Use test root cert once we can not find root cert in system cert store on Android when running un...

net/base/x509_certificate_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <openssl/asn1.h>
 #include <openssl/crypto.h>
 #include <openssl/obj_mac.h>
 #include <openssl/pem.h>
@@ skipping 347 matching lines @@
     if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
       continue;
 
     SHA1Fingerprint hash;
     base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
                         spki_bytes.size(), hash.data);
     hashes->push_back(hash);
   }
 }
 
+#if defined(OS_ANDROID)
+
+// Returns true we have verification result in |verify_result| from Android

[wtc, 2012/02/06 20:56:30]

Nit: add "if" after "Returns true".

Nit: delete the blank line on line 374.

[Johnny(Jianning) Ding, 2012/02/07 04:57:12]

Done.

+// Trust Manager. Otherwise returns false.
+bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,
+                                   CertVerifyResult* verify_result) {
+
+  // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
+  // TODO(jnd): Remove unused |hostname| from net::android::VerifyX509CertChain.
+  bool verified = true;
+#if 0
+  android::VerifyResult result =
+      android::VerifyX509CertChain(cert_bytes, hostname, "RSA");
+#else
+  // TODO(jingzhao): Recover the original implementation once we support JNI.
+  android::VerifyResult result = android::VERIFY_INVOCATION_ERROR;
+  NOTIMPLEMENTED();
+#endif
+  switch (result) {
+    case android::VERIFY_OK:
+      break;
+    case android::VERIFY_BAD_HOSTNAME:
+      verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
+      break;
+    case android::VERIFY_NO_TRUSTED_ROOT:
+      verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+      break;
+    case android::VERIFY_INVOCATION_ERROR:
+      verified = false;
+      break;
+    default:
+      verify_result->cert_status |= CERT_STATUS_INVALID;
+      break;
+  }
+  return verified;
+}
+
+#endif
+
 }  // namespace
 
 // static
 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
     OSCertHandle cert_handle) {
   DCHECK(cert_handle);
   // Using X509_dup causes the entire certificate to be reparsed. This
   // conversion, besides being non-trivial, drops any associated
   // application-specific data set by X509_set_ex_data. Using CRYPTO_add
   // just bumps up the ref-count for the cert, without causing any allocations
@@ skipping 131 matching lines @@
     ip_addrs->clear();
 
   ParseSubjectAltName(cert_handle_, dns_names, ip_addrs);
 }
 
 // static
 X509_STORE* X509Certificate::cert_store() {
   return X509InitSingleton::GetInstance()->store();
 }
 
-#if defined(OS_ANDROID)
 int X509Certificate::VerifyInternal(const std::string& hostname,
                                     int flags,
                                     CRLSet* crl_set,
                                     CertVerifyResult* verify_result) const {
   if (!VerifyNameMatch(hostname))
     verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
 
+  bool verify_attempted = false;
+
+#if defined(OS_ANDROID)
   std::vector<std::string> cert_bytes;
   GetChainDEREncodedBytes(&cert_bytes);
 
-  // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
-  // TODO(jingzhao): Recover the original implementation once we support JNI.
-#if 0
-  android::VerifyResult result =
-      android::VerifyX509CertChain(cert_bytes, hostname, "RSA");
-#else
-  android::VerifyResult result = android::VERIFY_INVOCATION_ERROR;
-  NOTIMPLEMENTED();
+  verify_attempted = VerifyFromAndroidTrustManager(cert_bytes, verify_result);
 #endif
-  switch (result) {
-    case android::VERIFY_OK:
-      break;
-    case android::VERIFY_BAD_HOSTNAME:
-      verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
-      break;
-    case android::VERIFY_NO_TRUSTED_ROOT:
-      verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
-      break;
-    case android::VERIFY_INVOCATION_ERROR:
-    default:
-      verify_result->cert_status |= CERT_STATUS_INVALID;
-      break;
-  }
-  if (IsCertStatusError(verify_result->cert_status))
-    return MapCertStatusToNetError(verify_result->cert_status);
-  return OK;
-}
 
-#else
-int X509Certificate::VerifyInternal(const std::string& hostname,
-                                    int flags,
-                                    CRLSet* crl_set,
-                                    CertVerifyResult* verify_result) const {
-  if (!VerifyNameMatch(hostname))
-    verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
+  if (verify_attempted) {
+    if (IsCertStatusError(verify_result->cert_status))
+      return MapCertStatusToNetError(verify_result->cert_status);
+  } else {
+    crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(
+        X509_STORE_CTX_new());
 
-  crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(
-      X509_STORE_CTX_new());
+    crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(
+        sk_X509_new_null());
+    if (!intermediates.get())
+      return ERR_OUT_OF_MEMORY;
 
-  crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(
-      sk_X509_new_null());
-  if (!intermediates.get())
-    return ERR_OUT_OF_MEMORY;
+    for (OSCertHandles::const_iterator it = intermediate_ca_certs_.begin();
+         it != intermediate_ca_certs_.end(); ++it) {
+      if (!sk_X509_push(intermediates.get(), *it))
+        return ERR_OUT_OF_MEMORY;
+    }
+    int rv = X509_STORE_CTX_init(ctx.get(), cert_store(),
+                                 cert_handle_, intermediates.get());
+    CHECK_EQ(1, rv);
 
-  for (OSCertHandles::const_iterator it = intermediate_ca_certs_.begin();
-       it != intermediate_ca_certs_.end(); ++it) {
-    if (!sk_X509_push(intermediates.get(), *it))
-      return ERR_OUT_OF_MEMORY;
-  }
-  int rv = X509_STORE_CTX_init(ctx.get(), cert_store(),
-                               cert_handle_, intermediates.get());
-  CHECK_EQ(1, rv);
+    if (X509_verify_cert(ctx.get()) != 1) {
+      int x509_error = X509_STORE_CTX_get_error(ctx.get());
+      CertStatus cert_status = MapCertErrorToCertStatus(x509_error);
+      LOG(ERROR) << "X509 Verification error "
+          << X509_verify_cert_error_string(x509_error)
+          << " : " << x509_error
+          << " : " << X509_STORE_CTX_get_error_depth(ctx.get())
+          << " : " << cert_status;
+      verify_result->cert_status |= cert_status;
+    }
 
-  if (X509_verify_cert(ctx.get()) != 1) {
-    int x509_error = X509_STORE_CTX_get_error(ctx.get());
-    CertStatus cert_status = MapCertErrorToCertStatus(x509_error);
-    LOG(ERROR) << "X509 Verification error "
-        << X509_verify_cert_error_string(x509_error)
-        << " : " << x509_error
-        << " : " << X509_STORE_CTX_get_error_depth(ctx.get())
-        << " : " << cert_status;
-    verify_result->cert_status |= cert_status;
+    GetCertChainInfo(ctx.get(), verify_result);
+    if (IsCertStatusError(verify_result->cert_status))
+      return MapCertStatusToNetError(verify_result->cert_status);
+    AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);

[wtc, 2012/02/06 20:56:30]

IMPORTANT: should we move this AppendPublicKeyHashes call
to line 611 so that it will also apply to the Android
Trust Manager case?

Similarly, the GetCertChainInfo call on line 606 probably
should also be used for the Android Trust Manager case.

[Johnny(Jianning) Ding, 2012/02/07 04:57:12]

Currently the verified cert chain info doesn't return by 
android::VerifyX509CertChain.
We should have another bug to track the task of adding verified cert chain info
and public key hashes for Android platform.

@Joth, sounds good?

On 2012/02/06 20:56:30, wtc wrote:

   }
 
-  GetCertChainInfo(ctx.get(), verify_result);
-
-  if (IsCertStatusError(verify_result->cert_status))
-    return MapCertStatusToNetError(verify_result->cert_status);
-
-  AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
   // Currently we only ues OpenSSL's default root CA paths, so treat all
   // correctly verified certs as being from a known root. TODO(joth): if the
   // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&revision=80778
   // become an issue on OpenSSL builds, we will need to embed a hardcoded list
   // of well known root CAs, as per the _mac and _win versions.
   verify_result->is_issued_by_known_root = true;
 
   return OK;
 }
 
-#endif  // defined(OS_ANDROID)
-
 // static
 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
                                     std::string* encoded) {
   DERCache der_cache;
   if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache))
     return false;
   encoded->assign(reinterpret_cast<const char*>(der_cache.data),
                   der_cache.data_length);
   return true;
 }
@@ skipping 86 matching lines @@
   for (OSCertHandles::const_iterator it = cert_handles.begin();
        it != cert_handles.end(); ++it) {
     std::string cert_bytes;
     GetDEREncoded(*it, &cert_bytes);
     chain_bytes->push_back(cert_bytes);
   }
 }
 #endif
 
 }  // namespace net