From e6c4ef0db0d6db52b2179eb6ce9970f84b83cd67 Mon Sep 17 00:00:00 2001
From: "hawk@chromium.org"
Date: Fri, 16 Oct 2009 23:22:20 +0000
Subject: Enable Mac EV cert validation w/o requiring the user to explicitly enable revocation checking

BUG=none
TEST=https://www.paypal.com and other EV sites should have green text to the right of the lock icon in the address field
Review URL: http://codereview.chromium.org/283005

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29352 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/base/x509_certificate_mac.cc | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 9c1de5c..e5535fb 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -487,9 +487,10 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
 // kSecTrustResultRecoverableTrustFailure back from SecTrustEvaluate()
 // with one of a number of sub error codes indicating that revocation
 // checking did not occur. In that case, we'll set our own result to include
- // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION (note that this does not apply
- // to EV certificates, which always get revocation checks regardless of the
- // global settings).
+ // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION.
+ //
+ // NOTE: This does not apply to EV certificates, which always get
+ // revocation checks regardless of the global settings.
 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 CSSM_APPLE_TP_ACTION_DATA tp_action_data = { CSSM_APPLE_TP_ACTION_VERSION };
 tp_action_data.ActionFlags = CSSM_TP_ACTION_REQUIRE_REV_PER_CERT;
@@ -503,9 +504,6 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
 action_data_ref);
 if (status)
 return NetErrorFromOSStatus(status);
- } else {
- // EV requires revocation checking.
- flags &= ~VERIFY_EV_CERT;
 }

 // Verify the certificate. A non-zero result from SecTrustGetResult()
--
cgit v1.1
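Review bot: The new NOTE above `verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;` asserts that EV certificates always get revocation checks regardless of the global settings, but nothing in either hunk shows where that is enforced, and the second hunk removes the `flags &= ~VERIFY_EV_CERT;` fallback that used to withhold EV when revocation checking was off. The branch condition and the EV evaluation both lie outside the hunks, so this is inferred: if the platform skips or soft-fails the revocation lookup, a certificate could presumably still be reported as EV without any revocation result. I would have the comment name the mechanism, e.g. `// EV is only reported below when the EV policy evaluation obtained a revocation result; enforced by <function or policy that guarantees this>.`, and confirm that the EV path falls back to non-EV when no revocation response was received. The TEST line covers only the positive case; a case with an unreachable revocation responder would pin the fail-closed behaviour.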