Certificate Transparency: Require SCTs for EV certificates.

net/cert/multi_log_ct_verifier.h

Index: net/cert/multi_log_ct_verifier.h
diff --git a/net/cert/multi_log_ct_verifier.h b/net/cert/multi_log_ct_verifier.h
index 29fbdca647b421d03e6e8ac873e570c5eb0cbeff..370f51f719ed8a0ecc28d3e322ef14e7a5eb9c72 100644
--- a/net/cert/multi_log_ct_verifier.h
+++ b/net/cert/multi_log_ct_verifier.h
@@ -36,6 +36,8 @@ class NET_EXPORT MultiLogCTVerifier : public CTVerifier {
   void AddLog(scoped_ptr<CTLogVerifier> log_verifier);
   void AddLogs(ScopedVector<CTLogVerifier> log_verifiers);
 
+  void SetEnforceCTEVPolicy(bool enforce_policy);
+
   // CTVerifier implementation:
   virtual int Verify(X509Certificate* cert,
                      const std::string& stapled_ocsp_response,
@@ -43,6 +45,10 @@ class NET_EXPORT MultiLogCTVerifier : public CTVerifier {
                      ct::CTVerifyResult* result,
                      const BoundNetLog& net_log) OVERRIDE;
 
+  virtual bool DoesConformToCTEVPolicy(
+      X509Certificate* cert,
+      const ct::CTVerifyResult& ct_result) OVERRIDE;

[Ryan Sleevi, 2014/08/05 22:19:10]

I see nothing that requires this to hang off the CT verifier. There's no special
access to members.

In terms of single-responsibility, I'd rather keep Chrome's specific policies on
validated SCTs + chains independent of the ability to check/validate SCTs.

[Eran Messeri, 2014/10/20 17:26:30]

The number of logs is necessary - but I can make the CTVerifier return that
information.

+
  private:
   // Mapping from a log's ID to the verifier for this log.
   // A log's ID is the SHA-256 of the log's key, as defined in section 3.2.
@@ -64,6 +70,7 @@ class NET_EXPORT MultiLogCTVerifier : public CTVerifier {
       ct::CTVerifyResult* result);
 
   IDToLogMap logs_;
+  bool enforce_ct_ev_policy_;
 
   DISALLOW_COPY_AND_ASSIGN(MultiLogCTVerifier);
 };