Index: net/socket/ssl_client_socket_nss.cc |
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
index 5619247ff26e7829b46b70c2d419863f49223ac3..9287e2ad7c162fb1129883779a278987a760e146 100644 |
--- a/net/socket/ssl_client_socket_nss.cc |
+++ b/net/socket/ssl_client_socket_nss.cc |
@@ -95,6 +95,7 @@ |
#include "net/cert/cert_verifier.h" |
#include "net/cert/ct_ev_whitelist.h" |
#include "net/cert/ct_policy_enforcer.h" |
+#include "net/cert/ct_policy_status.h" |
#include "net/cert/ct_verifier.h" |
#include "net/cert/ct_verify_result.h" |
#include "net/cert/scoped_nss_types.h" |
@@ -2410,7 +2411,7 @@ bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) { |
ssl_info->cert = server_cert_verify_result_.verified_cert; |
ssl_info->unverified_cert = core_->state().server_cert; |
- AddSCTInfoToSSLInfo(ssl_info); |
+ AddCTInfoToSSLInfo(ssl_info); |
ssl_info->connection_status = |
core_->state().ssl_connection_status; |
@@ -3126,13 +3127,22 @@ void SSLClientSocketNSS::VerifyCT() { |
// TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
// from the state after verification is complete, to conserve memory. |
+ ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); |
+ ct_verify_result_.ev_policy_compliance = ct::EV_POLICY_DOES_NOT_APPLY; |
if (policy_enforcer_ && |
(server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { |
scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
SSLConfigService::GetEVCertsWhitelist(); |
- if (!policy_enforcer_->DoesConformToCTEVPolicy( |
+ ct_verify_result_.ev_policy_compliance = |
Ryan Sleevi
2016/02/18 06:46:52
nit: in the QUIC code, a temporary is used, in thi
estark
2016/02/18 19:24:32
Done -- used a temporary everywhere.
|
+ policy_enforcer_->DoesConformToCTEVPolicy( |
server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), |
- ct_verify_result_, net_log_)) { |
+ ct_verify_result_.verified_scts, net_log_); |
+ if (ct_verify_result_.ev_policy_compliance != |
+ ct::EV_POLICY_DOES_NOT_APPLY && |
+ ct_verify_result_.ev_policy_compliance != |
+ ct::EV_POLICY_COMPLIES_VIA_WHITELIST && |
+ ct_verify_result_.ev_policy_compliance != |
+ ct::EV_POLICY_COMPLIES_VIA_SCTS) { |
// TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
VLOG(1) << "EV certificate for " |
<< server_cert_verify_result_.verified_cert->subject() |
@@ -3158,8 +3168,8 @@ bool SSLClientSocketNSS::CalledOnValidThread() const { |
return valid_thread_id_ == base::PlatformThread::CurrentId(); |
} |
-void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const { |
- ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_); |
+void SSLClientSocketNSS::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const { |
+ ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_); |
} |
// static |