Fix a glitch in disentanglement of CertVerifyProc(OpenSSL/Android)

net/base/cert_verify_proc_android.cc

Index: net/base/cert_verify_proc_android.cc
diff --git a/net/base/cert_verify_proc_android.cc b/net/base/cert_verify_proc_android.cc
index 1bdbcef87b22eb71937be686f02be26d6d194943..fc46251f09475862e92eef96d4d790a0774b4ba1 100644
--- a/net/base/cert_verify_proc_android.cc
+++ b/net/base/cert_verify_proc_android.cc
@@ -88,6 +88,14 @@ int CertVerifyProcAndroid::VerifyInternal(X509Certificate* cert,
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
+  // Android call does not provide information if the trust root at the end of
+  // the constructed chain was standard or user-added CA, so we mark all
+  // correctly verified certificates as issued by a known root.
+  verify_result->is_issued_by_known_root = true;

[Ryan Sleevi, 2012/12/14 18:22:07]

blaaarghh

This will need to be a system API feature request, otherwise getting the
verified hashes back won't help much for pinning.

[ppi, 2012/12/14 20:27:35]

I edited the comment to mention the need of such support.

[joth, 2012/12/14 20:30:01]

A solution was discussed in b/5826113 (linked from the bug you reference below)

+
+  // TODO(ppi): Implement missing functionality of certificate verification:
+  // providing the constructed trust chain (along with public key hashes of its
+  // certificates). See also: crbug.com/116838

[Ryan Sleevi, 2012/12/14 18:22:07]

nit: http://-ify the link

[ppi, 2012/12/14 20:27:35]

Thanks, fixed.

   return OK;
 }