Enable Certificate Transparency in the OpenSSL port.
Also add tests that assert OCSP responses and SCT extensions are returned in
the expected format.
BUG=408687
TEST=open https://embed.ct.digicert.com/ in Chrome for Android and
tap the lock icon. Popup should say "The identity of this
[...] and is publicly auditable."
Review URL: https://codereview.chromium.org/517083002
Cr-Commit-Position: refs/heads/master@{#293295}
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h
index 14ea3c8..9b02ac2 100644
--- a/net/socket/ssl_client_socket_openssl.h
+++ b/net/socket/ssl_client_socket_openssl.h
@@ -13,6 +13,7 @@
#include "net/base/completion_callback.h"
#include "net/base/io_buffer.h"
#include "net/cert/cert_verify_result.h"
+#include "net/cert/ct_verify_result.h"
#include "net/socket/client_socket_handle.h"
#include "net/socket/ssl_client_socket.h"
#include "net/ssl/channel_id_service.h"
@@ -34,6 +35,7 @@
namespace net {
class CertVerifier;
+class CTVerifier;
class SingleRequestCertVerifier;
class SSLCertRequestInfo;
class SSLInfo;
@@ -121,6 +123,7 @@
int DoVerifyCertComplete(int result);
void DoConnectCallback(int result);
X509Certificate* UpdateServerCert();
+ void VerifyCT();
void OnHandshakeIOComplete(int result);
void OnSendComplete(int result);
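Review bot: The added declaration `void VerifyCT();` carries no comment, while `AddSCTInfoToSSLInfo`, added by the same change, is documented in full; the declaration should state what the method does and which members it writes. Judging by its name and the new `ct_verify_result_` member it presumably runs Certificate Transparency verification once the certificate check is done and records the outcome in `ct_verify_result_`, but that is inferred rather than visible in this hunk. I would add something like `// Runs Certificate Transparency verification for the server certificate and stores the outcome in ct_verify_result_. [State what happens when cert_transparency_verifier_ is NULL.]`. The enclosing class body continues outside the hunk.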
@@ -173,6 +176,13 @@
void CheckIfHandshakeFinished();
+ // Adds the SignedCertificateTimestamps from ct_verify_result_ to |ssl_info|.
+ // SCTs are held in three separate vectors in ct_verify_result, each
+ // vetor representing a particular verification state, this method associates
+ // each of the SCTs with the corresponding SCTVerifyStatus as it adds it to
+ // the |ssl_info|.signed_certificate_timestamps list.
+ void AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const;
+
bool transport_send_busy_;
bool transport_recv_busy_;
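Review bot: The new comment above `AddSCTInfoToSSLInfo` has a typo (`vetor`) and refers to the member as `ct_verify_result` on its second line but `ct_verify_result_` on its first, so a reader cannot grep a consistent identifier; the third sentence is also a comma splice. I would rewrite the second and third lines as `// SCTs are held in three separate vectors in ct_verify_result_, each` / `// vector representing a particular verification state. This method associates`. Since the per-SCT status is what the "publicly auditable" UI claim rests on, it would also help if the comment said whether the method appends to or replaces existing entries in `|ssl_info|.signed_certificate_timestamps`; that cannot be determined from this header hunk.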
@@ -232,6 +242,10 @@
scoped_ptr<SingleRequestCertVerifier> verifier_;
base::TimeTicks start_cert_verification_time_;
+ // Certificate Transparency: Verifier and result holder.
+ ct::CTVerifyResult ct_verify_result_;
+ CTVerifier* cert_transparency_verifier_;
+
// The service for retrieving Channel ID keys. May be NULL.
ChannelIDService* channel_id_service_;
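Review bot: The new raw-pointer member `CTVerifier* cert_transparency_verifier_;` is declared without stating ownership or nullability, unlike the adjacent `channel_id_service_`, whose comment says "May be NULL". The pointer is presumably non-owning, supplied from outside as the certificate verifier is, and whether it may be NULL decides whether `VerifyCT()` must guard the dereference or may assume a verifier is always present; that contract matters here because a CT check skipped for a missing verifier could still let the handshake complete with no SCT information recorded. I would expand the comment to `// Certificate Transparency: verifier (not owned) and result holder. [State whether cert_transparency_verifier_ may be NULL and what VerifyCT() does in that case.]`. The constructor that initialises these members is outside the hunk.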