Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(161)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/base/x509_certificate_openssl.cc

Issue 9313004: Use test root cert once we can not find root cert in system cert store on Android when running un... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/base/x509_certificate_openssl.cc
===================================================================
--- net/base/x509_certificate_openssl.cc (revision 120188)
+++ net/base/x509_certificate_openssl.cc (working copy)
@@ -365,6 +365,45 @@
}
}
+#if defined(OS_ANDROID)
+
+// Returns true we have verification result in |verify_result| from Android
wtc 2012/02/06 20:56:30 Nit: add "if" after "Returns true". Nit: delete t
Johnny(Jianning) Ding 2012/02/07 04:57:12 Done.
+// Trust Manager. Otherwise returns false.
+bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,
+ CertVerifyResult* verify_result) {
+
+ // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
+ // TODO(jnd): Remove unused |hostname| from net::android::VerifyX509CertChain.
+ bool verified = true;
+#if 0
+ android::VerifyResult result =
+ android::VerifyX509CertChain(cert_bytes, hostname, "RSA");
+#else
+ // TODO(jingzhao): Recover the original implementation once we support JNI.
+ android::VerifyResult result = android::VERIFY_INVOCATION_ERROR;
+ NOTIMPLEMENTED();
+#endif
+ switch (result) {
+ case android::VERIFY_OK:
+ break;
+ case android::VERIFY_BAD_HOSTNAME:
+ verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
+ break;
+ case android::VERIFY_NO_TRUSTED_ROOT:
+ verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+ break;
+ case android::VERIFY_INVOCATION_ERROR:
+ verified = false;
+ break;
+ default:
+ verify_result->cert_status |= CERT_STATUS_INVALID;
+ break;
+ }
+ return verified;
+}
+
+#endif
+
} // namespace
// static
@@ -516,7 +555,6 @@
return X509InitSingleton::GetInstance()->store();
}
-#if defined(OS_ANDROID)
int X509Certificate::VerifyInternal(const std::string& hostname,
int flags,
CRLSet* crl_set,
@@ -524,79 +562,53 @@
if (!VerifyNameMatch(hostname))
verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
+ bool verify_attempted = false;
+
+#if defined(OS_ANDROID)
std::vector<std::string> cert_bytes;
GetChainDEREncodedBytes(&cert_bytes);
- // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
- // TODO(jingzhao): Recover the original implementation once we support JNI.
-#if 0
- android::VerifyResult result =
- android::VerifyX509CertChain(cert_bytes, hostname, "RSA");
-#else
- android::VerifyResult result = android::VERIFY_INVOCATION_ERROR;
- NOTIMPLEMENTED();
+ verify_attempted = VerifyFromAndroidTrustManager(cert_bytes, verify_result);
#endif
- switch (result) {
- case android::VERIFY_OK:
- break;
- case android::VERIFY_BAD_HOSTNAME:
- verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
- break;
- case android::VERIFY_NO_TRUSTED_ROOT:
- verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
- break;
- case android::VERIFY_INVOCATION_ERROR:
- default:
- verify_result->cert_status |= CERT_STATUS_INVALID;
- break;
- }
- if (IsCertStatusError(verify_result->cert_status))
- return MapCertStatusToNetError(verify_result->cert_status);
- return OK;
-}
-#else
-int X509Certificate::VerifyInternal(const std::string& hostname,
- int flags,
- CRLSet* crl_set,
- CertVerifyResult* verify_result) const {
- if (!VerifyNameMatch(hostname))
- verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
+ if (verify_attempted) {
+ if (IsCertStatusError(verify_result->cert_status))
+ return MapCertStatusToNetError(verify_result->cert_status);
+ } else {
+ crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(
+ X509_STORE_CTX_new());
- crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(
- X509_STORE_CTX_new());
+ crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(
+ sk_X509_new_null());
+ if (!intermediates.get())
+ return ERR_OUT_OF_MEMORY;
- crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(
- sk_X509_new_null());
- if (!intermediates.get())
- return ERR_OUT_OF_MEMORY;
+ for (OSCertHandles::const_iterator it = intermediate_ca_certs_.begin();
+ it != intermediate_ca_certs_.end(); ++it) {
+ if (!sk_X509_push(intermediates.get(), *it))
+ return ERR_OUT_OF_MEMORY;
+ }
+ int rv = X509_STORE_CTX_init(ctx.get(), cert_store(),
+ cert_handle_, intermediates.get());
+ CHECK_EQ(1, rv);
- for (OSCertHandles::const_iterator it = intermediate_ca_certs_.begin();
- it != intermediate_ca_certs_.end(); ++it) {
- if (!sk_X509_push(intermediates.get(), *it))
- return ERR_OUT_OF_MEMORY;
- }
- int rv = X509_STORE_CTX_init(ctx.get(), cert_store(),
- cert_handle_, intermediates.get());
- CHECK_EQ(1, rv);
+ if (X509_verify_cert(ctx.get()) != 1) {
+ int x509_error = X509_STORE_CTX_get_error(ctx.get());
+ CertStatus cert_status = MapCertErrorToCertStatus(x509_error);
+ LOG(ERROR) << "X509 Verification error "
+ << X509_verify_cert_error_string(x509_error)
+ << " : " << x509_error
+ << " : " << X509_STORE_CTX_get_error_depth(ctx.get())
+ << " : " << cert_status;
+ verify_result->cert_status |= cert_status;
+ }
- if (X509_verify_cert(ctx.get()) != 1) {
- int x509_error = X509_STORE_CTX_get_error(ctx.get());
- CertStatus cert_status = MapCertErrorToCertStatus(x509_error);
- LOG(ERROR) << "X509 Verification error "
- << X509_verify_cert_error_string(x509_error)
- << " : " << x509_error
- << " : " << X509_STORE_CTX_get_error_depth(ctx.get())
- << " : " << cert_status;
- verify_result->cert_status |= cert_status;
+ GetCertChainInfo(ctx.get(), verify_result);
+ if (IsCertStatusError(verify_result->cert_status))
+ return MapCertStatusToNetError(verify_result->cert_status);
+ AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
wtc 2012/02/06 20:56:30 IMPORTANT: should we move this AppendPublicKeyHash
Johnny(Jianning) Ding 2012/02/07 04:57:12 Currently the verified cert chain info doesn't ret
}
- GetCertChainInfo(ctx.get(), verify_result);
-
- if (IsCertStatusError(verify_result->cert_status))
- return MapCertStatusToNetError(verify_result->cert_status);
-
- AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
// Currently we only ues OpenSSL's default root CA paths, so treat all
// correctly verified certs as being from a known root. TODO(joth): if the
// motivations described in http://src.chromium.org/viewvc/chrome?view=rev&revision=80778
@@ -607,8 +619,6 @@
return OK;
}
-#endif // defined(OS_ANDROID)
-
// static
bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
std::string* encoded) {
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698