From 9566343c2165c5823b33932ec836c58953ea4ecb Mon Sep 17 00:00:00 2001
From: "hawk@chromium.org"
Date: Fri, 16 Oct 2009 00:05:41 +0000
Subject: Enable certificate revocation and EV certificate validation for Mac
BUG=13377,10910
TEST=none yet, awaiting aonther CL that hooks up the UI
Review URL: http://codereview.chromium.org/209040
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29219 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/base/x509_certificate_mac.cc | 11 +++++++++--
 net/socket/ssl_client_socket_mac.cc | 6 ++++--
 2 files changed, 13 insertions(+), 4 deletions(-)
(limited to 'net')
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index d55a770..9c1de5c 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -124,14 +124,15 @@ int CertStatusFromOSStatus(OSStatus status) {
     case CSSMERR_APPLETP_CRL_NOT_FOUND:
     case CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK:
+    case CSSMERR_APPLETP_OCSP_UNAVAILABLE:
       return CERT_STATUS_NO_REVOCATION_MECHANISM;
     case CSSMERR_APPLETP_CRL_NOT_TRUSTED:
     case CSSMERR_APPLETP_CRL_SERVER_DOWN:
     case CSSMERR_APPLETP_CRL_NOT_VALID_YET:
     case CSSMERR_APPLETP_NETWORK_FAILURE:
-    case CSSMERR_APPLETP_OCSP_UNAVAILABLE:
     case CSSMERR_APPLETP_OCSP_BAD_RESPONSE:
+    case CSSMERR_APPLETP_OCSP_NO_SIGNER:
     case CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED:
     case CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED:
     case CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ:
@@ -574,7 +575,8 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
          status_code_index < chain_info[index].NumStatusCodes;
          ++status_code_index) {
       got_certificate_error = true;
-      int cert_status = CertStatusFromOSStatus(cssm_result);
+      int cert_status = CertStatusFromOSStatus(
+          chain_info[index].StatusCodes[status_code_index]);
       if (cert_status == CERT_STATUS_COMMON_NAME_INVALID) {
         std::vector names;
         GetDNSNames(&names);
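Review bot: Moving `case CSSMERR_APPLETP_OCSP_UNAVAILABLE:` into the CERT_STATUS_NO_REVOCATION_MECHANISM group is more than a reclassification, because the `@@ -607` hunk in this same file clears that bit from `verify_result->cert_status` before IsCertStatusError() runs; a chain whose OCSP service could not be consulted (assuming that is what this OSStatus denotes) therefore stops surfacing any status at all, whereas before it shared a bucket with CSSMERR_APPLETP_NETWORK_FAILURE and CSSMERR_APPLETP_CRL_SERVER_DOWN, whose `return` is outside this hunk. If that interaction is intended, a comment on the new case label would save the next reader the cross-reference, e.g. `// Deliberately "no mechanism": Verify() currently masks this status out.`. The newly added `case CSSMERR_APPLETP_OCSP_NO_SIGNER:` falls into the group whose return statement is also outside the hunk, so the mapping it receives cannot be confirmed from the diff; naming it in the commit description or a comment would help.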
@@ -607,6 +609,11 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
       break;
   }
+  // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
+  // compatible with Windows, which in turn implements this behavior to be
+  // compatible with WinHTTP, which doesn't report this error (bug 3004).
+  verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
+
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 1a0c6a5..9eef727 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -635,9 +635,11 @@ int SSLClientSocketMac::DoVerifyCert() {
   if (!server_cert_)
     return ERR_UNEXPECTED;
-  // TODO(hawk): set flags based on the SSLConfig, once SSLConfig is
-  // fully fleshed out on Mac OS X.
   int flags = 0;
+  if (ssl_config_.rev_checking_enabled)
+    flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
+  if (ssl_config_.verify_ev_cert)
+    flags |= X509Certificate::VERIFY_EV_CERT;
   verifier_.reset(new CertVerifier);
   return verifier_->Verify(server_cert_, hostname_, flags,
                            &server_cert_verify_result_, &io_callback_);
-- 
cgit v1.1
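Review bot: The added `verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;` runs unconditionally, ignoring the `flags` parameter visible in Verify()'s signature, so a caller that passed VERIFY_REV_CHECKING_ENABLED (which the ssl_client_socket_mac.cc hunk now does when `ssl_config_.rev_checking_enabled` is set) gets no indication that revocation status could not be established. The TODO explains the Windows-parity motivation but not that the request flag is intentionally disregarded; I would extend it with `// This applies even when VERIFY_REV_CHECKING_ENABLED is set, so callers cannot distinguish "checked" from "no mechanism found".`, or alternatively apply the mask only when that flag is absent. Verify()'s body begins and ends outside this hunk, so whether `got_certificate_error` or any earlier return already depends on this bit cannot be confirmed here.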