Add Expect CT policy that gets checked on all certs

net/cert/ct_policy_enforcer.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #ifndef NET_CERT_CT_POLICY_ENFORCER_H
 #define NET_CERT_CT_POLICY_ENFORCER_H
 
 #include <stddef.h>
 
 #include "net/base/net_export.h"
+#include "net/cert/cert_status_flags.h"
 #include "net/log/net_log.h"
 
 namespace net {
 
 namespace ct {
 
 struct CTVerifyResult;
 class EVCertsWhitelist;
 
 }  // namespace ct
 
 class X509Certificate;
 
-// Class for checking that a given certificate conforms to security-related
-// policies.
+// Class for checking that a given certificate conforms to
+// Certificate-Transparency-related policies.
 class NET_EXPORT CTPolicyEnforcer {
  public:
   CTPolicyEnforcer() {}
   virtual ~CTPolicyEnforcer() {}
 
-  // Returns true if the collection of SCTs for the given certificate
-  // conforms with the CT/EV policy. Conformance details are logged to
-  // |net_log|.
+  // Returns true if the collection of SCTs for the given |certificate|
+  // conforms with the CT certificate policy.
   // |cert| is the certificate for which the SCTs apply.
   // |ct_result| must contain the result of verifying any SCTs associated with
   // |cert| prior to invoking this method.
-  virtual bool DoesConformToCTEVPolicy(X509Certificate* cert,
-                                       const ct::EVCertsWhitelist* ev_whitelist,
-                                       const ct::CTVerifyResult& ct_result,
-                                       const BoundNetLog& net_log);
+  virtual bool DoesConformToCertPolicy(X509Certificate* cert,
+                                       const ct::CTVerifyResult& ct_result);
+
+  // Returns true if the collection of SCTs for the given |certificate|
+  // and |cert_status| conforms with the EV policy. Conformance details
+  // are logged to |net_log|.
+  // |cert| is the certificate for which the SCTs apply.
+  // |cert_status| is the CertStatus computed for |cert|.
+  // |ev_whitelist| is a whitelist of EV certificates for which CT policy need
+  // not apply.
+  virtual bool DoesConformToEVPolicy(X509Certificate* cert,
+                                     CertStatus cert_status,
+                                     const ct::EVCertsWhitelist* ev_whitelist,
+                                     const BoundNetLog& net_log);

[Ryan Sleevi, 2016/01/22 23:49:41]

DESIGN: [Note, this comment just comes from reading the header alone]

So from an API direction, I'm a little confused why the ct::CTVerifyResult isn't
supplied/modified in this call, or why the CertStatus is necessary (just from
reading this header)

I'm thinking it may be useful to perhaps add class-level documentation of
example usage, which may help sanity-check the design.

[estark, 2016/01/23 01:38:41]

I changed the interface a bit as you suggested below, and added a bit more
documentation at the top of the class, though hopefully the new API makes it
clearer?

I can still add example usage if you think it'd be helpful... I'm just not sure
if it adds much with the modified API.

 };
 
 }  // namespace net
 
 #endif  // NET_CERT_CT_POLICY_ENFORCER_H