net/base/cert_verify_proc_android.cc - Issue 11549033: Separate CertVerifyProcAndroid from CertVerifyProcOpenSSL

Side by Side Diff: net/base/cert_verify_proc_android.cc

Issue 11549033: Separate CertVerifyProcAndroid from CertVerifyProcOpenSSL (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: Created 8 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "net/base/cert_verify_proc_android.h"

	6

	7 #include <string>

	8 #include <vector>

	9

	10 #include "base/logging.h"

	11 #include "net/android/network_library.h"

	12 #include "net/base/cert_status_flags.h"

	13 #include "net/base/cert_verify_result.h"

	14 #include "net/base/net_errors.h"

	15 #include "net/base/x509_certificate.h"

	16

	17 namespace net {

	18

	19 namespace {

	20

	21 // Returns true if the certificate verification call was successful (regardless

	22 // of its result), i.e. if \|verify_result\| was set. Otherwise returns false.

	23 bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,

	24 CertVerifyResult* verify_result) {

	25 // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
	Ryan Sleevi 2012/12/13 02:16:36 Reference the crbug DIGIT filed Reference the crbug DIGIT filed ppi 2012/12/13 04:49:09 My understanding is that David's bug (https://code Show quoted text On 2012/12/13 02:16:36, Ryan Sleevi wrote: > Reference the crbug DIGIT filed My understanding is that David's bug (https://code.google.com/p/chromium/issues/detail?id=165446) refers: (a) to client rather than server certificate verification (b) to OpenSSL functionality, which should not be within the concern of this file. Do you think that the bug should be nevertheless referenced? digit1 2012/12/13 12:14:29 It's really a different bug. On the other hand, th It's really a different bug. On the other hand, this can be fixed relatively easily here by using a function like X509Certificate::GetPublicKeyInfo() to retrieve the key type and translate that into a string. I'd recommend doing this in a different patch though. ppi 2012/12/13 21:09:52 Sounds good, I will take care of this. Thanks! Show quoted text On 2012/12/13 12:14:29, digit1 wrote: > It's really a different bug. On the other hand, this can be fixed relatively > easily here by using a function like X509Certificate::GetPublicKeyInfo() to > retrieve the key type and translate that into a string. I'd recommend doing this > in a different patch though. Sounds good, I will take care of this. Thanks!
	26 bool verified = true;

	27 android::VerifyResult result =

	28 android::VerifyX509CertChain(cert_bytes, "RSA");

	29 switch (result) {

	30 case android::VERIFY_OK:

	31 break;

	32 case android::VERIFY_NO_TRUSTED_ROOT:

	33 verify_result->cert_status \|= CERT_STATUS_AUTHORITY_INVALID;

	34 break;

	35 case android::VERIFY_INVOCATION_ERROR:

	36 verified = false;

	37 break;

	38 default:

	39 verify_result->cert_status \|= CERT_STATUS_INVALID;

	40 break;

	41 }

	42 return verified;

	43 }

	44

	45 void GetChainDEREncodedBytes(X509Certificate* cert,

	46 std::vector<std::string>* chain_bytes) {

	47 X509Certificate::OSCertHandle cert_handle = cert->os_cert_handle();

	48 X509Certificate::OSCertHandles cert_handles =

	49 cert->GetIntermediateCertificates();

	50

	51 // Make sure the peer's own cert is the first in the chain, if it's not

	52 // already there.

	53 if (cert_handles.empty() \|\| cert_handles[0] != cert_handle)

	54 cert_handles.insert(cert_handles.begin(), cert_handle);

	55

	56 chain_bytes->reserve(cert_handles.size());

	57 for (X509Certificate::OSCertHandles::const_iterator it =

	58 cert_handles.begin(); it != cert_handles.end(); ++it) {

	59 std::string cert_bytes;

	60 X509Certificate::X509Certificate::GetDEREncoded(*it, &cert_bytes);
	Ryan Sleevi 2012/12/13 02:16:36 [existing?] BUG: Check the ret value of GetDEREnco [existing?] BUG: Check the ret value of GetDEREncoded This method should also be a bool so that you can fail validation on invalid certs. ppi 2012/12/13 04:49:09 Thanks, addressed in patch set 2. Show quoted text On 2012/12/13 02:16:36, Ryan Sleevi wrote: > [existing?] BUG: Check the ret value of GetDEREncoded > > This method should also be a bool so that you can fail validation on invalid > certs. Thanks, addressed in patch set 2.
	61 chain_bytes->push_back(cert_bytes);

	62 }

	63 }

	64

	65 } // namespace

	66

	67 CertVerifyProcAndroid::CertVerifyProcAndroid() {}

	68

	69 CertVerifyProcAndroid::~CertVerifyProcAndroid() {}

	70

	71 int CertVerifyProcAndroid::VerifyInternal(X509Certificate* cert,

	72 const std::string& hostname,

	73 int flags,

	74 CRLSet* crl_set,

	75 CertVerifyResult* verify_result) {

	76 if (!cert->VerifyNameMatch(hostname))

	77 verify_result->cert_status \|= CERT_STATUS_COMMON_NAME_INVALID;

	78

	79 std::vector<std::string> cert_bytes;

	80 GetChainDEREncodedBytes(cert, &cert_bytes);

	81

	82 if (!VerifyFromAndroidTrustManager(cert_bytes, verify_result))

	83 NOTREACHED();

	84

	85 if (IsCertStatusError(verify_result->cert_status))

	86 return MapCertStatusToNetError(verify_result->cert_status);

	87 return OK;

	88 }

	89

	90 } // namespace net

OLD	NEW

« net/base/cert_verify_proc_android.h ('K') | « net/base/cert_verify_proc_android.h ('k') | net/base/cert_verify_proc_openssl.cc » ('j') | net/base/cert_verify_proc_openssl.cc » ('J')