From 51523f50c70d7732bc2634fd469badc8c66f60b0 Mon Sep 17 00:00:00 2001
From: "agl@chromium.org"
 <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed, 31 Jul 2013 21:57:28 +0000
Subject: Perform online revocation checks when EV certificates aren't covered
 by a fresh CRLSet.

Previously a fresh CRLSet was sufficient to suppress online revocation checking
for EV certificates because we aimed to have full EV coverage in the CRLSet.

With this change, we'll only suppress online revocation checking for EV
certificates when a fresh CRLSet actually covers the chain in question. We
determine coverage by seeing if the CRLSet contains the issuer SPKI.

There are no changes to the OS X certificate code as I believe that OS X
already does online revocation checking for EV certs no matter what we do in
Chrome.

BUG=none

Review URL: https://chromiumcodereview.appspot.com/11260018

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@214825 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/tools/testserver/minica.py     | 6 ++++--
 net/tools/testserver/testserver.py | 7 ++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

(limited to 'net/tools')

diff --git a/net/tools/testserver/minica.py b/net/tools/testserver/minica.py
index bfe896f..2dd38ef 100644
--- a/net/tools/testserver/minica.py
+++ b/net/tools/testserver/minica.py
@@ -323,14 +323,16 @@ unauthorizedDER = '30030a0106'.decode('hex')
 
 def GenerateCertKeyAndOCSP(subject = "127.0.0.1",
                            ocsp_url = "http://127.0.0.1",
-                           ocsp_state = OCSP_STATE_GOOD):
+                           ocsp_state = OCSP_STATE_GOOD,
+                           serial = 0):
   '''GenerateCertKeyAndOCSP returns a (cert_and_key_pem, ocsp_der) where:
        * cert_and_key_pem contains a certificate and private key in PEM format
          with the given subject common name and OCSP URL.
        * ocsp_der contains a DER encoded OCSP response or None if ocsp_url is
          None'''
 
-  serial = RandomNumber(16)
+  if serial == 0:
+    serial = RandomNumber(16)
   cert_der = MakeCertificate(ISSUER_CN, bytes(subject), serial, KEY, KEY,
                              bytes(ocsp_url))
   cert_pem = DERToPEM(cert_der)
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 0857847..77a3142 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -1884,7 +1884,8 @@ class ServerRunner(testserver_base.TestServerRunner):
               subject = "127.0.0.1",
               ocsp_url = ("http://%s:%d/ocsp" %
                   (host, self.__ocsp_server.server_port)),
-              ocsp_state = ocsp_state)
+              ocsp_state = ocsp_state,
+              serial = self.options.cert_serial)
 
           self.__ocsp_server.ocsp_response = ocsp_der
 
@@ -2024,6 +2025,10 @@ class ServerRunner(testserver_base.TestServerRunner):
                                   help='The type of OCSP response generated '
                                   'for the automatically generated '
                                   'certificate. One of [ok,revoked,invalid]')
+    self.option_parser.add_option('--cert-serial', dest='cert_serial',
+                                  default=0, type=int,
+                                  help='If non-zero then the generated '
+                                  'certificate will have this serial number')
     self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant',
                                   default='0', type='int',
                                   help='If nonzero, certain TLS connections '
-- 
cgit v1.1