authorpalmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-25 21:29:56 +0000
committerpalmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-25 21:29:56 +0000
commitc97dc5510f426b5d26dfaa5a9c7519aeccdc38ce (patch)
treedd49f6e0984f2cac8a8783419403f63dc765aa0f /net/android
parentc21d623612f94a9478afcd297696f052ca99261e (diff)
Differentiate between VERIFY_FAILED and VERIFY_INCORRECT_KEY_USAGE.
VERIFY_FAILED means general failure to validate the X.509 chain at all, which is not what we want when the eKU is incorrect. BUG=233150 Review URL: https://chromiumcodereview.appspot.com/14358023 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@196500 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/android')
-rw-r--r--net/android/cert_verify_result_android_list.h4
-rw-r--r--net/android/java/src/org/chromium/net/X509Util.java2
2 files changed, 5 insertions, 1 deletions
diff --git a/net/android/cert_verify_result_android_list.h b/net/android/cert_verify_result_android_list.h
index 201ea5a..3cbcc1e 100644
--- a/net/android/cert_verify_result_android_list.h
+++ b/net/android/cert_verify_result_android_list.h
@@ -25,3 +25,7 @@ CERT_VERIFY_RESULT_ANDROID(NOT_YET_VALID, -4)
// Certificate is not trusted because it could not be parsed.
CERT_VERIFY_RESULT_ANDROID(UNABLE_TO_PARSE, -5)
+
+// Certificate is not trusted because it has an extendedKeyUsage field, but
+// its value is not correct for a web server.
+CERT_VERIFY_RESULT_ANDROID(INCORRECT_KEY_USAGE, -6)
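Review bot: The new `-6` value is only safe if every consumer of this list treats it as a verification failure, and the code that converts these results into net errors is not shown here (the diff is limited to net/android). Confirm that the conversion has an explicit case for INCORRECT_KEY_USAGE and that any value it does not recognise ends in a failure rather than in OK. The comment could also say who produces the code, for example `// Reported by X509Util when the extendedKeyUsage check rejects the server certificate.`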
diff --git a/net/android/java/src/org/chromium/net/X509Util.java b/net/android/java/src/org/chromium/net/X509Util.java
index 15481e9..a50399e 100644
--- a/net/android/java/src/org/chromium/net/X509Util.java
+++ b/net/android/java/src/org/chromium/net/X509Util.java
@@ -195,7 +195,7 @@ public class X509Util {
try {
serverCertificates[0].checkValidity();
if (!verifyKeyUsage(serverCertificates[0]))
- return CertVerifyResultAndroid.VERIFY_FAILED;
+ return CertVerifyResultAndroid.VERIFY_INCORRECT_KEY_USAGE;
} catch (CertificateExpiredException e) {
return CertVerifyResultAndroid.VERIFY_EXPIRED;
} catch (CertificateNotYetValidException e) {
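Review bot: The `if (!verifyKeyUsage(serverCertificates[0]))` guard controls a security-relevant early return but has no braces, so a later edit could detach the return from the condition. I would write it as `if (!verifyKeyUsage(serverCertificates[0])) {` / `return CertVerifyResultAndroid.VERIFY_INCORRECT_KEY_USAGE;` / `}`. A short comment above it would also help, such as `// EKU is present but does not allow use as a TLS server; report this separately from a chain-validation failure.` Callers that matched on VERIFY_FAILED for this case will now see a different code, so it is worth checking that none of them treats an unexpected value as success. The enclosing method starts and ends outside this hunk, so the earlier checks on `serverCertificates` are not visible here.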