
Unified Diff: content/child/web_url_loader_impl.cc

Issue 1589703002: Surface SCT (Signed Certificate Timestamp) counts in the Security panel. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 11 months ago
Index: content/child/web_url_loader_impl.cc
diff --git a/content/child/web_url_loader_impl.cc b/content/child/web_url_loader_impl.cc
index b6fdd6a93933e8ade0d76da4214984cdcc41b9d0..185886fc9eb39443fa4f8f0f4af37c6fa59b1565 100644
--- a/content/child/web_url_loader_impl.cc
+++ b/content/child/web_url_loader_impl.cc
@@ -8,6 +8,7 @@
#include <algorithm>
#include <string>
#include <utility>
+#include <vector>
#include "base/bind.h"
#include "base/files/file_path.h"
@@ -36,9 +37,13 @@
#include "content/public/child/fixed_received_data.h"
#include "content/public/child/request_peer.h"
#include "content/public/common/browser_side_navigation_policy.h"
+#include "content/public/common/signed_certificate_timestamp_id_and_status.h"
+#include "content/public/common/ssl_status.h"
#include "net/base/data_url.h"
#include "net/base/filename_util.h"
#include "net/base/net_errors.h"
+#include "net/cert/cert_status_flags.h"
+#include "net/cert/sct_status_flags.h"
#include "net/http/http_response_headers.h"
#include "net/http/http_util.h"
#include "net/ssl/ssl_cipher_suite_names.h"
@@ -237,14 +242,51 @@ void SetSecurityStyleAndDetails(const GURL& url,
response->setSecurityStyle(securityStyle);
+ bool is_valid_ev = ssl_status.cert_status & net::CERT_STATUS_IS_EV;
+
+ SignedCertificateTimestampIDStatusList sct_list =
+ ssl_status.signed_certificate_timestamp_ids;
+
+ // Although the number of SCTs is small (usually <= 5), there is no technical
+ // constraint on the number of deserialized SCTs (apart from RAM size), so we
+ // sanity check that the total count fits into an int before counting the
+ // types of SCTs.
+ DCHECK_LT(sct_list.size(),
+ static_cast<size_t>(std::numeric_limits<int>::max()));
Ryan Sleevi 2016/01/19 19:39:00 SECURITY BUG: This is a security check hidden in a
lgarron 2016/01/22 22:51:27 I've opted to what you recommend below and use siz
+
+ int num_unknown_scts = 0;
+ int num_invalid_scts = 0;
+ int num_valid_scts = 0;
+
+ SignedCertificateTimestampIDStatusList::iterator iter;
+ for (iter = sct_list.begin(); iter < sct_list.end(); ++iter) {
+ switch (iter->status) {
+ case net::ct::SCT_STATUS_LOG_UNKNOWN:
+ num_unknown_scts++;
+ break;
+ case net::ct::SCT_STATUS_INVALID:
+ num_invalid_scts++;
+ break;
+ case net::ct::SCT_STATUS_OK:
+ num_valid_scts++;
+ break;
+ case net::ct::SCT_STATUS_NONE:
+ case net::ct::SCT_STATUS_MAX:
+ // These enum values do not represent SCTs that are taken into account
+ // for CT compliance calculations, so we ignore them.
+ break;
+ }
+ }
+
blink::WebString protocol_string = blink::WebString::fromUTF8(protocol);
blink::WebString cipher_string = blink::WebString::fromUTF8(cipher);
blink::WebString key_exchange_string =
blink::WebString::fromUTF8(key_exchange);
blink::WebString mac_string = blink::WebString::fromUTF8(mac);
response->setSecurityDetails(protocol_string, key_exchange_string,
- cipher_string, mac_string,
- ssl_status.cert_id);
+ cipher_string, mac_string, ssl_status.cert_id,
+ is_valid_ev, num_unknown_scts, num_invalid_scts,
+ num_valid_scts);
}
} // namespace
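Review bot: `is_valid_ev` at the top of the added block is derived from the `CERT_STATUS_IS_EV` bit alone, so the flag handed to `setSecurityDetails` does not reflect whether `cert_status` also carries error bits. Whether the verifier guarantees that the EV bit is cleared on error is not visible in this hunk; if it does not, the Security panel could present a failing certificate as valid EV, so either state that invariant in a comment or guard it with `bool is_valid_ev = (ssl_status.cert_status & net::CERT_STATUS_IS_EV) && !net::IsCertStatusError(ssl_status.cert_status);`. Separately, `sct_list` is a by-value copy of `ssl_status.signed_certificate_timestamp_ids` that is only read, and the loop compares a mutable iterator with `<`; `const SignedCertificateTimestampIDStatusList& sct_list = ssl_status.signed_certificate_timestamp_ids;` with `for (const auto& sct : sct_list)` avoids the copy and reads more directly. SetSecurityStyleAndDetails begins above this hunk, so earlier handling of `cert_status` may already cover the first point.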
