Certificate Transparency: Threading the CT verifier into the SSL client socket.

net/cert/cert_status_flags.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_CERT_STATUS_FLAGS_H_
 #define NET_CERT_CERT_STATUS_FLAGS_H_
 
 #include "base/basictypes.h"
 #include "net/base/net_export.h"
 
@@ skipping 17 matching lines @@
 static const CertStatus CERT_STATUS_UNABLE_TO_CHECK_REVOCATION = 1 << 5;
 static const CertStatus CERT_STATUS_REVOKED                    = 1 << 6;
 static const CertStatus CERT_STATUS_INVALID                    = 1 << 7;
 static const CertStatus CERT_STATUS_WEAK_SIGNATURE_ALGORITHM   = 1 << 8;
 // 1 << 9 was used for CERT_STATUS_NOT_IN_DNS
 static const CertStatus CERT_STATUS_NON_UNIQUE_NAME            = 1 << 10;
 static const CertStatus CERT_STATUS_WEAK_KEY                   = 1 << 11;
 static const CertStatus CERT_STATUS_WEAK_DH_KEY                = 1 << 12;
 static const CertStatus CERT_STATUS_PINNED_KEY_MISSING         = 1 << 13;
 
-// Bits 16 to 31 are for non-error statuses.
+// Bits 16 to 29 are for non-error statuses.
 static const CertStatus CERT_STATUS_IS_EV                      = 1 << 16;
 static const CertStatus CERT_STATUS_REV_CHECKING_ENABLED       = 1 << 17;
 // bit 18 was CERT_STATUS_IS_DNSSEC.
 
+// Bits 30, 31 are for Certificate Transparency.
+static const int CERTIFICATE_TRANSPARENCY_STATUS_SHIFT = 30;
+static const int CERTIFICATE_TRANSPARENCY_STATUS_MASK = 3;

[wtc, 2013/11/27 20:00:49]

This mask should have the same type as CertStatus because it is bitwise AND'ed
with a CertStatus, so it should be a uint32.

[Eran M. (Google), 2013/11/27 23:01:42]

Done.

+enum {
+  CERT_TRANSPARENCY_NO_SCTS = 0,
+  CERT_TRANSPARENCY_SCT_FROM_UNKNOWN_LOGS = 1,
+  CERT_TRANSPARENCY_SCT_FAILED_VALIDATION = 2,
+  CERT_TRANSPARENCY_SCT_VALIDATED_OK = 3,

[wtc, 2013/11/27 20:00:49]

Nit: the four values should be documented.

[Eran M. (Google), 2013/11/27 23:01:42]

Done.

+};
+
 // Returns true if the specified cert status has an error set.
 static inline bool IsCertStatusError(CertStatus status) {
   return (CERT_STATUS_ALL_ERRORS & status) != 0;
 }
 
 // IsCertStatusMinorError returns true iff |cert_status| indicates a condition
 // that should typically be ignored by automated requests. (i.e. a revocation
 // check failure.)
 NET_EXPORT bool IsCertStatusMinorError(CertStatus cert_status);
 
 // Maps a network error code to the equivalent certificate status flag.  If
 // the error code is not a certificate error, it is mapped to 0.
 NET_EXPORT CertStatus MapNetErrorToCertStatus(int error);
 
 // Maps the most serious certificate error in the certificate status flags
 // to the equivalent network error code.
 NET_EXPORT int MapCertStatusToNetError(CertStatus cert_status);
 
+inline int CertificateTransparencyStateFromCertStatus(CertStatus cert_status) {

[wtc, 2013/11/27 20:00:49]

It may be better to return uint32...

Document this function.

[Eran M. (Google), 2013/11/27 23:01:42]

Gave a proper name to the enum,  added documentation.

+  return (cert_status >> CERTIFICATE_TRANSPARENCY_STATUS_SHIFT) &
+         CERTIFICATE_TRANSPARENCY_STATUS_MASK;
+}
+
 }  // namespace net
 
 #endif  // NET_CERT_CERT_STATUS_FLAGS_H_