Separate CertVerifyProcAndroid from CertVerifyProcOpenSSL

net/base/cert_verify_proc_android.cc

Index: net/base/cert_verify_proc_android.cc
diff --git a/net/base/cert_verify_proc_android.cc b/net/base/cert_verify_proc_android.cc
new file mode 100644
index 0000000000000000000000000000000000000000..948af9783688c80c9aa1aed30736e26490838847
--- /dev/null
+++ b/net/base/cert_verify_proc_android.cc
@@ -0,0 +1,90 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/cert_verify_proc_android.h"
+
+#include <string>
+#include <vector>
+
+#include "base/logging.h"
+#include "net/android/network_library.h"
+#include "net/base/cert_status_flags.h"
+#include "net/base/cert_verify_result.h"
+#include "net/base/net_errors.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+namespace {
+
+// Returns true if the certificate verification call was successful (regardless
+// of its result), i.e. if |verify_result| was set. Otherwise returns false.
+bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,
+                                   CertVerifyResult* verify_result) {
+  // TODO(joth): Fetch the authentication type from SSL rather than hardcode.

[Ryan Sleevi, 2012/12/13 02:16:36]

Reference the crbug DIGIT filed

[ppi, 2012/12/13 04:49:09]

My understanding is that David's bug
(https://code.google.com/p/chromium/issues/detail?id=165446) refers: (a) to
client rather than server certificate verification (b) to OpenSSL functionality,
which should not be within the concern of this file. 

Do you think that the bug should be nevertheless referenced?

[digit1, 2012/12/13 12:14:29]

It's really a different bug. On the other hand, this can be fixed relatively
easily here by using a function like X509Certificate::GetPublicKeyInfo() to
retrieve the key type and translate that into a string. I'd recommend doing this
in a different patch though.

[ppi, 2012/12/13 21:09:52]

Sounds good, I will take care of this. Thanks!

+  bool verified = true;
+  android::VerifyResult result =
+      android::VerifyX509CertChain(cert_bytes, "RSA");
+  switch (result) {
+    case android::VERIFY_OK:
+      break;
+    case android::VERIFY_NO_TRUSTED_ROOT:
+      verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+      break;
+    case android::VERIFY_INVOCATION_ERROR:
+      verified = false;
+      break;
+    default:
+      verify_result->cert_status |= CERT_STATUS_INVALID;
+      break;
+  }
+  return verified;
+}
+
+void GetChainDEREncodedBytes(X509Certificate* cert,
+                             std::vector<std::string>* chain_bytes) {
+  X509Certificate::OSCertHandle cert_handle = cert->os_cert_handle();
+  X509Certificate::OSCertHandles cert_handles =
+      cert->GetIntermediateCertificates();
+
+  // Make sure the peer's own cert is the first in the chain, if it's not
+  // already there.
+  if (cert_handles.empty() || cert_handles[0] != cert_handle)
+    cert_handles.insert(cert_handles.begin(), cert_handle);
+
+  chain_bytes->reserve(cert_handles.size());
+  for (X509Certificate::OSCertHandles::const_iterator it =
+       cert_handles.begin(); it != cert_handles.end(); ++it) {
+    std::string cert_bytes;
+    X509Certificate::X509Certificate::GetDEREncoded(*it, &cert_bytes);

[Ryan Sleevi, 2012/12/13 02:16:36]

[existing?] BUG: Check the ret value of GetDEREncoded

This method should also be a bool so that you can fail validation on invalid
certs.

[ppi, 2012/12/13 04:49:09]

Thanks, addressed in patch set 2.

+    chain_bytes->push_back(cert_bytes);
+  }
+}
+
+}  // namespace
+
+CertVerifyProcAndroid::CertVerifyProcAndroid() {}
+
+CertVerifyProcAndroid::~CertVerifyProcAndroid() {}
+
+int CertVerifyProcAndroid::VerifyInternal(X509Certificate* cert,
+                                          const std::string& hostname,
+                                          int flags,
+                                          CRLSet* crl_set,
+                                          CertVerifyResult* verify_result) {
+  if (!cert->VerifyNameMatch(hostname))
+    verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
+
+  std::vector<std::string> cert_bytes;
+  GetChainDEREncodedBytes(cert, &cert_bytes);
+
+  if (!VerifyFromAndroidTrustManager(cert_bytes, verify_result))
+    NOTREACHED();
+
+  if (IsCertStatusError(verify_result->cert_status))
+    return MapCertStatusToNetError(verify_result->cert_status);
+  return OK;
+}
+
+}  // namespace net