Return the constructed certificate chain in X509Certificate::Verify()

net/base/x509_certificate_openssl.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <openssl/asn1.h>
 #include <openssl/crypto.h>
 #include <openssl/obj_mac.h>
 #include <openssl/pem.h>
@@ skipping 427 matching lines @@
 
 // static
 X509_STORE* X509Certificate::cert_store() {
   return X509InitSingleton::GetInstance()->store();
 }
 
 int X509Certificate::Verify(const std::string& hostname,
                             int flags,
                             CertVerifyResult* verify_result) const {
   verify_result->Reset();
+  verify_result->verified_cert =
+      CreateFromHandle(cert_handle_, GetIntermediateCertificates());
 
   if (IsBlacklisted()) {
     verify_result->cert_status |= CERT_STATUS_REVOKED;
     return ERR_CERT_REVOKED;
   }
 
   // TODO(joth): We should fetch the subjectAltNames directly rather than via
   // GetDNSNames, so we can apply special handling for IP addresses vs DNS
   // names, etc. See http://crbug.com/62973.
   std::vector<std::string> cert_names;
@@ skipping 26 matching lines @@
         << " : " << x509_error
         << " : " << X509_STORE_CTX_get_error_depth(ctx.get())
         << " : " << cert_status;
     verify_result->cert_status |= cert_status;
   }
 
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
   STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx.get());
+  X509* verified_cert = NULL;
+  std::vector<X509*> verified_chain;
   for (int i = 0; i < sk_X509_num(chain); ++i) {
     X509* cert = sk_X509_value(chain, i);
+    if (i == 0) {
+      verified_cert = cert;
+    } else {
+      verified_chain.push_back(verified_cert);
+    }
+
     DERCache der_cache;
     if (!GetDERAndCacheIfNeeded(cert, &der_cache))
       continue;
 
     base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data),
                                 der_cache.data_length);
     base::StringPiece spki_bytes;
     if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
       continue;
 
     SHA1Fingerprint hash;
     base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
                         spki_bytes.size(), hash.data);
     verify_result->public_key_hashes.push_back(hash);
   }
 
+  if (verified_cert) {
+    verify_result->verified_cert = CreateFromHandle(verified_cert,
+                                                    verified_chain);
+  }
+
   // Currently we only ues OpenSSL's default root CA paths, so treat all
   // correctly verified certs as being from a known root. TODO(joth): if the
   // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&revision=80778
   // become an issue on OpenSSL builds, we will need to embed a hardcoded list
   // of well known root CAs, as per the _mac and _win versions.
   verify_result->is_issued_by_known_root = true;
 
   return OK;
 }
 
@@ skipping 42 matching lines @@
   DERCache der_cache;
   if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache))
     return false;
 
   return pickle->WriteData(
       reinterpret_cast<const char*>(der_cache.data),
       der_cache.data_length);
 }
 
 } // namespace net