authorhawk@chromium.org <hawk@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-16 00:05:41 +0000
committerhawk@chromium.org <hawk@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-16 00:05:41 +0000
commit9566343c2165c5823b33932ec836c58953ea4ecb (patch)
tree8fff55ed87ccef8a9106c81572f936743eed513d
parent426e871872cc12212843c3e2b457e86e2c7915b2 (diff)
Enable certificate revocation and EV certificate validation for Mac
BUG=13377,10910 TEST=none yet, awaiting another CL that hooks up the UI Review URL: http://codereview.chromium.org/209040 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29219 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/x509_certificate_mac.cc11
-rw-r--r--net/socket/ssl_client_socket_mac.cc6
2 files changed, 13 insertions, 4 deletions
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index d55a770..9c1de5c 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -124,14 +124,15 @@ int CertStatusFromOSStatus(OSStatus status) {
case CSSMERR_APPLETP_CRL_NOT_FOUND:
case CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK:
+ case CSSMERR_APPLETP_OCSP_UNAVAILABLE:
return CERT_STATUS_NO_REVOCATION_MECHANISM;
case CSSMERR_APPLETP_CRL_NOT_TRUSTED:
case CSSMERR_APPLETP_CRL_SERVER_DOWN:
case CSSMERR_APPLETP_CRL_NOT_VALID_YET:
case CSSMERR_APPLETP_NETWORK_FAILURE:
- case CSSMERR_APPLETP_OCSP_UNAVAILABLE:
case CSSMERR_APPLETP_OCSP_BAD_RESPONSE:
+ case CSSMERR_APPLETP_OCSP_NO_SIGNER:
case CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED:
case CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED:
case CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ:
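Review bot: Moving `CSSMERR_APPLETP_OCSP_UNAVAILABLE` into the `CERT_STATUS_NO_REVOCATION_MECHANISM` group makes an unreachable OCSP responder look the same as a certificate that names no revocation source. The later hunk in `X509Certificate::Verify` then clears that bit unconditionally, so the condition leaves no trace in `cert_status`. If this soft-fail behaviour is intended, state it at the case label, for example `// Grouped with "no mechanism" so an unreachable responder is non-fatal; the bit is masked in Verify().`, and consider logging the original status. The `return` for the second group of labels, where `CSSMERR_APPLETP_OCSP_NO_SIGNER` is added, lies outside the hunk, so that mapping cannot be confirmed here.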
@@ -574,7 +575,8 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
status_code_index < chain_info[index].NumStatusCodes;
++status_code_index) {
got_certificate_error = true;
- int cert_status = CertStatusFromOSStatus(cssm_result);
+ int cert_status = CertStatusFromOSStatus(
+ chain_info[index].StatusCodes[status_code_index]);
if (cert_status == CERT_STATUS_COMMON_NAME_INVALID) {
std::vector<std::string> names;
GetDNSNames(&names);
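Review bot: `got_certificate_error = true` is still set before the status code is mapped, so it is raised even for codes that map to `CERT_STATUS_NO_REVOCATION_MECHANISM`, which the next hunk masks out of `verify_result->cert_status`. How the flag is used lies outside the hunk, but if it gates a fallback error after the loop, a chain whose only status was masked could end up with neither the specific bit nor the fallback. Either set the flag after the mapping only for statuses that are kept, or document the choice with a comment such as `// Set even for statuses that Verify() masks out later.`. The loop and the rest of `Verify` start and end outside this hunk.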
@@ -607,6 +609,11 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
break;
}
+ // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
+ // compatible with Windows, which in turn implements this behavior to be
+ // compatible with WinHTTP, which doesn't report this error (bug 3004).
+ verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
+
if (IsCertStatusError(verify_result->cert_status))
return MapCertStatusToNetError(verify_result->cert_status);
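Review bot: Clearing `CERT_STATUS_NO_REVOCATION_MECHANISM` after all status bits are collected makes a chain whose revocation state could not be determined look identical to one that was checked. `VERIFY_EV_CERT` is now passed in from the socket, so an EV indication should be withheld in that case. The EV decision is not visible in this hunk, but if it is made earlier in `Verify`, a guard ahead of the mask would keep the two consistent: `if (verify_result->cert_status & CERT_STATUS_NO_REVOCATION_MECHANISM) verify_result->cert_status &= ~CERT_STATUS_IS_EV;`. The TODO should also say when the suppression can be removed, and that the mask applies whether or not `VERIFY_REV_CHECKING_ENABLED` is set in `flags`.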
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 1a0c6a5..9eef727 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -635,9 +635,11 @@ int SSLClientSocketMac::DoVerifyCert() {
if (!server_cert_)
return ERR_UNEXPECTED;
- // TODO(hawk): set flags based on the SSLConfig, once SSLConfig is
- // fully fleshed out on Mac OS X.
int flags = 0;
+ if (ssl_config_.rev_checking_enabled)
+ flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
+ if (ssl_config_.verify_ev_cert)
+ flags |= X509Certificate::VERIFY_EV_CERT;
verifier_.reset(new CertVerifier);
return verifier_->Verify(server_cert_, hostname_, flags,
&server_cert_verify_result_, &io_callback_);