From 51523f50c70d7732bc2634fd469badc8c66f60b0 Mon Sep 17 00:00:00 2001 From: "agl@chromium.org" Date: Wed, 31 Jul 2013 21:57:28 +0000 Subject: Perform online revocation checks when EV certificates aren't covered by a fresh CRLSet. Previously a fresh CRLSet was sufficient to suppress online revocation checking for EV certificates because we aimed to have full EV coverage in the CRLSet. With this change, we'll only suppress online revocation checking for EV certificates when a fresh CRLSet actually covers the chain in question. We determine coverage by seeing if the CRLSet contains the issuer SPKI. There are no changes to the OS X certificate code as I believe that OS X already does online revocation checking for EV certs no matter what we do in Chrome. BUG=none Review URL: https://chromiumcodereview.appspot.com/11260018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@214825 0039d316-1c4b-4281-b951-d872f2087c98 --- net/test/spawned_test_server/base_test_server.cc | 7 +++++++ net/test/spawned_test_server/base_test_server.h | 4 ++++ 2 files changed, 11 insertions(+) (limited to 'net/test/spawned_test_server') diff --git a/net/test/spawned_test_server/base_test_server.cc b/net/test/spawned_test_server/base_test_server.cc index bf38b4e..fc586fd 100644 --- a/net/test/spawned_test_server/base_test_server.cc +++ b/net/test/spawned_test_server/base_test_server.cc @@ -56,6 +56,7 @@ void GetCiphersList(int cipher, base::ListValue* values) { BaseTestServer::SSLOptions::SSLOptions() : server_certificate(CERT_OK), ocsp_status(OCSP_OK), + cert_serial(0), request_client_certificate(false), bulk_ciphers(SSLOptions::BULK_CIPHER_ANY), record_resume(false), @@ -64,6 +65,8 @@ BaseTestServer::SSLOptions::SSLOptions() BaseTestServer::SSLOptions::SSLOptions( BaseTestServer::SSLOptions::ServerCertificate cert) : server_certificate(cert), + ocsp_status(OCSP_OK), + cert_serial(0), request_client_certificate(false), bulk_ciphers(SSLOptions::BULK_CIPHER_ANY), record_resume(false), @@ -375,6 +378,10 @@ bool BaseTestServer::GenerateArguments(base::DictionaryValue* arguments) const { if (!ocsp_arg.empty()) arguments->SetString("ocsp", ocsp_arg); + if (ssl_options_.cert_serial != 0) + arguments->Set("cert-serial", + base::Value::CreateIntegerValue(ssl_options_.cert_serial)); + // Check bulk cipher argument. scoped_ptr bulk_cipher_values(new base::ListValue()); GetCiphersList(ssl_options_.bulk_ciphers, bulk_cipher_values.get()); diff --git a/net/test/spawned_test_server/base_test_server.h b/net/test/spawned_test_server/base_test_server.h index 9691f5d..289c76b 100644 --- a/net/test/spawned_test_server/base_test_server.h +++ b/net/test/spawned_test_server/base_test_server.h @@ -120,6 +120,10 @@ class BaseTestServer { // response returned. OCSPStatus ocsp_status; + // If not zero, |serial| will be the serial number of the auto-generated + // leaf certificate when |server_certificate==CERT_AUTO|. + uint64 cert_serial; + // True if a CertificateRequest should be sent to the client during // handshaking. bool request_client_certificate; -- cgit v1.1