Add information to SSLInfo about CT EV policy compliance

net/ssl/ssl_info.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SSL_SSL_INFO_H_
 #define NET_SSL_SSL_INFO_H_
 
 #include <vector>
 
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
 #include "net/cert/cert_status_flags.h"
+#include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/sct_status_flags.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/ssl/signed_certificate_timestamp_and_status.h"
 #include "net/ssl/ssl_config.h"
 
 namespace net {
 
 class X509Certificate;
 
 // SSL connection info.
 // This is really a struct.  All members are public.
 class NET_EXPORT SSLInfo {
  public:
   // HandshakeType enumerates the possible resumption cases after an SSL
   // handshake.
   enum HandshakeType {
     HANDSHAKE_UNKNOWN = 0,
     HANDSHAKE_RESUME,  // we resumed a previous session.
     HANDSHAKE_FULL,  // we negotiated a new session.
   };
 
+  // Contains information about the Certificate Transparency (CT)
+  // policies that were applied on this connection, whether the
+  // connection complied with these policies, and why
+  // the connection was considered non-compliant, if applicable.
+  struct CTPolicyComplianceDetails {
+    CTPolicyComplianceDetails();
+
+    // True if Certificate Transparency policies were applied on this
+    // connection and results were stored in the rest of the fields in
+    // the struct. This field might be false because, for example, no
+    // CTPolicyEnforcer was in use when the connection was set up, or
+    // because this SSLInfo was serialized and deserialized without
+    // storing the compliance information.

[Ryan Sleevi, 2016/02/05 02:09:25]

The 'for example' feels like it's documenting implementation, not interface. If
you strip that, does the remainder make sense and provide enough context?

[estark, 2016/02/08 08:36:26]

I suppose so. I wanted to make it clear that false doesn't necessarily mean that
CT policies weren't applied, just that we don't have any information about them
(i.e. false could mean that CT policies were applied but we don't have the
details about them around anymore because we read the response out of the
cache). But hopefully the name makes that clear too (|available| instead of
|applied|).

+    bool compliance_details_available;
+
+    // Whether the connection complied with the CT EV policy, and if
+    // not, why not.
+    CTPolicyEnforcer::EVPolicyCompliance ev_policy_compliance;
+  };
+
   SSLInfo();
   SSLInfo(const SSLInfo& info);
   ~SSLInfo();
   SSLInfo& operator=(const SSLInfo& info);
 
   void Reset();
 
   bool is_valid() const { return cert.get() != NULL; }
 
   // Adds the specified |error| to the cert status.
   void SetCertError(int error);
 
-  // Adds the SignedCertificateTimestamps from ct_verify_result to
-  // |signed_certificate_timestamps|.  SCTs are held in three separate vectors
-  // in ct_verify_result, each vetor representing a particular verification
-  // state, this method associates each of the SCTs with the corresponding
-  // SCTVerifyStatus as it adds it to the |signed_certificate_timestamps| list.
-  void UpdateSignedCertificateTimestamps(
+  // Adds the SignedCertificateTimestamps and policy compliance details
+  // from ct_verify_result to |signed_certificate_timestamps| and
+  // |ct_policy_compliance_details|.  SCTs are held in three separate
+  // vectors in ct_verify_result, each vetor representing a particular
+  // verification state, this method associates each of the SCTs with
+  // the corresponding SCTVerifyStatus as it adds it to the
+  // |signed_certificate_timestamps| list.
+  void UpdateCertificateTransparencyInfo(
       const ct::CTVerifyResult& ct_verify_result);
 
   // The SSL certificate.
   scoped_refptr<X509Certificate> cert;
 
   // The SSL certificate as received by the client. Can be different
   // from |cert|, which is the chain as built by the client during
   // validation.
   scoped_refptr<X509Certificate> unverified_cert;
 
@@ skipping 45 matching lines @@
   HashValueVector public_key_hashes;
 
   // pinning_failure_log contains a message produced by
   // TransportSecurityState::PKPState::CheckPublicKeyPins in the event of a
   // pinning failure. It is a (somewhat) human-readable string.
   std::string pinning_failure_log;
 
   // List of SignedCertificateTimestamps and their corresponding validation
   // status.
   SignedCertificateTimestampAndStatusList signed_certificate_timestamps;
+
+  // Details about the Certificate Transparency policies that were
+  // applied to this connection. Be sure to check the
+  // |compliance_details_available| field inside before using any of the
+  // other fields, because information about CT policies might not be
+  // available (for example, because this SSLInfo was serialized without
+  // storing the CT policy details and subsequently deserialized).
+  CTPolicyComplianceDetails ct_policy_compliance_details;
 };
 
 }  // namespace net
 
 #endif  // NET_SSL_SSL_INFO_H_