Add information to SSLInfo about CT EV policy compliance

net/quic/crypto/proof_verifier_chromium.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/proof_verifier_chromium.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
 #include "crypto/signature_verifier.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/ssl/ssl_config_service.h"
 
 using base::StringPiece;
 using base::StringPrintf;
@@ skipping 241 matching lines @@
                  base::Unretained(this)),
       &cert_verifier_request_, net_log_);
 }
 
 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
   cert_verifier_request_.reset();
 
   const CertVerifyResult& cert_verify_result =
       verify_details_->cert_verify_result;
   const CertStatus cert_status = cert_verify_result.cert_status;
+  verify_details_->ct_verify_result.ct_policies_applied =
+      (result == OK && policy_enforcer_ != nullptr);
+  verify_details_->ct_verify_result.ev_policy_compliance =
+      ct::EV_POLICY_DOES_NOT_APPLY;
   if (result == OK && policy_enforcer_ &&
       (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
-    if (!policy_enforcer_->DoesConformToCTEVPolicy(
+    ct::EVPolicyCompliance ev_policy_compliance =
+        policy_enforcer_->DoesConformToCTEVPolicy(
             cert_verify_result.verified_cert.get(),
             SSLConfigService::GetEVCertsWhitelist().get(),
-            verify_details_->ct_verify_result, net_log_)) {
+            verify_details_->ct_verify_result.verified_scts, net_log_);
+    verify_details_->ct_verify_result.ev_policy_compliance =
+        ev_policy_compliance;
+    if (ev_policy_compliance != ct::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+        ev_policy_compliance != ct::EV_POLICY_COMPLIES_VIA_SCTS) {

[Ryan Sleevi, 2016/02/11 02:57:24]

Why does DOES_NOT_APPLY not need to be checked here? I would think that if a
policy does not apply, it remains EV.

I'm strictly speaking from an interface perspective - I totally understand that
DOES_NOT_APPLY doesn't apply here, but that's only because all the intersecting
files are in this CL...

If it really should apply, but not be used for EV, perhaps that name should be
changed?

[estark, 2016/02/11 04:06:20]

Oh, I think we should just be checking for DOES_NOT_APPLY here, fixed.

       verify_details_->cert_verify_result.cert_status |=
           CERT_STATUS_CT_COMPLIANCE_FAILED;
       verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
     }
   }
 
   // TODO(estark): replace 0 below with the port of the connection.
   if (transport_security_state_ &&
       (result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
@@ skipping 133 matching lines @@
   }
   return status;
 }
 
 void ProofVerifierChromium::OnJobComplete(Job* job) {
   active_jobs_.erase(job);
   delete job;
 }
 
 }  // namespace net