author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-06-05 19:34:46 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-06-05 19:34:46 +0000 |
commit | 89904504a55525eebbba9b1c8519fdfbef667255 (patch) | |
tree | e1804f32e427cd3b619b257bc71a2b10dd9285e1 /net/base | |
parent | 0e34d7893a17558b6520f853e63adc5e1cc4aa81 (diff) | |
Don't consider a certificate revoked if we don't have
fresh revocation status of the certificate.
We haven't written the code for NSS to use our network
stack to download CRLs or talk to OCSP responders, so NSS
doesn't have any revocation info.
R=agl,ukai
BUG=http://crbug.com/13336
TEST=none (requires a Linux system with NSS 3.12.3)
Review URL: http://codereview.chromium.org/118314
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17756 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/x509_certificate_nss.cc | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 733483a..4954cfd 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -392,15 +392,18 @@ int X509Certificate::Verify(const std::string& hostname,
 // We need to set up OCSP and install an HTTP client for NSS.
 bool use_ocsp = false;
+ // TODO(wtc): Use CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE and
+ // CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE for EV certificate
+ // verification.
 PRUint64 revocation_method_flags =
 CERT_REV_M_TEST_USING_THIS_METHOD |
 CERT_REV_M_ALLOW_NETWORK_FETCHING |
 CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE |
- CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE |
+ CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE |
 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
 PRUint64 revocation_method_independent_flags =
 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
- CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
+ CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT;
 PRUint64 method_flags[2];
 method_flags[cert_revocation_method_crl] = revocation_method_flags;
 method_flags[cert_revocation_method_ocsp] = revocation_method_flags; |
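Review bot: The new `CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE` and `CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT` flags make revocation checking fail open for every certificate, but the only comment added is a TODO about EV, so the trade-off is not recorded in the code. I would add a comment above `revocation_method_flags`, such as `// Soft-fail: when no CRL/OCSP info is available the certificate is treated as not revoked, because NSS has no HTTP client installed yet.` From the visible lines a caller cannot tell "checked and good" apart from "never checked". If the verify result has room for it, recording that no fresh revocation info was consulted would let EV or other strict paths refuse to rely on the result until the TODO is done. The body of `X509Certificate::Verify` starts and ends outside this hunk, so how the flags are consumed afterwards is not visible here.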