Use the CT policy enforcer for QUIC, if specified.

net/quic/crypto/proof_verifier_chromium.cc

Index: net/quic/crypto/proof_verifier_chromium.cc
diff --git a/net/quic/crypto/proof_verifier_chromium.cc b/net/quic/crypto/proof_verifier_chromium.cc
index 90543cbbbccf5fcfd3fbb85b8a5eca250acca533..d5855f710013e4d9c7e93f212fdf171d8a46d800 100644
--- a/net/quic/crypto/proof_verifier_chromium.cc
+++ b/net/quic/crypto/proof_verifier_chromium.cc
@@ -16,9 +16,11 @@
 #include "crypto/signature_verifier.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
+#include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
+#include "net/cert/ct_verify_result.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
@@ -46,6 +48,7 @@ class ProofVerifierChromium::Job {
  public:
   Job(ProofVerifierChromium* proof_verifier,
       CertVerifier* cert_verifier,
+      CertPolicyEnforcer* cert_policy_enforcer,
       TransportSecurityState* transport_security_state,
       int cert_verify_flags,
       const BoundNetLog& net_log);
@@ -83,6 +86,8 @@ class ProofVerifierChromium::Job {
   CertVerifier* verifier_;
   scoped_ptr<CertVerifier::Request> cert_verifier_request_;
 
+  CertPolicyEnforcer* policy_enforcer_;
+
   TransportSecurityState* transport_security_state_;
 
   // |hostname| specifies the hostname for which |certs| is a valid chain.
@@ -109,11 +114,13 @@ class ProofVerifierChromium::Job {
 ProofVerifierChromium::Job::Job(
     ProofVerifierChromium* proof_verifier,
     CertVerifier* cert_verifier,
+    CertPolicyEnforcer* cert_policy_enforcer,
     TransportSecurityState* transport_security_state,
     int cert_verify_flags,
     const BoundNetLog& net_log)
     : proof_verifier_(proof_verifier),
       verifier_(cert_verifier),
+      policy_enforcer_(cert_policy_enforcer),
       transport_security_state_(transport_security_state),
       cert_verify_flags_(cert_verify_flags),
       next_state_(STATE_NONE),
@@ -243,6 +250,20 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
   const CertVerifyResult& cert_verify_result =
       verify_details_->cert_verify_result;
   const CertStatus cert_status = cert_verify_result.cert_status;
+
+  if (result == OK && policy_enforcer_ &&
+      (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
+    // QUIC does not support OCSP stapling or the CT TLS extension; as a
+    // result, CT can never be verified, thus the result is always empty.
+    ct::CTVerifyResult empty_ct_result;
+    if (!policy_enforcer_->DoesConformToCTEVPolicy(
+            cert_verify_result.verified_cert.get(),
+            SSLConfigService::GetEVCertsWhitelist().get(), empty_ct_result,
+            net_log_)) {
+      verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
+    }
+  }
+
   if (transport_security_state_ &&
       (result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
@@ -254,19 +275,6 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
     result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
   }
 
-  scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
-      SSLConfigService::GetEVCertsWhitelist();
-  if ((cert_status & CERT_STATUS_IS_EV) && ev_whitelist.get() &&
-      ev_whitelist->IsValid()) {
-    const SHA256HashValue fingerprint(
-        X509Certificate::CalculateFingerprint256(cert_->os_cert_handle()));
-
-    UMA_HISTOGRAM_BOOLEAN(
-        "Net.SSL_EVCertificateInWhitelist",
-        ev_whitelist->ContainsCertificateHash(
-            std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));

[Ryan Hamilton, 2015/07/06 17:36:48]

You would know better than I would, of course, but is it OK to remove this
histogram? My guess is that it's OK because since we're not checking CT we don't
*Really* know if this is EV?

[Ryan Sleevi, 2015/07/06 17:38:51]

This code should not have been histogramming here in the first place - that's
the responsibility of CertPolicyEnforcer. The histogram here was just sort of
hacked in to mimic the CPE being there, but leads to it representing two
different things depending on whether or not QUIC is being used.

[Ryan Hamilton, 2015/07/06 17:39:43]

Ah, that makes sense. Thanks!

-  }
-
   if (result != OK) {
     std::string error_string = ErrorToString(result);
     error_details_ = StringPrintf("Failed to verify certificate chain: %s",
@@ -362,8 +370,10 @@ bool ProofVerifierChromium::Job::VerifySignature(const string& signed_data,
 
 ProofVerifierChromium::ProofVerifierChromium(
     CertVerifier* cert_verifier,
+    CertPolicyEnforcer* cert_policy_enforcer,
     TransportSecurityState* transport_security_state)
     : cert_verifier_(cert_verifier),
+      cert_policy_enforcer_(cert_policy_enforcer),
       transport_security_state_(transport_security_state) {
 }
 
@@ -386,9 +396,9 @@ QuicAsyncStatus ProofVerifierChromium::VerifyProof(
   }
   const ProofVerifyContextChromium* chromium_context =
       reinterpret_cast<const ProofVerifyContextChromium*>(verify_context);
-  scoped_ptr<Job> job(new Job(this, cert_verifier_, transport_security_state_,
-                              chromium_context->cert_verify_flags,
-                              chromium_context->net_log));
+  scoped_ptr<Job> job(new Job(
+      this, cert_verifier_, cert_policy_enforcer_, transport_security_state_,
+      chromium_context->cert_verify_flags, chromium_context->net_log));
   QuicAsyncStatus status =
       job->VerifyProof(hostname, server_config, certs, signature, error_details,
                        verify_details, callback);