// Copyright (c) 2010 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/base/x509_certificate.h" #include "base/logging.h" #include "net/base/android_network_library.h" #include "net/base/cert_status_flags.h" #include "net/base/cert_verify_result.h" #include "net/base/net_errors.h" namespace net { int X509Certificate::Verify(const std::string& hostname, int flags, CertVerifyResult* verify_result) const { verify_result->Reset(); AndroidNetworkLibrary* lib = AndroidNetworkLibrary::GetSharedInstance(); if (!lib) { LOG(ERROR) << "Rejecting verify as no net library installed"; verify_result->cert_status |= ERR_CERT_INVALID; return MapCertStatusToNetError(verify_result->cert_status); } OSCertHandles cert_handles(intermediate_ca_certs_); // Make sure the peer's own cert is the first in the chain, if it's not // already there. if (cert_handles.empty() || cert_handles[0] != cert_handle_) cert_handles.insert(cert_handles.begin(), cert_handle_); std::vector<std::string> cert_bytes; cert_bytes.reserve(cert_handles.size()); for (OSCertHandles::const_iterator it = cert_handles.begin(); it != cert_handles.end(); ++it) { cert_bytes.push_back(GetDEREncodedBytes(*it)); } if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; return MapCertStatusToNetError(verify_result->cert_status); } // TODO(joth): Fetch the authentication type from SSL rather than hardcode. AndroidNetworkLibrary::VerifyResult result = lib->VerifyX509CertChain(cert_bytes, hostname, "RSA"); switch (result) { case AndroidNetworkLibrary::VERIFY_OK: return OK; case AndroidNetworkLibrary::VERIFY_BAD_HOSTNAME: verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; break; case AndroidNetworkLibrary::VERIFY_NO_TRUSTED_ROOT: verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; break; case AndroidNetworkLibrary::VERIFY_INVOCATION_ERROR: default: verify_result->cert_status |= ERR_CERT_INVALID; break; } return MapCertStatusToNetError(verify_result->cert_status); } } // namespace net