net: fallback to online revocation checks for EV status when CRLSet has expired.

net/base/x509_certificate_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <blapi.h>  // Implement CalculateChainFingerprint() with NSS.
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
@@ skipping 480 matching lines @@
     if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
       result = crl_set->CheckSerial(serial, issuer_spki_hash);
 
     issuer_spki_hash = spki_hash;
 
     switch (result) {
       case CRLSet::REVOKED:
         return false;
       case CRLSet::UNKNOWN:
       case CRLSet::GOOD:
-      case CRLSet::CRL_SET_EXPIRED:

[wtc, 2012/03/16 00:33:10]

Removing this case means we will hit the NOTREACHED() assertion
for CRLSet::CRL_SET_EXPIRED.  I guess this is because
we won't use an expired CRLSet?

[wtc, 2012/03/16 00:34:13]

Please ignore this comment.  I forgot to remove it.

         continue;
       default:
         NOTREACHED();
         continue;
     }
   }
 
   return true;
 }
 
@@ skipping 211 matching lines @@
     szOID_SERVER_GATED_CRYPTO,
     szOID_SGC_NETSCAPE
   };
   chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
   chain_para.RequestedUsage.Usage.cUsageIdentifier = arraysize(usage);
   chain_para.RequestedUsage.Usage.rgpszUsageIdentifier =
       const_cast<LPSTR*>(usage);
   // We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.
   DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT |
                       CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
-  if (flags & VERIFY_REV_CHECKING_ENABLED) {
+  const bool rev_checking_enabled = flags & VERIFY_REV_CHECKING_ENABLED;
+
+  if (rev_checking_enabled) {
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
   } else {
     chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
   }
 
   // Get the certificatePolicies extension of the certificate.
   scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info;
   LPSTR ev_policy_oid = NULL;
   if (flags & VERIFY_EV_CERT) {
     GetCertPoliciesInfo(cert_handle_, &policies_info);
@@ skipping 164 matching lines @@
     // statuses from the offline checks so we squash this error.
     verify_result->cert_status &= ~CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
   }
 
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
   AppendPublicKeyHashes(chain_context, &verify_result->public_key_hashes);
   verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context);
 
-  if (ev_policy_oid && CheckEV(chain_context, flags, ev_policy_oid))
+  if (ev_policy_oid &&
+      CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
+  }
   return OK;
 }
 
 // static
 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
                                     std::string* encoded) {
   if (!cert_handle->pbCertEncoded || !cert_handle->cbCertEncoded)
     return false;
   encoded->assign(reinterpret_cast<char*>(cert_handle->pbCertEncoded),
                   cert_handle->cbCertEncoded);
   return true;
 }
 
 // Returns true if the certificate is an extended-validation certificate.
 //
 // This function checks the certificatePolicies extensions of the
 // certificates in the certificate chain according to Section 7 (pp. 11-12)
 // of the EV Certificate Guidelines Version 1.0 at
 // http://cabforum.org/EV_Certificate_Guidelines.pdf.
 bool X509Certificate::CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
-                              int flags,
+                              bool rev_checking_enabled,
                               const char* policy_oid) const {
   DCHECK_NE(static_cast<DWORD>(0), chain_context->cChain);
   // If the cert doesn't match any of the policies, the
   // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in
   // chain_context->TrustStatus.dwErrorStatus is set.
   DWORD error_status = chain_context->TrustStatus.dwErrorStatus;
 
-  if (!(flags & VERIFY_REV_CHECKING_ENABLED)) {
+  if (!rev_checking_enabled) {
     // If online revocation checking is disabled then we will have still
     // requested that the revocation cache be checked. However, that will often
-    // cause the following two error bits to be set. Since they are expected,
-    // we mask them away.
+    // cause the following two error bits to be set. These error bits mean that
+    // the local OCSP/CRL is stale or missing entries for these certificates.
+    // Since they are expected, we mask them away.
     error_status &= ~(CERT_TRUST_IS_OFFLINE_REVOCATION |
                       CERT_TRUST_REVOCATION_STATUS_UNKNOWN);
   }
   if (!chain_context->cChain || error_status != CERT_TRUST_NO_ERROR)
     return false;
 
   // Check the end certificate simple chain (chain_context->rgpChain[0]).
   // If the end certificate's certificatePolicies extension contains the
   // EV policy OID of the root CA, return true.
   PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement;
@@ skipping 174 matching lines @@
       *type = kPublicKeyTypeECDH;
       break;
     default:
       *type = kPublicKeyTypeUnknown;
       *size_bits = 0;
       break;
   }
 }
 
 }  // namespace net