Bug 405139, EV certs should be treated as providing less certainty of identity if OCSP is disabled. r=rrelyea, a1.9=mtschrep
authorkaie@kuix.de
Tue, 22 Jan 2008 15:46:49 -0800
changeset 10548 4d6ca12ae9a7843992dacfb990003e9dfe038182
parent 10547 e8a02dad7e03c3f5ef543734f2ced29dc0743b05
child 10549 5d0ce48d3bed9843e08c6964dd28352d6bbbc9a8
push idunknown
push userunknown
push dateunknown
reviewersrrelyea
bugs405139
milestone1.9b3pre
Bug 405139, EV certs should be treated as providing less certainty of identity if OCSP is disabled. r=rrelyea, a1.9=mtschrep
security/manager/ssl/src/nsIdentityChecking.cpp
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -563,16 +563,25 @@ nsNSSCertificate::hasValidEVOidTag(SECOi
     do_GetService(PSM_COMPONENT_CONTRACTID, &nrv);
   if (NS_FAILED(nrv))
     return nrv;
   nssComponent->EnsureIdentityInfoLoaded();
 
   validEV = PR_FALSE;
   resultOidTag = SEC_OID_UNKNOWN;
 
+  PRBool isOCSPEnabled = PR_FALSE;
+  nsCOMPtr<nsIX509CertDB> certdb;
+  certdb = do_GetService(NS_X509CERTDB_CONTRACTID);
+  if (certdb)
+    certdb->GetIsOcspOn(&isOCSPEnabled);
+  // No OCSP, no EV
+  if (!isOCSPEnabled)
+    return NS_OK;
+
   SECOidTag oid_tag;
   SECStatus rv = getFirstEVPolicy(mCert, oid_tag);
   if (rv != SECSuccess)
     return NS_OK;
 
   if (oid_tag == SEC_OID_UNKNOWN) // not in our list of OIDs accepted for EV
     return NS_OK;
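Review bot: The new gate `if (!isOCSPEnabled) return NS_OK;` tests only whether OCSP is switched on, not whether a revocation answer was actually obtained for `mCert`. If an unreachable responder is tolerated elsewhere (not visible in this hunk), a certificate could still receive EV treatment without any revocation status. The result of `certdb->GetIsOcspOn(&isOCSPEnabled)` is also ignored, so the code fails closed only because `isOCSPEnabled` starts as `PR_FALSE`; that dependency deserves a comment so a later edit does not flip the default. I would replace `// No OCSP, no EV` with `// EV requires revocation checking: if OCSP is off, or its state cannot be read, report no EV (validEV stays PR_FALSE).` The body of hasValidEVOidTag starts and ends outside the hunk.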