Index: net/cert/cert_verify_proc_android.cc |
diff --git a/net/cert/cert_verify_proc_android.cc b/net/cert/cert_verify_proc_android.cc |
index bd747267a2e0c293465020e2ff35497d806f8c74..9c99444d8e381a866a5f43aa1968f54ede006516 100644 |
--- a/net/cert/cert_verify_proc_android.cc |
+++ b/net/cert/cert_verify_proc_android.cc |
@@ -4,6 +4,8 @@ |
#include "net/cert/cert_verify_proc_android.h" |
+#include <openssl/x509v3.h> |
+ |
#include <string> |
#include <vector> |
@@ -71,6 +73,36 @@ bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes, |
verify_result->verified_cert = verified_cert; |
} |
+ // Extract the algorithm information from the certs |
+ X509Certificate::OSCertHandles chain; |
+ const X509Certificate::OSCertHandles& intermediates = |
+ verify_result->verified_cert->GetIntermediateCertificates(); |
+ chain.push_back(verify_result->verified_cert->os_cert_handle()); |
+ chain.insert(chain.end(), intermediates.begin(), intermediates.end()); |
+ |
+ // If the chain successfully verified, ignore the trust anchor (the last |
+ // certificate). Otherwise, assume the chain is partial. This is not entirely |
+ // correct, as a full chain may have been constructed and then failed to |
+ // validate. However, if that is the case, the more serious error will |
+ // override any SHA-1 considerations. |
+ size_t correction_for_root = (status == android::VERIFY_OK) ? 1 : 0; |
+ for (size_t i = 0; i < chain.size() - correction_for_root; ++i) { |
+ int sig_alg = OBJ_obj2nid(chain[i]->sig_alg->algorithm); |
+ if (sig_alg == NID_md2WithRSAEncryption) { |
+ verify_result->has_md2 = true; |
+ } else if (sig_alg == NID_md4WithRSAEncryption) { |
+ verify_result->has_md4 = true; |
+ } else if (sig_alg == NID_md5WithRSAEncryption || |
+ sig_alg == NID_md5WithRSA) { |
+ verify_result->has_md5 = true; |
+ } else if (sig_alg == NID_sha1WithRSAEncryption || |
+ sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 || |
+ sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA || |
+ sig_alg == NID_ecdsa_with_SHA1) { |
+ verify_result->has_sha1 = true; |
+ } |
+ } |
+ |
// Extract the public key hashes. |
for (size_t i = 0; i < verified_chain.size(); i++) { |
base::StringPiece spki_bytes; |