| Index: net/socket/ssl_client_socket_nss.cc
|
| diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
|
| index 5619247ff26e7829b46b70c2d419863f49223ac3..9526c1cd9fe210dff371c3ae45c36d9ba9e87cd7 100644
|
| --- a/net/socket/ssl_client_socket_nss.cc
|
| +++ b/net/socket/ssl_client_socket_nss.cc
|
| @@ -95,6 +95,7 @@
|
| #include "net/cert/cert_verifier.h"
|
| #include "net/cert/ct_ev_whitelist.h"
|
| #include "net/cert/ct_policy_enforcer.h"
|
| +#include "net/cert/ct_policy_status.h"
|
| #include "net/cert/ct_verifier.h"
|
| #include "net/cert/ct_verify_result.h"
|
| #include "net/cert/scoped_nss_types.h"
|
| @@ -2410,7 +2411,7 @@ bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
|
| ssl_info->cert = server_cert_verify_result_.verified_cert;
|
| ssl_info->unverified_cert = core_->state().server_cert;
|
|
|
| - AddSCTInfoToSSLInfo(ssl_info);
|
| + AddCTInfoToSSLInfo(ssl_info);
|
|
|
| ssl_info->connection_status =
|
| core_->state().ssl_connection_status;
|
| @@ -3126,13 +3127,24 @@ void SSLClientSocketNSS::VerifyCT() {
|
| // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
|
| // from the state after verification is complete, to conserve memory.
|
|
|
| + ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
|
| + ct_verify_result_.ev_policy_compliance =
|
| + ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
|
| if (policy_enforcer_ &&
|
| (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
|
| scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
|
| SSLConfigService::GetEVCertsWhitelist();
|
| - if (!policy_enforcer_->DoesConformToCTEVPolicy(
|
| + ct::EVPolicyCompliance ev_policy_compliance =
|
| + policy_enforcer_->DoesConformToCTEVPolicy(
|
| server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
|
| - ct_verify_result_, net_log_)) {
|
| + ct_verify_result_.verified_scts, net_log_);
|
| + ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
|
| + if (ev_policy_compliance !=
|
| + ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
|
| + ev_policy_compliance !=
|
| + ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
|
| + ev_policy_compliance !=
|
| + ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
|
| // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
|
| VLOG(1) << "EV certificate for "
|
| << server_cert_verify_result_.verified_cert->subject()
|
| @@ -3158,8 +3170,8 @@ bool SSLClientSocketNSS::CalledOnValidThread() const {
|
| return valid_thread_id_ == base::PlatformThread::CurrentId();
|
| }
|
|
|
| -void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
|
| - ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_);
|
| +void SSLClientSocketNSS::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const {
|
| + ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_);
|
| }
|
|
|
| // static
|
|
|
Chromium Code Reviews
Issue 1652603002:
Add information to SSLInfo about CT EV policy compliance (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master