net/base/cert_verify_proc_android.cc - Issue 13006020: net: extract net/cert out of net/base

Side by Side Diff: net/base/cert_verify_proc_android.cc

Issue 13006020: net: extract net/cert out of net/base (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: rebase Created 7 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
	(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 #include "net/base/cert_verify_proc_android.h"

6

7 #include <string>

8 #include <vector>

9

10 #include "base/logging.h"

11 #include "net/android/cert_verify_result_android.h"

12 #include "net/android/network_library.h"

13 #include "net/base/cert_status_flags.h"

14 #include "net/base/cert_verify_result.h"

15 #include "net/base/net_errors.h"

16 #include "net/base/x509_certificate.h"

17

18 namespace net {

19

20 namespace {

21

22 // Returns true if the certificate verification call was successful (regardless

23 // of its result), i.e. if \|verify_result\| was set. Otherwise returns false.

24 bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,

25 CertVerifyResult* verify_result) {

26 // TODO(joth): Fetch the authentication type from SSL rather than hardcode.

27 android::CertVerifyResultAndroid android_result =

28 android::VerifyX509CertChain(cert_bytes, "RSA");

29 switch (android_result) {

30 case android::VERIFY_FAILED:

31 return false;

32 case android::VERIFY_OK:

33 break;

34 case android::VERIFY_NO_TRUSTED_ROOT:

35 verify_result->cert_status \|= CERT_STATUS_AUTHORITY_INVALID;

36 break;

37 case android::VERIFY_EXPIRED:

38 case android::VERIFY_NOT_YET_VALID:

39 verify_result->cert_status \|= CERT_STATUS_DATE_INVALID;

40 break;

41 case android::VERIFY_UNABLE_TO_PARSE:

42 verify_result->cert_status \|= CERT_STATUS_INVALID;

43 break;

44 default:

45 NOTREACHED();

46 verify_result->cert_status \|= CERT_STATUS_INVALID;

47 break;

48 }

49 return true;

50 }

51

52 bool GetChainDEREncodedBytes(X509Certificate* cert,

53 std::vector<std::string>* chain_bytes) {

54 X509Certificate::OSCertHandle cert_handle = cert->os_cert_handle();

55 X509Certificate::OSCertHandles cert_handles =

56 cert->GetIntermediateCertificates();

57

58 // Make sure the peer's own cert is the first in the chain, if it's not

59 // already there.

60 if (cert_handles.empty() \|\| cert_handles[0] != cert_handle)

61 cert_handles.insert(cert_handles.begin(), cert_handle);

62

63 chain_bytes->reserve(cert_handles.size());

64 for (X509Certificate::OSCertHandles::const_iterator it =

65 cert_handles.begin(); it != cert_handles.end(); ++it) {

66 std::string cert_bytes;

67 if(!X509Certificate::GetDEREncoded(*it, &cert_bytes))

68 return false;

69 chain_bytes->push_back(cert_bytes);

70 }

71 return true;

72 }

73

74 } // namespace

75

76 CertVerifyProcAndroid::CertVerifyProcAndroid() {}

77

78 CertVerifyProcAndroid::~CertVerifyProcAndroid() {}

79

80 bool CertVerifyProcAndroid::SupportsAdditionalTrustAnchors() const {

81 return false;

82 }

83

84 int CertVerifyProcAndroid::VerifyInternal(

85 X509Certificate* cert,

86 const std::string& hostname,

87 int flags,

88 CRLSet* crl_set,

89 const CertificateList& additional_trust_anchors,

90 CertVerifyResult* verify_result) {

91 if (!cert->VerifyNameMatch(hostname))

92 verify_result->cert_status \|= CERT_STATUS_COMMON_NAME_INVALID;

93

94 std::vector<std::string> cert_bytes;

95 if (!GetChainDEREncodedBytes(cert, &cert_bytes))

96 return ERR_CERT_INVALID;

97 if (!VerifyFromAndroidTrustManager(cert_bytes, verify_result)) {

98 NOTREACHED();

99 return ERR_FAILED;

100 }

101 if (IsCertStatusError(verify_result->cert_status))

102 return MapCertStatusToNetError(verify_result->cert_status);

103

104 // TODO(ppi): Implement missing functionality: yielding the constructed trust

105 // chain, public key hashes of its certificates and \|is_issued_by_known_root\|

106 // flag. All of the above require specific support from the platform, missing

107 // in the Java APIs. See also: http://crbug.com/116838

108

109 // Until the required support is available in the platform, we don't know if

110 // the trust root at the end of the chain was standard or user-added, so we

111 // mark all correctly verified certificates as issued by a known root.

112 verify_result->is_issued_by_known_root = true;

113

114 return OK;

115 }

116

117 } // namespace net

OLD	NEW

« no previous file with comments | « net/base/cert_verify_proc_android.h ('k') | net/base/cert_verify_proc_mac.h » ('j') | no next file with comments »