1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/cert_verify_proc_android.h"
#include <string>
#include <vector>
#include "base/logging.h"
#include "net/android/cert_verify_result_android.h"
#include "net/android/network_library.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/x509_certificate.h"
namespace net {
namespace {
// Returns true if the certificate verification call was successful (regardless
// of its result), i.e. if |verify_result| was set. Otherwise returns false.
bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,
CertVerifyResult* verify_result) {
// TODO(joth): Fetch the authentication type from SSL rather than hardcode.
android::CertVerifyResultAndroid android_result =
android::VerifyX509CertChain(cert_bytes, "RSA");
switch (android_result) {
case android::VERIFY_FAILED:
return false;
case android::VERIFY_OK:
break;
case android::VERIFY_NO_TRUSTED_ROOT:
verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
break;
case android::VERIFY_EXPIRED:
case android::VERIFY_NOT_YET_VALID:
verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
break;
case android::VERIFY_UNABLE_TO_PARSE:
verify_result->cert_status |= CERT_STATUS_INVALID;
break;
case android::VERIFY_INCORRECT_KEY_USAGE:
verify_result->cert_status |= CERT_STATUS_INVALID;
break;
default:
NOTREACHED();
verify_result->cert_status |= CERT_STATUS_INVALID;
break;
}
return true;
}
bool GetChainDEREncodedBytes(X509Certificate* cert,
std::vector<std::string>* chain_bytes) {
X509Certificate::OSCertHandle cert_handle = cert->os_cert_handle();
X509Certificate::OSCertHandles cert_handles =
cert->GetIntermediateCertificates();
// Make sure the peer's own cert is the first in the chain, if it's not
// already there.
if (cert_handles.empty() || cert_handles[0] != cert_handle)
cert_handles.insert(cert_handles.begin(), cert_handle);
chain_bytes->reserve(cert_handles.size());
for (X509Certificate::OSCertHandles::const_iterator it =
cert_handles.begin(); it != cert_handles.end(); ++it) {
std::string cert_bytes;
if(!X509Certificate::GetDEREncoded(*it, &cert_bytes))
return false;
chain_bytes->push_back(cert_bytes);
}
return true;
}
} // namespace
CertVerifyProcAndroid::CertVerifyProcAndroid() {}
CertVerifyProcAndroid::~CertVerifyProcAndroid() {}
bool CertVerifyProcAndroid::SupportsAdditionalTrustAnchors() const {
return false;
}
int CertVerifyProcAndroid::VerifyInternal(
X509Certificate* cert,
const std::string& hostname,
int flags,
CRLSet* crl_set,
const CertificateList& additional_trust_anchors,
CertVerifyResult* verify_result) {
if (!cert->VerifyNameMatch(hostname))
verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
std::vector<std::string> cert_bytes;
if (!GetChainDEREncodedBytes(cert, &cert_bytes))
return ERR_CERT_INVALID;
if (!VerifyFromAndroidTrustManager(cert_bytes, verify_result)) {
NOTREACHED();
return ERR_FAILED;
}
if (IsCertStatusError(verify_result->cert_status))
return MapCertStatusToNetError(verify_result->cert_status);
// TODO(ppi): Implement missing functionality: yielding the constructed trust
// chain, public key hashes of its certificates and |is_issued_by_known_root|
// flag. All of the above require specific support from the platform, missing
// in the Java APIs. See also: http://crbug.com/116838
// Until the required support is available in the platform, we don't know if
// the trust root at the end of the chain was standard or user-added, so we
// mark all correctly verified certificates as issued by a known root.
verify_result->is_issued_by_known_root = true;
return OK;
}
} // namespace net
|
