1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_win.h" | 5 #include "net/cert/cert_verify_proc_win.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
935 if (policies_info.get()) { | 935 if (policies_info.get()) { |
936 EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance(); | 936 EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance(); |
937 for (DWORD i = 0; i < policies_info->cPolicyInfo; ++i) { | 937 for (DWORD i = 0; i < policies_info->cPolicyInfo; ++i) { |
938 LPSTR policy_oid = policies_info->rgPolicyInfo[i].pszPolicyIdentifier; | 938 LPSTR policy_oid = policies_info->rgPolicyInfo[i].pszPolicyIdentifier; |
939 if (metadata->IsEVPolicyOID(policy_oid)) { | 939 if (metadata->IsEVPolicyOID(policy_oid)) { |
940 ev_policy_oid = policy_oid; | 940 ev_policy_oid = policy_oid; |
941 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; | 941 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; |
942 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; | 942 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; |
943 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = | 943 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = |
944 &ev_policy_oid; | 944 &ev_policy_oid; |
945 break; | 945 |
| 946 // De-prioritize the CA/Browser forum Extended Validation policy |
| 947 // (2.23.140.1.1). See crbug.com/705285. |
| 948 if (!EVRootCAMetadata::IsCaBrowserForumEvOid(ev_policy_oid)) |
| 949 break; |
946 } | 950 } |
947 } | 951 } |
948 } | 952 } |
949 } | 953 } |
950 | 954 |
951 // Revocation checking is always enabled, in order to enable CRLSets to be | 955 // Revocation checking is always enabled, in order to enable CRLSets to be |
952 // evaluated as part of a revocation provider. However, when the caller did | 956 // evaluated as part of a revocation provider. However, when the caller did |
953 // not explicitly request revocation checking (which is to say, online | 957 // not explicitly request revocation checking (which is to say, online |
954 // revocation checking), then only enable cached results. This disables OCSP | 958 // revocation checking), then only enable cached results. This disables OCSP |
955 // and CRL fetching, but still allows the revocation provider to be called. | 959 // and CRL fetching, but still allows the revocation provider to be called. |
1208 return MapCertStatusToNetError(verify_result->cert_status); | 1212 return MapCertStatusToNetError(verify_result->cert_status); |
1209 | 1213 |
1210 if (ev_policy_oid && | 1214 if (ev_policy_oid && |
1211 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { | 1215 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { |
1212 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1216 verify_result->cert_status |= CERT_STATUS_IS_EV; |
1213 } | 1217 } |
1214 return OK; | 1218 return OK; |
1215 } | 1219 } |
1216 | 1220 |
1217 } // namespace net | 1221 } // namespace net |
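Review bot: The de-prioritisation at new lines 946-949 relies on the loop continuing so that a CA-specific EV OID appearing later in rgPolicyInfo overwrites `ev_policy_oid`, while the `break` on a CA-specific match means the first such OID wins; the comment only states the intent, not this mechanism, so I would extend it with `// Keep scanning: a later CA-specific EV OID overwrites ev_policy_oid, so the CA/B Forum OID is used only when no other EV OID is present.` Because `rgpszUsageIdentifier` is set to `&ev_policy_oid` (new lines 943-944), the overwrite is picked up without re-assigning the three `chain_para.RequestedIssuancePolicy` fields, so those assignments could be done once after the loop when `ev_policy_oid` is non-null instead of on every match. `ev_policy_oid` points into the `policies_info` buffer, which has to remain alive until the `CheckEV` call at new line 1215 that decides `CERT_STATUS_IS_EV`. The enclosing function begins and ends outside the visible hunks.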