Add information to SSLInfo about CT EV policy compliance

net/cert/ct_policy_enforcer.h

Index: net/cert/ct_policy_enforcer.h
diff --git a/net/cert/ct_policy_enforcer.h b/net/cert/ct_policy_enforcer.h
index 8c29da5ecb3a9891ef2be90a55ae873ab61c91d4..1c52c0e771cdd7590a485eeed7801ea7b1cd262e 100644
--- a/net/cert/ct_policy_enforcer.h
+++ b/net/cert/ct_policy_enforcer.h
@@ -7,19 +7,22 @@
 #include <stddef.h>
 
 #include "net/base/net_export.h"
+#include "net/cert/ct_policy_status.h"
+#include "net/cert/signed_certificate_timestamp.h"
 #include "net/log/net_log.h"
 
 namespace net {
 
 namespace ct {
 
-struct CTVerifyResult;
 class EVCertsWhitelist;
 
 }  // namespace ct
 
 class X509Certificate;
 
+using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;

[Ryan Sleevi, 2016/02/18 06:46:51]

Missing include: vector

[estark, 2016/02/18 19:24:31]

Done.

+
 // Class for checking that a given certificate conforms to security-related
 // policies.
 class NET_EXPORT CTPolicyEnforcer {
@@ -27,16 +30,17 @@ class NET_EXPORT CTPolicyEnforcer {
   CTPolicyEnforcer() {}
   virtual ~CTPolicyEnforcer() {}
 
-  // Returns true if the collection of SCTs for the given certificate
-  // conforms with the CT/EV policy. Conformance details are logged to
-  // |net_log|.
+  // Returns an enum indicating if the collection of SCTs for the given
+  // certificate conforms with the CT/EV policy. Conformance details are logged

[Ryan Sleevi, 2016/02/18 06:46:51]

Comment nit:
It feels weird to say "returns an enum" (that feels a bit like documenting the
interface prosaically) and it feels weird to say "if", since it always returns
an enum

// Returns the compliance status to the CT/EV policy for a given certificate and
collection of SCTs.
// |cert| is the certificate to check the compliance of, and |verified_scts|
contains any/all SCTs
// associated with |cert| that have been verified (well-formed, issued by known
logs, applying to
// |cert|)

There's probably better ways to phrase that, but that gives the rough idea.

[estark, 2016/02/18 19:24:31]

Done.

+  // to |net_log|.
   // |cert| is the certificate for which the SCTs apply.
-  // |ct_result| must contain the result of verifying any SCTs associated with
-  // |cert| prior to invoking this method.
-  virtual bool DoesConformToCTEVPolicy(X509Certificate* cert,
-                                       const ct::EVCertsWhitelist* ev_whitelist,
-                                       const ct::CTVerifyResult& ct_result,
-                                       const BoundNetLog& net_log);
+  // |verified_scts| contains any SCTs associated with |cert| that were
+  // verified prior to invoking this method and found to be valid.
+  virtual ct::EVPolicyCompliance DoesConformToCTEVPolicy(
+      X509Certificate* cert,
+      const ct::EVCertsWhitelist* ev_whitelist,
+      const SCTList& verified_scts,
+      const BoundNetLog& net_log);
 };
 
 }  // namespace net