Certificate Transparency: Adding finch and NetLog logging for EV certs

net/cert/cert_policy_enforcer.cc

Index: net/cert/cert_policy_enforcer.cc
diff --git a/net/cert/cert_policy_enforcer.cc b/net/cert/cert_policy_enforcer.cc
index c9ce7cc4a0873268a0fc910bb7906ff69ae44350..a956b860e209ecf96743de704084a507e0cac23d 100644
--- a/net/cert/cert_policy_enforcer.cc
+++ b/net/cert/cert_policy_enforcer.cc
@@ -6,15 +6,20 @@
 
 #include <algorithm>
 
+#include "base/bind.h"
 #include "base/build_time.h"
+#include "base/callback_helpers.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/values.h"
+#include "net/base/net_log.h"
 #include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/cert/x509_certificate.h"
+#include "net/cert/x509_certificate_net_log_param.h"
 
 namespace net {
 
@@ -65,6 +70,14 @@ void LogCTComplianceStatusToUMA(CTComplianceStatus status) {
                             CT_COMPLIANCE_MAX);
 }
 
+base::Value* NetLogNonCompliantCertCallback(X509Certificate* cert,
+                                            NetLog::LogLevel log_level) {
+  base::DictionaryValue* dict = new base::DictionaryValue();
+  dict->Set("non_compliant_cert",
+            NetLogX509CertificateCallback(cert, log_level));
+  return dict;
+}
+
 }  // namespace
 
 CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs,
@@ -78,7 +91,8 @@ CertPolicyEnforcer::~CertPolicyEnforcer() {
 bool CertPolicyEnforcer::DoesConformToCTEVPolicy(
     X509Certificate* cert,
     const ct::EVCertsWhitelist* ev_whitelist,
-    const ct::CTVerifyResult& ct_result) {
+    const ct::CTVerifyResult& ct_result,
+    const BoundNetLog& net_log) {
   if (!require_ct_for_ev_)
     return true;
 
@@ -96,6 +110,12 @@ bool CertPolicyEnforcer::DoesConformToCTEVPolicy(
   }
 
   LogCTComplianceStatusToUMA(CT_NOT_COMPLIANT);
+
+  NetLog::ParametersCallback net_log_callback =
+      base::Bind(&NetLogNonCompliantCertCallback, base::Unretained(cert));
+
+  net_log.AddEvent(NetLog::TYPE_NON_COMPLIANT_EV_CERT_ENCOUNTERED,
+                   net_log_callback);

[Ryan Sleevi, 2014/12/09 20:50:42]

Ok, I'm going to push back on this with a "Not LGTM" for now. I know, I know, a
pain.

The problem is that you're only logging a failure path, instead of any of the
other (relevant) details that would be neded during debugging (namely, line 97,
100, 104, 109)

Rather than focusing on a single Event that indicates failure, you should look
to log a start/end event with relevant details. See the CertVerifier as an
example, where the begin event includes the input parameters (for example, the
ct_result, potentially whitelist metadata in the future) and the end event logs
the result (which of the paths this function exited)

[Eran Messeri, 2014/12/10 15:38:38]

I understand the main concern is not logging all paths and all relevant details
that are necessary to debug why the EV treatment was not granted.

Per your suggestion I have changed the code to log an event in all circumstances
with all details.

I have tried using BeginEvent/EndEvent but that ended up looking a bit funny, as
in practice the code is much simpler if I do all the checks and NetLog the
result (which contains all the information) in a single place.

   return false;
 }