// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/base/x509_certificate.h"

#include "base/logging.h"
#include "net/base/android_network_library.h"
#include "net/base/cert_status_flags.h"
#include "net/base/cert_verify_result.h"
#include "net/base/net_errors.h"

namespace net {

int X509Certificate::Verify(const std::string& hostname,
                            int flags,
                            CertVerifyResult* verify_result) const {
  verify_result->Reset();

  AndroidNetworkLibrary* lib = AndroidNetworkLibrary::GetSharedInstance();
  if (!lib) {
    LOG(ERROR) << "Rejecting verify as no net library installed";
    verify_result->cert_status |= ERR_CERT_INVALID;
    return MapCertStatusToNetError(verify_result->cert_status);
  }

  OSCertHandles cert_handles(intermediate_ca_certs_);
  // Make sure the peer's own cert is the first in the chain, if it's not
  // already there.
  if (cert_handles.empty() || cert_handles[0] != cert_handle_)
    cert_handles.insert(cert_handles.begin(), cert_handle_);

  std::vector<std::string> cert_bytes;
  cert_bytes.reserve(cert_handles.size());
  for (OSCertHandles::const_iterator it = cert_handles.begin();
       it != cert_handles.end(); ++it) {
    cert_bytes.push_back(GetDEREncodedBytes(*it));
  }


  if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
    verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
    return MapCertStatusToNetError(verify_result->cert_status);
  }

  // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
  AndroidNetworkLibrary::VerifyResult result =
      lib->VerifyX509CertChain(cert_bytes, hostname, "RSA");
  switch (result) {
    case AndroidNetworkLibrary::VERIFY_OK:
      return OK;
    case AndroidNetworkLibrary::VERIFY_BAD_HOSTNAME:
      verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
      break;
    case AndroidNetworkLibrary::VERIFY_NO_TRUSTED_ROOT:
      verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
      break;
    case AndroidNetworkLibrary::VERIFY_INVOCATION_ERROR:
    default:
      verify_result->cert_status |= ERR_CERT_INVALID;
      break;
  }
  return MapCertStatusToNetError(verify_result->cert_status);
}

}  // namespace net