Index: net/socket/ssl_client_socket_openssl.cc |
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc |
index aa45a9d3a830260837568207fbac8c666e25c01a..faa9cb33562294607f99bec7416632d9a7c8da0d 100644 |
--- a/net/socket/ssl_client_socket_openssl.cc |
+++ b/net/socket/ssl_client_socket_openssl.cc |
@@ -24,6 +24,7 @@ |
#include "crypto/scoped_openssl_types.h" |
#include "net/base/net_errors.h" |
#include "net/cert/cert_verifier.h" |
+#include "net/cert/ct_ev_whitelist.h" |
#include "net/cert/ct_verifier.h" |
#include "net/cert/single_request_cert_verifier.h" |
#include "net/cert/x509_certificate_net_log_param.h" |
@@ -1098,6 +1099,21 @@ int SSLClientSocketOpenSSL::DoVerifyCertComplete(int result) { |
result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
} |
+ scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
+ SSLConfigService::GetEVCertsWhitelist(); |
+ if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
+ if (ev_whitelist.get() && ev_whitelist->IsValid()) { |
+ const SHA256HashValue fingerprint( |
+ X509Certificate::CalculateFingerprint256( |
+ server_cert_verify_result_.verified_cert->os_cert_handle())); |
+ |
+ UMA_HISTOGRAM_BOOLEAN( |
+ "Net.SSL_EVCertificateInWhitelist", |
+ ev_whitelist->ContainsCertificateHash( |
+ std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); |
+ } |
+ } |
+ |
if (result == OK) { |
// Only check Certificate Transparency if there were no other errors with |
// the connection. |