Index: net/ssl/ssl_info.h |
diff --git a/net/ssl/ssl_info.h b/net/ssl/ssl_info.h |
index 40dec2865729bb3e431dfc1641f46d0a6086193e..a96d9712735d9912e8ba4f52524736475ad2c68e 100644 |
--- a/net/ssl/ssl_info.h |
+++ b/net/ssl/ssl_info.h |
@@ -10,6 +10,7 @@ |
#include "base/memory/ref_counted.h" |
#include "net/base/net_export.h" |
#include "net/cert/cert_status_flags.h" |
+#include "net/cert/ct_policy_enforcer.h" |
#include "net/cert/ct_verify_result.h" |
#include "net/cert/sct_status_flags.h" |
#include "net/cert/x509_cert_types.h" |
@@ -32,6 +33,26 @@ class NET_EXPORT SSLInfo { |
HANDSHAKE_FULL, // we negotiated a new session. |
}; |
+ // Contains information about the Certificate Transparency (CT) |
+ // policies that were applied on this connection, whether the |
+ // connection complied with these policies, and why |
+ // the connection was considered non-compliant, if applicable. |
+ struct CTPolicyComplianceDetails { |
+ CTPolicyComplianceDetails(); |
+ |
+ // True if Certificate Transparency policies were applied on this |
+ // connection and results were stored in the rest of the fields in |
+ // the struct. This field might be false because, for example, no |
+ // CTPolicyEnforcer was in use when the connection was set up, or |
+ // because this SSLInfo was serialized and deserialized without |
+ // storing the compliance information. |
Ryan Sleevi
2016/02/05 02:09:25
The 'for example' feels like it's documenting impl
estark
2016/02/08 08:36:26
I suppose so. I wanted to make it clear that false
|
+ bool compliance_details_available; |
+ |
+ // Whether the connection complied with the CT EV policy, and if |
+ // not, why not. |
+ CTPolicyEnforcer::EVPolicyCompliance ev_policy_compliance; |
+ }; |
+ |
SSLInfo(); |
SSLInfo(const SSLInfo& info); |
~SSLInfo(); |
@@ -44,12 +65,14 @@ class NET_EXPORT SSLInfo { |
// Adds the specified |error| to the cert status. |
void SetCertError(int error); |
- // Adds the SignedCertificateTimestamps from ct_verify_result to |
- // |signed_certificate_timestamps|. SCTs are held in three separate vectors |
- // in ct_verify_result, each vetor representing a particular verification |
- // state, this method associates each of the SCTs with the corresponding |
- // SCTVerifyStatus as it adds it to the |signed_certificate_timestamps| list. |
- void UpdateSignedCertificateTimestamps( |
+ // Adds the SignedCertificateTimestamps and policy compliance details |
+ // from ct_verify_result to |signed_certificate_timestamps| and |
+ // |ct_policy_compliance_details|. SCTs are held in three separate |
+ // vectors in ct_verify_result, each vetor representing a particular |
+ // verification state, this method associates each of the SCTs with |
+ // the corresponding SCTVerifyStatus as it adds it to the |
+ // |signed_certificate_timestamps| list. |
+ void UpdateCertificateTransparencyInfo( |
const ct::CTVerifyResult& ct_verify_result); |
// The SSL certificate. |
@@ -115,6 +138,14 @@ class NET_EXPORT SSLInfo { |
// List of SignedCertificateTimestamps and their corresponding validation |
// status. |
SignedCertificateTimestampAndStatusList signed_certificate_timestamps; |
+ |
+ // Details about the Certificate Transparency policies that were |
+ // applied to this connection. Be sure to check the |
+ // |compliance_details_available| field inside before using any of the |
+ // other fields, because information about CT policies might not be |
+ // available (for example, because this SSLInfo was serialized without |
+ // storing the CT policy details and subsequently deserialized). |
+ CTPolicyComplianceDetails ct_policy_compliance_details; |
}; |
} // namespace net |
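Review bot: The header does not state what `CTPolicyComplianceDetails()` initializes its two fields to, so a caller that reads `ev_policy_compliance` without first testing `compliance_details_available` (the comment on `ct_policy_compliance_details` only asks them to) cannot tell from this file whether the default fails closed; the constructor body lives outside this hunk. Assuming the constructor sets `compliance_details_available` to false, a one-line comment on its declaration would pin that contract in the header, e.g. `// Initializes compliance_details_available to false; the other fields are meaningful only once it is true.` The rewritten comment on `UpdateCertificateTransparencyInfo` also carries over the pre-existing typo `vetor`, which should read `vector`.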