Refactor the assignment of CertVerifyResult::has_md2, etc.

net/cert/cert_verify_proc.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <stdint.h>
 
 #include <algorithm>
 
@@ skipping 351 matching lines @@
 #if defined(OS_WIN)
   // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved
   // for Windows 7/2008 users.
   // Note: This must be kept in sync with cert_verify_proc_unittest.cc
   return base::win::GetVersion() < base::win::VERSION_WIN8;
 #else
   return false;
 #endif
 };
 
+// Sets the "has_*" boolean members in |verify_result| that correspond with
+// the the presence of |hash| somewhere in the certificate chain (excluding the
+// trust anchor).
+void MapHashAlgorithmToBool(X509Certificate::SignatureHashAlgorithm hash,
+                            CertVerifyResult* verify_result) {
+  switch (hash) {
+    case X509Certificate::kSignatureHashAlgorithmMd2:
+      verify_result->has_md2 = true;
+      break;
+    case X509Certificate::kSignatureHashAlgorithmMd4:
+      verify_result->has_md4 = true;
+      break;
+    case X509Certificate::kSignatureHashAlgorithmMd5:
+      verify_result->has_md5 = true;
+      break;
+    case X509Certificate::kSignatureHashAlgorithmSha1:
+      verify_result->has_sha1 = true;
+      break;
+    case X509Certificate::kSignatureHashAlgorithmOther:
+      break;
+  }
+}
+
+// Sets to true the |verify_result->has_*| boolean members for the hash
+// algorithms present in the certificate chain.
+//
+// This considers the hash algorithms in all certificates except trusted
+// certificates.
+//
+// In the case of a successful verification the trust anchor is the final
+// certificate in the chain (either the final intermediate, or the leaf
+// certificate).
+//
+// Whereas if verification was uncessful, the chain may be partial, and the
+// final certificate may not be a trust anchor. This heuristic is used
+// in both successful and failed verifications, despite this ambiguity (failure
+// to tag one of the signature algorithms should only affect the final error).
+void ComputeSignatureHashAlgorithms(CertVerifyResult* verify_result) {
+  const X509Certificate::OSCertHandles& intermediates =
+      verify_result->verified_cert->GetIntermediateCertificates();
+
+  // If there are no intermediates, then the leaf is trusted.

[Ryan Sleevi, 2017/01/10 03:00:41]

"then the leaf is trusted or verification failed."

[eroman, 2017/01/10 03:06:12]

Done.

+  if (intermediates.empty())
+    return;
+
+  DCHECK(!verify_result->has_sha1);
+
+  // Fill in hash algorithms for the leaf certificate.
+  MapHashAlgorithmToBool(X509Certificate::GetSignatureHashAlgorithm(
+                             verify_result->verified_cert->os_cert_handle()),
+                         verify_result);
+  verify_result->has_sha1_leaf = verify_result->has_sha1;
+
+  // Fill in hash algorithms for the intermediate cerificates, excluding the
+  // final one (which is the trust anchor).
+  for (size_t i = 0; i + 1 < intermediates.size(); ++i) {
+    MapHashAlgorithmToBool(
+        X509Certificate::GetSignatureHashAlgorithm(intermediates[i]),
+        verify_result);
+  }
+}
+
 }  // namespace
 
 // static
 CertVerifyProc* CertVerifyProc::CreateDefault() {
 #if defined(USE_NSS_CERTS)
   return new CertVerifyProcNSS();
 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
   return new CertVerifyProcOpenSSL();
 #elif defined(OS_ANDROID)
   return new CertVerifyProcAndroid();
@@ skipping 31 matching lines @@
   // We do online revocation checking for EV certificates that aren't covered
   // by a fresh CRLSet.
   // TODO(rsleevi): http://crbug.com/142974 - Allow preferences to fully
   // disable revocation checking.
   if (flags & CertVerifier::VERIFY_EV_CERT)
     flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY;
 
   int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set,
                           additional_trust_anchors, verify_result);
 
+  ComputeSignatureHashAlgorithms(verify_result);
+
   UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback",
                         verify_result->common_name_fallback_used);
   if (!verify_result->is_issued_by_known_root) {
     UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA",
                           verify_result->common_name_fallback_used);
   }
 
   CheckOCSP(ocsp_response, *verify_result->verified_cert,
             &verify_result->ocsp_result);
 
@@ skipping 334 matching lines @@
   if (start >= time_2015_04_01 && month_diff > 39)
     return true;
 
   return false;
 }
 
 // static
 const base::Feature CertVerifyProc::kSHA1LegacyMode{
     "SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};
 
-X509Certificate::SignatureHashAlgorithm FillCertVerifyResultWeakSignature(
-    X509Certificate::OSCertHandle cert,
-    bool is_leaf,
-    CertVerifyResult* verify_result) {
-  X509Certificate::SignatureHashAlgorithm hash =
-      X509Certificate::GetSignatureHashAlgorithm(cert);
-  switch (hash) {
-    case X509Certificate::kSignatureHashAlgorithmMd2:
-      verify_result->has_md2 = true;
-      break;
-    case X509Certificate::kSignatureHashAlgorithmMd4:
-      verify_result->has_md4 = true;
-      break;
-    case X509Certificate::kSignatureHashAlgorithmMd5:
-      verify_result->has_md5 = true;
-      break;
-    case X509Certificate::kSignatureHashAlgorithmSha1:
-      verify_result->has_sha1 = true;
-      if (is_leaf)
-        verify_result->has_sha1_leaf = true;
-      break;
-    case X509Certificate::kSignatureHashAlgorithmOther:
-      break;
-  }
-
-  return hash;
-}
-
 }  // namespace net