net: fallback to online revocation checks for EV status when CRLSet has expired.

net/base/x509_certificate.cc

Index: net/base/x509_certificate.cc
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index a4ae89b74f297041c0a08c9c45d32ec337d3b485..ca8299ee2ff4e7f163e9412abe00153ec4a3b890 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -25,6 +25,7 @@
 #include "googleurl/src/url_canon_ip.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
+#include "net/base/crl_set.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/pem_tokenizer.h"
@@ -605,6 +606,16 @@ int X509Certificate::Verify(const std::string& hostname,
     return ERR_CERT_REVOKED;
   }
 
+  // If EV verification was requested and no CRLSet is present, or if the
+  // CRLSet has expired, then enable online revocation checks. If the online
+  // check fails, EV status won't be shown.
+  //
+  // A possible optimisation is to only enable online revocation checking in
+  // the event that the leaf certificate appears to include a EV policy ID.
+  // However, it's expected that having a current CRLSet will be very common.
+  if ((flags & VERIFY_EV_CERT) && (!crl_set || crl_set->IsExpired()))
+    flags |= VERIFY_REV_CHECKING_ENABLED;
+
   int rv = VerifyInternal(hostname, flags, crl_set, verify_result);
 
   // This check is done after VerifyInternal so that VerifyInternal can fill in