authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-17 20:40:07 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-17 20:40:07 +0000
commit20de5f80ed2d88557a6763a2abd2333ea7552ff9 (patch)
tree0ec9aad22683e8ee7c4ab1b52238aff856f14a44 /net/base
parent373146206cd7820850332a61353ce3f57a4f0c07 (diff)
Disable OCSP until we have fixed the crash in OCSP code. As a result our
EV checks must fail because EV requires revocation checking. (We aren't downloading CRLs yet.) R=willchan BUG=18907,10911 TEST=Visit EV websites such as https://www.paypal.com/ and https://www.verisign.com/. Chromium must not show the EV status because it is not doing OCSP checks. Review URL: http://codereview.chromium.org/172050 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23575 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r--net/base/x509_certificate_nss.cc19
1 files changed, 16 insertions, 3 deletions
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 9a8b70c..ff40deb 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -344,6 +344,10 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
const SECOidTag* policy_oids,
int num_policy_oids,
CERTValOutParam* cvout) {
+ // TODO(wtc): Disable OCSP until we track down the crash in OCSP code.
+ // See http://crbug.com/18907.
+ bool use_ocsp = false;
+
PRUint64 revocation_method_flags =
CERT_REV_M_TEST_USING_THIS_METHOD |
CERT_REV_M_ALLOW_NETWORK_FETCHING |
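Review bot: The TODO on `use_ocsp` records the crash but not the security consequence of turning the switch off. With OCSP disabled, and CRLs not yet downloaded according to the commit description, non-EV verification in this function appears to proceed without any fresh revocation information. I would state that next to the flag, e.g. `// While false, no OCSP request is made; non-EV verification does not require revocation info, so a revoked cert may still verify.`, and declare it `const bool use_ocsp = false;` so it cannot be reassigned further down. The body of PKIXVerifyCert continues outside this hunk.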
@@ -357,6 +361,8 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
// revoked if we don't have revocation info.
// TODO(wtc): Add a bool parameter to expressly specify we're doing EV
// verification or we want strict revocation flags.
+ if (!use_ocsp)
+ return SECFailure; // No OCSP, no EV.
revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE;
revocation_method_independent_flags |=
CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
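Review bot: The early `return SECFailure;` under `if (!use_ocsp)` sets no NSS error code, so a caller that reads `PORT_GetError()` after the failure would see whatever an earlier call left behind. Setting one explicitly before returning, `PORT_SetError(/* error code the callers map for "EV not verifiable" */);`, keeps this bail-out distinguishable from a real chain or revocation failure. The guard also sits directly under a comment that describes the strict flags rather than the bail-out; a line such as `// EV requires fresh revocation info, which is unavailable without OCSP.` immediately above it would read more clearly. The enclosing condition starts outside this hunk, so I am assuming this path is reached only for EV policy checks.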
@@ -369,12 +375,19 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
method_flags[cert_revocation_method_crl] = revocation_method_flags;
method_flags[cert_revocation_method_ocsp] = revocation_method_flags;
+ int number_of_defined_methods;
CERTRevocationMethodIndex preferred_revocation_methods[1];
- preferred_revocation_methods[0] = cert_revocation_method_ocsp;
+ if (use_ocsp) {
+ number_of_defined_methods = arraysize(method_flags);
+ preferred_revocation_methods[0] = cert_revocation_method_ocsp;
+ } else {
+ number_of_defined_methods = arraysize(method_flags) - 1;
+ preferred_revocation_methods[0] = cert_revocation_method_crl;
+ }
CERTRevocationFlags revocation_flags;
revocation_flags.leafTests.number_of_defined_methods =
- arraysize(method_flags);
+ number_of_defined_methods;
revocation_flags.leafTests.cert_rev_flags_per_method = method_flags;
revocation_flags.leafTests.number_of_preferred_methods =
arraysize(preferred_revocation_methods);
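Review bot: `arraysize(method_flags) - 1` excludes OCSP only because `cert_revocation_method_ocsp` is presumably the last index of `method_flags`. Nothing in the hunk says so, and a reorder or a third method would silently drop the wrong entry from revocation checking. Deriving the count from the enum, `number_of_defined_methods = cert_revocation_method_crl + 1;`, or adding `// OCSP is the last entry in method_flags; excluding it leaves only CRL.` makes the dependency explicit. `number_of_defined_methods` is also declared as an uninitialized `int` and then receives an `arraysize()` result; initializing it at the declaration with the type of the `number_of_defined_methods` field would avoid the implicit conversion. The same variable feeds `chainTests` in the following hunk.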
@@ -383,7 +396,7 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
revocation_method_independent_flags;
revocation_flags.chainTests.number_of_defined_methods =
- arraysize(method_flags);
+ number_of_defined_methods;
revocation_flags.chainTests.cert_rev_flags_per_method = method_flags;
revocation_flags.chainTests.number_of_preferred_methods =
arraysize(preferred_revocation_methods);