Certificate Transparency: Adding finch and NetLog logging for EV certs

net/cert/cert_policy_enforcer.h

Index: net/cert/cert_policy_enforcer.h
diff --git a/net/cert/cert_policy_enforcer.h b/net/cert/cert_policy_enforcer.h
index e6c7960ac9a28fcc2211e39f2dabdb59974ed3c8..e20ef4a284b804680d6f750d60bc860725186517 100644
--- a/net/cert/cert_policy_enforcer.h
+++ b/net/cert/cert_policy_enforcer.h
@@ -7,6 +7,7 @@
 #include <stddef.h>
 
 #include "net/base/net_export.h"
+#include "net/base/net_log.h"
 
 namespace net {
 
@@ -30,21 +31,17 @@ class NET_EXPORT CertPolicyEnforcer {
   virtual ~CertPolicyEnforcer();
 
   // Returns true if the collection of SCTs for the given certificate
-  // conforms with the CT/EV policy.
+  // conforms with the CT/EV policy. If it is non-conforming, the certificate
+  // is logged to |net_log|.

[Ryan Sleevi, 2014/12/16 21:35:01]

This comment isn't accurate, since you always log to |net_log| ;)

[Eran Messeri, 2014/12/17 16:19:31]

Done - fixed.

   // |cert| is the certificate for which the SCTs apply.
   // |ct_result| must contain the result of verifying any SCTs associated with
   // |cert| prior to invoking this method.
   bool DoesConformToCTEVPolicy(X509Certificate* cert,
                                const ct::EVCertsWhitelist* ev_whitelist,
-                               const ct::CTVerifyResult& ct_result);
+                               const ct::CTVerifyResult& ct_result,
+                               const BoundNetLog& net_log);
 
  private:
-  bool IsCertificateInWhitelist(X509Certificate* cert,
-                                const ct::EVCertsWhitelist* ev_whitelist);
-
-  bool HasRequiredNumberOfSCTs(X509Certificate* cert,
-                               const ct::CTVerifyResult& ct_result);
-
   bool require_ct_for_ev_;
 };