Index: net/socket/ssl_client_socket_nss.cc |
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
index 7366c166fb788ead37d83937a4121f82bfa02c47..9d82b4c65dde254c81895a99ea37a8444cb4e6f1 100644 |
--- a/net/socket/ssl_client_socket_nss.cc |
+++ b/net/socket/ssl_client_socket_nss.cc |
@@ -92,6 +92,7 @@ |
#include "net/base/net_errors.h" |
#include "net/base/net_log.h" |
#include "net/cert/asn1_util.h" |
+#include "net/cert/cert_policy_enforcer.h" |
#include "net/cert/cert_status_flags.h" |
#include "net/cert/cert_verifier.h" |
#include "net/cert/ct_objects_extractor.h" |
@@ -2807,6 +2808,10 @@ SSLClientSocketNSS::SSLClientSocketNSS( |
nss_fd_(NULL), |
net_log_(transport_->socket()->NetLog()), |
transport_security_state_(context.transport_security_state), |
+ policy_enforcer_(new CertPolicyEnforcer( |
Ryan Sleevi
2014/10/22 19:48:36
This should be passed in, not created.
Eran Messeri
2014/10/24 12:12:36
Done. It's passed *all* the way from the IOThread.
|
+ cert_transparency_verifier_ |
+ ? cert_transparency_verifier_->GetNumKnownLogs() |
+ : 0)), |
valid_thread_id_(base::kInvalidThreadId) { |
EnterFunction(""); |
InitCore(); |
@@ -3525,6 +3530,13 @@ void SSLClientSocketNSS::VerifyCT() { |
<< " Verified scts: " << ct_verify_result_.verified_scts.size() |
<< " scts from unknown logs: " |
<< ct_verify_result_.unknown_logs_scts.size(); |
+ |
+ if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && |
+ (!policy_enforcer_->DoesConformToCTEVPolicy( |
+ server_cert_verify_result_.verified_cert.get(), ct_verify_result_))) { |
+ VLOG(1) << "EV certificate without enough SCTs, removing EV status."; |
+ server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
+ } |
} |
void SSLClientSocketNSS::LogConnectionTypeMetrics() const { |
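Review bot: The EV downgrade appended to VerifyCT carries no comment saying why a CT/EV policy failure strips CERT_STATUS_IS_EV rather than failing the connection, and the only record of the decision is a VLOG(1) that will not show up in the socket's NetLog. I would add above the `if`: `// An EV certificate that does not satisfy the CT EV policy stays usable but loses its EV status; adjust the verify result here instead of failing the handshake.` and consider emitting a NetLog event next to the VLOG so the downgrade is visible when a connection is inspected. VerifyCT begins outside the hunk; if it returns before this point when no CT verifier is configured, the check is skipped and EV status is retained without any SCT evaluation, which is worth confirming against the `cert_transparency_verifier_ ? ... : 0` branch in the constructor hunk. The check also dereferences `policy_enforcer_` unconditionally, so once it is passed in rather than constructed here, a DCHECK or null guard at this site would document the expectation that it is always present.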