authorestark <estark@chromium.org>2016-02-18 13:01:12 -0800
committerCommit bot <commit-bot@chromium.org>2016-02-18 21:02:30 +0000
commit723b5eeb4486ac293b6574cfce33a4fb1012e09d (patch)
tree109a7d15e5bbfc68a3f14d65b01d09da7b15932f /net/socket/ssl_client_socket_nss.cc
parenta7a6196257751af4e1bf769d60cb566c437f28e8 (diff)
Add information to SSLInfo about CT EV policy compliance
This CL adds a field to SSLInfo to record whether CT policies were enforced on the connection and details about the connection's compliance with the CT EV policy. This will eventually allow UI to explain to domain owners why their site's EV status might be getting stripped. This also lays the groundwork for introducing an Expect-CT policy, which will be applied on all certificates. //net will apply the expect CT policy and export the result via the new field in SSLInfo, so that code outside net can send a report if desired. BUG=568806 Review URL: https://codereview.chromium.org/1652603002 Cr-Commit-Position: refs/heads/master@{#376256}
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r--net/socket/ssl_client_socket_nss.cc22
1 files changed, 17 insertions, 5 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 5619247..9526c1c 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -95,6 +95,7 @@
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_ev_whitelist.h"
#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/ct_verify_result.h"
#include "net/cert/scoped_nss_types.h"
@@ -2410,7 +2411,7 @@ bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
ssl_info->cert = server_cert_verify_result_.verified_cert;
ssl_info->unverified_cert = core_->state().server_cert;
- AddSCTInfoToSSLInfo(ssl_info);
+ AddCTInfoToSSLInfo(ssl_info);
ssl_info->connection_status =
core_->state().ssl_connection_status;
@@ -3126,13 +3127,24 @@ void SSLClientSocketNSS::VerifyCT() {
// TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
// from the state after verification is complete, to conserve memory.
+ ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
+ ct_verify_result_.ev_policy_compliance =
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
if (policy_enforcer_ &&
(server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
SSLConfigService::GetEVCertsWhitelist();
- if (!policy_enforcer_->DoesConformToCTEVPolicy(
+ ct::EVPolicyCompliance ev_policy_compliance =
+ policy_enforcer_->DoesConformToCTEVPolicy(
server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
- ct_verify_result_, net_log_)) {
+ ct_verify_result_.verified_scts, net_log_);
+ ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
+ if (ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
// TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
VLOG(1) << "EV certificate for "
<< server_cert_verify_result_.verified_cert->subject()
@@ -3158,8 +3170,8 @@ bool SSLClientSocketNSS::CalledOnValidThread() const {
return valid_thread_id_ == base::PlatformThread::CurrentId();
}
-void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
- ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_);
+void SSLClientSocketNSS::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const {
+ ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_);
}
// static
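Review bot: The exclusion test in the VerifyCT hunk (`if (ev_policy_compliance != ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && ... != EV_POLICY_COMPLIES_VIA_SCTS)`) treats every enumerator other than the three listed as non-compliant, so an EVPolicyCompliance value added later fails closed and the EV status is stripped; that is the safe direction, but nothing in the hunk says it is deliberate, and the list has to be updated by hand if a new compliant status is ever introduced. I would put a comment above the condition, `// Any status other than "does not apply" or an explicit "complies" means the EV policy was checked and failed; new enumerators fail closed until listed here.` Alternatively a `switch` over the enumerator with no `default:` would let the compiler flag unhandled values instead of relying on the list. The new `ct_policies_applied = (policy_enforcer_ != nullptr)` is set regardless of whether the certificate is EV, so if it is meant to mean "an enforcer was present" rather than "an EV check ran", a one-line comment at the assignment would keep SSLInfo consumers from reading it the other way. VerifyCT's body starts and ends outside the hunk, and the rendered hunks appear to have dropped their blank context lines, so the `@@` counts do not match the visible lines.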