Clang format slam.

net/cert/cert_verify_proc_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_nss.h"
 
 #include <string>
 #include <vector>
 
 #include <cert.h>
@@ skipping 25 matching lines @@
 namespace net {
 
 namespace {
 
 typedef scoped_ptr<
     CERTCertificatePolicies,
     crypto::NSSDestroyer<CERTCertificatePolicies,
                          CERT_DestroyCertificatePoliciesExtension> >
     ScopedCERTCertificatePolicies;
 
-typedef scoped_ptr<
-    CERTCertList,
-    crypto::NSSDestroyer<CERTCertList, CERT_DestroyCertList> >
+typedef scoped_ptr<CERTCertList,
+                   crypto::NSSDestroyer<CERTCertList, CERT_DestroyCertList> >
     ScopedCERTCertList;
 
 // ScopedCERTValOutParam manages destruction of values in the CERTValOutParam
 // array that cvout points to.  cvout must be initialized as passed to
 // CERT_PKIXVerifyCert, so that the array must be terminated with
 // cert_po_end type.
 // When it goes out of scope, it destroys values of cert_po_trustAnchor
 // and cert_po_certList types, but doesn't release the array itself.
 class ScopedCERTValOutParam {
  public:
   explicit ScopedCERTValOutParam(CERTValOutParam* cvout) : cvout_(cvout) {}
 
-  ~ScopedCERTValOutParam() {
-    Clear();
-  }
+  ~ScopedCERTValOutParam() { Clear(); }
 
   // Free the internal resources, but do not release the array itself.
   void Clear() {
     if (cvout_ == NULL)
       return;
-    for (CERTValOutParam *p = cvout_; p->type != cert_po_end; p++) {
+    for (CERTValOutParam* p = cvout_; p->type != cert_po_end; p++) {
       switch (p->type) {
         case cert_po_trustAnchor:
           if (p->value.pointer.cert) {
             CERT_DestroyCertificate(p->value.pointer.cert);
             p->value.pointer.cert = NULL;
           }
           break;
         case cert_po_certList:
           if (p->value.pointer.chain) {
             CERT_DestroyCertList(p->value.pointer.chain);
@@ skipping 140 matching lines @@
 }
 
 // IsKnownRoot returns true if the given certificate is one that we believe
 // is a standard (as opposed to user-installed) root.
 bool IsKnownRoot(CERTCertificate* root) {
   if (!root || !root->slot)
     return false;
 
   // This magic name is taken from
   // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
-  return 0 == strcmp(PK11_GetSlotName(root->slot),
-                     "NSS Builtin Objects");
+  return 0 == strcmp(PK11_GetSlotName(root->slot), "NSS Builtin Objects");
 }
 
 // Returns true if the given certificate is one of the additional trust anchors.
 bool IsAdditionalTrustAnchor(CERTCertList* additional_trust_anchors,
                              CERTCertificate* root) {
   if (!additional_trust_anchors || !root)
     return false;
   for (CERTCertListNode* node = CERT_LIST_HEAD(additional_trust_anchors);
        !CERT_LIST_END(node, additional_trust_anchors);
        node = CERT_LIST_NEXT(node)) {
@@ skipping 30 matching lines @@
   }
   if (root)
     certs.push_back(root);
 
   bool covered = true;
 
   // We iterate from the root certificate down to the leaf, keeping track of
   // the issuer's SPKI at each step.
   std::string issuer_spki_hash;
   for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin();
-       i != certs.rend(); ++i) {
+       i != certs.rend();
+       ++i) {
     CERTCertificate* cert = *i;
 
     base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data),
                           cert->derCert.len);
 
     base::StringPiece spki;
     if (!asn1::ExtractSPKIFromDERCert(der, &spki)) {
       NOTREACHED();
       covered = false;
       continue;
     }
     const std::string spki_hash = crypto::SHA256HashString(spki);
 
-    base::StringPiece serial_number = base::StringPiece(
-        reinterpret_cast<char*>(cert->serialNumber.data),
-        cert->serialNumber.len);
+    base::StringPiece serial_number =
+        base::StringPiece(reinterpret_cast<char*>(cert->serialNumber.data),
+                          cert->serialNumber.len);
 
     CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
 
     if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
       result = crl_set->CheckSerial(serial_number, issuer_spki_hash);
 
     issuer_spki_hash = spki_hash;
 
     switch (result) {
       case CRLSet::REVOKED:
         return kCRLSetRevoked;
       case CRLSet::UNKNOWN:
         covered = false;
         continue;
       case CRLSet::GOOD:
         continue;
       default:
         NOTREACHED();
         covered = false;
         continue;
     }
   }
 
   if (!covered || crl_set->IsExpired())
     return kCRLSetUnknown;
   return kCRLSetOk;
 }
 
 // Forward declarations.
-SECStatus RetryPKIXVerifyCertWithWorkarounds(
-    CERTCertificate* cert_handle, int num_policy_oids,
-    bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
-    CERTValOutParam* cvout);
+SECStatus RetryPKIXVerifyCertWithWorkarounds(CERTCertificate* cert_handle,
+                                             int num_policy_oids,
+                                             bool cert_io_enabled,
+                                             std::vector<CERTValInParam>* cvin,
+                                             CERTValOutParam* cvout);
 SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle);
 
 // Call CERT_PKIXVerifyCert for the cert_handle.
 // Verification results are stored in an array of CERTValOutParam.
 // If |hard_fail| is true, and no policy_oids are supplied (eg: EV is NOT being
 // checked), then the failure to obtain valid CRL/OCSP information for all
 // certificates that contain CRL/OCSP URLs will cause the certificate to be
 // treated as if it was revoked. Since failures may be caused by transient
 // network failures or by malicious attackers, in general, hard_fail should be
 // false.
 // If policy_oids is not NULL and num_policy_oids is positive, policies
 // are also checked.
 // additional_trust_anchors is an optional list of certificates that can be
 // trusted as anchors when building a certificate chain.
 // Caller must initialize cvout before calling this function.
 SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
                          bool check_revocation,
                          bool hard_fail,
                          bool cert_io_enabled,
                          const SECOidTag* policy_oids,
                          int num_policy_oids,
                          CERTCertList* additional_trust_anchors,
                          CERTChainVerifyCallback* chain_verify_callback,
                          CERTValOutParam* cvout) {
   bool use_crl = check_revocation;
   bool use_ocsp = check_revocation;
 
-  PRUint64 revocation_method_flags =
-      CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
-      CERT_REV_M_ALLOW_NETWORK_FETCHING |
-      CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE |
-      CERT_REV_M_IGNORE_MISSING_FRESH_INFO |
-      CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
+  PRUint64 revocation_method_flags = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
+                                     CERT_REV_M_ALLOW_NETWORK_FETCHING |
+                                     CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE |
+                                     CERT_REV_M_IGNORE_MISSING_FRESH_INFO |
+                                     CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
   PRUint64 revocation_method_independent_flags =
       CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
   if (check_revocation && policy_oids && num_policy_oids > 0) {
     // EV verification requires revocation checking.  Consider the certificate
     // revoked if we don't have revocation info.
     // TODO(wtc): Add a bool parameter to expressly specify we're doing EV
     // verification or we want strict revocation flags.
     revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE;
     revocation_method_independent_flags |=
         CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
@@ skipping 38 matching lines @@
 
   revocation_flags.chainTests.number_of_defined_methods =
       arraysize(method_flags);
   revocation_flags.chainTests.cert_rev_flags_per_method = method_flags;
   revocation_flags.chainTests.number_of_preferred_methods =
       arraysize(preferred_revocation_methods);
   revocation_flags.chainTests.preferred_methods = preferred_revocation_methods;
   revocation_flags.chainTests.cert_rev_method_independent_flags =
       revocation_method_independent_flags;
 
-
   std::vector<CERTValInParam> cvin;
   cvin.reserve(7);
   CERTValInParam in_param;
   in_param.type = cert_pi_revocationFlags;
   in_param.value.pointer.revocation = &revocation_flags;
   cvin.push_back(in_param);
   if (policy_oids && num_policy_oids > 0) {
     in_param.type = cert_pi_policyOID;
     in_param.value.arraySize = num_policy_oids;
     in_param.value.array.oids = policy_oids;
     cvin.push_back(in_param);
   }
   if (additional_trust_anchors) {
     in_param.type = cert_pi_trustAnchors;
     in_param.value.pointer.chain = additional_trust_anchors;
     cvin.push_back(in_param);
     in_param.type = cert_pi_useOnlyTrustAnchors;
     in_param.value.scalar.b = PR_FALSE;
     cvin.push_back(in_param);
   }
   if (chain_verify_callback) {
     in_param.type = cert_pi_chainVerifyCallback;
     in_param.value.pointer.chainVerifyCallback = chain_verify_callback;
     cvin.push_back(in_param);
   }
   in_param.type = cert_pi_end;
   cvin.push_back(in_param);
 
-  SECStatus rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
-                                     &cvin[0], cvout, NULL);
+  SECStatus rv = CERT_PKIXVerifyCert(
+      cert_handle, certificateUsageSSLServer, &cvin[0], cvout, NULL);
   if (rv != SECSuccess) {
-    rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids,
-                                            cert_io_enabled, &cvin, cvout);
+    rv = RetryPKIXVerifyCertWithWorkarounds(
+        cert_handle, num_policy_oids, cert_io_enabled, &cvin, cvout);
   }
   return rv;
 }
 
 // PKIXVerifyCert calls this function to work around some bugs in
 // CERT_PKIXVerifyCert.  All the arguments of this function are either the
 // arguments or local variables of PKIXVerifyCert.
-SECStatus RetryPKIXVerifyCertWithWorkarounds(
-    CERTCertificate* cert_handle, int num_policy_oids,
-    bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
-    CERTValOutParam* cvout) {
+SECStatus RetryPKIXVerifyCertWithWorkarounds(CERTCertificate* cert_handle,
+                                             int num_policy_oids,
+                                             bool cert_io_enabled,
+                                             std::vector<CERTValInParam>* cvin,
+                                             CERTValOutParam* cvout) {
   // We call this function when the first CERT_PKIXVerifyCert call in
   // PKIXVerifyCert failed,  so we initialize |rv| to SECFailure.
   SECStatus rv = SECFailure;
   int nss_error = PORT_GetError();
   CERTValInParam in_param;
 
   // If we get SEC_ERROR_UNKNOWN_ISSUER, we may be missing an intermediate
   // CA certificate, so we retry with cert_pi_useAIACertFetch.
   // cert_pi_useAIACertFetch has several bugs in its error handling and
   // error reporting (NSS bug 528743), so we don't use it by default.
   // Note: When building a certificate chain, CERT_PKIXVerifyCert may
   // incorrectly pick a CA certificate with the same subject name as the
   // missing intermediate CA certificate, and  fail with the
   // SEC_ERROR_BAD_SIGNATURE error (NSS bug 524013), so we also retry with
   // cert_pi_useAIACertFetch on SEC_ERROR_BAD_SIGNATURE.
-  if (cert_io_enabled &&
-      (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
-       nss_error == SEC_ERROR_BAD_SIGNATURE)) {
-    DCHECK_EQ(cvin->back().type,  cert_pi_end);
+  if (cert_io_enabled && (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
+                          nss_error == SEC_ERROR_BAD_SIGNATURE)) {
+    DCHECK_EQ(cvin->back().type, cert_pi_end);
     cvin->pop_back();
     in_param.type = cert_pi_useAIACertFetch;
     in_param.value.scalar.b = PR_TRUE;
     cvin->push_back(in_param);
     in_param.type = cert_pi_end;
     cvin->push_back(in_param);
-    rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
-                             &(*cvin)[0], cvout, NULL);
+    rv = CERT_PKIXVerifyCert(
+        cert_handle, certificateUsageSSLServer, &(*cvin)[0], cvout, NULL);
     if (rv == SECSuccess)
       return rv;
     int new_nss_error = PORT_GetError();
     if (new_nss_error == SEC_ERROR_INVALID_ARGS ||
         new_nss_error == SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE ||
         new_nss_error == SEC_ERROR_BAD_INFO_ACCESS_LOCATION ||
         new_nss_error == SEC_ERROR_BAD_HTTP_RESPONSE ||
         new_nss_error == SEC_ERROR_BAD_LDAP_RESPONSE ||
         !IS_SEC_ERROR(new_nss_error)) {
       // Use the original error code because of cert_pi_useAIACertFetch's
       // bad error reporting.
       PORT_SetError(nss_error);
       return rv;
     }
     nss_error = new_nss_error;
   }
 
   // If an intermediate CA certificate has requireExplicitPolicy in its
   // policyConstraints extension, CERT_PKIXVerifyCert fails with
   // SEC_ERROR_POLICY_VALIDATION_FAILED because we didn't specify any
   // certificate policy (NSS bug 552775).  So we retry with the certificate
   // policy found in the server certificate.
-  if (nss_error == SEC_ERROR_POLICY_VALIDATION_FAILED &&
-      num_policy_oids == 0) {
+  if (nss_error == SEC_ERROR_POLICY_VALIDATION_FAILED && num_policy_oids == 0) {
     SECOidTag policy = GetFirstCertPolicy(cert_handle);
     if (policy != SEC_OID_UNKNOWN) {
-      DCHECK_EQ(cvin->back().type,  cert_pi_end);
+      DCHECK_EQ(cvin->back().type, cert_pi_end);
       cvin->pop_back();
       in_param.type = cert_pi_policyOID;
       in_param.value.arraySize = 1;
       in_param.value.array.oids = &policy;
       cvin->push_back(in_param);
       in_param.type = cert_pi_end;
       cvin->push_back(in_param);
-      rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
-                               &(*cvin)[0], cvout, NULL);
+      rv = CERT_PKIXVerifyCert(
+          cert_handle, certificateUsageSSLServer, &(*cvin)[0], cvout, NULL);
       if (rv != SECSuccess) {
         // Use the original error code.
         PORT_SetError(nss_error);
       }
     }
   }
 
   return rv;
 }
 
 // Decodes the certificatePolicies extension of the certificate.  Returns
 // NULL if the certificate doesn't have the extension or the extension can't
 // be decoded.  The returned value must be freed with a
 // CERT_DestroyCertificatePoliciesExtension call.
-CERTCertificatePolicies* DecodeCertPolicies(
-    CERTCertificate* cert_handle) {
+CERTCertificatePolicies* DecodeCertPolicies(CERTCertificate* cert_handle) {
   SECItem policy_ext;
-  SECStatus rv = CERT_FindCertExtension(cert_handle,
-                                        SEC_OID_X509_CERTIFICATE_POLICIES,
-                                        &policy_ext);
+  SECStatus rv = CERT_FindCertExtension(
+      cert_handle, SEC_OID_X509_CERTIFICATE_POLICIES, &policy_ext);
   if (rv != SECSuccess)
     return NULL;
   CERTCertificatePolicies* policies =
       CERT_DecodeCertificatePoliciesExtension(&policy_ext);
   SECITEM_FreeItem(&policy_ext, PR_FALSE);
   return policies;
 }
 
 // Returns the OID tag for the first certificate policy in the certificate's
 // certificatePolicies extension.  Returns SEC_OID_UNKNOWN if the certificate
@@ skipping 22 matching lines @@
   od.mechanism = CKM_INVALID_MECHANISM;
   od.supportedExtension = INVALID_CERT_EXTENSION;
   return SECOID_AddEntry(&od);
 }
 
 HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
   HashValue hash(HASH_VALUE_SHA1);
 #if defined(OS_IOS)
   CC_SHA1(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
 #else
-  SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
-                              cert->derPublicKey.data, cert->derPublicKey.len);
+  SECStatus rv = HASH_HashBuf(HASH_AlgSHA1,
+                              hash.data(),
+                              cert->derPublicKey.data,
+                              cert->derPublicKey.len);
   DCHECK_EQ(SECSuccess, rv);
 #endif
   return hash;
 }
 
 HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
   HashValue hash(HASH_VALUE_SHA256);
 #if defined(OS_IOS)
   CC_SHA256(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
 #else
-  SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
-                              cert->derPublicKey.data, cert->derPublicKey.len);
+  SECStatus rv = HASH_HashBuf(HASH_AlgSHA256,
+                              hash.data(),
+                              cert->derPublicKey.data,
+                              cert->derPublicKey.len);
   DCHECK_EQ(rv, SECSuccess);
 #endif
   return hash;
 }
 
 void AppendPublicKeyHashes(CERTCertList* cert_list,
                            CERTCertificate* root_cert,
                            HashValueVector* hashes) {
   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
        !CERT_LIST_END(node, cert_list);
@@ skipping 57 matching lines @@
   cvout[cvout_index].value.pointer.chain = NULL;
   int cvout_cert_list_index = cvout_index;
   cvout_index++;
   cvout[cvout_index].type = cert_po_trustAnchor;
   cvout[cvout_index].value.pointer.cert = NULL;
   int cvout_trust_anchor_index = cvout_index;
   cvout_index++;
   cvout[cvout_index].type = cert_po_end;
   ScopedCERTValOutParam scoped_cvout(cvout);
 
-  SECStatus status = PKIXVerifyCert(
-      cert_handle,
-      rev_checking_enabled,
-      true, /* hard fail is implied in EV. */
-      flags & CertVerifier::VERIFY_CERT_IO_ENABLED,
-      &ev_policy_oid,
-      1,
-      additional_trust_anchors,
-      chain_verify_callback,
-      cvout);
+  SECStatus status =
+      PKIXVerifyCert(cert_handle,
+                     rev_checking_enabled,
+                     true, /* hard fail is implied in EV. */
+                     flags & CertVerifier::VERIFY_CERT_IO_ENABLED,
+                     &ev_policy_oid,
+                     1,
+                     additional_trust_anchors,
+                     chain_verify_callback,
+                     cvout);
   if (status != SECSuccess)
     return false;
 
-  CERTCertificate* root_ca =
-      cvout[cvout_trust_anchor_index].value.pointer.cert;
+  CERTCertificate* root_ca = cvout[cvout_trust_anchor_index].value.pointer.cert;
   if (root_ca == NULL)
     return false;
 
   // This second PKIXVerifyCert call could have found a different certification
   // path and one or more of the certificates on this new path, that weren't on
   // the old path, might have been revoked.
   if (crl_set) {
     CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
         cvout[cvout_cert_list_index].value.pointer.chain,
         cvout[cvout_trust_anchor_index].value.pointer.cert,
         crl_set);
     if (crl_set_result == kCRLSetRevoked)
       return false;
   }
 
 #if defined(OS_IOS)
   SHA1HashValue fingerprint = x509_util_ios::CalculateFingerprintNSS(root_ca);
 #else
-  SHA1HashValue fingerprint =
-      X509Certificate::CalculateFingerprint(root_ca);
+  SHA1HashValue fingerprint = X509Certificate::CalculateFingerprint(root_ca);
 #endif
   return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid);
 }
 
 CERTCertList* CertificateListToCERTCertList(const CertificateList& list) {
   CERTCertList* result = CERT_NewCertList();
   for (size_t i = 0; i < list.size(); ++i) {
 #if defined(OS_IOS)
     // X509Certificate::os_cert_handle() on iOS is a SecCertificateRef; convert
     // it to an NSS CERTCertificate.
     CERTCertificate* cert = x509_util_ios::CreateNSSCertHandleFromOSHandle(
         list[i]->os_cert_handle());
 #else
     CERTCertificate* cert = list[i]->os_cert_handle();
 #endif
     CERT_AddCertToListTail(result, CERT_DupCertificate(cert));
   }
   return result;
 }
 
 }  // namespace
 
-CertVerifyProcNSS::CertVerifyProcNSS() {}
+CertVerifyProcNSS::CertVerifyProcNSS() {
+}
 
-CertVerifyProcNSS::~CertVerifyProcNSS() {}
+CertVerifyProcNSS::~CertVerifyProcNSS() {
+}
 
 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
   return true;
 }
 
 int CertVerifyProcNSS::VerifyInternalImpl(
     X509Certificate* cert,
     const std::string& hostname,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CERTChainVerifyCallback* chain_verify_callback,
     CertVerifyResult* verify_result) {
 #if defined(OS_IOS)
   // For iOS, the entire chain must be loaded into NSS's in-memory certificate
   // store.
   x509_util_ios::NSSCertChain scoped_chain(cert);
   CERTCertificate* cert_handle = scoped_chain.cert_handle();
 #else
   CERTCertificate* cert_handle = cert->os_cert_handle();
 #endif  // defined(OS_IOS)
 
   if (!cert->VerifyNameMatch(hostname,
                              &verify_result->common_name_fallback_used)) {
     verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
   }
 
   // Make sure that the cert is valid now.
-  SECCertTimeValidity validity = CERT_CheckCertValidTimes(
-      cert_handle, PR_Now(), PR_TRUE);
+  SECCertTimeValidity validity =
+      CERT_CheckCertValidTimes(cert_handle, PR_Now(), PR_TRUE);
   if (validity != secCertTimeValid)
     verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
 
   CERTValOutParam cvout[3];
   int cvout_index = 0;
   cvout[cvout_index].type = cert_po_certList;
   cvout[cvout_index].value.pointer.chain = NULL;
   int cvout_cert_list_index = cvout_index;
   cvout_index++;
   cvout[cvout_index].type = cert_po_trustAnchor;
   cvout[cvout_index].value.pointer.cert = NULL;
   int cvout_trust_anchor_index = cvout_index;
   cvout_index++;
   cvout[cvout_index].type = cert_po_end;
   ScopedCERTValOutParam scoped_cvout(cvout);
 
   EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
   SECOidTag ev_policy_oid = SEC_OID_UNKNOWN;
-  bool is_ev_candidate =
-      (flags & CertVerifier::VERIFY_EV_CERT) &&
-      IsEVCandidate(metadata, cert_handle, &ev_policy_oid);
+  bool is_ev_candidate = (flags & CertVerifier::VERIFY_EV_CERT) &&
+                         IsEVCandidate(metadata, cert_handle, &ev_policy_oid);
   bool cert_io_enabled = flags & CertVerifier::VERIFY_CERT_IO_ENABLED;
   bool check_revocation =
-      cert_io_enabled &&
-      (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
+      cert_io_enabled && (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
   if (check_revocation)
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 
   ScopedCERTCertList trust_anchors;
   if (!additional_trust_anchors.empty()) {
     trust_anchors.reset(
         CertificateListToCERTCertList(additional_trust_anchors));
   }
 
   SECStatus status = PKIXVerifyCert(cert_handle,
@@ skipping 70 matching lines @@
     }
     // |err| is not a certificate error.
     return MapSecurityError(err);
   }
 
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
   if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate) {
     check_revocation |=
-        crl_set_result != kCRLSetOk &&
-        cert_io_enabled &&
+        crl_set_result != kCRLSetOk && cert_io_enabled &&
         (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY);
     if (check_revocation)
       verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 
     if (VerifyEV(cert_handle,
                  flags,
                  crl_set,
                  check_revocation,
                  metadata,
                  ev_policy_oid,
@@ skipping 16 matching lines @@
   return VerifyInternalImpl(cert,
                             hostname,
                             flags,
                             crl_set,
                             additional_trust_anchors,
                             NULL,  // chain_verify_callback
                             verify_result);
 }
 
 }  // namespace net