Do not perform online revocation checking when the user has explicitly disabled it, except when verifying EV certificates for which no CRLSet is present or the CRLSet is not fresh.
This changes how EVRootMetaData exposes the EV information when NSS is used, in order to efficiently detect when a leaf certificate may be an EV certificate.
BUG=142815
TEST=Test modem enrollment on CrOS as described in chrome-os-partner:9087
Review URL: https://chromiumcodereview.appspot.com/10857020
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@152043 0039d316-1c4b-4281-b951-d872f2087c98
diff --git a/net/base/cert_verify_proc_mac.cc b/net/base/cert_verify_proc_mac.cc
index 49798b5a..2cbffef 100644
--- a/net/base/cert_verify_proc_mac.cc
+++ b/net/base/cert_verify_proc_mac.cc
@@ -157,6 +157,7 @@
// revocation preference.
status = x509_util::CreateRevocationPolicies(
(flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED),
+ (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY),
local_policies);
if (status)
return status;
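Review bot: The added argument hands `flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY` to `CreateRevocationPolicies` alongside the existing `VERIFY_REV_CHECKING_ENABLED` bit, but nothing at the call site says which one wins when a caller sets both, and the hunk does not show the helper. Only the tail of the explanatory comment above the call (`// revocation preference.`) is visible, so I would extend it with the precedence once confirmed against the helper, e.g. `// Full revocation checking takes precedence over EV-only checking when both flags are set.`. The enclosing function starts before and continues after this hunk.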
@@ -380,6 +381,8 @@
tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET |
CSSM_TP_ACTION_TRUST_SETTINGS;
+ // Note: For EV certificates, the Apple TP will handle setting these flags
+ // as part of EV evaluation.
if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) {
// Require a positive result from an OCSP responder or a CRL (or both)
// for every certificate in the chain. The Apple TP automatically
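Review bot: The added comment says the Apple TP "will handle setting these flags" without naming the flags or the trigger, and the condition right below it still tests only `VERIFY_REV_CHECKING_ENABLED`, so a reader cannot tell that the EV-only flag is deliberately left out of this branch rather than forgotten. I would state the intent directly: `// Note: VERIFY_REV_CHECKING_ENABLED_EV_ONLY is intentionally not tested here; when the EV policy is in effect, the Apple TP enables the per-certificate revocation requirements itself as part of EV evaluation.` This presumes the EV policy is added to the policy set elsewhere in this function, which the hunk does not show. The enclosing function begins and ends outside this hunk.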
@@ -564,6 +567,8 @@
if (CFDictionaryContainsKey(ev_dict,
kSecEVOrganizationName)) {
verify_result->cert_status |= CERT_STATUS_IS_EV;
+ if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY)
+ verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
}
}
}
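Review bot: The added lines set `CERT_STATUS_REV_CHECKING_ENABLED` purely from the request flag plus the presence of `kSecEVOrganizationName`, not from any evidence that the TP actually performed a revocation check, so the bit records an expectation about the TP's EV policy rather than an observed result. If a later step in this function, outside the hunk, can clear `CERT_STATUS_IS_EV` (for example when the chain does not end at a root Chromium recognises as EV), the revocation bit would survive that downgrade and should probably be cleared with it; worth confirming. At minimum a why-comment would help: `// The Apple TP checks revocation as part of EV evaluation, so report it as enabled when EV-only checking was requested and the result is EV.` The enclosing function begins and ends outside this hunk.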