Add information to SSLInfo about CT EV policy compliance

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 77 matching lines @@
 #include "crypto/scoped_nss_types.h"
 #include "net/base/address_list.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/sockaddr_storage.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/scoped_nss_types.h"
 #include "net/cert/sct_status_flags.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util.h"
 #include "net/cert_net/nss_ocsp.h"
 #include "net/dns/dns_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log.h"
@@ skipping 2295 matching lines @@
   ssl_info->Reset();
   if (core_->state().server_cert_chain.empty() ||
       !core_->state().server_cert_chain[0]) {
     return false;
   }
 
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   ssl_info->cert = server_cert_verify_result_.verified_cert;
   ssl_info->unverified_cert = core_->state().server_cert;
 
-  AddSCTInfoToSSLInfo(ssl_info);
+  AddCTInfoToSSLInfo(ssl_info);
 
   ssl_info->connection_status =
       core_->state().ssl_connection_status;
   ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_.is_issued_by_known_root;
   ssl_info->client_cert_sent =
       ssl_config_.send_client_cert && ssl_config_.client_cert.get();
   ssl_info->channel_id_sent = core_->state().channel_id_sent;
   ssl_info->pinning_failure_log = pinning_failure_log_;
@@ skipping 695 matching lines @@
   // Note that this is a completely synchronous operation: The CT Log Verifier
   // gets all the data it needs for SCT verification and does not do any
   // external communication.
   cert_transparency_verifier_->Verify(
       server_cert_verify_result_.verified_cert.get(),
       core_->state().stapled_ocsp_response,
       core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_);
   // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
   // from the state after verification is complete, to conserve memory.
 
+  ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
+  ct_verify_result_.ev_policy_compliance = ct::EV_POLICY_DOES_NOT_APPLY;
   if (policy_enforcer_ &&
       (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
     scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
         SSLConfigService::GetEVCertsWhitelist();
-    if (!policy_enforcer_->DoesConformToCTEVPolicy(
+    ct_verify_result_.ev_policy_compliance =

[Ryan Sleevi, 2016/02/18 06:46:52]

nit: in the QUIC code, a temporary is used, in this code, it's directly written
to the ct_verify_result_

I don't have feelings one way or the other - whatever makes the code more
readable - but at least when reviewing this CL, the inconsistency was noticable
:)

[estark, 2016/02/18 19:24:32]

Done -- used a temporary everywhere.

+        policy_enforcer_->DoesConformToCTEVPolicy(
             server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
-            ct_verify_result_, net_log_)) {
+            ct_verify_result_.verified_scts, net_log_);
+    if (ct_verify_result_.ev_policy_compliance !=
+            ct::EV_POLICY_DOES_NOT_APPLY &&
+        ct_verify_result_.ev_policy_compliance !=
+            ct::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+        ct_verify_result_.ev_policy_compliance !=
+            ct::EV_POLICY_COMPLIES_VIA_SCTS) {
       // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
       VLOG(1) << "EV certificate for "
               << server_cert_verify_result_.verified_cert->subject()
                      .GetDisplayName()
               << " does not conform to CT policy, removing EV status.";
       server_cert_verify_result_.cert_status |=
           CERT_STATUS_CT_COMPLIANCE_FAILED;
       server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
     }
   }
 }
 
 void SSLClientSocketNSS::EnsureThreadIdAssigned() const {
   base::AutoLock auto_lock(lock_);
   if (valid_thread_id_ != base::kInvalidThreadId)
     return;
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
-void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
-  ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_);
+void SSLClientSocketNSS::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const {
+  ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_);
 }
 
 // static
 void SSLClientSocketNSS::ReorderNextProtos(NextProtoVector* next_protos) {
   if (next_protos->size() < 2) {
     return;
   }
 
   NextProto fallback_proto = next_protos->back();
   for (size_t i = next_protos->size() - 1; i > 0; --i) {
@@ skipping 13 matching lines @@
   return ERR_NOT_IMPLEMENTED;
 }
 
 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const {
   if (completed_handshake_)
     return SSL_FAILURE_NONE;
   return SSL_FAILURE_UNKNOWN;
 }
 
 }  // namespace net