Add information to SSLInfo about CT EV policy compliance

net/ssl/ssl_info.h

Index: net/ssl/ssl_info.h
diff --git a/net/ssl/ssl_info.h b/net/ssl/ssl_info.h
index 40dec2865729bb3e431dfc1641f46d0a6086193e..d5ef1d1e1dcdb9a6276a85bec2e71c6d2e667ec5 100644
--- a/net/ssl/ssl_info.h
+++ b/net/ssl/ssl_info.h
@@ -10,6 +10,8 @@
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
 #include "net/cert/cert_status_flags.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/sct_status_flags.h"
 #include "net/cert/x509_cert_types.h"
@@ -32,6 +34,23 @@ class NET_EXPORT SSLInfo {
     HANDSHAKE_FULL,  // we negotiated a new session.
   };
 
+  // Contains information about the Certificate Transparency (CT)
+  // policies that were applied on this connection, whether the
+  // connection complied with these policies, and why
+  // the connection was considered non-compliant, if applicable.
+  struct CTPolicyComplianceDetails {

[Ryan Sleevi, 2016/02/11 02:57:24]

I'm not sure why you introduced a struct for this - is it just to namespace the
variables?

It's unclear why these just wouldn't be normal members of the SSLInfo struct,
grouped into sections.

[estark, 2016/02/11 04:06:20]

Yeah, the struct was just to group them together. Changed to normal fields in
their own little section.

+    CTPolicyComplianceDetails();
+
+    // True if Certificate Transparency policies were applied on this
+    // connection and results were stored in the rest of the fields in
+    // the struct.
+    bool compliance_details_available;
+
+    // Whether the connection complied with the CT EV policy, and if
+    // not, why not.
+    ct::EVPolicyCompliance ev_policy_compliance;
+  };
+
   SSLInfo();
   SSLInfo(const SSLInfo& info);
   ~SSLInfo();
@@ -44,12 +63,14 @@ class NET_EXPORT SSLInfo {
   // Adds the specified |error| to the cert status.
   void SetCertError(int error);
 
-  // Adds the SignedCertificateTimestamps from ct_verify_result to
-  // |signed_certificate_timestamps|.  SCTs are held in three separate vectors
-  // in ct_verify_result, each vetor representing a particular verification
-  // state, this method associates each of the SCTs with the corresponding
-  // SCTVerifyStatus as it adds it to the |signed_certificate_timestamps| list.
-  void UpdateSignedCertificateTimestamps(
+  // Adds the SignedCertificateTimestamps and policy compliance details
+  // from ct_verify_result to |signed_certificate_timestamps| and
+  // |ct_policy_compliance_details|.  SCTs are held in three separate
+  // vectors in ct_verify_result, each vetor representing a particular
+  // verification state, this method associates each of the SCTs with
+  // the corresponding SCTVerifyStatus as it adds it to the
+  // |signed_certificate_timestamps| list.
+  void UpdateCertificateTransparencyInfo(
       const ct::CTVerifyResult& ct_verify_result);
 
   // The SSL certificate.
@@ -115,6 +136,14 @@ class NET_EXPORT SSLInfo {
   // List of SignedCertificateTimestamps and their corresponding validation
   // status.
   SignedCertificateTimestampAndStatusList signed_certificate_timestamps;
+
+  // Details about the Certificate Transparency policies that were
+  // applied to this connection. Be sure to check the
+  // |compliance_details_available| field inside before using any of the
+  // other fields, because information about CT policies might not be
+  // available (for example, because this SSLInfo was serialized without
+  // storing the CT policy details and subsequently deserialized).
+  CTPolicyComplianceDetails ct_policy_compliance_details;
 };
 
 }  // namespace net