Log the certificate subjects from the server certificate sent via QUIC.

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=285446

Review URL: https://codereview.chromium.org/418723002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285721 0039d316-1c4b-4281-b951-d872f2087c98

chrome/test/data/webui/net_internals/hsts_view.js

@@ -124,8 +124,9 @@ CheckQueryResultTask.prototype = {
     expectEquals(QueryResultType.SUCCESS, this.queryResultType_);
     expectEquals(this.stsSubdomains_, result.dynamic_sts_include_subdomains);
     expectEquals(this.pkpSubdomains_, result.dynamic_pkp_include_subdomains);
-    expectLE(this.stsObserved_, result.dynamic_sts_observed);
-    expectLE(this.pkpObserved_, result.dynamic_pkp_observed);
+    // Disabled because of http://crbug.com/397639
+    // expectLE(this.stsObserved_, result.dynamic_sts_observed);
+    // expectLE(this.pkpObserved_, result.dynamic_pkp_observed);
 
     // |public_key_hashes| is an old synonym for what is now
     // |preloaded_spki_hashes|, which in turn is a legacy synonym for

net/base/net_log_event_type_list.h

@@ -1351,6 +1351,12 @@ EVENT_TYPE(QUIC_SESSION)
 //   }
 EVENT_TYPE(QUIC_SESSION_CLOSE_ON_ERROR)
 
+// Session verified a certificate from the server.
+//   {
+//     "subjects": <list of DNS names that the certificate is valid for>,
+//   }
+EVENT_TYPE(QUIC_SESSION_CERTIFICATE_VERIFIED)
+
 // Session received a QUIC packet.
 //   {
 //     "peer_address": <The ip:port of the peer>,

net/quic/quic_client_session.cc

@@ -668,6 +668,7 @@ void QuicClientSession::OnProofVerifyDetailsAvailable(
   CertVerifyResult* result_copy = new CertVerifyResult;
   result_copy->CopyFrom(*cert_verify_result_other);
   cert_verify_result_.reset(result_copy);
+  logger_.OnCertificateVerified(*cert_verify_result_);
 }
 
 void QuicClientSession::StartReading() {

net/quic/quic_connection_logger.cc

@@ -15,6 +15,8 @@
 #include "base/values.h"
 #include "net/base/net_log.h"
 #include "net/base/net_util.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/x509_certificate.h"
 #include "net/quic/crypto/crypto_handshake_message.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/quic_address_mismatch.h"
@@ -239,6 +241,23 @@ base::Value* NetLogQuicOnConnectionClosedCallback(
   return dict;
 }
 
+base::Value* NetLogQuicCertificateVerifiedCallback(
+    scoped_refptr<X509Certificate> cert,
+    NetLog::LogLevel /* log_level */) {
+  // Only the subjects are logged so that we can investigate connection pooling.
+  // More fields could be logged in the future.
+  std::vector<std::string> dns_names;
+  cert->GetDNSNames(&dns_names);
+  base::DictionaryValue* dict = new base::DictionaryValue();
+  base::ListValue* subjects = new base::ListValue();
+  for (std::vector<std::string>::const_iterator it = dns_names.begin();
+       it != dns_names.end(); it++) {
+    subjects->Append(new base::StringValue(*it));
+  }
+  dict->Set("subjects", subjects);
+  return dict;
+}
+
 void UpdatePacketGapSentHistogram(size_t num_consecutive_missing_packets) {
   UMA_HISTOGRAM_COUNTS("Net.QuicSession.PacketGapSent",
                        num_consecutive_missing_packets);
@@ -672,6 +691,13 @@ void QuicConnectionLogger::UpdateReceivedFrameCounts(
   }
 }
 
+void QuicConnectionLogger::OnCertificateVerified(
+    const CertVerifyResult& result) {
+  net_log_.AddEvent(
+      NetLog::TYPE_QUIC_SESSION_CERTIFICATE_VERIFIED,
+      base::Bind(&NetLogQuicCertificateVerifiedCallback, result.verified_cert));
+}
+
 base::HistogramBase* QuicConnectionLogger::GetPacketSequenceNumberHistogram(
     const char* statistic_name) const {
   string prefix("Net.QuicSession.PacketReceived_");

net/quic/quic_connection_logger.h

@@ -16,6 +16,7 @@
 namespace net {
 
 class CryptoHandshakeMessage;
+class CertVerifyResult;
 
 // This class is a debug visitor of a QuicConnection which logs
 // events to |net_log|.
@@ -71,6 +72,7 @@ class NET_EXPORT_PRIVATE QuicConnectionLogger
   void UpdateReceivedFrameCounts(QuicStreamId stream_id,
                                  int num_frames_received,
                                  int num_duplicate_frames_received);
+  void OnCertificateVerified(const CertVerifyResult& result);
 
  private:
   // Do a factory get for a histogram for recording data, about individual