Add information to SSLInfo about CT EV policy compliance

net/cert/ct_policy_enforcer.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #ifndef NET_CERT_CT_POLICY_ENFORCER_H
 #define NET_CERT_CT_POLICY_ENFORCER_H
 
 #include <stddef.h>
 
 #include "net/base/net_export.h"
+#include "net/cert/signed_certificate_timestamp.h"
 #include "net/log/net_log.h"
 
 namespace net {
 
 namespace ct {
 
-struct CTVerifyResult;
 class EVCertsWhitelist;
 
 }  // namespace ct
 
 class X509Certificate;
 
+using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
+
 // Class for checking that a given certificate conforms to security-related
 // policies.
 class NET_EXPORT CTPolicyEnforcer {
  public:
+  // Information about the connection's compliance with the EV
+  // certificate policy.
+  enum EVPolicyCompliance {
+    // The certificate was not EV, so the EV policy doesn't apply.
+    EV_POLICY_DOES_NOT_APPLY = 0,
+    // The connection complied with the EV certificate policy by being
+    // included on the EV whitelist.
+    EV_POLICY_COMPLIES_VIA_WHITELIST,
+    // The connection complied with the EV certificate policy by
+    // including SCTs that satisfy the policy.
+    EV_POLICY_COMPLIES_VIA_SCTS,
+    // The connection did not have enough SCTs to retain its EV
+    // status.
+    EV_POLICY_NOT_ENOUGH_SCTS,
+    // The connection did not have diverse enough SCTs to retain its
+    // EV status.
+    EV_POLICY_NOT_DIVERSE_SCTS,
+    // The connection cannot be considered compliant because the build
+    // isn't timely and therefore log information might be out of date
+    // (for example a log might no longer be considered trustworthy).
+    EV_POLICY_BUILD_NOT_TIMELY,
+  };
+
   CTPolicyEnforcer() {}
   virtual ~CTPolicyEnforcer() {}
 
-  // Returns true if the collection of SCTs for the given certificate
-  // conforms with the CT/EV policy. Conformance details are logged to
-  // |net_log|.
+  // Returns an enum indicating if the collection of SCTs for the given
+  // certificate conforms with the CT/EV policy. Conformance details are logged
+  // to |net_log|.
   // |cert| is the certificate for which the SCTs apply.
-  // |ct_result| must contain the result of verifying any SCTs associated with
-  // |cert| prior to invoking this method.
-  virtual bool DoesConformToCTEVPolicy(X509Certificate* cert,
-                                       const ct::EVCertsWhitelist* ev_whitelist,
-                                       const ct::CTVerifyResult& ct_result,
-                                       const BoundNetLog& net_log);
+  // |verified_scts| contains any SCTs associated with |cert| that were
+  // verified prior to invoking this method and found to be valid.
+  virtual EVPolicyCompliance DoesConformToCTEVPolicy(
+      X509Certificate* cert,
+      const ct::EVCertsWhitelist* ev_whitelist,
+      const SCTList& verified_scts,
+      const BoundNetLog& net_log);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_CT_POLICY_ENFORCER_H