Record when certificates signed with md[2,4,5] are encountered when using OpenSSL

net/base/x509_certificate_openssl.cc

Index: net/base/x509_certificate_openssl.cc
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index 8583e4d0dccda38def3669309e0fea1c65669105..5612d61ab49445ec1b3b9acf646be1f5e2ddbd02 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -300,6 +300,66 @@ bool GetDERAndCacheIfNeeded(X509Certificate::OSCertHandle cert,
   return true;
 }
 
+void GetCertChainInfo(X509_STORE_CTX* store_ctx,
+                      CertVerifyResult* verify_result) {
+  STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx);
+  X509* verified_cert = NULL;
+  std::vector<X509*> verified_chain;
+  for (int i = 0; i < sk_X509_num(chain); ++i) {
+    X509* cert = sk_X509_value(chain, i);
+    if (i == 0) {
+      verified_cert = cert;
+    } else {
+      verified_chain.push_back(cert);
+    }
+
+    // Only check the algorithm status for certificates that are not in the
+    // trust store.
+    if (i < store_ctx->last_untrusted) {
+      int sig_alg = OBJ_obj2nid(cert->sig_alg->algorithm);
+      if (sig_alg == NID_md2WithRSAEncryption) {
+        verify_result->has_md2 = true;
+        if (i != 0)
+          verify_result->has_md2_ca = true;
+      } else if (sig_alg == NID_md4WithRSAEncryption) {
+        verify_result->has_md4 = true;
+      } else if (sig_alg == NID_md5WithRSAEncryption) {
+        verify_result->has_md5 = true;
+        if (i != 0)
+          verify_result->has_md5_ca = true;
+      }
+    }
+  }
+
+  if (verified_cert) {
+    verify_result->verified_cert =
+        X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+  }
+}
+
+void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx,
+                           std::vector<SHA1Fingerprint>* hashes) {
+  STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx);
+  for (int i = 0; i < sk_X509_num(chain); ++i) {
+    X509* cert = sk_X509_value(chain, i);
+
+    DERCache der_cache;
+    if (!GetDERAndCacheIfNeeded(cert, &der_cache))
+      continue;
+
+    base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data),
+                                der_cache.data_length);
+    base::StringPiece spki_bytes;
+    if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
+      continue;
+
+    SHA1Fingerprint hash;
+    base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
+                        spki_bytes.size(), hash.data);
+    hashes->push_back(hash);
+  }
+}
+
 }  // namespace
 
 // static
@@ -489,41 +549,12 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
     verify_result->cert_status |= cert_status;
   }
 
+  GetCertChainInfo(ctx.get(), verify_result);
+
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
-  STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx.get());
-  X509* verified_cert = NULL;
-  std::vector<X509*> verified_chain;
-  for (int i = 0; i < sk_X509_num(chain); ++i) {
-    X509* cert = sk_X509_value(chain, i);
-    if (i == 0) {
-      verified_cert = cert;
-    } else {
-      verified_chain.push_back(cert);
-    }
-
-    DERCache der_cache;
-    if (!GetDERAndCacheIfNeeded(cert, &der_cache))
-      continue;
-
-    base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data),
-                                der_cache.data_length);
-    base::StringPiece spki_bytes;
-    if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
-      continue;
-
-    SHA1Fingerprint hash;
-    base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
-                        spki_bytes.size(), hash.data);
-    verify_result->public_key_hashes.push_back(hash);
-  }
-
-  if (verified_cert) {
-    verify_result->verified_cert = CreateFromHandle(verified_cert,
-                                                    verified_chain);
-  }
-
+  AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
   // Currently we only ues OpenSSL's default root CA paths, so treat all
   // correctly verified certs as being from a known root. TODO(joth): if the
   // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&revision=80778