Home | History | Annotate | Download | only in base 
      1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "net/base/x509_certificate.h"
      6 
      7 #include "base/logging.h"
      8 #include "net/base/android_network_library.h"
      9 #include "net/base/cert_status_flags.h"
     10 #include "net/base/cert_verify_result.h"
     11 #include "net/base/net_errors.h"
     12 
     13 namespace net {
     14 
     15 int X509Certificate::Verify(const std::string& hostname,
     16                             int flags,
     17                             CertVerifyResult* verify_result) const {
     18   verify_result->Reset();
     19 
     20   AndroidNetworkLibrary* lib = AndroidNetworkLibrary::GetSharedInstance();
     21   if (!lib) {
     22     LOG(ERROR) << "Rejecting verify as no net library installed";
     23     verify_result->cert_status |= ERR_CERT_INVALID;
     24     return MapCertStatusToNetError(verify_result->cert_status);
     25   }
     26 
     27   OSCertHandles cert_handles(intermediate_ca_certs_);
     28   // Make sure the peer's own cert is the first in the chain, if it's not
     29   // already there.
     30   if (cert_handles.empty() || cert_handles[0] != cert_handle_)
     31     cert_handles.insert(cert_handles.begin(), cert_handle_);
     32 
     33   std::vector<std::string> cert_bytes;
     34   cert_bytes.reserve(cert_handles.size());
     35   for (OSCertHandles::const_iterator it = cert_handles.begin();
     36        it != cert_handles.end(); ++it) {
     37     cert_bytes.push_back(GetDEREncodedBytes(*it));
     38   }
     39 
     40 
     41   if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
     42     verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
     43     return MapCertStatusToNetError(verify_result->cert_status);
     44   }
     45 
     46   // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
     47   AndroidNetworkLibrary::VerifyResult result =
     48       lib->VerifyX509CertChain(cert_bytes, hostname, "RSA");
     49   switch (result) {
     50     case AndroidNetworkLibrary::VERIFY_OK:
     51       return OK;
     52     case AndroidNetworkLibrary::VERIFY_BAD_HOSTNAME:
     53       verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
     54       break;
     55     case AndroidNetworkLibrary::VERIFY_NO_TRUSTED_ROOT:
     56       verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
     57       break;
     58     case AndroidNetworkLibrary::VERIFY_INVOCATION_ERROR:
     59     default:
     60       verify_result->cert_status |= ERR_CERT_INVALID;
     61       break;
     62   }
     63   return MapCertStatusToNetError(verify_result->cert_status);
     64 }
     65 
     66 }  // namespace net
     67 
     68