Chromium Code Reviews Chromium Code Reviews
Issue 1652603002:
Add information to SSLInfo about CT EV policy compliance (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: net/ssl/ssl_info.h |
| diff --git a/net/ssl/ssl_info.h b/net/ssl/ssl_info.h |
| index 40dec2865729bb3e431dfc1641f46d0a6086193e..a96d9712735d9912e8ba4f52524736475ad2c68e 100644 |
| --- a/net/ssl/ssl_info.h |
| +++ b/net/ssl/ssl_info.h |
| @@ -10,6 +10,7 @@ |
| #include "base/memory/ref_counted.h" |
| #include "net/base/net_export.h" |
| #include "net/cert/cert_status_flags.h" |
| +#include "net/cert/ct_policy_enforcer.h" |
| #include "net/cert/ct_verify_result.h" |
| #include "net/cert/sct_status_flags.h" |
| #include "net/cert/x509_cert_types.h" |
| @@ -32,6 +33,26 @@ class NET_EXPORT SSLInfo { |
| HANDSHAKE_FULL, // we negotiated a new session. |
| }; |
| + // Contains information about the Certificate Transparency (CT) |
| + // policies that were applied on this connection, whether the |
| + // connection complied with these policies, and why |
| + // the connection was considered non-compliant, if applicable. |
| + struct CTPolicyComplianceDetails { |
| + CTPolicyComplianceDetails(); |
| + |
| + // True if Certificate Transparency policies were applied on this |
| + // connection and results were stored in the rest of the fields in |
| + // the struct. This field might be false because, for example, no |
| + // CTPolicyEnforcer was in use when the connection was set up, or |
| + // because this SSLInfo was serialized and deserialized without |
| + // storing the compliance information. |
|
Ryan Sleevi
2016/02/05 02:09:25
The 'for example' feels like it's documenting impl
estark
2016/02/08 08:36:26
I suppose so. I wanted to make it clear that false
|
| + bool compliance_details_available; |
| + |
| + // Whether the connection complied with the CT EV policy, and if |
| + // not, why not. |
| + CTPolicyEnforcer::EVPolicyCompliance ev_policy_compliance; |
| + }; |
| + |
| SSLInfo(); |
| SSLInfo(const SSLInfo& info); |
| ~SSLInfo(); |
| @@ -44,12 +65,14 @@ class NET_EXPORT SSLInfo { |
| // Adds the specified |error| to the cert status. |
| void SetCertError(int error); |
| - // Adds the SignedCertificateTimestamps from ct_verify_result to |
| - // |signed_certificate_timestamps|. SCTs are held in three separate vectors |
| - // in ct_verify_result, each vetor representing a particular verification |
| - // state, this method associates each of the SCTs with the corresponding |
| - // SCTVerifyStatus as it adds it to the |signed_certificate_timestamps| list. |
| - void UpdateSignedCertificateTimestamps( |
| + // Adds the SignedCertificateTimestamps and policy compliance details |
| + // from ct_verify_result to |signed_certificate_timestamps| and |
| + // |ct_policy_compliance_details|. SCTs are held in three separate |
| + // vectors in ct_verify_result, each vetor representing a particular |
| + // verification state, this method associates each of the SCTs with |
| + // the corresponding SCTVerifyStatus as it adds it to the |
| + // |signed_certificate_timestamps| list. |
| + void UpdateCertificateTransparencyInfo( |
| const ct::CTVerifyResult& ct_verify_result); |
| // The SSL certificate. |
| @@ -115,6 +138,14 @@ class NET_EXPORT SSLInfo { |
| // List of SignedCertificateTimestamps and their corresponding validation |
| // status. |
| SignedCertificateTimestampAndStatusList signed_certificate_timestamps; |
| + |
| + // Details about the Certificate Transparency policies that were |
| + // applied to this connection. Be sure to check the |
| + // |compliance_details_available| field inside before using any of the |
| + // other fields, because information about CT policies might not be |
| + // available (for example, because this SSLInfo was serialized without |
| + // storing the CT policy details and subsequently deserialized). |
| + CTPolicyComplianceDetails ct_policy_compliance_details; |
| }; |
| } // namespace net |
