net/base/x509_certificate_openssl_android.cc - platform/external/chromium - Git at Google

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "net/base/x509_certificate.h"

 #include "base/logging.h"
 #include "net/base/android_network_library.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/net_errors.h"

 namespace net {

 int X509Certificate::Verify(const std::string& hostname,
                             int flags,
                             CertVerifyResult* verify_result) const {
   verify_result->Reset();

   AndroidNetworkLibrary* lib = AndroidNetworkLibrary::GetSharedInstance();
   if (!lib) {
     LOG(ERROR) << "Rejecting verify as no net library installed";
     verify_result->cert_status |= ERR_CERT_INVALID;
     return MapCertStatusToNetError(verify_result->cert_status);
   }

   OSCertHandles cert_handles(intermediate_ca_certs_);
   // Make sure the peer's own cert is the first in the chain, if it's not
   // already there.
   if (cert_handles.empty() || cert_handles[0] != cert_handle_)
     cert_handles.insert(cert_handles.begin(), cert_handle_);

   std::vector<std::string> cert_bytes;
   cert_bytes.reserve(cert_handles.size());
   for (OSCertHandles::const_iterator it = cert_handles.begin();
        it != cert_handles.end(); ++it) {
     cert_bytes.push_back(GetDEREncodedBytes(*it));
   }


   if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
     verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
     return MapCertStatusToNetError(verify_result->cert_status);
   }

   // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
   AndroidNetworkLibrary::VerifyResult result =
       lib->VerifyX509CertChain(cert_bytes, hostname, "RSA");
   switch (result) {
     case AndroidNetworkLibrary::VERIFY_OK:
       return OK;
     case AndroidNetworkLibrary::VERIFY_BAD_HOSTNAME:
       verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
       break;
     case AndroidNetworkLibrary::VERIFY_NO_TRUSTED_ROOT:
       verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
       break;
     case AndroidNetworkLibrary::VERIFY_INVOCATION_ERROR:
     default:
       verify_result->cert_status |= ERR_CERT_INVALID;
       break;
   }
   return MapCertStatusToNetError(verify_result->cert_status);
 }

 }  // namespace net
	// Copyright (c) 2010 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "net/base/x509_certificate.h"

	#include "base/logging.h"
	#include "net/base/android_network_library.h"
	#include "net/base/cert_status_flags.h"
	#include "net/base/cert_verify_result.h"
	#include "net/base/net_errors.h"

	namespace net {

	int X509Certificate::Verify(const std::string& hostname,
	int flags,
	CertVerifyResult* verify_result) const {
	verify_result->Reset();

	AndroidNetworkLibrary* lib = AndroidNetworkLibrary::GetSharedInstance();
	if (!lib) {
	LOG(ERROR) << "Rejecting verify as no net library installed";
	verify_result->cert_status \|= ERR_CERT_INVALID;
	return MapCertStatusToNetError(verify_result->cert_status);
	}

	OSCertHandles cert_handles(intermediate_ca_certs_);
	// Make sure the peer's own cert is the first in the chain, if it's not
	// already there.
	if (cert_handles.empty() \|\| cert_handles[0] != cert_handle_)
	cert_handles.insert(cert_handles.begin(), cert_handle_);

	std::vector<std::string> cert_bytes;
	cert_bytes.reserve(cert_handles.size());
	for (OSCertHandles::const_iterator it = cert_handles.begin();
	it != cert_handles.end(); ++it) {
	cert_bytes.push_back(GetDEREncodedBytes(*it));
	}


	if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
	verify_result->cert_status \|= CERT_STATUS_AUTHORITY_INVALID;
	return MapCertStatusToNetError(verify_result->cert_status);
	}

	// TODO(joth): Fetch the authentication type from SSL rather than hardcode.
	AndroidNetworkLibrary::VerifyResult result =
	lib->VerifyX509CertChain(cert_bytes, hostname, "RSA");
	switch (result) {
	case AndroidNetworkLibrary::VERIFY_OK:
	return OK;
	case AndroidNetworkLibrary::VERIFY_BAD_HOSTNAME:
	verify_result->cert_status \|= CERT_STATUS_COMMON_NAME_INVALID;
	break;
	case AndroidNetworkLibrary::VERIFY_NO_TRUSTED_ROOT:
	verify_result->cert_status \|= CERT_STATUS_AUTHORITY_INVALID;
	break;
	case AndroidNetworkLibrary::VERIFY_INVOCATION_ERROR:
	default:
	verify_result->cert_status \|= ERR_CERT_INVALID;
	break;
	}
	return MapCertStatusToNetError(verify_result->cert_status);
	}

	} // namespace net