Certificate Transparency: Require SCTs for EV certificates.

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 7366c166fb788ead37d83937a4121f82bfa02c47..9d82b4c65dde254c81895a99ea37a8444cb4e6f1 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -92,6 +92,7 @@
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/cert/asn1_util.h"
+#include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_objects_extractor.h"
@@ -2807,6 +2808,10 @@ SSLClientSocketNSS::SSLClientSocketNSS(
       nss_fd_(NULL),
       net_log_(transport_->socket()->NetLog()),
       transport_security_state_(context.transport_security_state),
+      policy_enforcer_(new CertPolicyEnforcer(

[Ryan Sleevi, 2014/10/22 19:48:36]

This should be passed in, not created.

[Eran Messeri, 2014/10/24 12:12:36]

Done. It's passed *all* the way from the IOThread.

+          cert_transparency_verifier_
+              ? cert_transparency_verifier_->GetNumKnownLogs()
+              : 0)),
       valid_thread_id_(base::kInvalidThreadId) {
   EnterFunction("");
   InitCore();
@@ -3525,6 +3530,13 @@ void SSLClientSocketNSS::VerifyCT() {
           << " Verified scts: " << ct_verify_result_.verified_scts.size()
           << " scts from unknown logs: "
           << ct_verify_result_.unknown_logs_scts.size();
+
+  if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) &&
+      (!policy_enforcer_->DoesConformToCTEVPolicy(
+          server_cert_verify_result_.verified_cert.get(), ct_verify_result_))) {
+    VLOG(1) << "EV certificate without enough SCTs, removing EV status.";
+    server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
+  }
 }
 
 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {