authorestark <estark@chromium.org>2016-02-18 13:01:12 -0800
committerCommit bot <commit-bot@chromium.org>2016-02-18 21:02:30 +0000
commit723b5eeb4486ac293b6574cfce33a4fb1012e09d (patch)
tree109a7d15e5bbfc68a3f14d65b01d09da7b15932f /net/cert
parenta7a6196257751af4e1bf769d60cb566c437f28e8 (diff)
Add information to SSLInfo about CT EV policy compliance
This CL adds a field to SSLInfo to record whether CT policies were enforced on the connection and details about the connection's compliance with the CT EV policy. This will eventually allow UI to explain to domain owners why their site's EV status might be getting stripped. This also lays the groundwork for introducing an Expect-CT policy, which will be applied on all certificates. //net will apply the expect CT policy and export the result via the new field in SSLInfo, so that code outside net can send a report if desired. BUG=568806 Review URL: https://codereview.chromium.org/1652603002 Cr-Commit-Position: refs/heads/master@{#376256}
Diffstat (limited to 'net/cert')
-rw-r--r--net/cert/ct_policy_enforcer.cc86
-rw-r--r--net/cert/ct_policy_enforcer.h28
-rw-r--r--net/cert/ct_policy_enforcer_unittest.cc79
-rw-r--r--net/cert/ct_policy_status.h39
-rw-r--r--net/cert/ct_verify_result.cc6
-rw-r--r--net/cert/ct_verify_result.h15
6 files changed, 164 insertions, 89 deletions
diff --git a/net/cert/ct_policy_enforcer.cc b/net/cert/ct_policy_enforcer.cc
index 32181d4..aa8838b 100644
--- a/net/cert/ct_policy_enforcer.cc
+++ b/net/cert/ct_policy_enforcer.cc
@@ -19,6 +19,7 @@
#include "base/version.h"
#include "net/cert/ct_ev_whitelist.h"
#include "net/cert/ct_known_logs.h"
+#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verify_result.h"
#include "net/cert/signed_certificate_timestamp.h"
#include "net/cert/x509_certificate.h"
@@ -78,11 +79,10 @@ void RoundedDownMonthDifference(const base::Time& start,
}
bool HasRequiredNumberOfSCTs(const X509Certificate& cert,
- const ct::CTVerifyResult& ct_result) {
- size_t num_valid_scts = ct_result.verified_scts.size();
+ const ct::SCTList& verified_scts) {
+ size_t num_valid_scts = verified_scts.size();
size_t num_embedded_scts = base::checked_cast<size_t>(
- std::count_if(ct_result.verified_scts.begin(),
- ct_result.verified_scts.end(), IsEmbeddedSCT));
+ std::count_if(verified_scts.begin(), verified_scts.end(), IsEmbeddedSCT));
size_t num_non_embedded_scts = num_valid_scts - num_embedded_scts;
// If at least two valid SCTs were delivered by means other than embedding
@@ -166,8 +166,8 @@ enum EVWhitelistStatus {
EV_WHITELIST_MAX,
};
-void LogCTComplianceStatusToUMA(CTComplianceStatus status,
- const ct::EVCertsWhitelist* ev_whitelist) {
+void LogCTEVComplianceStatusToUMA(CTComplianceStatus status,
+ const ct::EVCertsWhitelist* ev_whitelist) {
UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status,
CT_COMPLIANCE_MAX);
if (status == CT_NOT_COMPLIANT) {
@@ -185,18 +185,11 @@ void LogCTComplianceStatusToUMA(CTComplianceStatus status,
}
struct ComplianceDetails {
- ComplianceDetails()
- : ct_presence_required(false),
- build_timely(false),
- status(CT_NOT_COMPLIANT) {}
-
- // Whether enforcement of the policy was required or not.
- bool ct_presence_required;
- // Whether the build is not older than 10 weeks. The value is meaningful only
- // if |ct_presence_required| is true.
+ ComplianceDetails() : build_timely(false), status(CT_NOT_COMPLIANT) {}
+
+ // Whether the build is not older than 10 weeks.
bool build_timely;
- // Compliance status - meaningful only if |ct_presence_required| and
- // |build_timely| are true.
+ // Compliance status - meaningful only if |build_timely| is true.
CTComplianceStatus status;
// EV whitelist version.
base::Version whitelist_version;
@@ -208,17 +201,14 @@ scoped_ptr<base::Value> NetLogComplianceCheckResultCallback(
NetLogCaptureMode capture_mode) {
scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
dict->Set("certificate", NetLogX509CertificateCallback(cert, capture_mode));
- dict->SetBoolean("policy_enforcement_required",
- details->ct_presence_required);
- if (details->ct_presence_required) {
- dict->SetBoolean("build_timely", details->build_timely);
- if (details->build_timely) {
- dict->SetString("ct_compliance_status",
- ComplianceStatusToString(details->status));
- if (details->whitelist_version.IsValid())
- dict->SetString("ev_whitelist_version",
- details->whitelist_version.GetString());
- }
+ dict->SetBoolean("policy_enforcement_required", true);
+ dict->SetBoolean("build_timely", details->build_timely);
+ if (details->build_timely) {
+ dict->SetString("ct_compliance_status",
+ ComplianceStatusToString(details->status));
+ if (details->whitelist_version.IsValid())
+ dict->SetString("ev_whitelist_version",
+ details->whitelist_version.GetString());
}
return std::move(dict);
}
@@ -259,10 +249,8 @@ bool IsCertificateInWhitelist(const X509Certificate& cert,
void CheckCTEVPolicyCompliance(X509Certificate* cert,
const ct::EVCertsWhitelist* ev_whitelist,
- const ct::CTVerifyResult& ct_result,
+ const ct::SCTList& verified_scts,
ComplianceDetails* result) {
- result->ct_presence_required = true;
-
if (!IsBuildTimely())
return;
result->build_timely = true;
@@ -275,14 +263,13 @@ void CheckCTEVPolicyCompliance(X509Certificate* cert,
return;
}
- if (!HasRequiredNumberOfSCTs(*cert, ct_result)) {
+ if (!HasRequiredNumberOfSCTs(*cert, verified_scts)) {
result->status = CT_NOT_COMPLIANT;
return;
}
- if (AllSCTsPastDistinctSCTRequirementEnforcementDate(
- ct_result.verified_scts) &&
- !HasEnoughDiverseSCTs(ct_result.verified_scts)) {
+ if (AllSCTsPastDistinctSCTRequirementEnforcementDate(verified_scts) &&
+ !HasEnoughDiverseSCTs(verified_scts)) {
result->status = CT_NOT_ENOUGH_DIVERSE_SCTS;
return;
}
@@ -292,14 +279,14 @@ void CheckCTEVPolicyCompliance(X509Certificate* cert,
} // namespace
-bool CTPolicyEnforcer::DoesConformToCTEVPolicy(
+ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy(
X509Certificate* cert,
const ct::EVCertsWhitelist* ev_whitelist,
- const ct::CTVerifyResult& ct_result,
+ const ct::SCTList& verified_scts,
const BoundNetLog& net_log) {
ComplianceDetails details;
- CheckCTEVPolicyCompliance(cert, ev_whitelist, ct_result, &details);
+ CheckCTEVPolicyCompliance(cert, ev_whitelist, verified_scts, &details);
NetLog::ParametersCallback net_log_callback =
base::Bind(&NetLogComplianceCheckResultCallback, base::Unretained(cert),
@@ -308,18 +295,25 @@ bool CTPolicyEnforcer::DoesConformToCTEVPolicy(
net_log.AddEvent(NetLog::TYPE_EV_CERT_CT_COMPLIANCE_CHECKED,
net_log_callback);
- if (!details.ct_presence_required)
- return true;
-
if (!details.build_timely)
- return false;
+ return ct::EVPolicyCompliance::EV_POLICY_BUILD_NOT_TIMELY;
- LogCTComplianceStatusToUMA(details.status, ev_whitelist);
+ LogCTEVComplianceStatusToUMA(details.status, ev_whitelist);
- if (details.status == CT_IN_WHITELIST || details.status == CT_ENOUGH_SCTS)
- return true;
+ switch (details.status) {
+ case CT_NOT_COMPLIANT:
+ return ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS;
+ case CT_IN_WHITELIST:
+ return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST;
+ case CT_ENOUGH_SCTS:
+ return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS;
+ case CT_NOT_ENOUGH_DIVERSE_SCTS:
+ return ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS;
+ case CT_COMPLIANCE_MAX:
+ return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
+ }
- return false;
+ return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
}
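Review bot: The `case CT_COMPLIANCE_MAX:` arm and the fallback `return` after the switch both map a status the enforcer should never produce to EV_POLICY_DOES_NOT_APPLY, which ct_policy_status.h documents as "the certificate was not EV"; a consumer that strips EV only on the EV_POLICY_NOT_* values could then keep EV for a state the enforcer never expected. Treat the sentinel as a programming error and fail closed instead: `case CT_COMPLIANCE_MAX: NOTREACHED(); return ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS;` (or whichever value callers treat as non-compliant), and the same after the switch. Separately, `case CT_NOT_COMPLIANT:` is reported as EV_POLICY_NOT_ENOUGH_SCTS although CT_NOT_COMPLIANT is also the default status in ComplianceDetails and, per the updated DoesNotConformToPolicyInvalidDates expectation, what a certificate with no valid dates receives, so the explanation later shown to domain owners may name the wrong cause; either a distinct value or a comment on this arm stating that it covers the generic failure case would help. DoesConformToCTEVPolicy begins before this hunk.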
} // namespace net
diff --git a/net/cert/ct_policy_enforcer.h b/net/cert/ct_policy_enforcer.h
index 8c29da5e..a2db8f0 100644
--- a/net/cert/ct_policy_enforcer.h
+++ b/net/cert/ct_policy_enforcer.h
@@ -1,25 +1,30 @@
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+
#ifndef NET_CERT_CT_POLICY_ENFORCER_H
#define NET_CERT_CT_POLICY_ENFORCER_H
#include <stddef.h>
+#include <vector>
#include "net/base/net_export.h"
+#include "net/cert/signed_certificate_timestamp.h"
#include "net/log/net_log.h"
namespace net {
namespace ct {
-struct CTVerifyResult;
class EVCertsWhitelist;
+enum class EVPolicyCompliance;
} // namespace ct
class X509Certificate;
+using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
+
// Class for checking that a given certificate conforms to security-related
// policies.
class NET_EXPORT CTPolicyEnforcer {
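Review bot: The new `using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;` is declared in namespace net, while ct_verify_result.h keeps its `typedef ... SCTList` in namespace net::ct and ct_policy_enforcer.cc spells the parameter `const ct::SCTList&`; both aliases denote the same type so this compiles, but two same-named aliases in adjacent namespaces are easy to let drift apart. Keep a single definition: drop this alias and declare the method parameter as `const ct::SCTList& verified_scts` (with the typedef in a small shared header), or define this one as `using SCTList = ct::SCTList;`. The header also relies on signed_certificate_timestamp.h transitively providing scoped_refptr; an explicit `#include "base/memory/ref_counted.h"` follows include-what-you-use.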
@@ -27,16 +32,17 @@ class NET_EXPORT CTPolicyEnforcer {
CTPolicyEnforcer() {}
virtual ~CTPolicyEnforcer() {}
- // Returns true if the collection of SCTs for the given certificate
- // conforms with the CT/EV policy. Conformance details are logged to
- // |net_log|.
- // |cert| is the certificate for which the SCTs apply.
- // |ct_result| must contain the result of verifying any SCTs associated with
- // |cert| prior to invoking this method.
- virtual bool DoesConformToCTEVPolicy(X509Certificate* cert,
- const ct::EVCertsWhitelist* ev_whitelist,
- const ct::CTVerifyResult& ct_result,
- const BoundNetLog& net_log);
+ // Returns the CT/EV policy compliance status for a given certificate
+ // and collection of SCTs.
+ // |cert| is the certificate for which to check compliance, and
+ // |verified_scts| contains any/all SCTs associated with |cert| that
+ // have been verified (well-formed, issued by known logs, and applying to
+ // |cert|).
+ virtual ct::EVPolicyCompliance DoesConformToCTEVPolicy(
+ X509Certificate* cert,
+ const ct::EVCertsWhitelist* ev_whitelist,
+ const SCTList& verified_scts,
+ const BoundNetLog& net_log);
};
} // namespace net
diff --git a/net/cert/ct_policy_enforcer_unittest.cc b/net/cert/ct_policy_enforcer_unittest.cc
index 4355252..c6c61b3 100644
--- a/net/cert/ct_policy_enforcer_unittest.cc
+++ b/net/cert/ct_policy_enforcer_unittest.cc
@@ -12,6 +12,7 @@
#include "crypto/sha2.h"
#include "net/base/test_data_directory.h"
#include "net/cert/ct_ev_whitelist.h"
+#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verify_result.h"
#include "net/cert/x509_certificate.h"
#include "net/test/cert_test_util.h"
@@ -65,6 +66,8 @@ class CTPolicyEnforcerTest : public ::testing::Test {
non_google_log_id_.assign(crypto::kSHA256Length, 'A');
}
+ // TODO(eranm): Remove the use of CTVerifyResult in this file and just
+ // use lists of verified SCTs. https://crbug.com/587921
void FillResultWithSCTsOfOrigin(
ct::SignedCertificateTimestamp::Origin desired_origin,
size_t num_scts,
@@ -123,15 +126,17 @@ class CTPolicyEnforcerTest : public ::testing::Test {
for (size_t i = 0; i < required_scts - 1; ++i) {
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
1, std::vector<std::string>(), false, &result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- cert.get(), nullptr, result, BoundNetLog()))
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ cert.get(), nullptr, result.verified_scts, BoundNetLog()))
<< " for: " << (end - start).InDays() << " and " << required_scts
<< " scts=" << result.verified_scts.size() << " i=" << i;
}
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
std::vector<std::string>(), false, &result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
- cert.get(), nullptr, result, BoundNetLog()))
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ cert.get(), nullptr, result.verified_scts, BoundNetLog()))
<< " for: " << (end - start).InDays() << " and " << required_scts
<< " scts=" << result.verified_scts.size();
}
@@ -148,8 +153,9 @@ TEST_F(CTPolicyEnforcerTest,
ct::CTVerifyResult result;
FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, result, BoundNetLog()));
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest,
@@ -157,16 +163,18 @@ TEST_F(CTPolicyEnforcerTest,
ct::CTVerifyResult result;
FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, result, BoundNetLog()));
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
ct::CTVerifyResult result;
FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
- result, BoundNetLog()));
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
@@ -174,8 +182,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
FillResultWithSCTsOfOrigin(
ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
- result, BoundNetLog()));
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
@@ -184,8 +193,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
&result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
- result, BoundNetLog()));
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
@@ -198,14 +208,18 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
&result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), non_including_whitelist.get(),
+ result.verified_scts, BoundNetLog()));
// ... but should be OK if whitelisted.
scoped_refptr<ct::EVCertsWhitelist> whitelist(
new DummyEVCertsWhitelist(true, true));
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), result, BoundNetLog()));
+ EXPECT_EQ(
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
@@ -214,13 +228,17 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
ct::CTVerifyResult result;
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
&result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ no_valid_dates_cert.get(), nullptr, result.verified_scts,
+ BoundNetLog()));
// ... but should be OK if whitelisted.
scoped_refptr<ct::EVCertsWhitelist> whitelist(
new DummyEVCertsWhitelist(true, true));
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), result, BoundNetLog()));
+ EXPECT_EQ(
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest,
@@ -274,8 +292,10 @@ TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
ct::CTVerifyResult result;
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
&result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), result, BoundNetLog()));
+ EXPECT_EQ(
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
@@ -285,16 +305,19 @@ TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
ct::CTVerifyResult result;
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
&result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), result, BoundNetLog()));
+ EXPECT_EQ(
+ ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
ct::CTVerifyResult result;
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
&result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, result, BoundNetLog()));
+ EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
}
} // namespace
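Review bot: As far as the hunks in this file show, no updated expectation exercises EV_POLICY_BUILD_NOT_TIMELY or EV_POLICY_DOES_NOT_APPLY, so the two new outcomes the enforcer can return are unchecked while the four others are pinned by the converted EXPECT_EQ calls. Whether the build-timeliness path can be driven from this fixture is not visible here; if it cannot, a short comment next to the fixture recording that gap would save the next reader from assuming the enum is fully covered.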
diff --git a/net/cert/ct_policy_status.h b/net/cert/ct_policy_status.h
new file mode 100644
index 0000000..e234cb7
--- /dev/null
+++ b/net/cert/ct_policy_status.h
@@ -0,0 +1,39 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_CT_POLICY_STATUS_H
+#define NET_CERT_CT_POLICY_STATUS_H
+
+namespace net {
+
+namespace ct {
+
+// Information about a connection's compliance with the CT EV
+// certificate policy.
+enum class EVPolicyCompliance {
+ // The certificate was not EV, so the EV policy doesn't apply.
+ EV_POLICY_DOES_NOT_APPLY,
+ // The connection complied with the EV certificate policy by being
+ // included on the EV whitelist.
+ EV_POLICY_COMPLIES_VIA_WHITELIST,
+ // The connection complied with the EV certificate policy by
+ // including SCTs that satisfy the policy.
+ EV_POLICY_COMPLIES_VIA_SCTS,
+ // The connection did not have enough SCTs to retain its EV
+ // status.
+ EV_POLICY_NOT_ENOUGH_SCTS,
+ // The connection did not have diverse enough SCTs to retain its
+ // EV status.
+ EV_POLICY_NOT_DIVERSE_SCTS,
+ // The connection cannot be considered compliant because the build
+ // isn't timely and therefore log information might be out of date
+ // (for example a log might no longer be considered trustworthy).
+ EV_POLICY_BUILD_NOT_TIMELY,
+};
+
+} // namespace ct
+
+} // namespace net
+
+#endif // NET_CERT_CT_POLICY_STATUS_H
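Review bot: EV_POLICY_DOES_NOT_APPLY is documented as "The certificate was not EV", but ct_policy_enforcer.cc also returns it as the fallback after its switch on the internal compliance status, so a consumer cannot tell "not EV" from "enforcer reached an unexpected state"; either widen the comment to say so or change that fallback, and say which here. Since the description says this value is exported through SSLInfo so code outside //net can send reports, a comment such as `// Values may be serialized or histogrammed by callers; append new values at the end and do not reorder.` would protect the numbering (no serialization is visible in this CL, so this is precautionary).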
diff --git a/net/cert/ct_verify_result.cc b/net/cert/ct_verify_result.cc
index c62a18a..5e89b8f 100644
--- a/net/cert/ct_verify_result.cc
+++ b/net/cert/ct_verify_result.cc
@@ -4,11 +4,15 @@
#include "net/cert/ct_verify_result.h"
+#include "net/cert/ct_policy_status.h"
+
namespace net {
namespace ct {
-CTVerifyResult::CTVerifyResult() {}
+CTVerifyResult::CTVerifyResult()
+ : ct_policies_applied(false),
+ ev_policy_compliance(ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY) {}
CTVerifyResult::~CTVerifyResult() {}
diff --git a/net/cert/ct_verify_result.h b/net/cert/ct_verify_result.h
index aa90164..e434fb8 100644
--- a/net/cert/ct_verify_result.h
+++ b/net/cert/ct_verify_result.h
@@ -7,17 +7,20 @@
#include <vector>
+#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/signed_certificate_timestamp.h"
namespace net {
namespace ct {
+enum class EVPolicyCompliance;
+
typedef std::vector<scoped_refptr<SignedCertificateTimestamp> > SCTList;
-// Holds Signed Certificate Timestamps, depending on their verification results.
-// More information could be tracked here about SCTs, but for the current UI
-// this categorization is enough.
+// Holds Signed Certificate Timestamps, depending on their verification
+// results, and information about CT policies that were applied on the
+// connection.
struct NET_EXPORT CTVerifyResult {
CTVerifyResult();
~CTVerifyResult();
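Review bot: The added `#include "net/cert/ct_policy_enforcer.h"` is not needed by anything visible in this hunk: the opaque `enum class EVPolicyCompliance;` declaration already makes the `ev_policy_compliance` member in the next hunk well-formed (a scoped enum is a complete type after an opaque declaration), and ct_policy_enforcer.h only forward-declares the enum itself. It also makes a plain data header depend on the enforcer (and transitively on net_log.h) and brings the second `SCTList` alias from namespace net into every includer. Either drop the include or replace it with `#include "net/cert/ct_policy_status.h"`, which defines the enum and which ct_verify_result.cc already includes.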
@@ -28,6 +31,12 @@ struct NET_EXPORT CTVerifyResult {
SCTList invalid_scts;
// SCTs from unknown logs and as such are unverifiable.
SCTList unknown_logs_scts;
+
+ // True if any CT policies were applied on this connection.
+ bool ct_policies_applied;
+ // The result of evaluating whether the connection complies with the
+ // EV CT policy.
+ EVPolicyCompliance ev_policy_compliance;
};
} // namespace ct