From 97a93ce4d2bbf3808e16c612c1ece99f1c3406ef Mon Sep 17 00:00:00 2001
From: mattm
Date: Thu, 22 Sep 2016 15:38:22 -0700
Subject: [PATCH] Hack for AIA fetching on Mac Sierra: On >=10.12, always do FETCH_CRL_FROM_NET if adding a crl policy.
BUG=645629
Review-Url: https://codereview.chromium.org/2368453002
Cr-Commit-Position: refs/heads/master@{#420482}
---
 net/cert/x509_util_mac.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/cert/x509_util_mac.cc b/net/cert/x509_util_mac.cc
index 7971a733af07c..10dc4364e998f 100644
--- a/net/cert/x509_util_mac.cc
+++ b/net/cert/x509_util_mac.cc
@@ -5,6 +5,7 @@
 #include "net/cert/x509_util_mac.h"
 #include "base/logging.h"
+#include "base/mac/mac_util.h"
 #include "third_party/apple_apsl/cssmapplePriv.h"
 namespace net {
@@ -100,7 +101,9 @@ OSStatus CreateRevocationPolicies(bool enable_revocation_checking,
 // online revocation checking. Note that, as of OS X 10.7.2, the system
 // will set force this flag on according to system policies, so
 // online revocation checks cannot be completely disabled.
- if (enable_revocation_checking)
+ // Starting with OS X 10.12, if a CRL policy is added without the
+ // FETCH_CRL_FROM_NET flag, AIA fetching is disabled.
+ if (enable_revocation_checking || base::mac::IsAtLeastOS10_12())
 tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
 SecPolicyRef crl_policy;
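Review bot: On 10.12 and later the new condition `if (enable_revocation_checking || base::mac::IsAtLeastOS10_12())` sets `CSSM_TP_ACTION_FETCH_CRL_FROM_NET` even when the caller passed `enable_revocation_checking == false`, and the added comment explains the AIA side effect but not this change to the parameter's meaning. A caller that disables revocation checking to avoid network fetches during verification (for latency or privacy) no longer gets that on Sierra, so the trade-off should be recorded where the flag is set. I would extend the comment with something like `// TODO(crbug.com/645629): workaround; on 10.12+ this turns on network CRL fetching even when enable_revocation_checking is false. Remove once AIA fetching no longer depends on this flag.` The commit message calls this a hack, but nothing in the code marks it as temporary or links it to the bug. The body of CreateRevocationPolicies starts and ends outside the hunk, so whether the CRL policy is always added, and how the OCSP options are affected, cannot be judged from here.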