From 20de5f80ed2d88557a6763a2abd2333ea7552ff9 Mon Sep 17 00:00:00 2001
From: "wtc@chromium.org"
 <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Mon, 17 Aug 2009 20:40:07 +0000
Subject: Disable OCSP until we have fixed the crash in OCSP code.  As a result
 our EV checks must fail because EV requires revocation checking.  (We aren't
 downloading CRLs yet.)

R=willchan
BUG=18907,10911
TEST=Visit EV websites such as https://www.paypal.com/ and
https://www.verisign.com/.  Chromium must not show the EV status because
it is not doing OCSP checks.
Review URL: http://codereview.chromium.org/172050

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23575 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/base/x509_certificate_nss.cc | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

(limited to 'net/base')

diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 9a8b70c..ff40deb 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -344,6 +344,10 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
                          const SECOidTag* policy_oids,
                          int num_policy_oids,
                          CERTValOutParam* cvout) {
+  // TODO(wtc): Disable OCSP until we track down the crash in OCSP code.
+  // See http://crbug.com/18907.
+  bool use_ocsp = false;
+
   PRUint64 revocation_method_flags =
       CERT_REV_M_TEST_USING_THIS_METHOD |
       CERT_REV_M_ALLOW_NETWORK_FETCHING |
@@ -357,6 +361,8 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
     // revoked if we don't have revocation info.
     // TODO(wtc): Add a bool parameter to expressly specify we're doing EV
     // verification or we want strict revocation flags.
+    if (!use_ocsp)
+      return SECFailure;  // No OCSP, no EV.
     revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE;
     revocation_method_independent_flags |=
         CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
@@ -369,12 +375,19 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
   method_flags[cert_revocation_method_crl] = revocation_method_flags;
   method_flags[cert_revocation_method_ocsp] = revocation_method_flags;
 
+  int number_of_defined_methods;
   CERTRevocationMethodIndex preferred_revocation_methods[1];
-  preferred_revocation_methods[0] = cert_revocation_method_ocsp;
+  if (use_ocsp) {
+    number_of_defined_methods = arraysize(method_flags);
+    preferred_revocation_methods[0] = cert_revocation_method_ocsp;
+  } else {
+    number_of_defined_methods = arraysize(method_flags) - 1;
+    preferred_revocation_methods[0] = cert_revocation_method_crl;
+  }
 
   CERTRevocationFlags revocation_flags;
   revocation_flags.leafTests.number_of_defined_methods =
-      arraysize(method_flags);
+      number_of_defined_methods;
   revocation_flags.leafTests.cert_rev_flags_per_method = method_flags;
   revocation_flags.leafTests.number_of_preferred_methods =
       arraysize(preferred_revocation_methods);
@@ -383,7 +396,7 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
       revocation_method_independent_flags;
 
   revocation_flags.chainTests.number_of_defined_methods =
-      arraysize(method_flags);
+      number_of_defined_methods;
   revocation_flags.chainTests.cert_rev_flags_per_method = method_flags;
   revocation_flags.chainTests.number_of_preferred_methods =
       arraysize(preferred_revocation_methods);
-- 
cgit v1.1