Addition of Certificate Transparency details to Security panel of DevTools

content/child/web_url_loader_impl.cc

Index: content/child/web_url_loader_impl.cc
diff --git a/content/child/web_url_loader_impl.cc b/content/child/web_url_loader_impl.cc
index b2a6f15ba1564d73482c11b5bc7f0f6c7d530cda..d3a04b5e40b2d98289bd902327c6a23900bdc70b 100644
--- a/content/child/web_url_loader_impl.cc
+++ b/content/child/web_url_loader_impl.cc
@@ -17,6 +17,7 @@
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/single_thread_task_runner.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
@@ -43,7 +44,7 @@
 #include "net/base/filename_util.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_status_flags.h"
-#include "net/cert/sct_status_flags.h"
+#include "net/cert/ct_sct_to_string.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
@@ -188,7 +189,7 @@ int GetInfoFromDataURL(const GURL& url,
 }
 
 void SetSecurityStyleAndDetails(const GURL& url,
-                                const std::string& security_info,
+                                const ResourceResponseInfo& info,
                                 WebURLResponse* response,
                                 bool report_security_info) {
   if (!report_security_info) {
@@ -202,6 +203,7 @@ void SetSecurityStyleAndDetails(const GURL& url,
 
   // There are cases where an HTTPS request can come in without security
   // info attached (such as a redirect response).
+  const std::string& security_info = info.security_info;
   if (security_info.empty()) {
     response->setSecurityStyle(WebURLResponse::SecurityStyleUnknown);
     return;
@@ -259,10 +261,38 @@ void SetSecurityStyleAndDetails(const GURL& url,
   size_t num_invalid_scts = ssl_status.num_invalid_scts;
   size_t num_valid_scts = ssl_status.num_valid_scts;
 
+  blink::WebURLResponse::SignedCertificateTimestampList sct_list(
+      info.signed_certificate_timestamps.size());
+
+  for (size_t i = 0; i < sct_list.size(); ++i) {

[Mike West, 2016/06/23 06:48:01]

Can you not iterate through `info.signed_certificate_timestamps` with a fancy
new C++11 for loop?

[dwaxweiler, 2016/06/23 11:53:02]

This is possible, but I would still need a counter for sct_list.

[Mike West, 2016/06/23 16:32:30]

`sct_list.append(sct)` seems like it would work. This is a nit; it's not
terribly important, but dropping the assignment below, and not thinking about
sizes anymore seems like a (small) win.

[dwaxweiler, 2016/06/28 09:51:06]

Unfortunately, blink::WebVector does not provide such a handy method.

+    const net::SignedCertificateTimestampAndStatus& sct_and_status =
+        info.signed_certificate_timestamps[i];
+    // Extract SCT's details.
+    blink::WebURLResponse::SignedCertificateTimestamp sct(

[Charlie Reis, 2016/06/21 23:44:03]

This seems too complicated to be embedded inside this already complex function. 
I'm guessing we can't do it inside SignedCertificateTimestamp because Blink
shouldn't depend on net::SignedCertificateTimestampAndStatus?

At the least, we should have a conversion helper function.

[dwaxweiler, 2016/06/23 11:53:02]

Acknowledged.

+        WebString::fromUTF8(net::ct::StatusToString(sct_and_status.status)),
+        WebString::fromUTF8(
+            net::ct::OriginToString(sct_and_status.sct->origin)),
+        WebString::fromUTF8(sct_and_status.sct->log_description),
+        WebString::fromUTF8(
+            base::HexEncode(reinterpret_cast<const unsigned char*>(

[Charlie Reis, 2016/06/21 23:44:03]

We generally don't like using reinterpret_casts.  Is there a way to avoid it?

[dwaxweiler, 2016/06/23 11:53:02]

I am not aware of an alternative, but I am willing to learn.

[Mike West, 2016/06/23 16:32:30]

Wouldn't `base::HexEncode(sct_and_status.sct->log_id.c_str(),
sct_and_status.sct->log_id.size())` work? I don't understand what the cast is
doing for you here.

[dwaxweiler, 2016/06/28 09:51:06]

You are totally right!

+                                sct_and_status.sct->log_id.data()),
+                            sct_and_status.sct->log_id.length())),
+        sct_and_status.sct->timestamp.ToJavaTime(),
+        WebString::fromUTF8(net::ct::HashAlgorithmToString(
+            sct_and_status.sct->signature.hash_algorithm)),
+        WebString::fromUTF8(net::ct::SignatureAlgorithmToString(
+            sct_and_status.sct->signature.signature_algorithm)),
+        WebString::fromUTF8(base::HexEncode(
+            reinterpret_cast<const unsigned char*>(
+                sct_and_status.sct->signature.signature_data.data()),
+            sct_and_status.sct->signature.signature_data.length())));

[Charlie Reis, 2016/06/21 23:44:03]

I'm not qualified to review all these conversions and whether they're safe or
correct.  Has someone taken a close look at them already?

+    sct_list[i] = sct;
+  }
+
   blink::WebURLResponse::WebSecurityDetails webSecurityDetails(
       WebString::fromUTF8(protocol), WebString::fromUTF8(key_exchange),
-      WebString::fromUTF8(cipher), WebString::fromUTF8(mac),
-      ssl_status.cert_id, num_unknown_scts, num_invalid_scts, num_valid_scts);
+      WebString::fromUTF8(cipher), WebString::fromUTF8(mac), ssl_status.cert_id,
+      num_unknown_scts, num_invalid_scts, num_valid_scts, sct_list);
 
   response->setSecurityDetails(webSecurityDetails);
 }
@@ -964,8 +994,7 @@ void WebURLLoaderImpl::PopulateURLResponse(const GURL& url,
       [](const std::string& h) { return blink::WebString::fromLatin1(h); });
   response->setCorsExposedHeaderNames(cors_exposed_header_names);
 
-  SetSecurityStyleAndDetails(url, info.security_info, response,
-                             report_security_info);
+  SetSecurityStyleAndDetails(url, info, response, report_security_info);
 
   WebURLResponseExtraDataImpl* extra_data =
       new WebURLResponseExtraDataImpl(info.npn_negotiated_protocol);