TrustStoreMac: add debug info flag for SecTrustSettingsCopyTrustSettings errors

Change-Id: Ifc9eaf96914875fb6621a904c277e26e355e7b90
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3140645
Reviewed-by: Ryan Sleevi <[email protected]>
Commit-Queue: Matt Mueller <[email protected]>
Cr-Commit-Position: refs/heads/main@{#918853}

Author: matt-mueller

components/security_interstitials/content/cert_logger.proto

@@ -259,6 +259,7 @@ message TrialVerificationInfo {
     MAC_TRUST_SETTINGS_DICT_CONTAINS_RESULT = 9;
     MAC_TRUST_SETTINGS_DICT_INVALID_RESULT_TYPE = 10;
     MAC_TRUST_SETTINGS_DICT_CONTAINS_ALLOWED_ERROR = 11;
+    MAC_COPY_TRUST_SETTINGS_ERROR = 12;
   }
   // Debug flags from the trial verifier path building attempt, only populated
   // on reports from macOS.  Contains the union of flags from all the GetTrust

components/security_interstitials/content/certificate_error_report.cc

@@ -108,22 +108,22 @@ void AddVerifyFlagsToReport(
 void AddMacTrustFlagsToReport(
     int mac_trust_flags,
     ::google::protobuf::RepeatedField<int>* report_flags) {
-#define COPY_TRUST_FLAGS(flag)                            \
-  if (mac_trust_flags & net::TrustStoreMac::TRUST_##flag) \
-    report_flags->Add(                                    \
-        chrome_browser_ssl::TrialVerificationInfo::MAC_TRUST_##flag);
-
-  COPY_TRUST_FLAGS(SETTINGS_ARRAY_EMPTY);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_EMPTY);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_UNKNOWN_KEY);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_POLICY);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_INVALID_POLICY_TYPE);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_APPLICATION);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_POLICY_STRING);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_KEY_USAGE);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_RESULT);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_INVALID_RESULT_TYPE);
-  COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_ALLOWED_ERROR);
+#define COPY_TRUST_FLAGS(flag)                    \
+  if (mac_trust_flags & net::TrustStoreMac::flag) \
+    report_flags->Add(chrome_browser_ssl::TrialVerificationInfo::MAC_##flag);
+
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_ARRAY_EMPTY);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_EMPTY);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_UNKNOWN_KEY);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_CONTAINS_POLICY);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_INVALID_POLICY_TYPE);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_CONTAINS_APPLICATION);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_CONTAINS_POLICY_STRING);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_CONTAINS_KEY_USAGE);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_CONTAINS_RESULT);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_INVALID_RESULT_TYPE);
+  COPY_TRUST_FLAGS(TRUST_SETTINGS_DICT_CONTAINS_ALLOWED_ERROR);
+  COPY_TRUST_FLAGS(COPY_TRUST_SETTINGS_ERROR);
 
 #undef COPY_TRUST_FLAGS
 }

net/cert/internal/trust_store_mac.cc

@@ -231,6 +231,7 @@ TrustStatus IsSecCertificateTrustedForPolicyInDomain(
   }
   if (err) {
     OSSTATUS_LOG(ERROR, err) << "SecTrustSettingsCopyTrustSettings error";
+    *debug_info |= TrustStoreMac::COPY_TRUST_SETTINGS_ERROR;
     return TrustStatus::UNSPECIFIED;
   }
   TrustStatus trust = IsTrustSettingsTrustedForPolicy(
@@ -326,6 +327,7 @@ TrustStatus IsCertificateTrustedForPolicy(const ParsedCertificate* cert,
         continue;
       }
       OSSTATUS_LOG(ERROR, err) << "SecTrustSettingsCopyTrustSettings error";
+      *debug_info |= TrustStoreMac::COPY_TRUST_SETTINGS_ERROR;
       continue;
     }
     if (out_is_known_root && trust_domain == kSecTrustSettingsDomainSystem) {

net/cert/internal/trust_store_mac.h

@@ -68,6 +68,10 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
     // One of the trustSettings dictionaries contained a
     // kSecTrustSettingsAllowedError key.
     TRUST_SETTINGS_DICT_CONTAINS_ALLOWED_ERROR = 1 << 10,
+
+    // SecTrustSettingsCopyTrustSettings returned a value other than
+    // errSecSuccess or errSecItemNotFound.
+    COPY_TRUST_SETTINGS_ERROR = 1 << 11,
   };
 
   enum class TrustImplType {