Enable Mac EV cert validation w/o requiring the user to explicitly enable revocation checking

BUG=none
TEST=https://www.paypal.com and other EV sites should have green text to the right of the lock icon in the address field
Review URL: http://codereview.chromium.org/283005

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29352 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 4 insertions, 6 deletions

diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 9c1de5c..e5535fb 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -487,9 +487,10 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
     // kSecTrustResultRecoverableTrustFailure back from SecTrustEvaluate()
     // with one of a number of sub error codes indicating that revocation
     // checking did not occur. In that case, we'll set our own result to include
-    // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION (note that this does not apply
-    // to EV certificates, which always get revocation checks regardless of the
-    // global settings).
+    // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION.
+    //
+    // NOTE: This does not apply to EV certificates, which always get
+    // revocation checks regardless of the global settings.
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
     CSSM_APPLE_TP_ACTION_DATA tp_action_data = { CSSM_APPLE_TP_ACTION_VERSION };
     tp_action_data.ActionFlags = CSSM_TP_ACTION_REQUIRE_REV_PER_CERT;
@@ -503,9 +504,6 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
                                    action_data_ref);
     if (status)
       return NetErrorFromOSStatus(status);
-  } else {
-    // EV requires revocation checking.
-    flags &= ~VERIFY_EV_CERT;
   }
 
   // Verify the certificate. A non-zero result from SecTrustGetResult()