Unified Diff: net/base/x509_certificate_win.cc

Issue 9699043: net: fallback to online revocation checks for EV status when CRLSet has expired. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 9 months ago
Index: net/base/x509_certificate_win.cc
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 2f1bcac12043b02f38b5816a2032680e6e840bdd..a80833fe852e1462b7baa30bb361979783aaafe9 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -498,7 +498,6 @@ bool CheckRevocationWithCRLSet(PCCERT_CHAIN_CONTEXT chain,
return false;
case CRLSet::UNKNOWN:
case CRLSet::GOOD:
- case CRLSet::CRL_SET_EXPIRED:
wtc 2012/03/16 00:33:10 Removing this case means we will hit the NOTREACHE
wtc 2012/03/16 00:34:13 Please ignore this comment. I forgot to remove it
continue;
default:
NOTREACHED();
@@ -730,7 +729,9 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
// We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.
DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT |
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
- if (flags & VERIFY_REV_CHECKING_ENABLED) {
+ const bool rev_checking_enabled = flags & VERIFY_REV_CHECKING_ENABLED;
+
+ if (rev_checking_enabled) {
verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
} else {
chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
@@ -915,8 +916,10 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
AppendPublicKeyHashes(chain_context, &verify_result->public_key_hashes);
verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context);
- if (ev_policy_oid && CheckEV(chain_context, flags, ev_policy_oid))
+ if (ev_policy_oid &&
+ CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {
verify_result->cert_status |= CERT_STATUS_IS_EV;
+ }
return OK;
}
@@ -937,7 +940,7 @@ bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
// of the EV Certificate Guidelines Version 1.0 at
// http://cabforum.org/EV_Certificate_Guidelines.pdf.
bool X509Certificate::CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
- int flags,
+ bool rev_checking_enabled,
const char* policy_oid) const {
DCHECK_NE(static_cast<DWORD>(0), chain_context->cChain);
// If the cert doesn't match any of the policies, the
@@ -945,11 +948,12 @@ bool X509Certificate::CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
// chain_context->TrustStatus.dwErrorStatus is set.
DWORD error_status = chain_context->TrustStatus.dwErrorStatus;
- if (!(flags & VERIFY_REV_CHECKING_ENABLED)) {
+ if (!rev_checking_enabled) {
// If online revocation checking is disabled then we will have still
// requested that the revocation cache be checked. However, that will often
- // cause the following two error bits to be set. Since they are expected,
- // we mask them away.
+ // cause the following two error bits to be set. These error bits mean that
+ // the local OCSP/CRL is stale or missing entries for these certificates.
+ // Since they are expected, we mask them away.
error_status &= ~(CERT_TRUST_IS_OFFLINE_REVOCATION |
CERT_TRUST_REVOCATION_STATUS_UNKNOWN);
}
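Review bot: The `bool rev_checking_enabled` parameter introduced at `bool X509Certificate::CheckEV(` changes what callers must understand about EV evaluation, yet the header comment above the signature, which only cites the EV Guidelines, says nothing about it; add a line such as `// rev_checking_enabled: when false, offline/unknown revocation status does not block EV.` The rewritten comment in the `if (!rev_checking_enabled)` branch explains what the two error bits mean but not the consequence of masking them, which is that CERT_STATUS_IS_EV can be set for a certificate whose revocation status was never confirmed online; suggest appending `// EV is therefore asserted here on the strength of the CRLSet check alone.` (hedged: the CRLSet path itself runs outside these hunks). The body of CheckEV continues past the end of the hunk. Separately, at `const bool rev_checking_enabled = flags & VERIFY_REV_CHECKING_ENABLED;` in VerifyInternal the int-to-bool conversion is implicit; `const bool rev_checking_enabled = (flags & VERIFY_REV_CHECKING_ENABLED) != 0;` states the intent and sidesteps the MSVC C4800 "forcing value to bool" warning this Windows-only file may otherwise trip.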
