Certificate Transparency: Threading the CT verifier into the SSL client socket.

net/socket/ssl_client_socket_nss.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_
 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_
 
 #include <certt.h>
 #include <keyt.h>
 #include <nspr.h>
 #include <nss.h>
 
 #include <string>
 #include <vector>
 
 #include "base/memory/scoped_ptr.h"
 #include "base/synchronization/lock.h"
 #include "base/threading/platform_thread.h"
 #include "base/time/time.h"
 #include "base/timer/timer.h"
 #include "net/base/completion_callback.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_export.h"
 #include "net/base/net_log.h"
 #include "net/base/nss_memio.h"
 #include "net/cert/cert_verify_result.h"
+#include "net/cert/ct_verify_result.h"
 #include "net/cert/x509_certificate.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/ssl/server_bound_cert_service.h"
 #include "net/ssl/ssl_config_service.h"
 
 namespace base {
 class SequencedTaskRunner;
 }
 
 namespace net {
 
 class BoundNetLog;
 class CertVerifier;
+class CTVerifier;
 class ClientSocketHandle;
 class ServerBoundCertService;
 class SingleRequestCertVerifier;
 class TransportSecurityState;
 class X509Certificate;
 
 // An SSL client socket implemented with Mozilla NSS.
 class SSLClientSocketNSS : public SSLClientSocket {
  public:
   // Takes ownership of the |transport_socket|, which must already be connected.
@@ skipping 58 matching lines @@
   // Helper class to handle marshalling any NSS interaction to and from the
   // NSS and network task runners. Not every call needs to happen on the Core
   class Core;
 
   enum State {
     STATE_NONE,
     STATE_HANDSHAKE,
     STATE_HANDSHAKE_COMPLETE,
     STATE_VERIFY_CERT,
     STATE_VERIFY_CERT_COMPLETE,
+    STATE_VERIFY_CT,
+    STATE_VERIFY_CT_COMPLETE,
   };
 
   int Init();
   void InitCore();
 
   // Initializes NSS SSL options.  Returns a net error code.
   int InitializeSSLOptions();
 
   // Initializes the socket peer name in SSL.  Returns a net error code.
   int InitializeSSLPeerName();
 
   void DoConnectCallback(int result);
   void OnHandshakeIOComplete(int result);
 
   int DoHandshakeLoop(int last_io_result);
   int DoHandshake();
   int DoHandshakeComplete(int result);
   int DoVerifyCert(int result);
   int DoVerifyCertComplete(int result);
+  int DoVerifyCT(int result);
+  int DoVerifyCTComplete(int result);
 
   void LogConnectionTypeMetrics() const;
 
   // The following methods are for debugging bug 65948. Will remove this code
   // after fixing bug 65948.
   void EnsureThreadIdAssigned() const;
   bool CalledOnValidThread() const;
 
   // The task runner used to perform NSS operations.
   scoped_refptr<base::SequencedTaskRunner> nss_task_runner_;
@@ skipping 28 matching lines @@
   // TODO(rsleevi): http://crbug.com/130616 - Remove this member once
   // ExportKeyingMaterial is updated to be asynchronous.
   PRFileDesc* nss_fd_;
 
   BoundNetLog net_log_;
 
   base::TimeTicks start_cert_verification_time_;
 
   TransportSecurityState* transport_security_state_;
 
+  ct::CTVerifyResult ct_verify_result_;
+  CTVerifier* cert_transparency_verifier_;

[wtc, 2013/11/26 01:47:23]

Nit: inside this class, I suggest we list these CT-related members right after
the CertVerifier-related members (lines 161-165).

[Eran M. (Google), 2013/11/26 14:45:53]

Done.

+
   // The following two variables are added for debugging bug 65948. Will
   // remove this code after fixing bug 65948.
   // Added the following code Debugging in release mode.
   mutable base::Lock lock_;
   // This is mutable so that CalledOnValidThread can set it.
   // It's guarded by |lock_|.
   mutable base::PlatformThreadId valid_thread_id_;
 };
 
 }  // namespace net
 
 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_