Certificate Transparency: Add UMA for whitelist status

net/cert/cert_policy_enforcer.cc

Index: net/cert/cert_policy_enforcer.cc
diff --git a/net/cert/cert_policy_enforcer.cc b/net/cert/cert_policy_enforcer.cc
index 25e9325fd4309f954bb171c2c05d648897ad94c0..2de9585a62dc1bf8e9fe108f8723cffd8638cc1d 100644
--- a/net/cert/cert_policy_enforcer.cc
+++ b/net/cert/cert_policy_enforcer.cc
@@ -126,9 +126,13 @@ const char* ComplianceStatusToString(CTComplianceStatus status) {
   return "unknown";
 }
 
-void LogCTComplianceStatusToUMA(CTComplianceStatus status) {
+void LogCTComplianceStatusToUMA(CTComplianceStatus status,
+                                bool is_whitelist_valid) {
   UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status,
                             CT_COMPLIANCE_MAX);
+  if (status == CT_NOT_COMPLIANT)
+    UMA_HISTOGRAM_BOOLEAN("Net.SSL_EVWhitelistValidityForNonCompliantCert",
+                          is_whitelist_valid);
 }
 
 struct ComplianceDetails {
@@ -244,7 +248,8 @@ bool CertPolicyEnforcer::DoesConformToCTEVPolicy(
   if (!details.build_timely)
     return false;
 
-  LogCTComplianceStatusToUMA(details.status);
+  LogCTComplianceStatusToUMA(details.status,
+                             ev_whitelist ? ev_whitelist->IsValid() : false);

[jwd, 2015/03/09 15:26:41]

I'm concerned about combining the two false conditions here. Are you sure you
wouldn't rather track all three states (has valid, has invalid, doesn't have)
separately?

[Ryan Sleevi, 2015/03/09 21:44:43]

+1

[Eran Messeri, 2015/03/10 21:16:35]

Done - tracking all three states.

 
   if (details.status == CT_IN_WHITELIST || details.status == CT_ENOUGH_SCTS)
     return true;