author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-24 19:27:25 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-24 19:27:25 +0000 |
commit | 2a1c0f32a8611defc5f0f5b9e4022efc1810c93f (patch) | |
tree | 1c06f4072e7d9c627c1019cdba05c0be2638098d /net/base | |
parent | c0b0188c34489ec29cd0f340de167fe5585c90c8 (diff) | |
Add code for enabling or disabling CRLs and OCSP correctly.
Previously we varied the number of elements in the method_flags
array to enable/disable OCSP. It turns out that's the wrong way.
Between CRLs and OCSP, we prefer OCSP.
R=ukai
BUG=http://crbug.com/10911
TEST=none
Review URL: http://codereview.chromium.org/174283
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@24126 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/x509_certificate_nss.cc | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index acf20e8..fd52608 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -350,8 +350,11 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
 const SECOidTag* policy_oids,
 int num_policy_oids,
 CERTValOutParam* cvout) {
+ bool use_crl = true;
+ bool use_ocsp = true;
+
 PRUint64 revocation_method_flags =
- CERT_REV_M_TEST_USING_THIS_METHOD |
+ CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
 CERT_REV_M_ALLOW_NETWORK_FETCHING |
 CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE |
 CERT_REV_M_IGNORE_MISSING_FRESH_INFO |
@@ -375,8 +378,21 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
 method_flags[cert_revocation_method_crl] = revocation_method_flags;
 method_flags[cert_revocation_method_ocsp] = revocation_method_flags;
+ if (use_crl) {
+ method_flags[cert_revocation_method_crl] |=
+ CERT_REV_M_TEST_USING_THIS_METHOD;
+ }
+ if (use_ocsp) {
+ method_flags[cert_revocation_method_ocsp] |=
+ CERT_REV_M_TEST_USING_THIS_METHOD;
+ }
+
 CERTRevocationMethodIndex preferred_revocation_methods[1];
- preferred_revocation_methods[0] = cert_revocation_method_ocsp;
+ if (use_ocsp) {
+ preferred_revocation_methods[0] = cert_revocation_method_ocsp;
+ } else {
+ preferred_revocation_methods[0] = cert_revocation_method_crl;
+ }
 CERTRevocationFlags revocation_flags;
 revocation_flags.leafTests.number_of_defined_methods = |
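Review bot: `use_crl` and `use_ocsp` at the top of PKIXVerifyCert (first hunk) are mutable locals fixed to `true`, so the disabled paths added later in the function can never execute and, with TEST=none, stay unexercised. Declaring them `const bool use_crl = true;` and `const bool use_ocsp = true;` with a comment such as `// TODO: take these from the caller's revocation-checking settings.` would make the intent explicit until they are plumbed through. A short comment beside the base flags would also help: as far as I read the NSS flag, `CERT_REV_M_IGNORE_MISSING_FRESH_INFO` keeps the check soft-fail, so an enabled method still passes when no fresh revocation data can be fetched. The function body starts and ends outside this hunk.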
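Review bot: When both `use_crl` and `use_ocsp` are false, the `else` branch in the second hunk still sets `preferred_revocation_methods[0] = cert_revocation_method_crl;`, naming as preferred a method whose flags were left at `CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD`. Whether NSS tolerates that depends on how `number_of_preferred_methods` is set, which happens outside this hunk and is not visible here. Either set that count to 0 in the both-off case, or, once the behaviour is confirmed, add a comment above the `if`, for example `// With both methods off the preferred entry is unused; nothing is tested.`. Documenting the both-off case matters because it turns revocation checking off entirely for the chain being verified.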