Certificate Transparency: Threading the CT verifier into the SSL client socket.

net/base/net_error_list.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file intentionally does not have header guards, it's included
 // inside a macro to generate enum values.
 
 // This file contains the list of network errors.
 
 //
@@ skipping 390 matching lines @@
 NET_ERROR(CERT_WEAK_KEY, -211)
 
 // Add new certificate error codes here.
 //
 // Update the value of CERT_END whenever you add a new certificate error
 // code.
 
 // The value immediately past the last certificate error code.
 NET_ERROR(CERT_END, -212)
 
+// Certificate Transparency-related errors. Logically these are certificate
+// errors but, for now, are not included in the certificate errors range
+// so IsCertificateError will not be affected by CT-related errors.
+
+// Serialization of the Precertificate LogEntry or X.509 LogEntry failed
+// That means that there were no embedded SCTs *and* the DER encoding of the
+// certificate could not be created, which is surprising - as CT checks are
+// only performed after SCTs have been validated.
+NET_ERROR(CT_LOG_ENTRY_CREATION_FAILED, -298)
+
+// SCT(s) were present but failed to verify - this could indicate an attack
+// or corrupted SCTs.
+NET_ERROR(NO_SCTS_VERIFIED_OK, -299)

[wtc, 2013/11/27 16:45:57]

If we add these two CT errors as certificate errors, they need to be before
|CERT_END|, and corresponding *error* status bits (in bits 0 to 15) need to be
added to cert_status_flags.h.

So this part of the CL still needs work. I am sorry that I haven't spent the
time to study this issue and give you clear advices. So your attempts have been
repeatedly declined.

An error should be a certificate error (in the -2xx range) if it will trigger
the certificate error interstitial page. By this criterion, it seems that
CT_LOG_ENTRY_CREATION_FAILED is not a certificate error, but NO_SCTS_VERIFIED_OK
is.

[Eran M. (Google), 2013/11/27 19:05:48]

As we discussed offline, completely reverting these changes so this patch won't
be blocked on them. Let's discuss error handling later on.

+
 // The URL is invalid.
 NET_ERROR(INVALID_URL, -300)
 
 // The scheme of the URL is disallowed.
 NET_ERROR(DISALLOWED_URL_SCHEME, -301)
 
 // The scheme of the URL is unknown.
 NET_ERROR(UNKNOWN_URL_SCHEME, -302)
 
 // Attempting to load an URL resulted in too many redirects.
@@ skipping 283 matching lines @@
 NET_ERROR(DNS_TIMED_OUT, -803)
 
 // The entry was not found in cache, for cache-only lookups.
 NET_ERROR(DNS_CACHE_MISS, -804)
 
 // Suffix search list rules prevent resolution of the given host name.
 NET_ERROR(DNS_SEARCH_EMPTY, -805)
 
 // Failed to sort addresses according to RFC3484.
 NET_ERROR(DNS_SORT_ERROR, -806)