Upstream certificate and mime Android implementation.

net/base/x509_certificate_openssl_android.cc

+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/x509_certificate.h"
+
+#include "base/logging.h"
+#include "net/android/network_library.h"
+#include "net/base/cert_status_flags.h"
+#include "net/base/cert_verify_result.h"
+#include "net/base/net_errors.h"
+
+namespace net {
+
+int X509Certificate::VerifyInternal(const std::string& hostname,
+                                    int flags,
+                                    CertVerifyResult* verify_result) const {
+  if (!VerifyNameMatch(hostname))
+    verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
+
+  std::vector<std::string> cert_bytes;
+  GetChainDEREncodedBytes(&cert_bytes);
+
+  // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
+  net::android::VerifyResult result =
+      net::android::VerifyX509CertChain(cert_bytes, hostname, "RSA");

[wtc, 2011/08/09 18:47:22]

Remove the net:: prefixes because this is inside the net
namespace.

You verify the hostname twice, here and on line 18 above.
Is it possible for android::VerifyX509CertChain to NOT
verify the hostname?

[michaelbai, 2011/08/11 16:10:18]

There is a TODO in Java code to try to decide whether the hostname should be
verified again. Currently hostname isn't verified in Java code.

+  switch (result) {
+    case net::android::VERIFY_OK:
+      return OK;
+    case net::android::VERIFY_BAD_HOSTNAME:
+      verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
+      break;
+    case net::android::VERIFY_NO_TRUSTED_ROOT:
+      verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+      break;
+    case net::android::VERIFY_INVOCATION_ERROR:
+    default:
+      verify_result->cert_status |= ERR_CERT_INVALID;
+      break;
+  }
+  return MapCertStatusToNetError(verify_result->cert_status);
+}
+
+void X509Certificate::GetChainDEREncodedBytes(
+    std::vector<std::string>* chain_bytes) const {
+  OSCertHandles cert_handles(intermediate_ca_certs_);
+  // Make sure the peer's own cert is the first in the chain, if it's not
+  // already there.
+  if (cert_handles.empty() || cert_handles[0] != cert_handle_)
+    cert_handles.insert(cert_handles.begin(), cert_handle_);

[wtc, 2011/08/09 18:47:22]

The cert_handles[0] != cert_handle_ test is not necessary.
If cert_handles[0] == cert_handle_, that's a bug.

[michaelbai, 2011/08/11 16:10:18]

Done.

+
+  chain_bytes->reserve(cert_handles.size());
+  for (OSCertHandles::const_iterator it = cert_handles.begin();
+       it != cert_handles.end(); ++it) {
+    DERCache der_cache = {0};
+    GetDERAndCacheIfNeeded(*it, &der_cache);
+    std::string cert_bytes = std::string(
+        reinterpret_cast<const char*>(der_cache.data), der_cache.data_length);

[wtc, 2011/08/09 18:47:22]

Write this as
    std::string cert_bytes(
        reinterpret_cast<const char*>(der_cache.data), der_cache.data_length);

to avoid a potential temporary object.

[michaelbai, 2011/08/11 16:10:18]

Done.

+    chain_bytes->push_back(cert_bytes);
+  }
+}
+
+}  // namespace net