Add information to SSLInfo about CT EV policy compliance

This CL adds a field to SSLInfo to record whether CT policies were
enforced on the connection and details about the connection's compliance
with the CT EV policy.

This will eventually allow UI to explain to domain owners why their
site's EV status might be getting stripped.

This also lays the groundwork for introducing an Expect-CT policy, which
will be applied on all certificates. //net will apply the Expect-CT
policy and export the result via the new field in SSLInfo, so that code
outside net can send a report if desired.

BUG=568806

Review URL: https://codereview.chromium.org/1652603002

Cr-Commit-Position: refs/heads/master@{#376256}
diff --git a/net/cert/ct_policy_enforcer.h b/net/cert/ct_policy_enforcer.h
index 8c29da5e..a2db8f0 100644
--- a/net/cert/ct_policy_enforcer.h
+++ b/net/cert/ct_policy_enforcer.h
@@ -1,25 +1,30 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
+
 #ifndef NET_CERT_CT_POLICY_ENFORCER_H
 #define NET_CERT_CT_POLICY_ENFORCER_H
 
 #include <stddef.h>
+#include <vector>
 
 #include "net/base/net_export.h"
+#include "net/cert/signed_certificate_timestamp.h"
 #include "net/log/net_log.h"
 
 namespace net {
 
 namespace ct {
 
-struct CTVerifyResult;
 class EVCertsWhitelist;
+enum class EVPolicyCompliance;
 
 }  // namespace ct
 
 class X509Certificate;
 
+using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
+
 // Class for checking that a given certificate conforms to security-related
 // policies.
 class NET_EXPORT CTPolicyEnforcer {
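Review bot: The new `SCTList` alias is declared at `net` scope in a header, so every file that includes ct_policy_enforcer.h picks up the name. If an alias with the same name already exists in another namespace such as `net::ct` (not visible in this diff), the two could become ambiguous under using-directives, so consider declaring it inside `namespace ct` or reusing the existing one. The alias also uses `scoped_refptr` without a direct include, apparently relying on signed_certificate_timestamp.h to pull it in; adding `#include "base/memory/ref_counted.h"` would make the header self-contained. A short comment beside `enum class EVPolicyCompliance;` naming the header that defines it would also help, since an opaque enum declaration must agree with the definition's underlying type.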
@@ -27,16 +32,17 @@
   CTPolicyEnforcer() {}
   virtual ~CTPolicyEnforcer() {}
 
-  // Returns true if the collection of SCTs for the given certificate
-  // conforms with the CT/EV policy. Conformance details are logged to
-  // |net_log|.
-  // |cert| is the certificate for which the SCTs apply.
-  // |ct_result| must contain the result of verifying any SCTs associated with
-  // |cert| prior to invoking this method.
-  virtual bool DoesConformToCTEVPolicy(X509Certificate* cert,
-                                       const ct::EVCertsWhitelist* ev_whitelist,
-                                       const ct::CTVerifyResult& ct_result,
-                                       const BoundNetLog& net_log);
+  // Returns the CT/EV policy compliance status for a given certificate
+  // and collection of SCTs.
+  // |cert| is the certificate for which to check compliance, and
+  // |verified_scts| contains any/all SCTs associated with |cert| that
+  // have been verified (well-formed, issued by known logs, and applying to
+  // |cert|).
+  virtual ct::EVPolicyCompliance DoesConformToCTEVPolicy(
+      X509Certificate* cert,
+      const ct::EVCertsWhitelist* ev_whitelist,
+      const SCTList& verified_scts,
+      const BoundNetLog& net_log);
 };
 
 }  // namespace net
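Review bot: The rewritten comment on `DoesConformToCTEVPolicy` makes the caller responsible for passing only verified SCTs, but a plain `SCTList` cannot enforce that, whereas the removed `ct::CTVerifyResult` parameter presumably carried the verification outcome with it. Because this result decides EV treatment, the contract deserves to be stated as a hard requirement, for example `// Callers MUST pass only SCTs that verified successfully; SCTs that failed verification or come from unknown logs must be excluded.` The new comment also drops the old statement that conformance details are logged to |net_log| and never describes |ev_whitelist|. Both should be documented, including whether |ev_whitelist| may be null. The method name still reads as a yes/no predicate although it now returns `ct::EVPolicyCompliance`, so the comment should say which enum values callers are to treat as compliant. The class declaration starts outside this hunk.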