author | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-04-25 21:29:56 +0000 |
committer | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-04-25 21:29:56 +0000 |
commit | c97dc5510f426b5d26dfaa5a9c7519aeccdc38ce (patch) | |
tree | dd49f6e0984f2cac8a8783419403f63dc765aa0f | |
parent | c21d623612f94a9478afcd297696f052ca99261e (diff) | |
Differentiate between VERIFY_FAILED and VERIFY_INCORRECT_KEY_USAGE.
VERIFY_FAILED means general failure to validate the X.509 chain at all,
which is not what we want when the eKU is incorrect.
BUG=233150
Review URL: https://chromiumcodereview.appspot.com/14358023
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@196500 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | build/android/pylib/gtest/filter/net_unittests_disabled | 1 | ||||
-rw-r--r-- | net/android/cert_verify_result_android_list.h | 4 | ||||
-rw-r--r-- | net/android/java/src/org/chromium/net/X509Util.java | 2 | ||||
-rw-r--r-- | net/cert/cert_verify_proc_android.cc | 3 | ||||
-rw-r--r-- | net/cert/cert_verify_proc_unittest.cc | 4 |
5 files changed, 10 insertions, 4 deletions
diff --git a/build/android/pylib/gtest/filter/net_unittests_disabled b/build/android/pylib/gtest/filter/net_unittests_disabled index 353a316..18e4fc9 100644 --- a/build/android/pylib/gtest/filter/net_unittests_disabled +++ b/build/android/pylib/gtest/filter/net_unittests_disabled @@ -1,6 +1,5 @@ # List of suppressions. -CertVerifyProcTest.InvalidKeyUsage CertVerifyProcTest.PublicKeyHashes CertVerifyProcTest.VerifyReturnChainBasic CertVerifyProcTest.VerifyReturnChainFiltersUnrelatedCerts diff --git a/net/android/cert_verify_result_android_list.h b/net/android/cert_verify_result_android_list.h index 201ea5a..3cbcc1e 100644 --- a/net/android/cert_verify_result_android_list.h +++ b/net/android/cert_verify_result_android_list.h @@ -25,3 +25,7 @@ CERT_VERIFY_RESULT_ANDROID(NOT_YET_VALID, -4) // Certificate is not trusted because it could not be parsed. CERT_VERIFY_RESULT_ANDROID(UNABLE_TO_PARSE, -5) + +// Certificate is not trusted because it has an extendedKeyUsage field, but +// its value is not correct for a web server. +CERT_VERIFY_RESULT_ANDROID(INCORRECT_KEY_USAGE, -6) diff --git a/net/android/java/src/org/chromium/net/X509Util.java b/net/android/java/src/org/chromium/net/X509Util.java index 15481e9..a50399e 100644 --- a/net/android/java/src/org/chromium/net/X509Util.java +++ b/net/android/java/src/org/chromium/net/X509Util.java @@ -195,7 +195,7 @@ public class X509Util { try { serverCertificates[0].checkValidity(); if (!verifyKeyUsage(serverCertificates[0])) - return CertVerifyResultAndroid.VERIFY_FAILED; + return CertVerifyResultAndroid.VERIFY_INCORRECT_KEY_USAGE; } catch (CertificateExpiredException e) { return CertVerifyResultAndroid.VERIFY_EXPIRED; } catch (CertificateNotYetValidException e) { diff --git a/net/cert/cert_verify_proc_android.cc b/net/cert/cert_verify_proc_android.cc index 71456e2..9a8acf7 100644 --- a/net/cert/cert_verify_proc_android.cc +++ b/net/cert/cert_verify_proc_android.cc 
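Review bot: In the X509Util.java hunk the new VERIFY_INCORRECT_KEY_USAGE result is produced only for serverCertificates[0], and only after checkValidity() has already passed, so a leaf that is both expired and carries the wrong EKU still reports VERIFY_EXPIRED; a one-line comment on the `if` would make that precedence read as deliberate, e.g. `// Validity is checked first, so an expired leaf with a bad EKU reports VERIFY_EXPIRED, not this.` The enclosing method starts and ends outside the hunk, so whether chain validation runs after this early return is not visible here; if it does, an untrusted-CA error on the same certificate is never surfaced, which the `!defined(OS_ANDROID)` exclusions added to cert_verify_proc_unittest.cc in this commit appear to acknowledge. The header hunk's comment for INCORRECT_KEY_USAGE ("not correct for a web server") could name the check it mirrors, presumably the serverAuth EKU that verifyKeyUsage tests, so the two stay in sync.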
@@ -41,6 +41,9 @@ bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,
 case android::VERIFY_UNABLE_TO_PARSE:
 verify_result->cert_status |= CERT_STATUS_INVALID;
 break;
+ case android::VERIFY_INCORRECT_KEY_USAGE:
+ verify_result->cert_status |= CERT_STATUS_INVALID;
+ break;
 default:
 NOTREACHED();
 verify_result->cert_status |= CERT_STATUS_INVALID;
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 2c0e97d..c1722d5 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -528,7 +528,7 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
 CertVerifyResult verify_result;
 int error = Verify(server_cert, "jira.aquameta.com", flags, NULL, empty_cert_list_, &verify_result);
-#if defined(USE_OPENSSL)
+#if defined(USE_OPENSSL) && !defined(OS_ANDROID)
 // This certificate has two errors: "invalid key usage" and "untrusted CA".
 // However, OpenSSL returns only one (the latter), and we can't detect
 // the other errors.
@@ -539,7 +539,7 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
 #endif
 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
 // from NSS.
-#if !defined(USE_NSS) && !defined(OS_IOS)
+#if !defined(USE_NSS) && !defined(OS_IOS) && !defined(OS_ANDROID)
 // The certificate is issued by an unknown CA.
 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
 #endif |
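Review bot: The new VERIFY_INCORRECT_KEY_USAGE case repeats the body of the VERIFY_UNABLE_TO_PARSE case directly above it; stacking the labels keeps the mapping in one place: `case android::VERIFY_UNABLE_TO_PARSE:` / `case android::VERIFY_INCORRECT_KEY_USAGE:` / `verify_result->cert_status |= CERT_STATUS_INVALID;`. Because both results set the same bit, the distinction this commit introduces survives only in the Android return code, not in cert_status, so the switch should say that is intentional, e.g. `// There is no dedicated cert_status bit for a key-usage mismatch; it is reported as CERT_STATUS_INVALID, which is presumably what CertVerifyProcTest.InvalidKeyUsage expects on this platform — confirm.` VerifyFromAndroidTrustManager starts and ends outside the hunk, so whether VERIFY_FAILED also maps to CERT_STATUS_INVALID cannot be checked here.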
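Review bot: The two `!defined(OS_ANDROID)` exclusions added to CertVerifyProcTest.InvalidKeyUsage (this hunk at -528 and the one at -539) carry no explanation, unlike the adjacent TODO(wtc) for NSS, so nothing in the test records why Android no longer checks for the untrusted-CA error. Add a comment above the first `#if` in the same style, e.g. `// TODO(<owner>): the Android verifier returns as soon as the key-usage check fails, so the untrusted-CA error is not reported; see crbug.com/<BUG_ID_PLACEHOLDER>.` With OS_ANDROID removed from the USE_OPENSSL branch, the `#else` branch (outside the hunk) now runs on Android, so its expectation should be confirmed against the CERT_STATUS_INVALID that cert_verify_proc_android.cc sets for VERIFY_INCORRECT_KEY_USAGE in this commit.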