
Unified Diff: net/cert/cert_policy_enforcer.cc

Issue 782333002: Certificate Transparency: Adding finch and NetLog logging for EV certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Addressing review comments Created 6 years ago
Index: net/cert/cert_policy_enforcer.cc
diff --git a/net/cert/cert_policy_enforcer.cc b/net/cert/cert_policy_enforcer.cc
index c9ce7cc4a0873268a0fc910bb7906ff69ae44350..a956b860e209ecf96743de704084a507e0cac23d 100644
--- a/net/cert/cert_policy_enforcer.cc
+++ b/net/cert/cert_policy_enforcer.cc
@@ -6,15 +6,20 @@
#include <algorithm>
+#include "base/bind.h"
#include "base/build_time.h"
+#include "base/callback_helpers.h"
#include "base/metrics/field_trial.h"
#include "base/metrics/histogram.h"
#include "base/numerics/safe_conversions.h"
#include "base/strings/string_number_conversions.h"
+#include "base/values.h"
+#include "net/base/net_log.h"
#include "net/cert/ct_ev_whitelist.h"
#include "net/cert/ct_verify_result.h"
#include "net/cert/signed_certificate_timestamp.h"
#include "net/cert/x509_certificate.h"
+#include "net/cert/x509_certificate_net_log_param.h"
namespace net {
@@ -65,6 +70,14 @@ void LogCTComplianceStatusToUMA(CTComplianceStatus status) {
CT_COMPLIANCE_MAX);
}
+base::Value* NetLogNonCompliantCertCallback(X509Certificate* cert,
+ NetLog::LogLevel log_level) {
+ base::DictionaryValue* dict = new base::DictionaryValue();
+ dict->Set("non_compliant_cert",
+ NetLogX509CertificateCallback(cert, log_level));
+ return dict;
+}
+
} // namespace
CertPolicyEnforcer::CertPolicyEnforcer(size_t num_ct_logs,
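Review bot: NetLogNonCompliantCertCallback is added without a comment and takes `X509Certificate* cert` as a mutable pointer, although the visible body only passes it on to NetLogX509CertificateCallback. If that helper accepts a const pointer, declaring the parameter `const X509Certificate* cert` would make the read-only intent explicit. A one-line header comment would also help, e.g. `// Returns a new dictionary, owned by the caller, that holds the offending certificate under "non_compliant_cert".` The dictionary is created with a raw `new` and returned as `base::Value*`, so the ownership hand-off is worth stating where the function is defined.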
@@ -78,7 +91,8 @@ CertPolicyEnforcer::~CertPolicyEnforcer() {
bool CertPolicyEnforcer::DoesConformToCTEVPolicy(
X509Certificate* cert,
const ct::EVCertsWhitelist* ev_whitelist,
- const ct::CTVerifyResult& ct_result) {
+ const ct::CTVerifyResult& ct_result,
+ const BoundNetLog& net_log) {
if (!require_ct_for_ev_)
return true;
@@ -96,6 +110,12 @@ bool CertPolicyEnforcer::DoesConformToCTEVPolicy(
}
LogCTComplianceStatusToUMA(CT_NOT_COMPLIANT);
+
+ NetLog::ParametersCallback net_log_callback =
+ base::Bind(&NetLogNonCompliantCertCallback, base::Unretained(cert));
+
+ net_log.AddEvent(NetLog::TYPE_NON_COMPLIANT_EV_CERT_ENCOUNTERED,
+ net_log_callback);
Ryan Sleevi 2014/12/09 20:50:42 Ok, I'm going to push back on this with a "Not LGT
Eran Messeri 2014/12/10 15:38:38 I understand the main concern is not logging all p
return false;
}
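Review bot: `base::Unretained(cert)` in the new `base::Bind` call is safe only if `net_log.AddEvent` runs the callback before it returns and keeps no copy of it, and nothing in the hunk states that assumption. If AddEvent is synchronous, as appears to be the intent, a comment above the bind would record it: `// |cert| outlives the callback: AddEvent() runs it before returning.` If the callback could be stored or run later, it would need to hold a reference to the certificate rather than an unretained pointer. The body of DoesConformToCTEVPolicy starts outside this hunk, so whether the earlier return paths need the same event cannot be judged from here.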
