EV sites would otherwise take the hit of an OCSP lookup for
+//       no reason.
+//   kCRLSetOk: otherwise.
+CRLSetResult CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) {
   if (CFArrayGetCount(chain) == 0)
-    return true;
+    return kCRLSetOk;
+
+  // error is set to true if any errors are found. It causes such chains to be
+  // considered as not covered.
+  bool error = false;
+  // last_covered is set to the coverage state of the previous certificate. The
+  // certificates are iterated over backwards thus, after the iteration,
+  // |last_covered| contains the coverage state of the leaf certificate.

[Ryan Sleevi, 2016/11/08 23:54:09]

Inconsistency with respect to || vs no ||. I'd drop the || (which is consistent
with 422 as well)

Or word the comment w/o mentioning the variable name

// Set to the coverage state of the previous certificate. As the certificates
are iterated over
// from root to leaf, at the end of the iteration, this indicates the coverage
state of the leaf certificate.


Similarly, you could reword error to

// Set to true if any errors are found, which will cause such chains to not be
treated as covered by the CRLSet.

[mattm, 2016/11/10 05:40:41]

Done.

+  bool last_covered = false;
 
   // We iterate from the root certificate down to the leaf, keeping track of
   // the issuer's SPKI at each step.
   std::string issuer_spki_hash;
   for (CFIndex i = CFArrayGetCount(chain) - 1; i >= 0; i--) {
     SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
         const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
 
     CSSM_DATA cert_data;
     OSStatus err = SecCertificateGetData(cert, &cert_data);
     if (err != noErr) {
       NOTREACHED();
+      error = true;
       continue;
     }
     base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data),
                                 cert_data.Length);
     base::StringPiece spki;
     if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) {
       NOTREACHED();
+      error = true;
       continue;
     }
 
     const std::string spki_hash = crypto::SHA256HashString(spki);
     x509_util::CSSMCachedCertificate cached_cert;
     if (cached_cert.Init(cert) != CSSM_OK) {
       NOTREACHED();
+      error = true;
       continue;
     }
     x509_util::CSSMFieldValue serial_number;
     err = cached_cert.GetField(&CSSMOID_X509V1SerialNumber, &serial_number);
     if (err || !serial_number.field()) {
       NOTREACHED();
+      error = true;
       continue;
     }
 
     base::StringPiece serial(
         reinterpret_cast<const char*>(serial_number.field()->Data),
         serial_number.field()->Length);
 
     CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
 
     if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
       result = crl_set->CheckSerial(serial, issuer_spki_hash);
 
     issuer_spki_hash = spki_hash;
 
     switch (result) {
       case CRLSet::REVOKED:
-        return false;
+        return kCRLSetRevoked;
       case CRLSet::UNKNOWN:
+        last_covered = false;
+        continue;
       case CRLSet::GOOD:
+        last_covered = true;
         continue;
       default:
         NOTREACHED();
-        return false;
+        error = true;
+        continue;
     }
   }
 
-  return true;
+  if (error || !last_covered || crl_set->IsExpired())
+    return kCRLSetUnknown;
+  return kCRLSetOk;
 }
 
 // Builds and evaluates a SecTrustRef for the certificate chain contained
 // in |cert_array|, using the verification policies in |trust_policies|. On
 // success, returns OK, and updates |trust_ref|, |trust_result|,
 // |verified_chain|, and |chain_info| with the verification results. On
 // failure, no output parameters are modified.
 //
 // Note: An OK return does not mean that |cert_array| is trusted, merely that
 // verification was performed successfully.
@@ skipping 141 matching lines @@
   }
 
   ~OSXKnownRootHelper() {}
 
   std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_;
 };
 
 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots =
     LAZY_INSTANCE_INITIALIZER;
 
-}  // namespace
-
-CertVerifyProcMac::CertVerifyProcMac() {}
-
-CertVerifyProcMac::~CertVerifyProcMac() {}
-
-bool CertVerifyProcMac::SupportsAdditionalTrustAnchors() const {
-  return false;
-}
-
-bool CertVerifyProcMac::SupportsOCSPStapling() const {
-  // TODO(rsleevi): Plumb an OCSP response into the Mac system library.
-  // https://crbug.com/430714
-  return false;
-}
-
-int CertVerifyProcMac::VerifyInternal(
-    X509Certificate* cert,
-    const std::string& hostname,
-    const std::string& ocsp_response,
-    int flags,
-    CRLSet* crl_set,
-    const CertificateList& additional_trust_anchors,
-    CertVerifyResult* verify_result) {
+// Runs path building & verification loop for |cert|, given |flags|. This is
+// split into a separate function so verification can be repeated with different
+// flags. This function does not handle EV.
+int VerifyWithGivenFlags(X509Certificate* cert,
+                         const std::string& hostname,
+                         const int flags,
+                         CRLSet* crl_set,
+                         CertVerifyResult* verify_result,
+                         CRLSetResult* completed_chain_crl_result) {
   ScopedCFTypeRef<CFArrayRef> trust_policies;
   OSStatus status = CreateTrustPolicies(flags, &trust_policies);
   if (status)
     return NetErrorFromOSStatus(status);
 
+  *completed_chain_crl_result = kCRLSetUnknown;
+
   // Serialize all calls that may use the Keychain, to work around various
   // issues in OS X 10.6+ with multi-threaded access to Security.framework.
   base::AutoLock lock(crypto::GetMacSecurityServicesLock());
 
   ScopedCFTypeRef<SecTrustRef> trust_ref;
   SecTrustResultType trust_result = kSecTrustResultDeny;
   ScopedCFTypeRef<CFArrayRef> completed_chain;
   CSSM_TP_APPLE_EVIDENCE_INFO* chain_info = NULL;
   bool candidate_untrusted = true;
   bool candidate_weak = false;
-  bool completed_chain_revoked = false;
 
   // OS X lacks proper path discovery; it will take the input certs and never
   // backtrack the graph attempting to discover valid paths.
   // This can create issues in some situations:
   // - When OS X changes the trust store, there may be a chain
   //     A -> B -> C -> D
   //   where OS X trusts D (on some versions) and trusts C (on some versions).
   //   If a server supplies a chain A, B, C (cross-signed by D), then this chain
   //   will successfully validate on systems that trust D, but fail for systems
   //   that trust C. If the server supplies a chain of A -> B, then it forces
@@ skipping 123 matching lines @@
       // The CRLSet checking is performed inside the loop in the hope that if a
       // path is revoked, it's an older path, and the only reason it was built
       // is because the server forced it (by supplying an older or less
       // desirable intermediate) or because the user had installed a
       // certificate in their Keychain forcing this path. However, this means
       // its still possible for a CRLSet block of an intermediate to prevent
       // access, even when there is a 'good' chain. To fully remedy this, a
       // solution might be to have CRLSets contain enough knowledge about what
       // the 'desired' path might be, but for the time being, the
       // implementation is kept as 'simple' as it can be.
-      bool revoked =
-          (crl_set && !CheckRevocationWithCRLSet(temp_chain, crl_set));
+      CRLSetResult crl_result = kCRLSetUnknown;
+      if (crl_set)
+        crl_result = CheckRevocationWithCRLSet(temp_chain, crl_set);
       bool untrusted = (temp_trust_result != kSecTrustResultUnspecified &&
                         temp_trust_result != kSecTrustResultProceed) ||
-                       revoked;
+                       crl_result == kCRLSetRevoked;
       bool weak_chain = false;
       if (CFArrayGetCount(temp_chain) == 0) {
         // If the chain is empty, it cannot be trusted or have recoverable
         // errors.
         DCHECK(untrusted);
         DCHECK_NE(kSecTrustResultRecoverableTrustFailure, temp_trust_result);
       } else {
         CertVerifyResult temp_verify_result;
         bool leaf_is_weak = false;
         GetCertChainInfo(temp_chain, temp_chain_info, &temp_verify_result,
@@ skipping 16 matching lines @@
       //   old chain.
       //
       // Note: If the leaf certificate itself is weak, then the only
       // consideration is whether or not there is a trusted chain. That's
       // because no amount of path discovery will fix a weak leaf.
       if (!trust_ref || (!untrusted && (candidate_untrusted ||
                                         (candidate_weak && !weak_chain)))) {
         trust_ref = temp_ref;
         trust_result = temp_trust_result;
         completed_chain = temp_chain;
-        completed_chain_revoked = revoked;
+        *completed_chain_crl_result = crl_result;
         chain_info = temp_chain_info;
 
         candidate_untrusted = untrusted;
         candidate_weak = weak_chain;
       }
       // Short-circuit when a current, trusted chain is found.
       if (!untrusted && !weak_chain)
         break;
       CFArrayRemoveValueAtIndex(cert_array, CFArrayGetCount(cert_array) - 1);
     }
     // Short-circuit when a current, trusted chain is found.
     if (!candidate_untrusted && !candidate_weak)
       break;
   }
 
   if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED)
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 
-  if (completed_chain_revoked)
+  if (*completed_chain_crl_result == kCRLSetRevoked)
     verify_result->cert_status |= CERT_STATUS_REVOKED;
 
   if (CFArrayGetCount(completed_chain) > 0) {
     bool leaf_is_weak_unused = false;
     GetCertChainInfo(completed_chain, chain_info, verify_result,
                      &leaf_is_weak_unused);
   }
 
   // As of Security Update 2012-002/OS X 10.7.4, when an RSA key < 1024 bits
   // is encountered, CSSM returns CSSMERR_TP_VERIFY_ACTION_FAILED and adds
   // CSSMERR_CSP_UNSUPPORTED_KEY_SIZE as a certificate status. Avoid mapping
   // the CSSMERR_TP_VERIFY_ACTION_FAILED to CERT_STATUS_INVALID if the only
   // error was due to an unsupported key size.
   bool policy_failed = false;
+  bool policy_fail_already_mapped = false;
   bool weak_key_or_signature_algorithm = false;
 
   // Evaluate the results
   OSStatus cssm_result;
   switch (trust_result) {
     case kSecTrustResultUnspecified:
     case kSecTrustResultProceed:
       // Certificate chain is valid and trusted ("unspecified" indicates that
       // the user has not explicitly set a trust setting)
       break;
@@ skipping 37 matching lines @@
           // failure, with the status code CSSMERR_TP_INVALID_CERTIFICATE
           // added to the Status Codes. Don't treat this code as an invalid
           // certificate; instead, map it to a weak key. Any truly invalid
           // certificates will have the major error (cssm_result) set to
           // CSSMERR_TP_INVALID_CERTIFICATE, rather than
           // CSSMERR_TP_VERIFY_ACTION_FAILED.
           CertStatus mapped_status = 0;
           if (policy_failed &&
               chain_info[index].StatusCodes[status_code_index] ==
                   CSSMERR_TP_INVALID_CERTIFICATE) {
-              mapped_status = CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
+            mapped_status = CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
+            weak_key_or_signature_algorithm = true;
+            policy_fail_already_mapped = true;
+          } else if (policy_failed &&
+                     (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED) &&
+                     chain_info[index].StatusCodes[status_code_index] ==
+                         CSSMERR_TP_VERIFY_ACTION_FAILED &&
+                     base::mac::IsAtLeastOS10_12()) {
+            // On 10.12, using kSecRevocationRequirePositiveResponse flag
+            // causes a CSSMERR_TP_VERIFY_ACTION_FAILED status if revocation
+            // couldn't be checked. (Note: even if the cert had no
+            // crlDistributionPoints or OCSP AIA.)
+            mapped_status = CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
+            policy_fail_already_mapped = true;
+          } else {
+            mapped_status = CertStatusFromOSStatus(
+                chain_info[index].StatusCodes[status_code_index]);
+            if (mapped_status == CERT_STATUS_WEAK_KEY) {
               weak_key_or_signature_algorithm = true;
-          } else {
-              mapped_status = CertStatusFromOSStatus(
-                  chain_info[index].StatusCodes[status_code_index]);
-              if (mapped_status == CERT_STATUS_WEAK_KEY)
-                weak_key_or_signature_algorithm = true;
+              policy_fail_already_mapped = true;
+            }
           }
           verify_result->cert_status |= mapped_status;
         }
       }
-      if (policy_failed && !weak_key_or_signature_algorithm) {
+      if (policy_failed && !policy_fail_already_mapped) {
         // If CSSMERR_TP_VERIFY_ACTION_FAILED wasn't returned due to a weak
-        // key, map it back to an appropriate error code.
+        // key or problem checking revocation, map it back to an appropriate
+        // error code.
         verify_result->cert_status |= CertStatusFromOSStatus(cssm_result);
       }
       if (!IsCertStatusError(verify_result->cert_status)) {
         LOG(ERROR) << "cssm_result=" << cssm_result;
         verify_result->cert_status |= CERT_STATUS_INVALID;
         NOTREACHED();
       }
       break;
 
     default:
@@ skipping 21 matching lines @@
   // compatible with WinHTTP, which doesn't report this error (bug 3004).
   verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
 
   AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
   verify_result->is_issued_by_known_root =
       g_known_roots.Get().IsIssuedByKnownRoot(completed_chain);
 
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
-  if (flags & CertVerifier::VERIFY_EV_CERT) {
-    // Determine the certificate's EV status using SecTrustCopyExtendedResult(),
-    // which is an internal/private API function added in OS X 10.5.7.
-    // Note: "ExtendedResult" means extended validation results.
-    CFBundleRef bundle =
-        CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security"));
-    if (bundle) {
-      SecTrustCopyExtendedResultFuncPtr copy_extended_result =
-          reinterpret_cast<SecTrustCopyExtendedResultFuncPtr>(
-              CFBundleGetFunctionPointerForName(bundle,
-                  CFSTR("SecTrustCopyExtendedResult")));
-      if (copy_extended_result) {
-        CFDictionaryRef ev_dict_temp = NULL;
-        status = copy_extended_result(trust_ref, &ev_dict_temp);
-        ScopedCFTypeRef<CFDictionaryRef> ev_dict(ev_dict_temp);
-        ev_dict_temp = NULL;
-        if (status == noErr && ev_dict) {
-          // In 10.7.3, SecTrustCopyExtendedResult returns noErr and populates
-          // ev_dict even for non-EV certificates, but only EV certificates
-          // will cause ev_dict to contain kSecEVOrganizationName. In previous
-          // releases, SecTrustCopyExtendedResult would only return noErr and
-          // populate ev_dict for EV certificates, but would always include
-          // kSecEVOrganizationName in that case, so checking for this key is
-          // appropriate for all known versions of SecTrustCopyExtendedResult.
-          // The actual organization name is unneeded here and can be accessed
-          // through other means. All that matters here is the OS' conception
-          // of whether or not the certificate is EV.
-          if (CFDictionaryContainsKey(ev_dict,
-                                      kSecEVOrganizationName)) {
-            verify_result->cert_status |= CERT_STATUS_IS_EV;
-            if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY)
-              verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
-          }
-        }
-      }
+  return OK;
+}
+
+}  // namespace
+
+CertVerifyProcMac::CertVerifyProcMac() {}
+
+CertVerifyProcMac::~CertVerifyProcMac() {}
+
+bool CertVerifyProcMac::SupportsAdditionalTrustAnchors() const {
+  return false;
+}
+
+bool CertVerifyProcMac::SupportsOCSPStapling() const {
+  // TODO(rsleevi): Plumb an OCSP response into the Mac system library.
+  // https://crbug.com/430714
+  return false;
+}
+
+int CertVerifyProcMac::VerifyInternal(
+    X509Certificate* cert,
+    const std::string& hostname,
+    const std::string& ocsp_response,
+    int flags,
+    CRLSet* crl_set,
+    const CertificateList& additional_trust_anchors,
+    CertVerifyResult* verify_result) {
+  // Save the input state of |*verify_result|, which may be needed to re-do
+  // verification with different flags.
+  const CertVerifyResult input_verify_result(*verify_result);
+
+  // If EV verification is enabled, check for EV policy in leaf cert.
+  std::string candidate_ev_policy_oid;
+  if (flags & CertVerifier::VERIFY_EV_CERT)
+    GetCandidateEVPolicy(cert, &candidate_ev_policy_oid);
+
+  CRLSetResult completed_chain_crl_result;
+  int rv = VerifyWithGivenFlags(cert, hostname, flags, crl_set, verify_result,
+                                &completed_chain_crl_result);
+  if (rv != OK)
+    return rv;
+
+  if (!candidate_ev_policy_oid.empty() &&
+      CheckCertChainEV(verify_result->verified_cert.get(),
+                       candidate_ev_policy_oid)) {
+    // EV policies check out and the verification succeeded. See if revocation
+    // checking still needs to be done before it can be marked as EV.
+    if (completed_chain_crl_result == kCRLSetUnknown &&
+        (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY) &&
+        !(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED)) {
+      // If this is an EV cert and it wasn't covered by CRLSets and revocation
+      // checking wasn't already on, try again with revocation forced on.
+      //
+      // Restore the input state of |*verify_result|, so that the
+      // re-verification starts with a clean slate.
+      *verify_result = input_verify_result;
+      int tmp_rv = VerifyWithGivenFlags(
+          verify_result->verified_cert.get(), hostname,
+          flags | CertVerifier::VERIFY_REV_CHECKING_ENABLED, crl_set,
+          verify_result, &completed_chain_crl_result);
+      // If re-verification failed, return those results without setting EV
+      // status.
+      if (tmp_rv != OK)
+        return tmp_rv;
+      // Otherwise, fall through and add the EV status flag.
     }
+    // EV cert and it was covered by CRLSets or revocation checking passed.
+    verify_result->cert_status |= CERT_STATUS_IS_EV;
   }
 
   return OK;
 }
 
 }  // namespace net
 
 #pragma clang diagnostic pop  // "-Wdeprecated-declarations"