Add Expect CT policy that gets checked on all certs

chrome/browser/ssl/ssl_browser_tests.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <utility>
 
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
@@ skipping 2487 matching lines @@
 
   content::NavigationEntry* entry = tab->GetController().GetActiveEntry();
   ASSERT_TRUE(entry);
   content::SSLStatus interstitial_ssl_status = entry->GetSSL();
 
   ProceedThroughInterstitial(tab);
   EXPECT_FALSE(tab->ShowingInterstitialPage());
   entry = tab->GetController().GetActiveEntry();
   ASSERT_TRUE(entry);
 
+  // Certificate Transparency compliance is not checked until the
+  // connection completes successfully, so the certificate will not have
+  // been marked as failing CT on the interstitial.

[Ryan Sleevi, 2016/01/22 23:49:41]

That's... weird.

[estark, 2016/01/23 01:38:41]

Yeah :/ Not sure how else to deal with it though... I guess maybe this test
shouldn't necessarily be requiring that interstitial_ssl_status.cert_status ==
after_interstitial_ssl_status.cert_status, but rather just checking that they
both contain the relevant cert error.

Also apparently I didn't understand subject verb agreement when I wrote
CheckSSLStatusesEquals(). *twitch*

+  EXPECT_EQ(0u, interstitial_ssl_status.cert_status &
+                    net::CERT_STATUS_CT_COMPLIANCE_FAILED);
+  interstitial_ssl_status.cert_status = interstitial_ssl_status.cert_status |
+                                        net::CERT_STATUS_CT_COMPLIANCE_FAILED;
+
   content::SSLStatus after_interstitial_ssl_status = entry->GetSSL();
   ASSERT_NO_FATAL_FAILURE(CheckSSLStatusesEquals(after_interstitial_ssl_status,
                                                  interstitial_ssl_status));
 }
 
 // As above, but for a bad clock interstitial. Tests that a clock
 // interstitial's SSLStatus matches the SSLStatus of the HTTPS page
 // after proceeding through a normal SSL interstitial.
 IN_PROC_BROWSER_TEST_F(SSLUITest,
                        SSLStatusMatchesonClockInterstitialAndAfterProceed) {
@@ skipping 29 matching lines @@
   ASSERT_TRUE(ssl_interstitial);
   EXPECT_EQ(SSLBlockingPage::kTypeForTesting,
             ssl_interstitial->GetDelegateForTesting()->GetTypeForTesting());
   ProceedThroughInterstitial(tab);
   EXPECT_FALSE(tab->ShowingInterstitialPage());
 
   // Grab the SSLStatus from the page and check that it is the same as
   // on the clock interstitial.
   entry = tab->GetController().GetActiveEntry();
   ASSERT_TRUE(entry);
+  // Certificate Transparency compliance is not checked until the
+  // connection completes successfully, so the certificate will not have
+  // been marked as failing CT on the interstitial.
+  EXPECT_EQ(0u, clock_interstitial_ssl_status.cert_status &
+                    net::CERT_STATUS_CT_COMPLIANCE_FAILED);
+  clock_interstitial_ssl_status.cert_status =
+      clock_interstitial_ssl_status.cert_status |
+      net::CERT_STATUS_CT_COMPLIANCE_FAILED;
   content::SSLStatus after_interstitial_ssl_status = entry->GetSSL();
   ASSERT_NO_FATAL_FAILURE(CheckSSLStatusesEquals(
       after_interstitial_ssl_status, clock_interstitial_ssl_status));
 }
 
 class CommonNameMismatchBrowserTest : public CertVerifierBrowserTest {
  public:
   CommonNameMismatchBrowserTest() : CertVerifierBrowserTest() {}
   ~CommonNameMismatchBrowserTest() override {}
 
@@ skipping 364 matching lines @@
 
 // Visit a page over https that contains a frame with a redirect.
 
 // XMLHttpRequest insecure content in synchronous mode.
 
 // XMLHttpRequest insecure content in asynchronous mode.
 
 // XMLHttpRequest over bad ssl in synchronous mode.
 
 // XMLHttpRequest over OK ssl in synchronous mode.