Index: net/cert/cert_policy_enforcer.cc |
diff --git a/net/cert/cert_policy_enforcer.cc b/net/cert/cert_policy_enforcer.cc |
index c9ce7cc4a0873268a0fc910bb7906ff69ae44350..a956b860e209ecf96743de704084a507e0cac23d 100644 |
--- a/net/cert/cert_policy_enforcer.cc |
+++ b/net/cert/cert_policy_enforcer.cc |
@@ -6,15 +6,20 @@ |
#include <algorithm> |
+#include "base/bind.h" |
#include "base/build_time.h" |
+#include "base/callback_helpers.h" |
#include "base/metrics/field_trial.h" |
#include "base/metrics/histogram.h" |
#include "base/numerics/safe_conversions.h" |
#include "base/strings/string_number_conversions.h" |
+#include "base/values.h" |
+#include "net/base/net_log.h" |
#include "net/cert/ct_ev_whitelist.h" |
#include "net/cert/ct_verify_result.h" |
#include "net/cert/signed_certificate_timestamp.h" |
#include "net/cert/x509_certificate.h" |
+#include "net/cert/x509_certificate_net_log_param.h" |
namespace net { |
@@ -65,6 +70,14 @@ void LogCTComplianceStatusToUMA(CTComplianceStatus status) { |
CT_COMPLIANCE_MAX); |
} |
+base::Value* NetLogNonCompliantCertCallback(X509Certificate* cert, |
+ NetLog::LogLevel log_level) { |
+ base::DictionaryValue* dict = new base::DictionaryValue(); |
+ dict->Set("non_compliant_cert", |
+ NetLogX509CertificateCallback(cert, log_level)); |
+ return dict; |
+} |
+ |
} // namespace |
CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs, |
@@ -78,7 +91,8 @@ CertPolicyEnforcer::~CertPolicyEnforcer() { |
bool CertPolicyEnforcer::DoesConformToCTEVPolicy( |
X509Certificate* cert, |
const ct::EVCertsWhitelist* ev_whitelist, |
- const ct::CTVerifyResult& ct_result) { |
+ const ct::CTVerifyResult& ct_result, |
+ const BoundNetLog& net_log) { |
if (!require_ct_for_ev_) |
return true; |
@@ -96,6 +110,12 @@ bool CertPolicyEnforcer::DoesConformToCTEVPolicy( |
} |
LogCTComplianceStatusToUMA(CT_NOT_COMPLIANT); |
+ |
+ NetLog::ParametersCallback net_log_callback = |
+ base::Bind(&NetLogNonCompliantCertCallback, base::Unretained(cert)); |
+ |
+ net_log.AddEvent(NetLog::TYPE_NON_COMPLIANT_EV_CERT_ENCOUNTERED, |
+ net_log_callback); |
Ryan Sleevi
2014/12/09 20:50:42
Ok, I'm going to push back on this with a "Not LGT
Eran Messeri
2014/12/10 15:38:38
I understand the main concern is not logging all p
|
return false; |
} |