Diffstat (limited to 'net')
-rw-r--r--net/base/x509_certificate_mac.cc11
-rw-r--r--net/socket/ssl_client_socket_mac.cc6
2 files changed, 13 insertions, 4 deletions
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index d55a770..9c1de5c 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -124,14 +124,15 @@ int CertStatusFromOSStatus(OSStatus status) {
case CSSMERR_APPLETP_CRL_NOT_FOUND:
case CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK:
+ case CSSMERR_APPLETP_OCSP_UNAVAILABLE:
return CERT_STATUS_NO_REVOCATION_MECHANISM;
case CSSMERR_APPLETP_CRL_NOT_TRUSTED:
case CSSMERR_APPLETP_CRL_SERVER_DOWN:
case CSSMERR_APPLETP_CRL_NOT_VALID_YET:
case CSSMERR_APPLETP_NETWORK_FAILURE:
- case CSSMERR_APPLETP_OCSP_UNAVAILABLE:
case CSSMERR_APPLETP_OCSP_BAD_RESPONSE:
+ case CSSMERR_APPLETP_OCSP_NO_SIGNER:
case CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED:
case CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED:
case CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ:
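Review bot: Moving `CSSMERR_APPLETP_OCSP_UNAVAILABLE` into the `CERT_STATUS_NO_REVOCATION_MECHANISM` group makes an unreachable OCSP responder indistinguishable from a certificate that names no revocation source. The later hunk in `X509Certificate::Verify` clears that bit before the error check, so together this case appears to leave no status at all, and anyone on the network path who can block OCSP traffic gets the same result as a clean check. If that soft-fail is intended, record it at the case label, e.g. `// Responder unreachable: deliberately soft-fail; the bit is masked in Verify().` The return value of the second group and the rest of `CertStatusFromOSStatus` lie outside the hunk, so the exact status the case used to map to is inferred.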
@@ -574,7 +575,8 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
status_code_index < chain_info[index].NumStatusCodes;
++status_code_index) {
got_certificate_error = true;
- int cert_status = CertStatusFromOSStatus(cssm_result);
+ int cert_status = CertStatusFromOSStatus(
+ chain_info[index].StatusCodes[status_code_index]);
if (cert_status == CERT_STATUS_COMMON_NAME_INVALID) {
std::vector<std::string> names;
GetDNSNames(&names);
@@ -607,6 +609,11 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
break;
}
+ // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
+ // compatible with Windows, which in turn implements this behavior to be
+ // compatible with WinHTTP, which doesn't report this error (bug 3004).
+ verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
+
if (IsCertStatusError(verify_result->cert_status))
return MapCertStatusToNetError(verify_result->cert_status);
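Review bot: The mask on `verify_result->cert_status` is applied unconditionally, so a caller that set `VERIFY_REV_CHECKING_ENABLED` in `flags` can no longer tell from the result that revocation was never actually checked. The TODO gives the compatibility reason but not the consequence; I would extend it with `// Effect: missing CRL/OCSP data is a soft-fail and is not reported to the caller.` If an EV decision is derived from this status elsewhere (not visible here), it should be made before the bit is cleared or from a separate record of the revocation outcome. The body of `Verify` starts and ends outside the hunk.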
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 1a0c6a5..9eef727 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -635,9 +635,11 @@ int SSLClientSocketMac::DoVerifyCert() {
if (!server_cert_)
return ERR_UNEXPECTED;
- // TODO(hawk): set flags based on the SSLConfig, once SSLConfig is
- // fully fleshed out on Mac OS X.
int flags = 0;
+ if (ssl_config_.rev_checking_enabled)
+ flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
+ if (ssl_config_.verify_ev_cert)
+ flags |= X509Certificate::VERIFY_EV_CERT;
verifier_.reset(new CertVerifier);
return verifier_->Verify(server_cert_, hostname_, flags,
&server_cert_verify_result_, &io_callback_);