Certificate Transparency: Code for unpacking EV cert hashes whitelist

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 92af627b7f871e3edc19ae201c9da6919fc0a5ee..02dc039e6c18f5a6f736c2fb50c62574019b2c06 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -93,6 +93,7 @@
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_objects_extractor.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/ct_verify_result.h"
@@ -3442,6 +3443,17 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
     result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
   }
 
+  if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
+    // fingerprint certificate

[wtc, 2014/08/20 19:04:22]

Nit: this comment can be omitted because it merely repeat the code.

[Eran Messeri, 2014/09/02 12:20:23]

Done.

+    const SHA256HashValue fingerprint(X509Certificate::CalculateFingerprint256(
+        server_cert_verify_result_.verified_cert->os_cert_handle()));
+
+    UMA_HISTOGRAM_BOOLEAN(
+        "Net.SSL_EVCertificateInWhitelist",
+        ct::IsCertificateHashInWhitelist(
+            std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));
+  }
+
   if (result == OK) {
     // Only check Certificate Transparency if there were no other errors with
     // the connection.