1// Copyright (c) 2010 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "net/base/x509_certificate.h"
6
7#include "base/logging.h"
8#include "net/base/android_network_library.h"
9#include "net/base/cert_status_flags.h"
10#include "net/base/cert_verify_result.h"
11#include "net/base/net_errors.h"
12
13namespace net {
14
15int X509Certificate::Verify(const std::string& hostname,
16                            int flags,
17                            CertVerifyResult* verify_result) const {
18  verify_result->Reset();
19
20  AndroidNetworkLibrary* lib = AndroidNetworkLibrary::GetSharedInstance();
21  if (!lib) {
22    LOG(ERROR) << "Rejecting verify as no net library installed";
23    verify_result->cert_status |= ERR_CERT_INVALID;
24    return MapCertStatusToNetError(verify_result->cert_status);
25  }
26
27  OSCertHandles cert_handles(intermediate_ca_certs_);
28  // Make sure the peer's own cert is the first in the chain, if it's not
29  // already there.
30  if (cert_handles.empty() || cert_handles[0] != cert_handle_)
31    cert_handles.insert(cert_handles.begin(), cert_handle_);
32
33  std::vector<std::string> cert_bytes;
34  cert_bytes.reserve(cert_handles.size());
35  for (OSCertHandles::const_iterator it = cert_handles.begin();
36       it != cert_handles.end(); ++it) {
37    cert_bytes.push_back(GetDEREncodedBytes(*it));
38  }
39
40
41  if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
42    verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
43    return MapCertStatusToNetError(verify_result->cert_status);
44  }
45
46  // TODO(joth): Fetch the authentication type from SSL rather than hardcode.
47  AndroidNetworkLibrary::VerifyResult result =
48      lib->VerifyX509CertChain(cert_bytes, hostname, "RSA");
49  switch (result) {
50    case AndroidNetworkLibrary::VERIFY_OK:
51      return OK;
52    case AndroidNetworkLibrary::VERIFY_BAD_HOSTNAME:
53      verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
54      break;
55    case AndroidNetworkLibrary::VERIFY_NO_TRUSTED_ROOT:
56      verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
57      break;
58    case AndroidNetworkLibrary::VERIFY_INVOCATION_ERROR:
59    default:
60      verify_result->cert_status |= ERR_CERT_INVALID;
61      break;
62  }
63  return MapCertStatusToNetError(verify_result->cert_status);
64}
65
66}  // namespace net
67
68