Explicitly set properties of net::CertVerifyResult

chrome/browser/extensions/api/gcd_private/privet_v3_context_getter.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/api/gcd_private/privet_v3_context_getter.h"
 
 #include "base/command_line.h"
 #include "chrome/common/chrome_content_client.h"
 #include "chrome/common/chrome_switches.h"
 #include "net/base/net_errors.h"
@@ skipping 14 matching lines @@
 
   int Verify(net::X509Certificate* cert,
              const std::string& hostname,
              const std::string& ocsp_response,
              int flags,
              net::CRLSet* crl_set,
              net::CertVerifyResult* verify_result,
              const net::CompletionCallback& callback,
              scoped_ptr<Request>* out_req,
              const net::BoundNetLog& net_log) override {
-    // Mark certificate as invalid as we didn't check it.
     verify_result->Reset();
     verify_result->verified_cert = cert;
-    verify_result->cert_status = net::CERT_STATUS_INVALID;
 
-    auto it = fingerprints_.find(hostname);
-    if (it == fingerprints_.end())
-      return net::ERR_CERT_INVALID;
+    // Because no trust anchor checking is being performed, don't indicate that
+    // it came from an OS-trusted root.
+    verify_result->is_issued_by_known_root = false;
+    // Because no trust anchor checking is being performed, don't indicate that
+    // it came from a supplemental trust anchor.
+    verify_result->is_issued_by_additional_trust_anchor = false;
+    // Because no name checking is being performed, don't indicate that it the
+    // common name was used.
+    verify_result->common_name_fallback_used = false;
+    // Because the signature is not checked, do not indicate any deprecated
+    // signature algorithms were used, even if they might be present.
+    verify_result->has_md2 = false;
+    verify_result->has_md4 = false;
+    verify_result->has_md5 = false;
+    verify_result->has_sha1 = false;
+    verify_result->has_sha1_leaf = false;
+    // Because no chain hashes calculation is being performed, keep hashes
+    // container clean.
+    verify_result->public_key_hashes.clear();

[Vitaly Buka (NO REVIEWS), 2015/11/17 00:08:14]

Default implementation calculates hashes for certs in the chain.
Also code is hidden in platform specific implementations of VerifyProc.
So if we need this, we need expose that code.

I can put whatever I can get from X509Certificate interfaces, e.g. result
of CalculateFingerprint256 and CalculateFingerprint.
But I don't know what is more preferable, empty or partial array.

 
-    auto fingerprint =
-        net::X509Certificate::CalculateFingerprint256(cert->os_cert_handle());
-    return it->second.Equals(fingerprint) ? net::OK : net::ERR_CERT_INVALID;
+    verify_result->cert_status = CheckFingerprint(cert, hostname)
+                                     ? 0
+                                     : net::CERT_STATUS_AUTHORITY_INVALID;
+    return net::IsCertStatusError(verify_result->cert_status)
+               ? net::MapCertStatusToNetError(verify_result->cert_status)
+               : net::OK;
   }
 
   void AddPairedHost(const std::string& host,
                      const net::SHA256HashValue& certificate_fingerprint) {
     fingerprints_[host] = certificate_fingerprint;
   }
 
  private:
+  bool CheckFingerprint(net::X509Certificate* cert,
+                        const std::string& hostname) const {
+    auto it = fingerprints_.find(hostname);
+    if (it == fingerprints_.end())
+      return false;
+
+    return it->second.Equals(
+        net::X509Certificate::CalculateFingerprint256(cert->os_cert_handle()));
+  }
+
   std::map<std::string, net::SHA256HashValue> fingerprints_;
 
   DISALLOW_COPY_AND_ASSIGN(CertVerifier);
 };
 
 PrivetV3ContextGetter::PrivetV3ContextGetter(
     const scoped_refptr<base::SingleThreadTaskRunner>& net_task_runner)
     : net_task_runner_(net_task_runner), weak_ptr_factory_(this) {
   CHECK(base::CommandLine::ForCurrentProcess()->HasSwitch(
       switches::kEnablePrivetV3));
@@ skipping 39 matching lines @@
     const net::SHA256HashValue& certificate_fingerprint) {
   InitOnNetThread();
   cert_verifier_->AddPairedHost(host, certificate_fingerprint);
 }
 
 PrivetV3ContextGetter::~PrivetV3ContextGetter() {
   DCHECK(net_task_runner_->BelongsToCurrentThread());
 }
 
 }  // namespace extensions