Follow-up changes to Android certificate verification logic.

net/android/java/src/org/chromium/net/X509Util.java

Index: net/android/java/src/org/chromium/net/X509Util.java
diff --git a/net/android/java/src/org/chromium/net/X509Util.java b/net/android/java/src/org/chromium/net/X509Util.java
index 788f226b922a54e5f41eda91e6cbe9ec1aa8191a..18ab61333d56802f4151c0d1165a9125b15f27cd 100644
--- a/net/android/java/src/org/chromium/net/X509Util.java
+++ b/net/android/java/src/org/chromium/net/X509Util.java
@@ -157,7 +157,7 @@ public class X509Util {
     private static final Object sLock = new Object();
 
     /*
-     * Allow disabling registering the observer for the certificat changes. Net unit tests do not
+     * Allow disabling registering the observer for the certificate changes. Net unit tests do not
      * load native libraries which prevent this to succeed. Moreover, the system does not allow to
      * interact with the certificate store without user interaction.
      */
@@ -176,7 +176,14 @@ public class X509Util {
                 sDefaultTrustManager = X509Util.createTrustManager(null);
             }
             if (sSystemTrustRoots == null) {
-                sSystemTrustRoots = buildSystemTrustRootSet();
+                try {
+                    sSystemTrustRoots = buildSystemTrustRootSet();
+                } catch (KeyStoreException e) {
+                    // If the device does not have an "AndroidCAStore" KeyStore, don't make the
+                    // failure fatal. Instead default conservatively to setting isIssuedByKnownRoot
+                    // to false everywhere.
+                    Log.w(TAG, "Could not load system trust root set", e);
+                }
             }
             if (sTestKeyStore == null) {
                 sTestKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
@@ -240,7 +247,7 @@ public class X509Util {
         for (TrustManager tm : tmf.getTrustManagers()) {
             if (tm instanceof X509TrustManager) {
                 try {
-                    if (Build.VERSION.SDK_INT >= 17) {
+                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
                         return new X509TrustManagerJellyBean((X509TrustManager) tm);
                     } else {
                         return new X509TrustManagerIceCreamSandwich((X509TrustManager) tm);
@@ -404,13 +411,15 @@ public class X509Util {
             }
 
             boolean isIssuedByKnownRoot = false;
-            if (verifiedChain.size() > 0) {
+            if (sSystemTrustRoots != null && verifiedChain.size() > 0) {
                 X509Certificate root = verifiedChain.get(verifiedChain.size() - 1);
                 isIssuedByKnownRoot = sSystemTrustRoots.contains(
                         new Pair<X500Principal, PublicKey>(root.getSubjectX500Principal(),
                                                            root.getPublicKey()));
             }
 
+            nativeRecordCertVerifyCapabilitiesHistogram(sSystemTrustRoots != null);
+
             return new AndroidCertVerifyResult(CertVerifyStatusAndroid.VERIFY_OK,
                                                isIssuedByKnownRoot, verifiedChain);
         }
@@ -425,6 +434,12 @@ public class X509Util {
     private static native void nativeNotifyKeyChainChanged();
 
     /**
+     * Record histograms on the platform's certificate verification capabilities.
+     */
+    private static native void nativeRecordCertVerifyCapabilitiesHistogram(
+        boolean foundSystemTrustRoots);
+
+    /**
      * Returns the application context.
      */
     private static native Context nativeGetApplicationContext();