Implement a skeleton version of Expect CT reports

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 2830fd174ee3fbac71fa9121a4f65765c0b67a0d..6d80fecb2c809d96981d2f804fd8422f6f728c9e 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -3125,18 +3125,18 @@ void SSLClientSocketNSS::VerifyCT() {
   // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
   // from the state after verification is complete, to conserve memory.
 
-  if (policy_enforcer_ &&
-      (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
+  if (policy_enforcer_) {
     scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
         SSLConfigService::GetEVCertsWhitelist();
     if (!policy_enforcer_->DoesConformToCTEVPolicy(

[Ryan Sleevi, 2016/01/12 04:39:12]

Seems like this method should be renamed?

             server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
             ct_verify_result_, net_log_)) {
       // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
-      VLOG(1) << "EV certificate for "
-              << server_cert_verify_result_.verified_cert->subject()
-                     .GetDisplayName()
-              << " does not conform to CT policy, removing EV status.";
+      VLOG(1)
+          << "Certificate for "
+          << server_cert_verify_result_.verified_cert->subject()
+                 .GetDisplayName()
+          << " does not conform to CT policy, removing EV status if present.";
       server_cert_verify_result_.cert_status |=
           CERT_STATUS_CT_COMPLIANCE_FAILED;
       server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;