Add Expect CT policy that gets checked on all certs

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 3107 matching lines @@
   // Note that this is a completely synchronous operation: The CT Log Verifier
   // gets all the data it needs for SCT verification and does not do any
   // external communication.
   cert_transparency_verifier_->Verify(
       server_cert_verify_result_.verified_cert.get(),
       core_->state().stapled_ocsp_response,
       core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_);
   // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
   // from the state after verification is complete, to conserve memory.
 
-  if (policy_enforcer_ &&
-      (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
+  if (policy_enforcer_) {
     scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
         SSLConfigService::GetEVCertsWhitelist();
-    if (!policy_enforcer_->DoesConformToCTEVPolicy(
-            server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
-            ct_verify_result_, net_log_)) {
+    if (!policy_enforcer_->DoesConformToCertPolicy(
+            server_cert_verify_result_.verified_cert.get(),
+            ct_verify_result_)) {
+      server_cert_verify_result_.cert_status |=
+          CERT_STATUS_CT_COMPLIANCE_FAILED;
+    }
+    if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) &&
+        !policy_enforcer_->DoesConformToEVPolicy(
+            server_cert_verify_result_.verified_cert.get(),
+            server_cert_verify_result_.cert_status, ev_whitelist.get(),
+            net_log_)) {

[Ryan Sleevi, 2016/01/22 23:49:41]

The interface between these two methods feels wrong. PolicyEnforcer (previously)
was ignorant of the CertStatus behaviour and machinations - PolicyEnforcer's
responsibilities were solely about returning results about the CT status.

The new API introduces a dependency on the CertStatus that we likely don't want
to do.

One possible solution is to move this to an else-if on 3136-3137, another would
be to make the EVPolicy separately re-evaluate the certificate using the
ct_verify_result_ (which may be more robust anyways), although that would mean
double-validation in the case of EV.

[estark, 2016/01/23 01:38:41]

If we're okay with double-validating for EV, that sounds good to me (and maybe
even potentially useful in the future, if we ever, say, wanted to apply a more
strict SCT check to EV certs?).

       // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
       VLOG(1) << "EV certificate for "
               << server_cert_verify_result_.verified_cert->subject()
                      .GetDisplayName()
               << " does not conform to CT policy, removing EV status.";
-      server_cert_verify_result_.cert_status |=
-          CERT_STATUS_CT_COMPLIANCE_FAILED;
       server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
     }
   }
 }
 
 void SSLClientSocketNSS::EnsureThreadIdAssigned() const {
   base::AutoLock auto_lock(lock_);
   if (valid_thread_id_ != base::kInvalidThreadId)
     return;
   valid_thread_id_ = base::PlatformThread::CurrentId();
@@ skipping 26 matching lines @@
   return channel_id_service_;
 }
 
 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const {
   if (completed_handshake_)
     return SSL_FAILURE_NONE;
   return SSL_FAILURE_UNKNOWN;
 }
 
 }  // namespace net