author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-13 23:38:44 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-13 23:38:44 +0000 |
commit | cb51aaaf4ea49d19a518c1620080a09205c6005b (patch) | |
tree | 5636300ec3ed273316c2f39274ad3eb0d425af19 /net/base | |
parent | 0e2a12d33776619983dd366daa41ceb6711d10bc (diff) | |
Address Alexei Volkov's comments on http://codereview.chromium.org/119026.
Patch by Fumitoshi Ukai.
R=alexei,wtc
BUG=http://crbug.com/10911
TEST=none
Review URL: http://codereview.chromium.org/164521
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23390 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/x509_certificate_nss.cc | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 9e41219..9a8b70c 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -60,6 +60,22 @@ class ScopedCERTCertList {
 DISALLOW_COPY_AND_ASSIGN(ScopedCERTCertList);
 };
+class ScopedCERTCertificatePolicies {
+ public:
+ explicit ScopedCERTCertificatePolicies(CERTCertificatePolicies* policies)
+ : policies_(policies) {}
+
+ ~ScopedCERTCertificatePolicies() {
+ if (policies_)
+ CERT_DestroyCertificatePoliciesExtension(policies_);
+ }
+
+ private:
+ CERTCertificatePolicies* policies_;
+
+ DISALLOW_COPY_AND_ASSIGN(ScopedCERTCertificatePolicies);
+};
+
 // ScopedCERTValOutParam manages destruction of values in the CERTValOutParam
 // array that cvout points to. cvout must be initialized as passed to
 // CERT_PKIXVerifyCert, so that the array must be terminated with
@@ -331,7 +347,8 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
 PRUint64 revocation_method_flags =
 CERT_REV_M_TEST_USING_THIS_METHOD |
 CERT_REV_M_ALLOW_NETWORK_FETCHING |
- CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE |
+ CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE |
+ CERT_REV_M_IGNORE_MISSING_FRESH_INFO |
 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
 PRUint64 revocation_method_independent_flags =
 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
@@ -352,9 +369,6 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
 method_flags[cert_revocation_method_crl] = revocation_method_flags;
 method_flags[cert_revocation_method_ocsp] = revocation_method_flags;
- // TODO(ukai): need to find out if we need to call OCSP-related NSS functions,
- // CERT_EnableOCSPChecking, CERT_DisableOCSPDefaultResponder and
- // CERT_SetOCSPFailureMode.
 CERTRevocationMethodIndex preferred_revocation_methods[1];
 preferred_revocation_methods[0] = cert_revocation_method_ocsp;
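Review bot: The new ScopedCERTCertificatePolicies class has no comment describing what it owns, unlike ScopedCERTValOutParam just below it. A one-line header such as `// Destroys the CERTCertificatePolicies it holds when it goes out of scope; NULL is allowed.` would document the contract the destructor implements. The wrapper exposes no accessor, so at its use site in CheckCertPolicies (the `@@ -412,6 +426,7 @@` hunk) the raw `policies` pointer is still dereferenced next to the scoped object; a comment there, `// scoped_policies frees |policies| on every return below.`, would make the ownership clear to the next reader.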
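Review bot: The revocation flags in PKIXVerifyCert now spell out best-effort checking without a comment that says so: `CERT_REV_M_IGNORE_MISSING_FRESH_INFO` lets verification continue when no fresh CRL or OCSP response can be obtained, so a revoked certificate is still accepted whenever the revocation source is unreachable. The following hunk also deletes the TODO about the OCSP-related NSS calls, which leaves the chosen policy unexplained in the code. I would add a comment above `revocation_method_flags`, for example `// Revocation checking is best-effort: missing fresh CRL/OCSP info is not treated as a failure.`, and note whether a hard-fail mode is intended later. The function starts and ends outside this hunk, so how the flags are consumed is not visible here.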
@@ -412,6 +426,7 @@ bool CheckCertPolicies(X509Certificate::OSCertHandle cert_handle,
 LOG(ERROR) << "Failed to decode certificate policy.";
 return false;
 }
+ ScopedCERTCertificatePolicies scoped_policies(policies);
 CERTPolicyInfo** policy_infos = policies->policyInfos;
 while (*policy_infos != NULL) {
 CERTPolicyInfo* policy_info = *policy_infos++;
@@ -522,9 +537,7 @@ int X509Certificate::Verify(const std::string& hostname,
 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp
 // and nsNSSCertHelper.cpp) to learn how to verify EV certificate.
-// TODO(wtc): We may be able to request cert_po_policyOID and just
-// check if any of the returned policies is the EV policy of the trust anchor.
-// Another possible optimization is that we get the trust anchor from
+// TODO(wtc): A possible optimization is that we get the trust anchor from
 // the first PKIXVerifyCert call. We look up the EV policy for the trust
 // anchor. If the trust anchor has no EV policy, we know the cert isn't EV.
 // Otherwise, we pass just that EV policy (as opposed to all the EV policies) |