net/base/cert_verify_proc_android.cc - Issue 11549033: Separate CertVerifyProcAndroid from CertVerifyProcOpenSSL

Side by Side Diff: net/base/cert_verify_proc_android.cc

Issue 11549033: Separate CertVerifyProcAndroid from CertVerifyProcOpenSSL (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: address Ryan's remarks Created 8 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "net/base/cert_verify_proc_android.h"

	6

	7 #include <string>

	8 #include <vector>

	9

	10 #include "base/logging.h"

	11 #include "net/android/network_library.h"

	12 #include "net/base/cert_status_flags.h"

	13 #include "net/base/cert_verify_result.h"

	14 #include "net/base/net_errors.h"

	15 #include "net/base/x509_certificate.h"

	16

	17 namespace net {

	18

	19 namespace {

	20

	21 // Returns true if the certificate verification call was successful (regardless

	22 // of its result), i.e. if \|verify_result\| was set. Otherwise returns false.

	23 bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,

	24 CertVerifyResult* verify_result) {

	25 // TODO(joth): Fetch the authentication type from SSL rather than hardcode.

	26 bool verified = true;

	27 android::VerifyResult result =

	28 android::VerifyX509CertChain(cert_bytes, "RSA");

	29 switch (result) {

	30 case android::VERIFY_OK:

	31 break;

	32 case android::VERIFY_NO_TRUSTED_ROOT:

	33 verify_result->cert_status \|= CERT_STATUS_AUTHORITY_INVALID;

	34 break;

	35 case android::VERIFY_INVOCATION_ERROR:

	36 verified = false;

	37 break;

	38 default:

	39 verify_result->cert_status \|= CERT_STATUS_INVALID;

	40 break;

	41 }

	42 return verified;

	43 }

	44

	45 bool GetChainDEREncodedBytes(X509Certificate* cert,

	46 std::vector<std::string>* chain_bytes) {

	47 X509Certificate::OSCertHandle cert_handle = cert->os_cert_handle();

	48 X509Certificate::OSCertHandles cert_handles =

	49 cert->GetIntermediateCertificates();

	50

	51 // Make sure the peer's own cert is the first in the chain, if it's not

	52 // already there.

	53 if (cert_handles.empty() \|\| cert_handles[0] != cert_handle)
	Ryan Sleevi 2012/12/13 19:50:50 This second condition should always be false. It's This second condition should always be false. It's a bug if cert_handles[0] ever == cert_handle. For further cleanup though. ppi 2012/12/13 21:06:39 Thanks! If you don't mind I will address this sepa Show quoted text On 2012/12/13 19:50:50, Ryan Sleevi wrote: > This second condition should always be false. It's a bug if cert_handles[0] ever > == cert_handle. > > For further cleanup though. Thanks! If you don't mind I will address this separately.
	54 cert_handles.insert(cert_handles.begin(), cert_handle);

	55

	56 chain_bytes->reserve(cert_handles.size());

	57 for (X509Certificate::OSCertHandles::const_iterator it =

	58 cert_handles.begin(); it != cert_handles.end(); ++it) {

	59 std::string cert_bytes;

	60 if(!X509Certificate::GetDEREncoded(*it, &cert_bytes))

	61 return false;

	62 chain_bytes->push_back(cert_bytes);

	63 }

	64 return true;

	65 }

	66

	67 } // namespace

	68

	69 CertVerifyProcAndroid::CertVerifyProcAndroid() {}

	70

	71 CertVerifyProcAndroid::~CertVerifyProcAndroid() {}

	72

	73 int CertVerifyProcAndroid::VerifyInternal(X509Certificate* cert,

	74 const std::string& hostname,

	75 int flags,

	76 CRLSet* crl_set,

	77 CertVerifyResult* verify_result) {

	78 if (!cert->VerifyNameMatch(hostname))

	79 verify_result->cert_status \|= CERT_STATUS_COMMON_NAME_INVALID;

	80

	81 std::vector<std::string> cert_bytes;

	82 if (!GetChainDEREncodedBytes(cert, &cert_bytes))

	83 return ERR_CERT_INVALID;

	84 if (!VerifyFromAndroidTrustManager(cert_bytes, verify_result)) {

	85 NOTREACHED();

	86 return ERR_FAILED;

	87 }

	88 if (IsCertStatusError(verify_result->cert_status))

	89 return MapCertStatusToNetError(verify_result->cert_status);
	joth 2012/12/14 00:45:01 Bug? I think prior to this patch even on OS_ANDROI Bug? I think prior to this patch even on OS_ANDROID we'd be setting verify_result->is_issued_by_known_root = true here. ppi 2012/12/14 04:02:32 My bad, thanks for catching that! I am fixing this Show quoted text On 2012/12/14 00:45:01, joth wrote: > Bug? > I think prior to this patch even on OS_ANDROID we'd be setting > verify_result->is_issued_by_known_root = true here. > My bad, thanks for catching that! I am fixing this in https://codereview.chromium.org/11570019/ .
	90
	joth 2012/12/14 00:45:01 should there be a TODO / bug link here to implemen should there be a TODO / bug link here to implement the other missing bits? - GetCertChainInfo(ctx.get(), verify_result); - AppendPublicKeyHashes() they depend on crbug.com/116838 IIRC. ppi 2012/12/14 04:02:32 Good idea, thanks. Being addressed in https://code Show quoted text On 2012/12/14 00:45:01, joth wrote: > should there be a TODO / bug link here to implement the other missing bits? > - GetCertChainInfo(ctx.get(), verify_result); > - AppendPublicKeyHashes() > > > they depend on crbug.com/116838 IIRC. Good idea, thanks. Being addressed in https://codereview.chromium.org/11570019/.
	91 return OK;

	92 }

	93

	94 } // namespace net

OLD	NEW

« no previous file with comments | « net/base/cert_verify_proc_android.h ('k') | net/base/cert_verify_proc_openssl.cc » ('j') | no next file with comments »