diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-07-31 21:57:28 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-07-31 21:57:28 +0000 |
| commit | 51523f50c70d7732bc2634fd469badc8c66f60b0 (patch) | |
| tree | adcb10aa17d7ada585728d574bb8e21ef3d05799 /net/test/spawned_test_server | |
| parent | f88077f5f1462ba372e579406d73f07630f38430 (diff) | |
| download | chromium_src-51523f50c70d7732bc2634fd469badc8c66f60b0.zip chromium_src-51523f50c70d7732bc2634fd469badc8c66f60b0.tar.gz chromium_src-51523f50c70d7732bc2634fd469badc8c66f60b0.tar.bz2 | |
Perform online revocation checks when EV certificates aren't covered by a fresh CRLSet.
Previously a fresh CRLSet was sufficient to suppress online revocation checking
for EV certificates because we aimed to have full EV coverage in the CRLSet.
With this change, we'll only suppress online revocation checking for EV
certificates when a fresh CRLSet actually covers the chain in question. We
determine coverage by seeing if the CRLSet contains the issuer SPKI.
There are no changes to the OS X certificate code as I believe that OS X
already does online revocation checking for EV certs no matter what we do in
Chrome.
BUG=none
Review URL: https://chromiumcodereview.appspot.com/11260018
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@214825 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/test/spawned_test_server')
| -rw-r--r-- | net/test/spawned_test_server/base_test_server.cc | 7 | ||||
| -rw-r--r-- | net/test/spawned_test_server/base_test_server.h | 4 |
2 files changed, 11 insertions, 0 deletions
diff --git a/net/test/spawned_test_server/base_test_server.cc b/net/test/spawned_test_server/base_test_server.cc index bf38b4e..fc586fd 100644 --- a/net/test/spawned_test_server/base_test_server.cc +++ b/net/test/spawned_test_server/base_test_server.cc @@ -56,6 +56,7 @@ void GetCiphersList(int cipher, base::ListValue* values) { BaseTestServer::SSLOptions::SSLOptions() : server_certificate(CERT_OK), ocsp_status(OCSP_OK), + cert_serial(0), request_client_certificate(false), bulk_ciphers(SSLOptions::BULK_CIPHER_ANY), record_resume(false), @@ -64,6 +65,8 @@ BaseTestServer::SSLOptions::SSLOptions() BaseTestServer::SSLOptions::SSLOptions( BaseTestServer::SSLOptions::ServerCertificate cert) : server_certificate(cert), + ocsp_status(OCSP_OK), + cert_serial(0), request_client_certificate(false), bulk_ciphers(SSLOptions::BULK_CIPHER_ANY), record_resume(false), @@ -375,6 +378,10 @@ bool BaseTestServer::GenerateArguments(base::DictionaryValue* arguments) const { if (!ocsp_arg.empty()) arguments->SetString("ocsp", ocsp_arg); + if (ssl_options_.cert_serial != 0) + arguments->Set("cert-serial", + base::Value::CreateIntegerValue(ssl_options_.cert_serial)); + // Check bulk cipher argument. scoped_ptr<base::ListValue> bulk_cipher_values(new base::ListValue()); GetCiphersList(ssl_options_.bulk_ciphers, bulk_cipher_values.get()); diff --git a/net/test/spawned_test_server/base_test_server.h b/net/test/spawned_test_server/base_test_server.h index 9691f5d..289c76b 100644 --- a/net/test/spawned_test_server/base_test_server.h +++ b/net/test/spawned_test_server/base_test_server.h @@ -120,6 +120,10 @@ class BaseTestServer { // response returned. OCSPStatus ocsp_status; + // If not zero, |serial| will be the serial number of the auto-generated + // leaf certificate when |server_certificate==CERT_AUTO|. + uint64 cert_serial; + // True if a CertificateRequest should be sent to the client during // handshaking. bool request_client_certificate; |