| Index: net/cert/cert_verify_proc_nss.cc
|
| diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
|
| index 27558f79d36a4a73e1010cf975d53357b083e47f..8357b78f249b55887701410509d8039ef1ea0471 100644
|
| --- a/net/cert/cert_verify_proc_nss.cc
|
| +++ b/net/cert/cert_verify_proc_nss.cc
|
| @@ -660,6 +660,7 @@ void AppendPublicKeyHashes(CERTCertList* cert_list,
|
| bool IsEVCandidate(EVRootCAMetadata* metadata,
|
| CERTCertificate* cert_handle,
|
| SECOidTag* ev_policy_oid) {
|
| + *ev_policy_oid = SEC_OID_UNKNOWN;
|
| DCHECK(cert_handle);
|
| ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle));
|
| if (!policies.get())
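Review bot: The added store `*ev_policy_oid = SEC_OID_UNKNOWN;` dereferences the out-parameter ahead of any check, while `cert_handle` gets a `DCHECK` on the very next line; a `DCHECK(ev_policy_oid);` before the store would keep the two arguments consistent. The function now overwrites the out-parameter on every path, including the early return for missing policies, so a caller can no longer rely on a value it set beforehand. That contract is worth stating above the function, for example `// On a false return, |*ev_policy_oid| is SEC_OID_UNKNOWN.` The body of IsEVCandidate continues past the end of this hunk.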
|
| @@ -674,11 +675,15 @@ bool IsEVCandidate(EVRootCAMetadata* metadata,
|
| continue;
|
| if (metadata->IsEVPolicyOID(policy_info->oid)) {
|
| *ev_policy_oid = policy_info->oid;
|
| - return true;
|
| +
|
| + // De-prioritize the CA/Browser forum Extended Validation policy
|
| + // (2.23.140.1.1). See crbug.com/705285.
|
| + if (!EVRootCAMetadata::IsCaBrowserForumEvOid(policy_info->oid))
|
| + break;
|
| }
|
| }
|
|
|
| - return false;
|
| + return *ev_policy_oid != SEC_OID_UNKNOWN;
|
| }
|
|
|
| // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp
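Review bot: The new final return infers "a match was found" from `*ev_policy_oid != SEC_OID_UNKNOWN`, which only holds if `metadata->IsEVPolicyOID()` can never accept `SEC_OID_UNKNOWN`. The `continue` at the top of the hunk looks like the guard for that, but its condition is outside the hunk and should be confirmed. The added comment gives the motivation but not the resulting rule, so consider wording such as `// Keep scanning: any other EV OID in the list wins; the CA/Browser Forum OID is used only if no other EV OID matches.` The chosen OID presumably decides which policy the later EV verification runs against, so a test with a certificate carrying both OIDs in either order would pin the behaviour down, if the change does not already include one. The loop itself starts above the hunk.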
|
|
|