Certificate Transparency: Code for unpacking EV cert hashes whitelist

net/socket/ssl_client_socket_openssl.cc

Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index aa45a9d3a830260837568207fbac8c666e25c01a..faa9cb33562294607f99bec7416632d9a7c8da0d 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -24,6 +24,7 @@
 #include "crypto/scoped_openssl_types.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
@@ -1098,6 +1099,21 @@ int SSLClientSocketOpenSSL::DoVerifyCertComplete(int result) {
     result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
   }
 
+  scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
+      SSLConfigService::GetEVCertsWhitelist();
+  if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
+    if (ev_whitelist.get() && ev_whitelist->IsValid()) {
+      const SHA256HashValue fingerprint(
+          X509Certificate::CalculateFingerprint256(
+              server_cert_verify_result_.verified_cert->os_cert_handle()));
+
+      UMA_HISTOGRAM_BOOLEAN(
+          "Net.SSL_EVCertificateInWhitelist",
+          ev_whitelist->ContainsCertificateHash(
+              std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));
+    }
+  }
+
   if (result == OK) {
     // Only check Certificate Transparency if there were no other errors with
     // the connection.