From 9566343c2165c5823b33932ec836c58953ea4ecb Mon Sep 17 00:00:00 2001
From: "hawk@chromium.org"
 <hawk@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Fri, 16 Oct 2009 00:05:41 +0000
Subject: Enable certificate revocation and EV certificate validation for Mac
 BUG=13377,10910 TEST=none yet, awaiting another CL that hooks up the UI
 Review URL: http://codereview.chromium.org/209040

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29219 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/base/x509_certificate_mac.cc | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)


diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index d55a770..9c1de5c 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -124,14 +124,15 @@ int CertStatusFromOSStatus(OSStatus status) {
 
     case CSSMERR_APPLETP_CRL_NOT_FOUND:
     case CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK:
+    case CSSMERR_APPLETP_OCSP_UNAVAILABLE:
       return CERT_STATUS_NO_REVOCATION_MECHANISM;
 
     case CSSMERR_APPLETP_CRL_NOT_TRUSTED:
     case CSSMERR_APPLETP_CRL_SERVER_DOWN:
     case CSSMERR_APPLETP_CRL_NOT_VALID_YET:
     case CSSMERR_APPLETP_NETWORK_FAILURE:
-    case CSSMERR_APPLETP_OCSP_UNAVAILABLE:
     case CSSMERR_APPLETP_OCSP_BAD_RESPONSE:
+    case CSSMERR_APPLETP_OCSP_NO_SIGNER:
     case CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED:
     case CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED:
     case CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ:
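Review bot: Moving `CSSMERR_APPLETP_OCSP_UNAVAILABLE` into the `CERT_STATUS_NO_REVOCATION_MECHANISM` group conflates a certificate that names no revocation source with one whose OCSP responder could not be reached, and the last hunk of this commit clears that bit unconditionally in `Verify`. The combined effect is that an unreachable responder leaves no trace in `cert_status`, so anything on the network path that drops OCSP traffic makes the revocation check pass silently. If that soft-fail behaviour is intended, say so at the case label, e.g. `// Responder unreachable: reported as "no mechanism" and suppressed in Verify() (soft-fail).`; otherwise leave the case in the lower group. The switch continues past the end of this hunk, so the status returned for the lower group is not visible here.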
@@ -574,7 +575,8 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
              status_code_index < chain_info[index].NumStatusCodes;
              ++status_code_index) {
           got_certificate_error = true;
-          int cert_status = CertStatusFromOSStatus(cssm_result);
+          int cert_status = CertStatusFromOSStatus(
+              chain_info[index].StatusCodes[status_code_index]);
           if (cert_status == CERT_STATUS_COMMON_NAME_INVALID) {
             std::vector<std::string> names;
             GetDNSNames(&names);
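Review bot: The corrected call to `CertStatusFromOSStatus` has no comment explaining why the per-certificate code is mapped rather than `cssm_result`, which is exactly the confusion this line fixes, and the commit message says there is no test yet. A one-line comment above it would guard against a regression: `// Map this certificate's own status code; cssm_result is only the overall evaluation result.` That reading of `cssm_result` is inferred from the removed line, so confirm the wording against the rest of the function. The loop and `Verify` both start and end outside this hunk.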
@@ -607,6 +609,11 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
       break;
   }
 
+  // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
+  // compatible with Windows, which in turn implements this behavior to be
+  // compatible with WinHTTP, which doesn't report this error (bug 3004).
+  verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
+
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
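Review bot: The added mask on `verify_result->cert_status` runs on every call, whatever `flags` requests, so a caller that explicitly asked for revocation checking or EV validation also loses the `CERT_STATUS_NO_REVOCATION_MECHANISM` bit. Whether EV status is decided before or after this line is not visible in the hunk; if it is after, a chain whose revocation state was never established could still be reported as EV. Consider applying the mask only when the revocation-checking bit in `flags` is clear, or at least logging the pre-mask status so the dropped condition stays observable. The TODO should also state when the suppression can be removed, not only why it exists. `Verify` begins well before this hunk.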