diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-07-31 21:57:28 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-07-31 21:57:28 +0000 |
| commit | 51523f50c70d7732bc2634fd469badc8c66f60b0 (patch) | |
| tree | adcb10aa17d7ada585728d574bb8e21ef3d05799 /net/tools | |
| parent | f88077f5f1462ba372e579406d73f07630f38430 (diff) | |
| download | chromium_src-51523f50c70d7732bc2634fd469badc8c66f60b0.zip chromium_src-51523f50c70d7732bc2634fd469badc8c66f60b0.tar.gz chromium_src-51523f50c70d7732bc2634fd469badc8c66f60b0.tar.bz2 | |
Perform online revocation checks when EV certificates aren't covered by a fresh CRLSet.
Previously a fresh CRLSet was sufficient to suppress online revocation checking
for EV certificates because we aimed to have full EV coverage in the CRLSet.
With this change, we'll only suppress online revocation checking for EV
certificates when a fresh CRLSet actually covers the chain in question. We
determine coverage by seeing if the CRLSet contains the issuer SPKI.
There are no changes to the OS X certificate code as I believe that OS X
already does online revocation checking for EV certs no matter what we do in
Chrome.
BUG=none
Review URL: https://chromiumcodereview.appspot.com/11260018
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@214825 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/tools')
| -rw-r--r-- | net/tools/testserver/minica.py | 6 | ||||
| -rwxr-xr-x | net/tools/testserver/testserver.py | 7 |
2 files changed, 10 insertions, 3 deletions
diff --git a/net/tools/testserver/minica.py b/net/tools/testserver/minica.py index bfe896f..2dd38ef 100644 --- a/net/tools/testserver/minica.py +++ b/net/tools/testserver/minica.py @@ -323,14 +323,16 @@ unauthorizedDER = '30030a0106'.decode('hex') def GenerateCertKeyAndOCSP(subject = "127.0.0.1", ocsp_url = "http://127.0.0.1", - ocsp_state = OCSP_STATE_GOOD): + ocsp_state = OCSP_STATE_GOOD, + serial = 0): '''GenerateCertKeyAndOCSP returns a (cert_and_key_pem, ocsp_der) where: * cert_and_key_pem contains a certificate and private key in PEM format with the given subject common name and OCSP URL. * ocsp_der contains a DER encoded OCSP response or None if ocsp_url is None''' - serial = RandomNumber(16) + if serial == 0: + serial = RandomNumber(16) cert_der = MakeCertificate(ISSUER_CN, bytes(subject), serial, KEY, KEY, bytes(ocsp_url)) cert_pem = DERToPEM(cert_der) diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py index 0857847..77a3142 100755 --- a/net/tools/testserver/testserver.py +++ b/net/tools/testserver/testserver.py @@ -1884,7 +1884,8 @@ class ServerRunner(testserver_base.TestServerRunner): subject = "127.0.0.1", ocsp_url = ("http://%s:%d/ocsp" % (host, self.__ocsp_server.server_port)), - ocsp_state = ocsp_state) + ocsp_state = ocsp_state, + serial = self.options.cert_serial) self.__ocsp_server.ocsp_response = ocsp_der @@ -2024,6 +2025,10 @@ class ServerRunner(testserver_base.TestServerRunner): help='The type of OCSP response generated ' 'for the automatically generated ' 'certificate. One of [ok,revoked,invalid]') + self.option_parser.add_option('--cert-serial', dest='cert_serial', + default=0, type=int, + help='If non-zero then the generated ' + 'certificate will have this serial number') self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant', default='0', type='int', help='If nonzero, certain TLS connections ' |