chromium/src
0
Fork 0
Code Activity

refactor CTPolicyEnforcer to be run by CertVerifyProc

Browse Source 
Previously it was run at the socket layer in the network service.

Bug: 848277
Change-Id: I1839d1846979d6c266be5674073b400ea24d4bce
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5097060
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Stefano Duo <stefanoduo@google.com>
Reviewed-by: Sorin Jianu <sorin@chromium.org>
Reviewed-by: Lambros Lambrou <lambroslambrou@chromium.org>
Reviewed-by: Anqing Zhao <anqing@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Code-Coverage: findit-for-me@appspot.gserviceaccount.com <findit-for-me@appspot.gserviceaccount.com>
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Reviewed-by: Carlos IL <carlosil@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1238178}
This commit is contained in:
Matt Mueller
2023-12-15 19:05:40 +00:00
committed by Chromium LUCI CQ
parent c2a2758e79
commit 635c4a0fd2
83 changed files with 605 additions and 919 deletions
chrome/browser
component_updater
pki_metadata_component_installer.cc
net
system_network_context_manager.ccsystem_network_context_manager.h
policy
test
certificate_transparency_policy_browsertest.cc
ssl
certificate_transparency_browsertest.cc
components
certificate_transparency
chrome_ct_policy_enforcer.ccchrome_ct_policy_enforcer.hchrome_ct_policy_enforcer_unittest.cc
cronet
url_request_context_config.cc
content/browser/web_package
signed_exchange_handler_unittest.cc
net
cert
cert_verifier.cccert_verify_proc.cccert_verify_proc.hcert_verify_proc_builtin.cccert_verify_proc_builtin.hcert_verify_proc_builtin_unittest.cccert_verify_proc_unittest.ccct_policy_enforcer.hnss_cert_database_unittest.cctest_root_certs_unittest.cc
cert_net
cert_net_fetcher_url_request_unittest.cc
http
http_network_layer_unittest.cchttp_network_session.cchttp_network_session.hhttp_response_body_drainer_unittest.cchttp_stream_factory_unittest.cc
proxy_resolution
pac_file_fetcher_impl_unittest.cc
quic
crypto
proof_verifier_chromium.ccproof_verifier_chromium.hproof_verifier_chromium_test.cc
crypto_test_utils_chromium.ccdedicated_web_transport_http3_client.ccquic_end_to_end_unittest.ccquic_network_transaction_unittest.ccquic_stream_factory.ccquic_stream_factory.hquic_stream_factory_fuzzer.ccquic_stream_factory_test.cc
socket
ssl_client_socket.ccssl_client_socket.hssl_client_socket_impl.ccssl_client_socket_impl.hssl_client_socket_unittest.ccssl_connect_job_unittest.ccssl_server_socket_unittest.cctransport_client_socket_pool_unittest.cctransport_connect_job_unittest.cc
spdy
spdy_test_util_common.ccspdy_test_util_common.h
third_party
quiche
overrides
quiche_platform_impl
quiche_default_proof_providers_impl.cc
tools
cert_verify_tool
cert_verify_comparision_tool.cccert_verify_tool.cc
url_request
url_request_context.ccurl_request_context.hurl_request_context_builder.ccurl_request_context_builder.hurl_request_quic_unittest.ccurl_request_test_util.ccurl_request_test_util.hurl_request_unittest.cc
remoting/protocol
ssl_hmac_channel_authenticator.ccssl_hmac_channel_authenticator.h
services
cert_verifier
BUILD.gnDEPS
cert_net_url_loader
cert_net_fetcher_url_loader_unittest.cc
cert_verifier_creation.cccert_verifier_service_factory.cccert_verifier_service_factory.hcert_verifier_service_factory_unittest.cc
public
mojom
cert_verifier_service_factory.mojom
network
network_context.ccnetwork_context.hnetwork_context_unittest.ccnetwork_service.ccnetwork_service.hproxy_resolving_client_socket_factory.cc
public
mojom
network_context.mojomnetwork_service.mojom
sct_auditing
sct_auditing_handler_unittest.cc
socket_factory.cc
test
test_network_context.h
tls_socket_factory.cctls_socket_factory.h

5
chrome/browser/component_updater/pki_metadata_component_installer.cc

@ -323,10 +323,9 @@ void PKIMetadataComponentInstallerService::UpdateNetworkServiceCTListOnUI(
base::Seconds(proto->log_list().timestamp().seconds()) +
base::Nanoseconds(proto->log_list().timestamp().nanos());
content::GetCertVerifierServiceFactory()->UpdateCtLogList(
std::move(log_list_mojo), done_callback);
std::move(log_list_mojo), update_time, done_callback);
network_service->UpdateCtLogList(
std::move(log_list_mojo_clone_network_service), update_time,
done_callback);
std::move(log_list_mojo_clone_network_service), done_callback);
// Send the updated popular SCTs list to the network service, if available.
std::vector<std::vector<uint8_t>> popular_scts =

80
chrome/browser/net/system_network_context_manager.cc

@ -292,6 +292,41 @@ NetworkSandboxState IsNetworkSandboxEnabledInternal() {
: NetworkSandboxState::kDisabledByPlatform;
}
std::vector<network::mojom::CTLogInfoPtr> GetStaticCtLogListMojo() {
std::vector<std::pair<std::string, base::Time>> disqualified_logs =
certificate_transparency::GetDisqualifiedLogs();
std::vector<network::mojom::CTLogInfoPtr> log_list_mojo;
for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
log_info->id = crypto::SHA256HashString(log_info->public_key);
log_info->name = ct_log.log_name;
log_info->current_operator = ct_log.current_operator;
auto it = std::lower_bound(
std::begin(disqualified_logs), std::end(disqualified_logs),
log_info->id,
[](const auto& disqualified_log, const std::string& log_id) {
return disqualified_log.first < log_id;
});
if (it != std::end(disqualified_logs) && it->first == log_info->id) {
log_info->disqualified_at = it->second;
}
for (size_t i = 0; i < ct_log.previous_operators_length; i++) {
const auto& op = ct_log.previous_operators[i];
network::mojom::PreviousOperatorEntryPtr previous_operator =
network::mojom::PreviousOperatorEntry::New();
previous_operator->name = op.name;
previous_operator->end_time = op.end_time;
log_info->previous_operators.push_back(std::move(previous_operator));
}
log_list_mojo.push_back(std::move(log_info));
}
return log_list_mojo;
}
} // namespace
class SystemNetworkContextManager::NetworkProcessLaunchWatcher
@ -723,45 +758,11 @@ void SystemNetworkContextManager::OnNetworkServiceCreated(
// before the PKIMetadataComponentInstallerService
// ReconfigureAfterNetworkRestart call below.
if (IsCertificateTransparencyEnabled()) {
std::vector<std::pair<std::string, base::Time>> disqualified_logs =
certificate_transparency::GetDisqualifiedLogs();
std::vector<network::mojom::CTLogInfoPtr> log_list_mojo;
std::vector<network::mojom::CTLogInfoPtr>
log_list_mojo_clone_network_service;
for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
log_info->id = crypto::SHA256HashString(log_info->public_key);
log_info->name = ct_log.log_name;
log_info->current_operator = ct_log.current_operator;
auto it = std::lower_bound(
std::begin(disqualified_logs), std::end(disqualified_logs),
log_info->id,
[](const auto& disqualified_log, const std::string& log_id) {
return disqualified_log.first < log_id;
});
if (it != std::end(disqualified_logs) && it->first == log_info->id) {
log_info->disqualified_at = it->second;
}
for (size_t i = 0; i < ct_log.previous_operators_length; i++) {
const auto& op = ct_log.previous_operators[i];
network::mojom::PreviousOperatorEntryPtr previous_operator =
network::mojom::PreviousOperatorEntry::New();
previous_operator->name = op.name;
previous_operator->end_time = op.end_time;
log_info->previous_operators.push_back(std::move(previous_operator));
}
log_list_mojo_clone_network_service.push_back(log_info.Clone());
log_list_mojo.push_back(std::move(log_info));
}
content::GetCertVerifierServiceFactory()->UpdateCtLogList(
std::move(log_list_mojo), base::DoNothing());
network_service->UpdateCtLogList(
std::move(log_list_mojo_clone_network_service),
GetStaticCtLogListMojo(),
certificate_transparency::GetLogListTimestamp(), base::DoNothing());
network_service->UpdateCtLogList(GetStaticCtLogListMojo(),
base::DoNothing());
}
int max_connections_per_proxy =
@ -970,6 +971,11 @@ void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
certificate_transparency_enabled_for_testing_ = enabled;
}
void SystemNetworkContextManager::SetCTLogListTimelyForTesting() {
content::GetCertVerifierServiceFactory()->UpdateCtLogList(
GetStaticCtLogListMojo(), base::Time::Now(), base::DoNothing());
}
bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
if (certificate_transparency_enabled_for_testing_.has_value())
return certificate_transparency_enabled_for_testing_.value();

4
chrome/browser/net/system_network_context_manager.h

@ -166,6 +166,10 @@ class SystemNetworkContextManager {
static void SetEnableCertificateTransparencyForTesting(
absl::optional<bool> enabled);
// Reloads the static CT log lists but overriding the log list update time
// with the current time. For test use only.
void SetCTLogListTimelyForTesting();
static bool IsCertificateTransparencyEnabled();
static void set_stub_resolver_config_reader_for_testing(

12
chrome/browser/policy/test/certificate_transparency_policy_browsertest.cc

@ -7,7 +7,6 @@
#include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
#include "chrome/browser/net/system_network_context_manager.h"
#include "chrome/browser/policy/safe_browsing_policy_test.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/test/base/chrome_test_utils.h"
#include "components/policy/core/common/policy_map.h"
#include "components/policy/core/common/policy_types.h"
@ -16,7 +15,6 @@
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/network_service_instance.h"
#include "content/public/browser/network_service_util.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/test/browser_test.h"
#include "mojo/public/cpp/bindings/sync_call_restrictions.h"
#include "net/base/hash_value.h"
@ -66,10 +64,7 @@ class CertificateTransparencyPolicyTest : public SafeBrowsingPolicyTest {
IN_PROC_BROWSER_TEST_F(CertificateTransparencyPolicyTest,
CertificateTransparencyEnforcementDisabledForUrls) {
auto* profile = Profile::FromBrowserContext(
chrome_test_utils::GetActiveWebContents(this)->GetBrowserContext());
content::StoragePartition* partition = profile->GetDefaultStoragePartition();
partition->GetNetworkContext()->SetCTLogListAlwaysTimelyForTesting();
SystemNetworkContextManager::GetInstance()->SetCTLogListTimelyForTesting();
net::EmbeddedTestServer https_server_ok(net::EmbeddedTestServer::TYPE_HTTPS);
https_server_ok.SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
@ -124,10 +119,7 @@ IN_PROC_BROWSER_TEST_F(CertificateTransparencyPolicyTest,
IN_PROC_BROWSER_TEST_F(CertificateTransparencyPolicyTest,
CertificateTransparencyEnforcementDisabledForCas) {
auto* profile = Profile::FromBrowserContext(
chrome_test_utils::GetActiveWebContents(this)->GetBrowserContext());
content::StoragePartition* partition = profile->GetDefaultStoragePartition();
partition->GetNetworkContext()->SetCTLogListAlwaysTimelyForTesting();
SystemNetworkContextManager::GetInstance()->SetCTLogListTimelyForTesting();
net::EmbeddedTestServer https_server_ok(net::EmbeddedTestServer::TYPE_HTTPS);
https_server_ok.SetSSLConfig(net::EmbeddedTestServer::CERT_OK);

5
chrome/browser/ssl/certificate_transparency_browsertest.cc

@ -20,7 +20,6 @@
#include "components/policy/policy_constants.h"
#include "components/prefs/testing_pref_service.h"
#include "content/public/browser/network_service_instance.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/test/browser_test.h"
#include "crypto/sha2.h"
#include "net/base/hash_value.h"
@ -135,9 +134,7 @@ class CertificateTransparencyBrowserTest : public CertVerifierBrowserTest {
// Chrome CT Policy should be being enforced.
IN_PROC_BROWSER_TEST_F(CertificateTransparencyBrowserTest,
EnforcedAfterApril2018) {
content::StoragePartition* partition =
browser()->profile()->GetDefaultStoragePartition();
partition->GetNetworkContext()->SetCTLogListAlwaysTimelyForTesting();
SystemNetworkContextManager::GetInstance()->SetCTLogListTimelyForTesting();
ASSERT_TRUE(https_server()->Start());

16
components/certificate_transparency/chrome_ct_policy_enforcer.cc

@ -37,6 +37,8 @@ namespace certificate_transparency {
namespace {
// TODO(https://crbug.com/848277): move this under net/, and use it from
// CertVerifyResult::NetLogParams too.
const char* CTPolicyComplianceToString(CTPolicyCompliance status) {
switch (status) {
case CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS:
@ -64,6 +66,9 @@ base::Value::Dict NetLogCertComplianceCheckResultParams(
base::Value::Dict dict;
// TODO(mattm): This double-wrapping of the certificate list is weird. Remove
// this (probably requires updates to netlog-viewer).
// TODO(https://crbug.com/848277): or just remove the certificate list, this
// event is logged during CertVerifyProc now which already logs the
// certificates so it's a bit redundant.
base::Value::Dict certificate_dict;
certificate_dict.Set("certificates", net::NetLogX509CertificateList(cert));
dict.Set("certificate", std::move(certificate_dict));
@ -125,15 +130,6 @@ CTPolicyCompliance ChromeCTPolicyEnforcer::CheckCompliance(
return compliance;
}
void ChromeCTPolicyEnforcer::UpdateCTLogList(
base::Time update_time,
std::vector<std::pair<std::string, base::Time>> disqualified_logs,
std::map<std::string, OperatorHistoryEntry> log_operator_history) {
log_list_date_ = update_time;
disqualified_logs_ = std::move(disqualified_logs);
log_operator_history_ = std::move(log_operator_history);
}
bool ChromeCTPolicyEnforcer::IsLogDisqualified(
std::string_view log_id,
base::Time* disqualification_date) const {
@ -153,8 +149,6 @@ bool ChromeCTPolicyEnforcer::IsLogDisqualified(
}
bool ChromeCTPolicyEnforcer::IsLogDataTimely() const {
if (ct_log_list_always_timely_for_testing_)
return true;
// We consider built-in information to be timely for 10 weeks.
return (clock_->Now() - log_list_date_).InDays() < 70 /* 10 weeks */;
}

24
components/certificate_transparency/chrome_ct_policy_enforcer.h

@ -60,20 +60,11 @@ class COMPONENT_EXPORT(CERTIFICATE_TRANSPARENCY) ChromeCTPolicyEnforcer
std::map<std::string, OperatorHistoryEntry> log_operator_history,
const base::Clock* clock);
~ChromeCTPolicyEnforcer() override;
net::ct::CTPolicyCompliance CheckCompliance(
net::X509Certificate* cert,
const net::ct::SCTList& verified_scts,
const net::NetLogWithSource& net_log) const override;
// Updates the list of logs used for compliance checks. |disqualified_logs|
// is a map of log ID to disqualification date.
void UpdateCTLogList(
base::Time update_time,
std::vector<std::pair<std::string, base::Time>> disqualified_logs,
std::map<std::string, OperatorHistoryEntry> log_operator_history);
// TODO(https://crbug.com/999240): These are exposed to allow end-to-end
// testing by higher layers (i.e. that the ChromeCTPolicyEnforcer is
// correctly constructed). When either this issue or https://crbug.com/848277
@ -89,9 +80,8 @@ class COMPONENT_EXPORT(CERTIFICATE_TRANSPARENCY) ChromeCTPolicyEnforcer
return log_operator_history_;
}
void SetCTLogListAlwaysTimelyForTesting(bool always_timely) {
ct_log_list_always_timely_for_testing_ = always_timely;
}
protected:
~ChromeCTPolicyEnforcer() override;
private:
FRIEND_TEST_ALL_PREFIXES(ChromeCTPolicyEnforcerTest,
@ -117,19 +107,15 @@ class COMPONENT_EXPORT(CERTIFICATE_TRANSPARENCY) ChromeCTPolicyEnforcer
std::string GetOperatorForLog(std::string log_id, base::Time timestamp) const;
// Map of SHA-256(SPKI) to log disqualification date.
std::vector<std::pair<std::string, base::Time>> disqualified_logs_;
const std::vector<std::pair<std::string, base::Time>> disqualified_logs_;
std::map<std::string, OperatorHistoryEntry> log_operator_history_;
const std::map<std::string, OperatorHistoryEntry> log_operator_history_;
const raw_ptr<const base::Clock> clock_;
// The time at which |disqualified_logs_| and |log_operator_history_| were
// generated.
base::Time log_list_date_;
// If set, the CT log list will be considered timely regardless of its last
// update time.
bool ct_log_list_always_timely_for_testing_ = false;
const base::Time log_list_date_;
};
} // namespace certificate_transparency

118
components/certificate_transparency/chrome_ct_policy_enforcer_unittest.cc

@ -9,6 +9,7 @@
#include <utility>
#include "base/build_time.h"
#include "base/memory/scoped_refptr.h"
#include "base/strings/string_number_conversions.h"
#include "base/test/scoped_feature_list.h"
#include "base/test/simple_test_clock.h"
@ -60,10 +61,10 @@ class ChromeCTPolicyEnforcerTest : public ::testing::Test {
clock_.SetNow(test_now_);
}
std::unique_ptr<ChromeCTPolicyEnforcer> MakeChromeCTPolicyEnforcer(
scoped_refptr<ChromeCTPolicyEnforcer> MakeChromeCTPolicyEnforcer(
std::vector<std::pair<std::string, base::Time>> disqualified_logs,
std::map<std::string, OperatorHistoryEntry> log_operator_history) {
return std::make_unique<ChromeCTPolicyEnforcer>(
return base::MakeRefCounted<ChromeCTPolicyEnforcer>(
test_now_, std::move(disqualified_logs),
std::move(log_operator_history), &clock_);
}
@ -173,7 +174,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughFreshSCTs) {
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
false, &disqualified_log, &scts);
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, operator_history);
EXPECT_EQ(
CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
@ -237,7 +238,7 @@ TEST_F(ChromeCTPolicyEnforcerTest,
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_EMBEDDED, false,
&disqualified_log, &scts);
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, operator_history);
EXPECT_EQ(
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
@ -268,7 +269,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, ConformsToCTPolicyWithNonEmbeddedSCTs) {
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -284,7 +285,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, EnforcementDisabledByBinaryAge) {
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -306,7 +307,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, ConformsToCTPolicyWithEmbeddedSCTs) {
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -334,7 +335,7 @@ TEST_F(ChromeCTPolicyEnforcerTest,
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -361,7 +362,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, ConformsToCTPolicyWithPooledEmbeddedSCTs) {
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -377,7 +378,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughSCTs) {
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -402,7 +403,7 @@ TEST_F(ChromeCTPolicyEnforcerTest,
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, operator_history);
// |chain_| is valid for 10 years - over 180 days - so requires 3 SCTs.
@ -424,7 +425,7 @@ TEST_F(ChromeCTPolicyEnforcerTest,
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, operator_history);
// |chain_| is valid for 10 years - over 180 days - so requires 3 SCTs.
@ -449,7 +450,7 @@ TEST_F(ChromeCTPolicyEnforcerTest,
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, operator_history);
// |chain_| is valid for 10 years - over 180 days - so requires 3 SCTs.
@ -458,75 +459,6 @@ TEST_F(ChromeCTPolicyEnforcerTest,
policy_enforcer->CheckCompliance(chain_.get(), scts, NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, UpdateCTLogList) {
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(),
std::map<std::string, OperatorHistoryEntry>());
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
2, &scts);
std::vector<std::pair<std::string, base::Time>> disqualified_logs;
std::map<std::string, OperatorHistoryEntry> operator_history;
for (auto sct : scts) {
OperatorHistoryEntry entry;
entry.current_operator_ = "Operator";
operator_history[sct->log_id] = entry;
}
policy_enforcer->UpdateCTLogList(base::Time::Now(), disqualified_logs,
operator_history);
// The check should fail since the logs all have the same operator.
EXPECT_EQ(
CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer->CheckCompliance(chain_.get(), scts, NetLogWithSource()));
// Update the list again, this time including diverse operators.
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
policy_enforcer->UpdateCTLogList(base::Time::Now(), disqualified_logs,
operator_history);
// The check should now succeed.
EXPECT_EQ(
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(chain_.get(), scts, NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, TimestampUpdates) {
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(),
std::map<std::string, OperatorHistoryEntry>());
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
1, &scts);
// Clear the log list and set the last updated time to more than 10 weeks ago.
std::vector<std::pair<std::string, base::Time>> disqualified_logs;
std::map<std::string, OperatorHistoryEntry> log_operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &log_operator_history);
policy_enforcer->UpdateCTLogList(base::Time::Now() - base::Days(71),
disqualified_logs, log_operator_history);
// The check should return build not timely even though there are not enough
// SCTs.
EXPECT_EQ(
CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY,
policy_enforcer->CheckCompliance(chain_.get(), scts, NetLogWithSource()));
// Update the last update time value again, this time with a recent time.
policy_enforcer->UpdateCTLogList(base::Time::Now(), disqualified_logs,
log_operator_history);
// The check should now fail
EXPECT_EQ(
CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer->CheckCompliance(chain_.get(), scts, NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, IsLogDisqualifiedTimestamp) {
// Clear the log list and add 2 disqualified logs, one with a disqualification
// date in the past and one in the future.
@ -540,7 +472,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, IsLogDisqualifiedTimestamp) {
disqualified_logs.emplace_back(kModifiedTestLogID, future_disqualification);
disqualified_logs.emplace_back(kTestLogID, past_disqualification);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(disqualified_logs, log_operator_history);
base::Time disqualification_time;
@ -563,7 +495,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, IsLogDisqualifiedReturnsFalseOnUnknownLog) {
disqualified_logs.emplace_back(kModifiedTestLogID,
base::Time::Now() - base::Days(1));
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(disqualified_logs, log_operator_history);
base::Time unused;
@ -593,7 +525,7 @@ TEST_F(ChromeCTPolicyEnforcerTest,
}
std::sort(std::begin(disqualified_logs), std::end(disqualified_logs));
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(disqualified_logs, log_operator_history);
// SCTs should comply since retirement date is in the future.
@ -624,7 +556,7 @@ TEST_F(ChromeCTPolicyEnforcerTest,
FillOperatorHistoryWithDiverseOperators(scts, &log_operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(disqualified_logs, log_operator_history);
// SCTs should not comply since retirement date is in the past.
@ -693,7 +625,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, UpdatedSCTRequirements) {
// diversity.
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
CTPolicyCompliance expected;
@ -728,7 +660,7 @@ TEST_F(ChromeCTPolicyEnforcerTest,
operator_history[sct->log_id] = entry;
}
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -743,7 +675,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, ConformsToCTPolicyDifferentOperators) {
std::map<std::string, OperatorHistoryEntry> operator_history;
FillOperatorHistoryWithDiverseOperators(scts, &operator_history);
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -767,7 +699,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, ConformsToPolicyDueToOperatorSwitch) {
operator_history[scts[1]->log_id].previous_operators_.emplace_back(
"Different Operator", scts[1]->timestamp + base::Seconds(1));
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -788,7 +720,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, DoesNotConformToPolicyDueToOperatorSwitch) {
operator_history[scts[1]->log_id].previous_operators_.emplace_back(
"Operator 0", scts[1]->timestamp + base::Seconds(1));
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -810,7 +742,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, MultipleOperatorSwitches) {
operator_history[scts[1]->log_id].previous_operators_.emplace_back(
"Operator 0", scts[1]->timestamp + base::Seconds(1));
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(
@ -836,7 +768,7 @@ TEST_F(ChromeCTPolicyEnforcerTest, MultipleOperatorSwitchesBeforeSCTTimestamp) {
operator_history[scts[1]->log_id].previous_operators_.emplace_back(
"Yet Another Different Operator", scts[1]->timestamp - base::Seconds(1));
std::unique_ptr<ChromeCTPolicyEnforcer> policy_enforcer =
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), operator_history);
EXPECT_EQ(

6
components/cronet/url_request_context_config.cc

@ -24,8 +24,6 @@
#include "net/cert/caching_cert_verifier.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/cert_verify_proc.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/multi_threaded_cert_verifier.h"
#include "net/dns/context_host_resolver.h"
#include "net/dns/host_resolver.h"
@ -827,10 +825,6 @@ void URLRequestContextConfig::ConfigureURLRequestContextBuilder(
if (mock_cert_verifier)
context_builder->SetCertVerifier(std::move(mock_cert_verifier));
// Certificate Transparency is intentionally ignored in Cronet.
// See //net/docs/certificate-transparency.md for more details.
context_builder->set_ct_policy_enforcer(
std::make_unique<net::DefaultCTPolicyEnforcer>());
// TODO(mef): Use |config| to set cookies.
}

59
content/browser/web_package/signed_exchange_handler_unittest.cc

@ -159,15 +159,6 @@ class GMockCertVerifier : public net::CertVerifier {
MOCK_METHOD1(RemoveObserver, void(Observer* observer));
};
class MockCTPolicyEnforcer : public net::CTPolicyEnforcer {
public:
MOCK_CONST_METHOD3(
CheckCompliance,
net::ct::CTPolicyCompliance(net::X509Certificate* cert,
const net::ct::SCTList& verified_scts,
const net::NetLogWithSource& net_log));
};
class MockSCTAuditingDelegate : public net::SCTAuditingDelegate {
public:
MOCK_METHOD(bool, IsSCTAuditingEnabled, ());
@ -208,14 +199,7 @@ class SignedExchangeHandlerTest
cert_fetcher_factory_ =
std::make_unique<MockSignedExchangeCertFetcherFactory>();
mock_cert_fetcher_factory_ = cert_fetcher_factory_.get();
mock_ct_policy_enforcer_ = std::make_unique<MockCTPolicyEnforcer>();
mock_sct_auditing_delegate_ = std::make_unique<MockSCTAuditingDelegate>();
// Lets mock CT policy enforcer return CT_POLICY_COMPLIES_VIA_SCTS by
// default. This may be overridden by test cases.
EXPECT_CALL(*mock_ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillRepeatedly(
Return(net::ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
}
void TearDown() override {
@ -255,6 +239,10 @@ class SignedExchangeHandlerTest
result.cert_status = net::OK;
result.ocsp_result.response_status = bssl::OCSPVerifyResult::PROVIDED;
result.ocsp_result.revocation_status = bssl::OCSPRevocationStatus::GOOD;
// Return CT_POLICY_COMPLIES_VIA_SCTS by default. This may be overridden by
// test cases.
result.policy_compliance =
net::ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS;
return result;
}
@ -322,14 +310,11 @@ class SignedExchangeHandlerTest
return *resource_response_;
}
// Creates a URLRequestContext that uses |mock_ct_policy_enforcer_|.
// Creates a URLRequestContext that uses |mock_sct_auditing_delegate_|.
std::unique_ptr<net::URLRequestContext> CreateTestURLRequestContext() {
// We consume these mock objects, so register expectations beforehand.
DCHECK(mock_ct_policy_enforcer_);
DCHECK(mock_sct_auditing_delegate_);
auto context_builder = net::CreateTestURLRequestContextBuilder();
context_builder->set_ct_policy_enforcer(
std::move(mock_ct_policy_enforcer_));
context_builder->set_sct_auditing_delegate(
std::move(mock_sct_auditing_delegate_));
return context_builder->Build();
@ -399,7 +384,6 @@ class SignedExchangeHandlerTest
raw_ptr<MockSignedExchangeCertFetcherFactory>
mock_cert_fetcher_factory_;
std::unique_ptr<net::CertVerifier> cert_verifier_;
std::unique_ptr<MockCTPolicyEnforcer> mock_ct_policy_enforcer_;
std::unique_ptr<MockSCTAuditingDelegate> mock_sct_auditing_delegate_;
raw_ptr<net::MockSourceStream> source_;
std::unique_ptr<SignedExchangeHandler> handler_;
@ -872,11 +856,10 @@ TEST_P(SignedExchangeHandlerTest, NotEnoughSCTsFromPubliclyTrustedCert) {
net::CertVerifyResult cert_result = CreateCertVerifyResult();
cert_result.is_issued_by_known_root = true;
cert_result.policy_compliance =
net::ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
SetupMockCertVerifier("prime256v1-sha256.public.pem", cert_result);
// Lets the mock CT policy enforcer return CT_POLICY_NOT_ENOUGH_SCTS.
EXPECT_CALL(*mock_ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillOnce(Return(net::ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
SetSourceStreamContents("test.example.org_test.sxg");
@ -913,12 +896,10 @@ TEST_P(SignedExchangeHandlerTest, ReportUsesNetworkIsolationKey) {
net::CertVerifyResult cert_result = CreateCertVerifyResult();
cert_result.is_issued_by_known_root = true;
cert_result.policy_compliance =
net::ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
SetupMockCertVerifier("prime256v1-sha256.public.pem", cert_result);
// Lets the mock CT policy enforcer return CT_POLICY_NOT_ENOUGH_SCTS.
EXPECT_CALL(*mock_ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillOnce(Return(net::ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
SetSourceStreamContents("test.example.org_test.sxg");
std::unique_ptr<net::URLRequestContext> url_request_context =
@ -991,12 +972,10 @@ TEST_P(SignedExchangeHandlerTest, CTNotRequiredForLocalAnchors) {
net::CertVerifyResult cert_result = CreateCertVerifyResult();
cert_result.is_issued_by_known_root = false; // Local anchor.
cert_result.policy_compliance =
net::ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
SetupMockCertVerifier("prime256v1-sha256.public.pem", cert_result);
// Lets the mock CT policy enforcer return CT_POLICY_NOT_ENOUGH_SCTS.
EXPECT_CALL(*mock_ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillOnce(Return(net::ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
SetSourceStreamContents("test.example.org_test.sxg");
CreateSignedExchangeHandler(CreateTestURLRequestContext());
@ -1038,16 +1017,6 @@ TEST_P(SignedExchangeHandlerTest, CTVerifierParams) {
auto bad_sct = base::MakeRefCounted<net::ct::SignedCertificateTimestamp>();
fake_sct_list.emplace_back(bad_sct, net::ct::SCT_STATUS_INVALID_TIMESTAMP);
EXPECT_CALL(*mock_ct_policy_enforcer_,
CheckCompliance(CertEqualsIncludingChain(original_cert),
ElementsAre(good_sct), _ /* net_log */))
.WillOnce(
Return(net::ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
auto context_builder = net::CreateTestURLRequestContextBuilder();
context_builder->set_ct_policy_enforcer(std::move(mock_ct_policy_enforcer_));
auto test_url_request_context = context_builder->Build();
// Mock a verify result including the SCTs.
auto verify_result = CreateCertVerifyResult();
verify_result.scts = fake_sct_list;
@ -1058,7 +1027,7 @@ TEST_P(SignedExchangeHandlerTest, CTVerifierParams) {
net::MockSourceStream::ASYNC);
source_->AddReadResult(nullptr, 0, net::OK, net::MockSourceStream::ASYNC);
CreateSignedExchangeHandler(std::move(test_url_request_context));
CreateSignedExchangeHandler(CreateTestURLRequestContext());
WaitForHeader();
ASSERT_TRUE(read_header());
@ -1085,8 +1054,8 @@ TEST_P(SignedExchangeHandlerTest, SCTAuditingReportEnqueued) {
cert_result.is_issued_by_known_root = true;
SetupMockCertVerifier("prime256v1-sha256.public.pem", cert_result);
// The mock CT policy enforcer will return CT_POLICY_COMPLIES_VIA_SCTS, as
// configured in SetUp().
// The mock cert verifier will return CT_POLICY_COMPLIES_VIA_SCTS, as
// configured in CreateCertVerifyResult().
// Add SCTAuditingDelegate mock results.
EXPECT_CALL(*mock_sct_auditing_delegate_, IsSCTAuditingEnabled())

5
net/cert/cert_verifier.cc

@ -36,6 +36,7 @@ class DefaultCertVerifyProcFactory : public net::CertVerifyProcFactory {
return CertVerifyProc::CreateBuiltinWithChromeRootStore(
std::move(cert_net_fetcher), impl_params.crl_set,
std::make_unique<net::DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
base::OptionalToPtr(impl_params.root_store_data), instance_params);
}
#endif
@ -43,11 +44,13 @@ class DefaultCertVerifyProcFactory : public net::CertVerifyProcFactory {
return CertVerifyProc::CreateBuiltinWithChromeRootStore(
std::move(cert_net_fetcher), impl_params.crl_set,
std::make_unique<net::DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
base::OptionalToPtr(impl_params.root_store_data), instance_params);
#elif BUILDFLAG(IS_FUCHSIA)
return CertVerifyProc::CreateBuiltinVerifyProc(
std::move(cert_net_fetcher), impl_params.crl_set,
std::make_unique<net::DoNothingCTVerifier>(), instance_params);
std::make_unique<net::DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(), instance_params);
#else
return CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher),
impl_params.crl_set);

6
net/cert/cert_verify_proc.cc

@ -416,10 +416,12 @@ scoped_refptr<CertVerifyProc> CertVerifyProc::CreateBuiltinVerifyProc(
scoped_refptr<CertNetFetcher> cert_net_fetcher,
scoped_refptr<CRLSet> crl_set,
std::unique_ptr<CTVerifier> ct_verifier,
scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
const InstanceParams instance_params) {
return CreateCertVerifyProcBuiltin(
std::move(cert_net_fetcher), std::move(crl_set), std::move(ct_verifier),
CreateSslSystemTrustStore(), instance_params);
std::move(ct_policy_enforcer), CreateSslSystemTrustStore(),
instance_params);
}
#endif
@ -429,6 +431,7 @@ scoped_refptr<CertVerifyProc> CertVerifyProc::CreateBuiltinWithChromeRootStore(
scoped_refptr<CertNetFetcher> cert_net_fetcher,
scoped_refptr<CRLSet> crl_set,
std::unique_ptr<CTVerifier> ct_verifier,
scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
const ChromeRootStoreData* root_store_data,
const InstanceParams instance_params) {
std::unique_ptr<TrustStoreChrome> chrome_root =
@ -436,6 +439,7 @@ scoped_refptr<CertVerifyProc> CertVerifyProc::CreateBuiltinWithChromeRootStore(
: std::make_unique<TrustStoreChrome>();
return CreateCertVerifyProcBuiltin(
std::move(cert_net_fetcher), std::move(crl_set), std::move(ct_verifier),
std::move(ct_policy_enforcer),
CreateSslSystemTrustStoreChromeRoot(std::move(chrome_root)),
instance_params);
}

4
net/cert/cert_verify_proc.h

@ -16,6 +16,7 @@
#include "net/base/hash_value.h"
#include "net/base/net_export.h"
#include "net/cert/ct_log_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_verifier.h"
#include "net/net_buildflags.h"
@ -88,6 +89,7 @@ class NET_EXPORT CertVerifyProc
scoped_refptr<CRLSet> crl_set;
std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
scoped_refptr<net::CTPolicyEnforcer> ct_policy_enforcer;
#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
absl::optional<net::ChromeRootStoreData> root_store_data;
#endif
@ -148,6 +150,7 @@ class NET_EXPORT CertVerifyProc
scoped_refptr<CertNetFetcher> cert_net_fetcher,
scoped_refptr<CRLSet> crl_set,
std::unique_ptr<CTVerifier> ct_verifier,
scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
const InstanceParams instance_params);
#endif
@ -159,6 +162,7 @@ class NET_EXPORT CertVerifyProc
scoped_refptr<CertNetFetcher> cert_net_fetcher,
scoped_refptr<CRLSet> crl_set,
std::unique_ptr<CTVerifier> ct_verifier,
scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
const ChromeRootStoreData* root_store_data,
const InstanceParams instance_params);
#endif

54
net/cert/cert_verify_proc_builtin.cc

@ -22,6 +22,7 @@
#include "net/cert/cert_verifier.h"
#include "net/cert/cert_verify_proc.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/ev_root_ca_metadata.h"
#include "net/cert/internal/cert_issuer_source_aia.h"
@ -244,6 +245,7 @@ class PathBuilderDelegateDataImpl : public bssl::CertPathBuilderDelegateData {
bssl::OCSPVerifyResult stapled_ocsp_verify_result;
SignedCertificateTimestampAndStatusList scts;
ct::CTPolicyCompliance ct_policy_compliance;
};
// TODO(eroman): The path building code in this file enforces its idea of weak
@ -258,6 +260,7 @@ class PathBuilderDelegateImpl : public bssl::SimplePathBuilderDelegate {
PathBuilderDelegateImpl(
const CRLSet* crl_set,
CTVerifier* ct_verifier,
const CTPolicyEnforcer* ct_policy_enforcer,
CertNetFetcher* net_fetcher,
VerificationType verification_type,
bssl::SimplePathBuilderDelegate::DigestPolicy digest_policy,
@ -272,6 +275,7 @@ class PathBuilderDelegateImpl : public bssl::SimplePathBuilderDelegate {
: bssl::SimplePathBuilderDelegate(1024, digest_policy),
crl_set_(crl_set),
ct_verifier_(ct_verifier),
ct_policy_enforcer_(ct_policy_enforcer),
net_fetcher_(net_fetcher),
verification_type_(verification_type),
flags_(flags),
@ -339,19 +343,22 @@ class PathBuilderDelegateImpl : public bssl::SimplePathBuilderDelegate {
if (policy.check_revocation)
*checked_revocation_for_some_path_ = true;
PathBuilderDelegateDataImpl* delegate_data =
PathBuilderDelegateDataImpl::GetOrCreate(path);
// Check the revocation status for each certificate in the chain according
// to |policy|. Depending on the policy, errors will be added to the
// respective certificates, so |errors->ContainsHighSeverityErrors()| will
// reflect the revocation status of the chain after this call.
CheckValidatedChainRevocation(
path->certs, policy, deadline_, stapled_leaf_ocsp_response_,
net_fetcher_, &path->errors,
&PathBuilderDelegateDataImpl::GetOrCreate(path)
->stapled_ocsp_verify_result);
CheckValidatedChainRevocation(path->certs, policy, deadline_,
stapled_leaf_ocsp_response_, net_fetcher_,
&path->errors,
&delegate_data->stapled_ocsp_verify_result);
// TODO(https://crbug.com/1211074): making a temporary X509Certificate just
// to pass into CTVerifier is silly, refactor so that it takes
// CRYPTO_BUFFER/etc.
// TODO(https://crbug.com/1211074, https://crbug.com/848277): making a
// temporary X509Certificate just to pass into CTVerifier and
// CTPolicyEnforcer is silly, refactor so they take CRYPTO_BUFFER or
// ParsedCertificate or something.
std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
if (path->certs.size() > 1) {
intermediates.push_back(bssl::UpRef(path->certs[1]->cert_buffer()));
@ -359,9 +366,17 @@ class PathBuilderDelegateImpl : public bssl::SimplePathBuilderDelegate {
auto cert_for_ct_verify = X509Certificate::CreateFromBuffer(
bssl::UpRef(path->certs[0]->cert_buffer()), std::move(intermediates));
ct_verifier_->Verify(cert_for_ct_verify.get(), stapled_leaf_ocsp_response_,
sct_list_from_tls_extension_,
&PathBuilderDelegateDataImpl::GetOrCreate(path)->scts,
sct_list_from_tls_extension_, &delegate_data->scts,
*net_log_);
ct::SCTList verified_scts;
for (const auto& sct_and_status : delegate_data->scts) {
if (sct_and_status.status == ct::SCT_STATUS_OK) {
verified_scts.push_back(sct_and_status.sct);
}
}
delegate_data->ct_policy_compliance = ct_policy_enforcer_->CheckCompliance(
cert_for_ct_verify.get(), verified_scts, *net_log_);
}
// Selects a revocation policy based on the CertVerifier flags and the given
@ -450,6 +465,7 @@ class PathBuilderDelegateImpl : public bssl::SimplePathBuilderDelegate {
raw_ptr<const CRLSet> crl_set_;
raw_ptr<CTVerifier> ct_verifier_;
raw_ptr<const CTPolicyEnforcer> ct_policy_enforcer_;
raw_ptr<CertNetFetcher> net_fetcher_;
const VerificationType verification_type_;
const int flags_;
@ -475,6 +491,7 @@ class CertVerifyProcBuiltin : public CertVerifyProc {
CertVerifyProcBuiltin(scoped_refptr<CertNetFetcher> net_fetcher,
scoped_refptr<CRLSet> crl_set,
std::unique_ptr<CTVerifier> ct_verifier,
scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
std::unique_ptr<SystemTrustStore> system_trust_store,
const CertVerifyProc::InstanceParams& instance_params);
@ -492,6 +509,7 @@ class CertVerifyProcBuiltin : public CertVerifyProc {
const scoped_refptr<CertNetFetcher> net_fetcher_;
const std::unique_ptr<CTVerifier> ct_verifier_;
const scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer_;
const std::unique_ptr<SystemTrustStore> system_trust_store_;
bssl::TrustStoreInMemory additional_trust_store_;
};
@ -500,11 +518,13 @@ CertVerifyProcBuiltin::CertVerifyProcBuiltin(
scoped_refptr<CertNetFetcher> net_fetcher,
scoped_refptr<CRLSet> crl_set,
std::unique_ptr<CTVerifier> ct_verifier,
scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
std::unique_ptr<SystemTrustStore> system_trust_store,
const CertVerifyProc::InstanceParams& instance_params)
: CertVerifyProc(std::move(crl_set)),
net_fetcher_(std::move(net_fetcher)),
ct_verifier_(std::move(ct_verifier)),
ct_policy_enforcer_(std::move(ct_policy_enforcer)),
system_trust_store_(std::move(system_trust_store)) {
DCHECK(system_trust_store_);
@ -691,6 +711,7 @@ bssl::CertPathBuilder::Result TryBuildPath(
base::StringPiece sct_list,
const CRLSet* crl_set,
CTVerifier* ct_verifier,
const CTPolicyEnforcer* ct_policy_enforcer,
CertNetFetcher* net_fetcher,
const EVRootCAMetadata* ev_metadata,
bool* checked_revocation,
@ -707,8 +728,8 @@ bssl::CertPathBuilder::Result TryBuildPath(
}
PathBuilderDelegateImpl path_builder_delegate(
crl_set, ct_verifier, net_fetcher, verification_type, digest_policy,
flags, trust_store, ocsp_response, sct_list, ev_metadata,
crl_set, ct_verifier, ct_policy_enforcer, net_fetcher, verification_type,
digest_policy, flags, trust_store, ocsp_response, sct_list, ev_metadata,
checked_revocation, deadline, net_log);
absl::optional<CertIssuerSourceAia> aia_cert_issuer_source;
@ -822,6 +843,7 @@ int AssignVerifyResult(X509Certificate* input_cert,
if (delegate_data) {
verify_result->ocsp_result = delegate_data->stapled_ocsp_verify_result;
verify_result->scts = std::move(delegate_data->scts);
verify_result->policy_compliance = delegate_data->ct_policy_compliance;
}
return IsCertStatusError(verify_result->cert_status)
@ -952,8 +974,8 @@ int CertVerifyProcBuiltin::VerifyInternal(
target, &intermediates, &trust_store, der_verification_time, deadline,
cur_attempt.verification_type, cur_attempt.digest_policy, flags,
ocsp_response, sct_list, crl_set(), ct_verifier_.get(),
net_fetcher_.get(), ev_metadata, &checked_revocation_for_some_path,
net_log);
ct_policy_enforcer_.get(), net_fetcher_.get(), ev_metadata,
&checked_revocation_for_some_path, net_log);
base::UmaHistogramCounts10000("Net.CertVerifier.PathBuilderIterationCount",
result.iteration_count);
@ -1006,11 +1028,13 @@ scoped_refptr<CertVerifyProc> CreateCertVerifyProcBuiltin(
scoped_refptr<CertNetFetcher> net_fetcher,
scoped_refptr<CRLSet> crl_set,
std::unique_ptr<CTVerifier> ct_verifier,
scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
std::unique_ptr<SystemTrustStore> system_trust_store,
const CertVerifyProc::InstanceParams& instance_params) {
return base::MakeRefCounted<CertVerifyProcBuiltin>(
std::move(net_fetcher), std::move(crl_set), std::move(ct_verifier),
std::move(system_trust_store), instance_params);
std::move(ct_policy_enforcer), std::move(system_trust_store),
instance_params);
}
base::TimeDelta GetCertVerifyProcBuiltinTimeLimitForTesting() {

3
net/cert/cert_verify_proc_builtin.h

@ -11,12 +11,12 @@
#include "base/time/time.h"
#include "net/base/net_export.h"
#include "net/cert/cert_verify_proc.h"
#include "net/cert/ct_verifier.h"
namespace net {
class CertNetFetcher;
class CRLSet;
class CTPolicyEnforcer;
class CTVerifier;
class SystemTrustStore;
@ -27,6 +27,7 @@ NET_EXPORT scoped_refptr<CertVerifyProc> CreateCertVerifyProcBuiltin(
scoped_refptr<CertNetFetcher> net_fetcher,
scoped_refptr<CRLSet> crl_set,
std::unique_ptr<CTVerifier> ct_verifier,
scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
std::unique_ptr<SystemTrustStore> system_trust_store,
const CertVerifyProc::InstanceParams& instance_params);

62
net/cert/cert_verify_proc_builtin_unittest.cc

@ -172,6 +172,17 @@ class MockCTVerifier : public CTVerifier {
const NetLogWithSource&));
};
class MockCTPolicyEnforcer : public CTPolicyEnforcer {
public:
MOCK_CONST_METHOD3(CheckCompliance,
ct::CTPolicyCompliance(X509Certificate* cert,
const ct::SCTList&,
const NetLogWithSource&));
protected:
~MockCTPolicyEnforcer() override = default;
};
} // namespace
class CertVerifyProcBuiltinTest : public ::testing::Test {
@ -195,10 +206,11 @@ class CertVerifyProcBuiltinTest : public ::testing::Test {
instance_params.additional_trust_anchors = additional_trust_anchors;
auto mock_ct_verifier = std::make_unique<MockCTVerifier>();
mock_ct_verifier_ = mock_ct_verifier.get();
mock_ct_policy_enforcer_ = base::MakeRefCounted<MockCTPolicyEnforcer>();
verify_proc_ = CreateCertVerifyProcBuiltin(
cert_net_fetcher_, CRLSet::EmptyCRLSetForTesting(),
std::move(mock_ct_verifier), std::move(mock_system_trust_store),
instance_params);
std::move(mock_ct_verifier), mock_ct_policy_enforcer_,
std::move(mock_system_trust_store), instance_params);
}
void Verify(scoped_refptr<X509Certificate> cert,
@ -265,6 +277,9 @@ class CertVerifyProcBuiltinTest : public ::testing::Test {
net::URLRequestContext* context() { return context_.get(); }
MockCTVerifier* mock_ct_verifier() { return mock_ct_verifier_; }
MockCTPolicyEnforcer* mock_ct_policy_enforcer() {
return mock_ct_policy_enforcer_.get();
}
private:
base::test::TaskEnvironment task_environment_{
@ -279,6 +294,7 @@ class CertVerifyProcBuiltinTest : public ::testing::Test {
scoped_refptr<CertVerifyProc> verify_proc_;
raw_ptr<MockCTVerifier> mock_ct_verifier_ = nullptr;
scoped_refptr<MockCTPolicyEnforcer> mock_ct_policy_enforcer_;
raw_ptr<MockSystemTrustStore> mock_system_trust_store_ = nullptr;
scoped_refptr<CertNetFetcherURLRequest> cert_net_fetcher_;
};
@ -360,6 +376,9 @@ TEST_F(CertVerifyProcBuiltinTest, CallsCtVerifierAndReturnsSctStatus) {
sct_and_status_list.push_back(sct_and_status);
EXPECT_CALL(*mock_ct_verifier(), Verify(_, kOcspResponse, kSctList, _, _))
.WillOnce(testing::SetArgPointee<3>(sct_and_status_list));
EXPECT_CALL(*mock_ct_policy_enforcer(), CheckCompliance(_, _, _))
.WillRepeatedly(
testing::Return(ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS));
scoped_refptr<X509Certificate> chain = leaf->GetX509CertificateChain();
ASSERT_TRUE(chain.get());
@ -376,13 +395,52 @@ TEST_F(CertVerifyProcBuiltinTest, CallsCtVerifierAndReturnsSctStatus) {
ASSERT_EQ(verify_result.scts.size(), 1u);
EXPECT_EQ(verify_result.scts.front().status, kSctVerifyStatus);
EXPECT_EQ(verify_result.scts.front().sct->log_id, kLogId);
EXPECT_EQ(verify_result.policy_compliance,
ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS);
}
#if defined(PLATFORM_USES_CHROMIUM_EV_METADATA)
TEST_F(CertVerifyProcBuiltinTest, EVCertStatusMaintainedForCompliantCert) {
auto [leaf, root] = CertBuilder::CreateSimpleChain2();
static const char kEVTestCertPolicy[] = "1.2.3.4";
leaf->SetCertificatePolicies({kEVTestCertPolicy});
ScopedTestEVPolicy scoped_test_ev_policy(
EVRootCAMetadata::GetInstance(),
X509Certificate::CalculateFingerprint256(root->GetCertBuffer()),
kEVTestCertPolicy);
InitializeVerifyProc(
/*additional_trust_anchors=*/{root->GetX509Certificate()});
EXPECT_CALL(*mock_ct_verifier(), Verify(_, _, _, _, _));
EXPECT_CALL(*mock_ct_policy_enforcer(), CheckCompliance(_, _, _))
.WillRepeatedly(
testing::Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
scoped_refptr<X509Certificate> chain = leaf->GetX509CertificateChain();
ASSERT_TRUE(chain.get());
base::HistogramTester histogram_tester;
CertVerifyResult verify_result;
NetLogSource verify_net_log_source;
TestCompletionCallback callback;
Verify(chain.get(), "www.example.com", /*flags=*/0, &verify_result,
&verify_net_log_source, callback.callback());
int error = callback.WaitForResult();
EXPECT_THAT(error, IsOk());
EXPECT_EQ(verify_result.policy_compliance,
ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS);
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
}
#endif
TEST_F(CertVerifyProcBuiltinTest, DoesNotCallsCtVerifierOnFailedPaths) {
// Chain where the root is not trusted.
auto [leaf, intermediate, root] = CertBuilder::CreateSimpleChain3();
EXPECT_CALL(*mock_ct_verifier(), Verify(_, _, _, _, _)).Times(0);
EXPECT_CALL(*mock_ct_policy_enforcer(), CheckCompliance(_, _, _)).Times(0);
scoped_refptr<X509Certificate> chain = leaf->GetX509CertificateChain();
ASSERT_TRUE(chain.get());

7
net/cert/cert_verify_proc_unittest.cc

@ -34,6 +34,7 @@
#include "net/cert/cert_verify_proc_builtin.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/crl_set.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/do_nothing_ct_verifier.h"
#include "net/cert/ev_root_ca_metadata.h"
#include "net/cert/internal/system_trust_store.h"
@ -218,14 +219,16 @@ scoped_refptr<CertVerifyProc> CreateCertVerifyProc(
case CERT_VERIFY_PROC_BUILTIN:
return CreateCertVerifyProcBuiltin(
std::move(cert_net_fetcher), std::move(crl_set),
std::make_unique<DoNothingCTVerifier>(), CreateSslSystemTrustStore(),
instance_params);
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
CreateSslSystemTrustStore(), instance_params);
#endif
#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
case CERT_VERIFY_PROC_BUILTIN_CHROME_ROOTS:
return CreateCertVerifyProcBuiltin(
std::move(cert_net_fetcher), std::move(crl_set),
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
CreateSslSystemTrustStoreChromeRoot(
std::make_unique<net::TrustStoreChrome>()),
instance_params);

16
net/cert/ct_policy_enforcer.h

@ -7,6 +7,7 @@
#include <stddef.h>
#include "base/memory/ref_counted.h"
#include "net/base/net_export.h"
#include "net/cert/signed_certificate_timestamp.h"
@ -25,10 +26,9 @@ class X509Certificate;
//
// See //net/docs/certificate-transparency.md for more details regarding the
// usage of CT in //net and risks that may exist when defining a CT policy.
class NET_EXPORT CTPolicyEnforcer {
class NET_EXPORT CTPolicyEnforcer
: public base::RefCountedThreadSafe<CTPolicyEnforcer> {
public:
virtual ~CTPolicyEnforcer() = default;
// Returns the CT certificate policy compliance status for a given
// certificate and collection of SCTs.
// |cert| is the certificate for which to check compliance, and
@ -39,6 +39,12 @@ class NET_EXPORT CTPolicyEnforcer {
X509Certificate* cert,
const ct::SCTList& verified_scts,
const NetLogWithSource& net_log) const = 0;
protected:
virtual ~CTPolicyEnforcer() = default;
private:
friend class base::RefCountedThreadSafe<CTPolicyEnforcer>;
};
// A default implementation of Certificate Transparency policies that is
@ -48,12 +54,14 @@ class NET_EXPORT CTPolicyEnforcer {
class NET_EXPORT DefaultCTPolicyEnforcer : public net::CTPolicyEnforcer {
public:
DefaultCTPolicyEnforcer() = default;
~DefaultCTPolicyEnforcer() override = default;
ct::CTPolicyCompliance CheckCompliance(
X509Certificate* cert,
const ct::SCTList& verified_scts,
const NetLogWithSource& net_log) const override;
protected:
~DefaultCTPolicyEnforcer() override = default;
};
} // namespace net

33
net/cert/nss_cert_database_unittest.cc

@ -853,6 +853,7 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert) {
CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, crl_set_,
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr,
/*instance_params=*/{}));
int flags = 0;
@ -893,7 +894,9 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
scoped_refptr<CertVerifyProc> verify_proc(
CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, crl_set_,
std::make_unique<DoNothingCTVerifier>(), /*root_store_data=*/nullptr,
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr,
/*instance_params=*/{}));
int flags = 0;
CertVerifyResult verify_result;
@ -934,7 +937,9 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
scoped_refptr<CertVerifyProc> verify_proc(
CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, crl_set_,
std::make_unique<DoNothingCTVerifier>(), /*root_store_data=*/nullptr,
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr,
/*instance_params=*/{}));
int flags = 0;
CertVerifyResult verify_result;
@ -985,7 +990,9 @@ TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
scoped_refptr<CertVerifyProc> verify_proc(
CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, crl_set_,
std::make_unique<DoNothingCTVerifier>(), /*root_store_data=*/nullptr,
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr,
/*instance_params=*/{}));
int flags = 0;
CertVerifyResult verify_result;
@ -1030,7 +1037,9 @@ TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
scoped_refptr<CertVerifyProc> verify_proc(
CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, crl_set_,
std::make_unique<DoNothingCTVerifier>(), /*root_store_data=*/nullptr,
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr,
/*instance_params=*/{}));
int flags = 0;
CertVerifyResult verify_result;
@ -1091,7 +1100,9 @@ TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
scoped_refptr<CertVerifyProc> verify_proc(
CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, crl_set_,
std::make_unique<DoNothingCTVerifier>(), /*root_store_data=*/nullptr,
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr,
/*instance_params=*/{}));
int flags = 0;
CertVerifyResult verify_result;
@ -1159,7 +1170,9 @@ TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
scoped_refptr<CertVerifyProc> verify_proc(
CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, crl_set_,
std::make_unique<DoNothingCTVerifier>(), /*root_store_data=*/nullptr,
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr,
/*instance_params=*/{}));
int flags = 0;
CertVerifyResult verify_result;
@ -1225,7 +1238,9 @@ TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
scoped_refptr<CertVerifyProc> verify_proc(
CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, crl_set_,
std::make_unique<DoNothingCTVerifier>(), /*root_store_data=*/nullptr,
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr,
/*instance_params=*/{}));
int flags = 0;
CertVerifyResult verify_result;
@ -1291,7 +1306,9 @@ TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
scoped_refptr<CertVerifyProc> verify_proc(
CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, crl_set_,
std::make_unique<DoNothingCTVerifier>(), /*root_store_data=*/nullptr,
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr,
/*instance_params=*/{}));
int flags = 0;
CertVerifyResult verify_result;

3
net/cert/test_root_certs_unittest.cc

@ -41,6 +41,7 @@ scoped_refptr<CertVerifyProc> CreateCertVerifyProc() {
return CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, CRLSet::BuiltinCRLSet().get(),
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr, /*instance_params=*/{});
}
#endif
@ -48,11 +49,13 @@ scoped_refptr<CertVerifyProc> CreateCertVerifyProc() {
return CertVerifyProc::CreateBuiltinWithChromeRootStore(
/*cert_net_fetcher=*/nullptr, CRLSet::BuiltinCRLSet().get(),
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*root_store_data=*/nullptr, /*instance_params=*/{});
#elif BUILDFLAG(IS_FUCHSIA)
return CertVerifyProc::CreateBuiltinVerifyProc(
/*cert_net_fetcher=*/nullptr, CRLSet::BuiltinCRLSet().get(),
std::make_unique<DoNothingCTVerifier>(),
base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
/*instance_params=*/{});
#else
return CertVerifyProc::CreateSystemVerifyProc(/*cert_net_fetcher=*/nullptr,

1
net/cert_net/cert_net_fetcher_url_request_unittest.cc

@ -14,7 +14,6 @@
#include "base/run_loop.h"
#include "base/synchronization/lock.h"
#include "net/cert/cert_net_fetcher.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/multi_log_ct_verifier.h"
#include "net/dns/mock_host_resolver.h"

3
net/http/http_network_layer_unittest.cc

@ -8,7 +8,6 @@
#include <utility>
#include "base/strings/stringprintf.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/dns/mock_host_resolver.h"
#include "net/http/http_network_session.h"
@ -55,7 +54,6 @@ class HttpNetworkLayerTest : public PlatformTest, public WithTaskEnvironment {
session_context.host_resolver = &host_resolver_;
session_context.cert_verifier = cert_verifier_.get();
session_context.transport_security_state = transport_security_state_.get();
session_context.ct_policy_enforcer = &ct_policy_enforcer_;
session_context.proxy_resolution_service = proxy_resolution_service_.get();
session_context.ssl_config_service = ssl_config_service_.get();
session_context.http_server_properties = &http_server_properties_;
@ -71,7 +69,6 @@ class HttpNetworkLayerTest : public PlatformTest, public WithTaskEnvironment {
MockHostResolverBase::RuleResolver::GetLocalhostResult()};
std::unique_ptr<CertVerifier> cert_verifier_;
std::unique_ptr<TransportSecurityState> transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
std::unique_ptr<ProxyResolutionService> proxy_resolution_service_;
std::unique_ptr<SSLConfigService> ssl_config_service_;
QuicContext quic_context_;

3
net/http/http_network_session.cc

@ -97,7 +97,6 @@ HttpNetworkSessionContext::HttpNetworkSessionContext()
host_resolver(nullptr),
cert_verifier(nullptr),
transport_security_state(nullptr),
ct_policy_enforcer(nullptr),
sct_auditing_delegate(nullptr),
proxy_resolution_service(nullptr),
proxy_delegate(nullptr),
@ -141,7 +140,6 @@ HttpNetworkSession::HttpNetworkSession(const HttpNetworkSessionParams& params,
ssl_client_context_(context.ssl_config_service,
context.cert_verifier,
context.transport_security_state,
context.ct_policy_enforcer,
&ssl_client_session_cache_,
context.sct_auditing_delegate),
quic_stream_factory_(context.net_log,
@ -150,7 +148,6 @@ HttpNetworkSession::HttpNetworkSession(const HttpNetworkSessionParams& params,
context.client_socket_factory,
context.http_server_properties,
context.cert_verifier,
context.ct_policy_enforcer,
context.transport_security_state,
context.sct_auditing_delegate,
context.socket_performance_watcher_factory,

2
net/http/http_network_session.h

@ -45,7 +45,6 @@ class Value;
namespace net {
class CTPolicyEnforcer;
class CertVerifier;
class ClientSocketFactory;
class ClientSocketPool;
@ -190,7 +189,6 @@ struct NET_EXPORT HttpNetworkSessionContext {
raw_ptr<HostResolver> host_resolver;
raw_ptr<CertVerifier> cert_verifier;
raw_ptr<TransportSecurityState> transport_security_state;
raw_ptr<CTPolicyEnforcer> ct_policy_enforcer;
raw_ptr<SCTAuditingDelegate> sct_auditing_delegate;
raw_ptr<ProxyResolutionService, DanglingUntriaged> proxy_resolution_service;
raw_ptr<ProxyDelegate> proxy_delegate;

3
net/http/http_response_body_drainer_unittest.cc

@ -23,7 +23,6 @@
#include "net/base/io_buffer.h"
#include "net/base/net_errors.h"
#include "net/base/test_completion_callback.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/http/http_network_session.h"
#include "net/http/http_server_properties.h"
@ -254,7 +253,6 @@ class HttpResponseBodyDrainerTest : public TestWithTaskEnvironment {
context.http_server_properties = http_server_properties_.get();
context.cert_verifier = &cert_verifier_;
context.transport_security_state = &transport_security_state_;
context.ct_policy_enforcer = &ct_policy_enforcer_;
context.quic_context = &quic_context_;
return std::make_unique<HttpNetworkSession>(HttpNetworkSessionParams(),
context);
@ -265,7 +263,6 @@ class HttpResponseBodyDrainerTest : public TestWithTaskEnvironment {
std::unique_ptr<HttpServerProperties> http_server_properties_;
MockCertVerifier cert_verifier_;
TransportSecurityState transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
QuicContext quic_context_;
MockClientSocketFactory socket_factory_;
const std::unique_ptr<HttpNetworkSession> session_;

7
net/http/http_stream_factory_unittest.cc

@ -35,7 +35,6 @@
#include "net/base/schemeful_site.h"
#include "net/base/test_completion_callback.h"
#include "net/base/test_proxy_delegate.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/multi_log_ct_verifier.h"
#include "net/dns/mock_host_resolver.h"
@ -876,9 +875,7 @@ TEST_F(HttpStreamFactoryTest, QuicProxyMarkedAsBad) {
session_context.cert_verifier = &cert_verifier;
TransportSecurityState transport_security_state;
session_context.transport_security_state = &transport_security_state;
DefaultCTPolicyEnforcer ct_policy_enforcer;
QuicContext quic_context;
session_context.ct_policy_enforcer = &ct_policy_enforcer;
session_context.proxy_resolution_service = proxy_resolution_service.get();
session_context.ssl_config_service = &ssl_config_service;
session_context.http_server_properties = &http_server_properties;
@ -2022,7 +2019,6 @@ class HttpStreamFactoryBidirectionalQuicTest
session_context.quic_crypto_client_stream_factory =
&crypto_client_stream_factory_;
session_context.transport_security_state = &transport_security_state_;
session_context.ct_policy_enforcer = &ct_policy_enforcer_;
session_context.host_resolver = &host_resolver_;
session_context.proxy_resolution_service = proxy_resolution_service_.get();
session_context.ssl_config_service = ssl_config_service_.get();
@ -2082,7 +2078,6 @@ class HttpStreamFactoryBidirectionalQuicTest
MockCryptoClientStreamFactory crypto_client_stream_factory_;
HttpServerProperties http_server_properties_;
TransportSecurityState transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
MockHostResolver host_resolver_{
/*default_result=*/
MockHostResolverBase::RuleResolver::GetLocalhostResult()};
@ -3444,7 +3439,6 @@ class ProcessAlternativeServicesTest : public TestWithTaskEnvironment {
session_context_.cert_verifier = &cert_verifier_;
session_context_.transport_security_state = &transport_security_state_;
session_context_.client_socket_factory = &socket_factory_;
session_context_.ct_policy_enforcer = &ct_policy_enforcer_;
session_context_.ssl_config_service = &ssl_config_service_;
session_context_.http_server_properties = &http_server_properties_;
session_context_.quic_context = &quic_context_;
@ -3460,7 +3454,6 @@ class ProcessAlternativeServicesTest : public TestWithTaskEnvironment {
MockHostResolver host_resolver_;
MockCertVerifier cert_verifier_;
TransportSecurityState transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
protected:
HttpServerProperties http_server_properties_;

1
net/proxy_resolution/pac_file_fetcher_impl_unittest.cc

@ -23,7 +23,6 @@
#include "net/base/load_flags.h"
#include "net/base/network_delegate_impl.h"
#include "net/base/test_completion_callback.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/multi_log_ct_verifier.h"
#include "net/disk_cache/disk_cache.h"

36
net/quic/crypto/proof_verifier_chromium.cc

@ -21,8 +21,6 @@
#include "net/base/network_anonymization_key.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/sct_auditing_delegate.h"
#include "net/cert/x509_util.h"
@ -54,7 +52,6 @@ class ProofVerifierChromium::Job {
public:
Job(ProofVerifierChromium* proof_verifier,
CertVerifier* cert_verifier,
CTPolicyEnforcer* ct_policy_enforcer,
TransportSecurityState* transport_security_state,
SCTAuditingDelegate* sct_auditing_delegate,
int cert_verify_flags,
@ -129,7 +126,7 @@ class ProofVerifierChromium::Job {
bool ShouldAllowUnknownRootForHost(const std::string& hostname);
int CheckCTCompliance();
int CheckCTRequirements();
// Proof verifier to notify when this jobs completes.
raw_ptr<ProofVerifierChromium> proof_verifier_;
@ -138,8 +135,6 @@ class ProofVerifierChromium::Job {
raw_ptr<CertVerifier> verifier_;
std::unique_ptr<CertVerifier::Request> cert_verifier_request_;
raw_ptr<CTPolicyEnforcer> policy_enforcer_;
raw_ptr<TransportSecurityState> transport_security_state_;
raw_ptr<SCTAuditingDelegate> sct_auditing_delegate_;
@ -174,14 +169,12 @@ class ProofVerifierChromium::Job {
ProofVerifierChromium::Job::Job(
ProofVerifierChromium* proof_verifier,
CertVerifier* cert_verifier,
CTPolicyEnforcer* ct_policy_enforcer,
TransportSecurityState* transport_security_state,
SCTAuditingDelegate* sct_auditing_delegate,
int cert_verify_flags,
const NetLogWithSource& net_log)
: proof_verifier_(proof_verifier),
verifier_(cert_verifier),
policy_enforcer_(ct_policy_enforcer),
transport_security_state_(transport_security_state),
sct_auditing_delegate_(sct_auditing_delegate),
cert_verify_flags_(cert_verify_flags),
@ -189,7 +182,6 @@ ProofVerifierChromium::Job::Job(
net_log_(net_log) {
CHECK(proof_verifier_);
CHECK(verifier_);
CHECK(policy_enforcer_);
CHECK(transport_security_state_);
}
@ -404,7 +396,7 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
// If the connection was good, check HPKP and CT status simultaneously,
// but prefer to treat the HPKP error as more serious, if there was one.
if (result == OK) {
int ct_result = CheckCTCompliance();
int ct_result = CheckCTRequirements();
TransportSecurityState::PKPStatus pin_validity =
transport_security_state_->CheckPublicKeyPins(
HostPortPair(hostname_, port_),
@ -505,19 +497,10 @@ bool ProofVerifierChromium::Job::VerifySignature(
return true;
}
int ProofVerifierChromium::Job::CheckCTCompliance() {
int ProofVerifierChromium::Job::CheckCTRequirements() {
const CertVerifyResult& cert_verify_result =
verify_details_->cert_verify_result;
ct::SCTList verified_scts;
for (const auto& sct_and_status : cert_verify_result.scts) {
if (sct_and_status.status == ct::SCT_STATUS_OK)
verified_scts.push_back(sct_and_status.sct);
}
verify_details_->cert_verify_result.policy_compliance =
policy_enforcer_->CheckCompliance(cert_verify_result.verified_cert.get(),
verified_scts, net_log_);
TransportSecurityState::CTRequirementsStatus ct_requirement_status =
transport_security_state_->CheckCTRequirements(
HostPortPair(hostname_, port_),
@ -545,19 +528,16 @@ int ProofVerifierChromium::Job::CheckCTCompliance() {
ProofVerifierChromium::ProofVerifierChromium(
CertVerifier* cert_verifier,
CTPolicyEnforcer* ct_policy_enforcer,
TransportSecurityState* transport_security_state,
SCTAuditingDelegate* sct_auditing_delegate,
std::set<std::string> hostnames_to_allow_unknown_roots,
const NetworkAnonymizationKey& network_anonymization_key)
: cert_verifier_(cert_verifier),
ct_policy_enforcer_(ct_policy_enforcer),
transport_security_state_(transport_security_state),
sct_auditing_delegate_(sct_auditing_delegate),
hostnames_to_allow_unknown_roots_(hostnames_to_allow_unknown_roots),
network_anonymization_key_(network_anonymization_key) {
DCHECK(cert_verifier_);
DCHECK(ct_policy_enforcer_);
DCHECK(transport_security_state_);
}
@ -584,9 +564,8 @@ quic::QuicAsyncStatus ProofVerifierChromium::VerifyProof(
const ProofVerifyContextChromium* chromium_context =
reinterpret_cast<const ProofVerifyContextChromium*>(verify_context);
std::unique_ptr<Job> job = std::make_unique<Job>(
this, cert_verifier_, ct_policy_enforcer_, transport_security_state_,
sct_auditing_delegate_, chromium_context->cert_verify_flags,
chromium_context->net_log);
this, cert_verifier_, transport_security_state_, sct_auditing_delegate_,
chromium_context->cert_verify_flags, chromium_context->net_log);
quic::QuicAsyncStatus status = job->VerifyProof(
hostname, port, server_config, quic_version, chlo_hash, certs, cert_sct,
signature, error_details, verify_details, std::move(callback));
@ -615,9 +594,8 @@ quic::QuicAsyncStatus ProofVerifierChromium::VerifyCertChain(
const ProofVerifyContextChromium* chromium_context =
reinterpret_cast<const ProofVerifyContextChromium*>(verify_context);
std::unique_ptr<Job> job = std::make_unique<Job>(
this, cert_verifier_, ct_policy_enforcer_, transport_security_state_,
sct_auditing_delegate_, chromium_context->cert_verify_flags,
chromium_context->net_log);
this, cert_verifier_, transport_security_state_, sct_auditing_delegate_,
chromium_context->cert_verify_flags, chromium_context->net_log);
quic::QuicAsyncStatus status =
job->VerifyCertChain(hostname, port, certs, ocsp_response, cert_sct,
error_details, verify_details, std::move(callback));

3
net/quic/crypto/proof_verifier_chromium.h

@ -22,7 +22,6 @@
namespace net {
class CTPolicyEnforcer;
class CertVerifier;
class SCTAuditingDelegate;
class TransportSecurityState;
@ -72,7 +71,6 @@ class NET_EXPORT_PRIVATE ProofVerifierChromium : public quic::ProofVerifier {
public:
ProofVerifierChromium(
CertVerifier* cert_verifier,
CTPolicyEnforcer* ct_policy_enforcer,
TransportSecurityState* transport_security_state,
SCTAuditingDelegate* sct_auditing_delegate,
std::set<std::string> hostnames_to_allow_unknown_roots,
@ -120,7 +118,6 @@ class NET_EXPORT_PRIVATE ProofVerifierChromium : public quic::ProofVerifier {
// Underlying verifier used to verify certificates.
const raw_ptr<CertVerifier> cert_verifier_;
const raw_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
const raw_ptr<TransportSecurityState> transport_security_state_;

111
net/quic/crypto/proof_verifier_chromium_test.cc

@ -67,15 +67,6 @@ class FailsTestCertVerifier : public CertVerifier {
void RemoveObserver(Observer* observer) override {}
};
// A mock CTPolicyEnforcer that returns a custom verification result.
class MockCTPolicyEnforcer : public CTPolicyEnforcer {
public:
MOCK_CONST_METHOD3(CheckCompliance,
ct::CTPolicyCompliance(X509Certificate* cert,
const ct::SCTList&,
const NetLogWithSource&));
};
class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
public:
MOCK_METHOD3(IsCTRequiredForHost,
@ -175,10 +166,6 @@ class ProofVerifierChromiumTest : public ::testing::Test {
NetLogWithSource())) {}
void SetUp() override {
EXPECT_CALL(ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
static const char kTestCert[] = "quic-chain.pem";
test_cert_ = ImportCertFromFile(GetTestCertsDirectory(), kTestCert);
ASSERT_TRUE(test_cert_);
@ -188,6 +175,8 @@ class ProofVerifierChromiumTest : public ::testing::Test {
dummy_result_.verified_cert = test_cert_;
dummy_result_.is_issued_by_known_root = true;
dummy_result_.policy_compliance =
ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
}
std::string GetTestSignature() {
@ -205,7 +194,6 @@ class ProofVerifierChromiumTest : public ::testing::Test {
protected:
TransportSecurityState transport_security_state_;
MockCTPolicyEnforcer ct_policy_enforcer_;
std::unique_ptr<quic::ProofVerifyContext> verify_context_;
std::unique_ptr<quic::ProofVerifyDetails> details_;
@ -220,7 +208,7 @@ TEST_F(ProofVerifierChromiumTest, VerifyProof) {
MockCertVerifier dummy_verifier;
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -254,7 +242,7 @@ TEST_F(ProofVerifierChromiumTest, VerifyProof) {
// verification fails.
TEST_F(ProofVerifierChromiumTest, FailsIfCertFails) {
MockCertVerifier dummy_verifier;
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -283,7 +271,7 @@ TEST_F(ProofVerifierChromiumTest, PassesCertVerifierRequestParams) {
ParamRecordingMockCertVerifier dummy_verifier;
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result, OK);
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -308,7 +296,7 @@ TEST_F(ProofVerifierChromiumTest, PassesCertVerifierRequestParams) {
// signature fails.
TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) {
FailsTestCertVerifier cert_verifier;
ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&cert_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -320,49 +308,6 @@ TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) {
ASSERT_EQ(quic::QUIC_FAILURE, status);
}
// Tests that the certificate policy enforcer is consulted for EV
// and the certificate is allowed to be EV.
TEST_F(ProofVerifierChromiumTest, PreservesEVIfAllowed) {
dummy_result_.cert_status = CERT_STATUS_IS_EV;
MockCertVerifier dummy_verifier;
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
EXPECT_CALL(ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
auto callback = std::make_unique<DummyProofVerifierCallback>();
quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
kTestHostname, kTestPort, kTestConfig, kTestTransportVersion,
kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
verify_context_.get(), &error_details_, &details_, std::move(callback));
ASSERT_EQ(quic::QUIC_SUCCESS, status);
ASSERT_TRUE(details_.get());
ProofVerifyDetailsChromium* verify_details =
static_cast<ProofVerifyDetailsChromium*>(details_.get());
EXPECT_EQ(dummy_result_.cert_status,
verify_details->cert_verify_result.cert_status);
// Repeat the test with VerifyCertChain.
callback = std::make_unique<DummyProofVerifierCallback>();
status = proof_verifier.VerifyCertChain(
kTestHostname, kTestPort, certs_, kTestEmptyOCSPResponse, kTestEmptySCT,
verify_context_.get(), &error_details_, &details_, &tls_alert_,
std::move(callback));
ASSERT_EQ(quic::QUIC_SUCCESS, status);
ASSERT_TRUE(details_.get());
verify_details = static_cast<ProofVerifyDetailsChromium*>(details_.get());
EXPECT_EQ(dummy_result_.cert_status,
verify_details->cert_verify_result.cert_status);
}
HashValueVector MakeHashValueVector(uint8_t tag) {
HashValue hash(HASH_VALUE_SHA256);
memset(hash.data(), tag, hash.size());
@ -378,7 +323,7 @@ TEST_F(ProofVerifierChromiumTest, IsFatalErrorNotSetForNonFatalError) {
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_,
ERR_CERT_DATE_INVALID);
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -414,7 +359,7 @@ TEST_F(ProofVerifierChromiumTest, IsFatalErrorSetForFatalError) {
const base::Time expiry = base::Time::Now() + base::Seconds(1000);
transport_security_state_.AddHSTS(kTestHostname, expiry, true);
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -453,7 +398,7 @@ TEST_F(ProofVerifierChromiumTest, PKPEnforced) {
transport_security_state_.SetPinningListAlwaysTimelyForTesting(true);
ScopedTransportSecurityStateSource scoped_security_state_source;
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -504,8 +449,8 @@ TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) {
ScopedTransportSecurityStateSource scoped_security_state_source;
ProofVerifierChromium proof_verifier(
&dummy_verifier, &ct_policy_enforcer_, &transport_security_state_,
nullptr, {kCTAndPKPHost}, NetworkAnonymizationKey());
&dummy_verifier, &transport_security_state_, nullptr, {kCTAndPKPHost},
NetworkAnonymizationKey());
auto callback = std::make_unique<DummyProofVerifierCallback>();
quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@ -556,7 +501,7 @@ TEST_F(ProofVerifierChromiumTest, PKPReport) {
MockCertVerifier dummy_verifier;
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
network_anonymization_key);
@ -601,6 +546,8 @@ TEST_F(ProofVerifierChromiumTest, PKPReport) {
TEST_F(ProofVerifierChromiumTest, CTIsRequired) {
dummy_result_.is_issued_by_known_root = true;
dummy_result_.public_key_hashes = MakeHashValueVector(0x01);
dummy_result_.policy_compliance =
ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
MockCertVerifier dummy_verifier;
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
@ -614,11 +561,8 @@ TEST_F(ProofVerifierChromiumTest, CTIsRequired) {
EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(kTestHostname, _, _))
.WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
CTRequirementLevel::REQUIRED));
EXPECT_CALL(ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -657,6 +601,8 @@ TEST_F(ProofVerifierChromiumTest, PKPAndCTBothTested) {
net::features::kStaticKeyPinningEnforcement);
dummy_result_.is_issued_by_known_root = true;
dummy_result_.public_key_hashes = MakeHashValueVector(0x01);
dummy_result_.policy_compliance =
ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
MockCertVerifier dummy_verifier;
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
@ -675,11 +621,8 @@ TEST_F(ProofVerifierChromiumTest, PKPAndCTBothTested) {
EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(kCTAndPKPHost, _, _))
.WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
CTRequirementLevel::REQUIRED));
EXPECT_CALL(ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -721,7 +664,7 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootRejected) {
MockCertVerifier dummy_verifier;
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr, {},
NetworkAnonymizationKey());
@ -753,8 +696,8 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootAcceptedWithOverride) {
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
ProofVerifierChromium proof_verifier(
&dummy_verifier, &ct_policy_enforcer_, &transport_security_state_,
nullptr, {kTestHostname}, NetworkAnonymizationKey());
&dummy_verifier, &transport_security_state_, nullptr, {kTestHostname},
NetworkAnonymizationKey());
auto callback = std::make_unique<DummyProofVerifierCallback>();
quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@ -788,7 +731,7 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootAcceptedWithWildcardOverride) {
MockCertVerifier dummy_verifier;
dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
ProofVerifierChromium proof_verifier(&dummy_verifier,
&transport_security_state_, nullptr,
{""}, NetworkAnonymizationKey());
@ -821,13 +764,11 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootAcceptedWithWildcardOverride) {
// Tests that the SCTAuditingDelegate is called to enqueue SCT reports when
// verifying a good proof and cert.
TEST_F(ProofVerifierChromiumTest, SCTAuditingReportCollected) {
dummy_result_.policy_compliance =
ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS;
MockCertVerifier cert_verifier;
cert_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
EXPECT_CALL(ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
MockSCTAuditingDelegate sct_auditing_delegate;
EXPECT_CALL(sct_auditing_delegate, IsSCTAuditingEnabled())
.WillRepeatedly(Return(true));
@ -838,8 +779,8 @@ TEST_F(ProofVerifierChromiumTest, SCTAuditingReportCollected) {
.Times(2);
ProofVerifierChromium proof_verifier(
&cert_verifier, &ct_policy_enforcer_, &transport_security_state_,
&sct_auditing_delegate, {}, NetworkAnonymizationKey());
&cert_verifier, &transport_security_state_, &sct_auditing_delegate, {},
NetworkAnonymizationKey());
auto callback = std::make_unique<DummyProofVerifierCallback>();
quic::QuicAsyncStatus status = proof_verifier.VerifyProof(

1
net/quic/crypto_test_utils_chromium.cc

@ -15,7 +15,6 @@
#include "net/cert/cert_status_flags.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/multi_log_ct_verifier.h"

4
net/quic/dedicated_web_transport_http3_client.cc

@ -96,8 +96,8 @@ std::unique_ptr<quic::ProofVerifier> CreateProofVerifier(
hostnames_to_allow_unknown_roots.insert("");
}
return std::make_unique<ProofVerifierChromium>(
context->cert_verifier(), context->ct_policy_enforcer(),
context->transport_security_state(), context->sct_auditing_delegate(),
context->cert_verifier(), context->transport_security_state(),
context->sct_auditing_delegate(),
std::move(hostnames_to_allow_unknown_roots), anonymization_key);
}

3
net/quic/quic_end_to_end_unittest.cc

@ -18,7 +18,6 @@
#include "net/base/test_completion_callback.h"
#include "net/base/upload_bytes_element_reader.h"
#include "net/base/upload_data_stream.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/multi_log_ct_verifier.h"
#include "net/dns/mapped_host_resolver.h"
@ -108,7 +107,6 @@ class QuicEndToEndTest : public ::testing::Test, public WithTaskEnvironment {
session_context_.host_resolver = &host_resolver_;
session_context_.cert_verifier = &cert_verifier_;
session_context_.transport_security_state = &transport_security_state_;
session_context_.ct_policy_enforcer = &ct_policy_enforcer_;
session_context_.proxy_resolution_service = proxy_resolution_service_.get();
session_context_.ssl_config_service = ssl_config_service_.get();
session_context_.http_auth_handler_factory = auth_handler_factory_.get();
@ -217,7 +215,6 @@ class QuicEndToEndTest : public ::testing::Test, public WithTaskEnvironment {
MappedHostResolver host_resolver_;
MockCertVerifier cert_verifier_;
TransportSecurityState transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
std::unique_ptr<SSLConfigServiceDefaults> ssl_config_service_;
std::unique_ptr<ProxyResolutionService> proxy_resolution_service_;
std::unique_ptr<HttpAuthHandlerFactory> auth_handler_factory_;

5
net/quic/quic_network_transaction_unittest.cc

@ -29,7 +29,6 @@
#include "net/base/schemeful_site.h"
#include "net/base/test_completion_callback.h"
#include "net/base/test_proxy_delegate.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/dns/mock_host_resolver.h"
#include "net/http/http_auth_handler_factory.h"
@ -566,7 +565,6 @@ class QuicNetworkTransactionTest
session_context_.host_resolver = &host_resolver_;
session_context_.cert_verifier = &cert_verifier_;
session_context_.transport_security_state = &transport_security_state_;
session_context_.ct_policy_enforcer = &ct_policy_enforcer_;
session_context_.socket_performance_watcher_factory =
&test_socket_performance_watcher_factory_;
session_context_.proxy_resolution_service = proxy_resolution_service_.get();
@ -956,7 +954,6 @@ class QuicNetworkTransactionTest
RuleResolver::GetLocalhostResult()};
MockCertVerifier cert_verifier_;
TransportSecurityState transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
TestSocketPerformanceWatcherFactory test_socket_performance_watcher_factory_;
std::unique_ptr<SSLConfigServiceDefaults> ssl_config_service_;
std::unique_ptr<ProxyResolutionService> proxy_resolution_service_;
@ -5786,7 +5783,6 @@ class QuicNetworkTransactionWithDestinationTest
session_context.host_resolver = &host_resolver_;
session_context.cert_verifier = &cert_verifier_;
session_context.transport_security_state = &transport_security_state_;
session_context.ct_policy_enforcer = &ct_policy_enforcer_;
session_context.socket_performance_watcher_factory =
&test_socket_performance_watcher_factory_;
session_context.ssl_config_service = ssl_config_service_.get();
@ -5949,7 +5945,6 @@ class QuicNetworkTransactionWithDestinationTest
RuleResolver::GetLocalhostResult()};
MockCertVerifier cert_verifier_;
TransportSecurityState transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
TestSocketPerformanceWatcherFactory test_socket_performance_watcher_factory_;
std::unique_ptr<SSLConfigServiceDefaults> ssl_config_service_;
std::unique_ptr<ProxyResolutionService> proxy_resolution_service_;

5
net/quic/quic_stream_factory.cc

@ -1095,7 +1095,6 @@ QuicStreamFactory::QuicStreamFactory(
ClientSocketFactory* client_socket_factory,
HttpServerProperties* http_server_properties,
CertVerifier* cert_verifier,
CTPolicyEnforcer* ct_policy_enforcer,
TransportSecurityState* transport_security_state,
SCTAuditingDelegate* sct_auditing_delegate,
SocketPerformanceWatcherFactory* socket_performance_watcher_factory,
@ -1107,7 +1106,6 @@ QuicStreamFactory::QuicStreamFactory(
client_socket_factory_(client_socket_factory),
http_server_properties_(http_server_properties),
cert_verifier_(cert_verifier),
ct_policy_enforcer_(ct_policy_enforcer),
transport_security_state_(transport_security_state),
sct_auditing_delegate_(sct_auditing_delegate),
quic_crypto_client_stream_factory_(quic_crypto_client_stream_factory),
@ -2362,8 +2360,7 @@ QuicStreamFactory::CreateCryptoConfigHandle(
std::unique_ptr<QuicCryptoClientConfigOwner> crypto_config_owner =
std::make_unique<QuicCryptoClientConfigOwner>(
std::make_unique<ProofVerifierChromium>(
cert_verifier_, ct_policy_enforcer_, transport_security_state_,
sct_auditing_delegate_,
cert_verifier_, transport_security_state_, sct_auditing_delegate_,
HostsFromOrigins(params_.origins_to_force_quic_on),
actual_network_anonymization_key),
std::make_unique<quic::QuicClientSessionCache>(), this);

3
net/quic/quic_stream_factory.h

@ -66,7 +66,6 @@ class QuicRandom;
namespace net {
class CTPolicyEnforcer;
class CertVerifier;
class ClientSocketFactory;
class HostResolver;
@ -291,7 +290,6 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
ClientSocketFactory* client_socket_factory,
HttpServerProperties* http_server_properties,
CertVerifier* cert_verifier,
CTPolicyEnforcer* ct_policy_enforcer,
TransportSecurityState* transport_security_state,
SCTAuditingDelegate* sct_auditing_delegate,
SocketPerformanceWatcherFactory* socket_performance_watcher_factory,
@ -631,7 +629,6 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
raw_ptr<ClientSocketFactory> client_socket_factory_;
raw_ptr<HttpServerProperties> http_server_properties_;
const raw_ptr<CertVerifier> cert_verifier_;
const raw_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
const raw_ptr<TransportSecurityState> transport_security_state_;
const raw_ptr<SCTAuditingDelegate> sct_auditing_delegate_;
raw_ptr<QuicCryptoClientStreamFactory> quic_crypto_client_stream_factory_;

6
net/quic/quic_stream_factory_fuzzer.cc

@ -12,7 +12,6 @@
#include "base/task/sequenced_task_runner.h"
#include "net/base/network_anonymization_key.h"
#include "net/base/test_completion_callback.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/do_nothing_ct_verifier.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/x509_certificate.h"
@ -86,7 +85,6 @@ struct FuzzerEnvironment {
TransportSecurityState transport_security_state;
quic::QuicTagVector connection_options;
quic::QuicTagVector client_connection_options;
DefaultCTPolicyEnforcer ct_policy_enforcer;
MockQuicContext quic_context;
};
@ -144,8 +142,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
env->net_log.net_log(), host_resolver.get(),
env->ssl_config_service.get(), &socket_factory,
&http_server_properties, env->cert_verifier.get(),
&env->ct_policy_enforcer, &env->transport_security_state, nullptr,
nullptr, &env->crypto_client_stream_factory, &env->quic_context);
&env->transport_security_state, nullptr, nullptr,
&env->crypto_client_stream_factory, &env->quic_context);
QuicStreamRequest request(factory.get());
TestCompletionCallback callback;

8
net/quic/quic_stream_factory_test.cc

@ -33,7 +33,6 @@
#include "net/base/net_errors.h"
#include "net/base/network_anonymization_key.h"
#include "net/base/schemeful_site.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/dns/mock_host_resolver.h"
#include "net/dns/public/dns_query_type.h"
@ -215,7 +214,6 @@ class MockQuicStreamFactory : public QuicStreamFactory {
ClientSocketFactory* client_socket_factory,
HttpServerProperties* http_server_properties,
CertVerifier* cert_verifier,
CTPolicyEnforcer* ct_policy_enforcer,
TransportSecurityState* transport_security_state,
SCTAuditingDelegate* sct_auditing_delegate,
SocketPerformanceWatcherFactory* socket_performance_watcher_factory,
@ -227,7 +225,6 @@ class MockQuicStreamFactory : public QuicStreamFactory {
client_socket_factory,
http_server_properties,
cert_verifier,
ct_policy_enforcer,
transport_security_state,
sct_auditing_delegate,
socket_performance_watcher_factory,
@ -296,7 +293,7 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
factory_ = std::make_unique<QuicStreamFactory>(
net_log_.net_log(), host_resolver_.get(), &ssl_config_service_,
socket_factory_.get(), http_server_properties_.get(),
cert_verifier_.get(), &ct_policy_enforcer_, &transport_security_state_,
cert_verifier_.get(), &transport_security_state_,
/*sct_auditing_delegate=*/nullptr,
/*SocketPerformanceWatcherFactory*/ nullptr,
&crypto_client_stream_factory_, &context_);
@ -955,7 +952,6 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
std::unique_ptr<HttpServerProperties> http_server_properties_;
std::unique_ptr<MockCertVerifier> cert_verifier_;
TransportSecurityState transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
std::unique_ptr<ScopedMockNetworkChangeNotifier>
scoped_mock_network_change_notifier_;
std::unique_ptr<QuicStreamFactory> factory_;
@ -2863,7 +2859,7 @@ TEST_P(QuicStreamFactoryTest, CloseSessionDuringCreation) {
auto factory = MockQuicStreamFactory(
net_log_.net_log(), host_resolver_.get(), &ssl_config_service_,
socket_factory_.get(), http_server_properties_.get(),
cert_verifier_.get(), &ct_policy_enforcer_, &transport_security_state_,
cert_verifier_.get(), &transport_security_state_,
/*sct_auditing_delegate=*/nullptr,
/*SocketPerformanceWatcherFactory*/ nullptr,
&crypto_client_stream_factory_, &context_);

3
net/socket/ssl_client_socket.cc

@ -81,18 +81,15 @@ SSLClientContext::SSLClientContext(
SSLConfigService* ssl_config_service,
CertVerifier* cert_verifier,
TransportSecurityState* transport_security_state,
CTPolicyEnforcer* ct_policy_enforcer,
SSLClientSessionCache* ssl_client_session_cache,
SCTAuditingDelegate* sct_auditing_delegate)
: ssl_config_service_(ssl_config_service),
cert_verifier_(cert_verifier),
transport_security_state_(transport_security_state),
ct_policy_enforcer_(ct_policy_enforcer),
ssl_client_session_cache_(ssl_client_session_cache),
sct_auditing_delegate_(sct_auditing_delegate) {
CHECK(cert_verifier_);
CHECK(transport_security_state_);
CHECK(ct_policy_enforcer_);
if (ssl_config_service_) {
config_ = ssl_config_service_->GetSSLContextConfig();

4
net/socket/ssl_client_socket.h

@ -23,7 +23,6 @@
namespace net {
class CTPolicyEnforcer;
class HostPortPair;
class SCTAuditingDelegate;
class SSLClientSessionCache;
@ -120,7 +119,6 @@ class NET_EXPORT SSLClientContext : public SSLConfigService::Observer,
SSLClientContext(SSLConfigService* ssl_config_service,
CertVerifier* cert_verifier,
TransportSecurityState* transport_security_state,
CTPolicyEnforcer* ct_policy_enforcer,
SSLClientSessionCache* ssl_client_session_cache,
SCTAuditingDelegate* sct_auditing_delegate);
@ -136,7 +134,6 @@ class NET_EXPORT SSLClientContext : public SSLConfigService::Observer,
TransportSecurityState* transport_security_state() {
return transport_security_state_;
}
CTPolicyEnforcer* ct_policy_enforcer() { return ct_policy_enforcer_; }
SSLClientSessionCache* ssl_client_session_cache() {
return ssl_client_session_cache_;
}
@ -223,7 +220,6 @@ class NET_EXPORT SSLClientContext : public SSLConfigService::Observer,
raw_ptr<SSLConfigService> ssl_config_service_;
raw_ptr<CertVerifier> cert_verifier_;
raw_ptr<TransportSecurityState> transport_security_state_;
raw_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
raw_ptr<SSLClientSessionCache> ssl_client_session_cache_;
raw_ptr<SCTAuditingDelegate> sct_auditing_delegate_;

16
net/socket/ssl_client_socket_impl.cc

@ -42,8 +42,6 @@
#include "net/base/tracing.h"
#include "net/base/url_util.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/sct_auditing_delegate.h"
#include "net/cert/sct_status_flags.h"
@ -1249,7 +1247,7 @@ ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() {
// If the connection was good, check HPKP and CT status simultaneously,
// but prefer to treat the HPKP error as more serious, if there was one.
if (result == OK) {
int ct_result = CheckCTCompliance();
int ct_result = CheckCTRequirements();
TransportSecurityState::PKPStatus pin_validity =
context_->transport_security_state()->CheckPublicKeyPins(
host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
@ -1300,17 +1298,7 @@ ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() {
return ssl_verify_invalid;
}
int SSLClientSocketImpl::CheckCTCompliance() {
ct::SCTList verified_scts;
for (const auto& sct_and_status : server_cert_verify_result_.scts) {
if (sct_and_status.status == ct::SCT_STATUS_OK)
verified_scts.push_back(sct_and_status.sct);
}
server_cert_verify_result_.policy_compliance =
context_->ct_policy_enforcer()->CheckCompliance(
server_cert_verify_result_.verified_cert.get(), verified_scts,
net_log_);
int SSLClientSocketImpl::CheckCTRequirements() {
TransportSecurityState::CTRequirementsStatus ct_requirement_status =
context_->transport_security_state()->CheckCTRequirements(
host_and_port_, server_cert_verify_result_.is_issued_by_known_root,

2
net/socket/ssl_client_socket_impl.h

@ -151,7 +151,7 @@ class SSLClientSocketImpl : public SSLClientSocket,
static ssl_verify_result_t VerifyCertCallback(SSL* ssl, uint8_t* out_alert);
ssl_verify_result_t VerifyCert();
ssl_verify_result_t HandleVerifyResult();
int CheckCTCompliance();
int CheckCTRequirements();
// Callback from the SSL layer that indicates the remote server is requesting
// a certificate for this client.

81
net/socket/ssl_client_socket_unittest.cc

@ -44,7 +44,6 @@
#include "net/base/test_completion_callback.h"
#include "net/cert/asn1_util.h"
#include "net/cert/cert_database.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/mock_client_cert_verifier.h"
@ -582,15 +581,6 @@ class DeleteSocketCallback : public TestCompletionCallbackBase {
raw_ptr<StreamSocket, DanglingUntriaged> socket_;
};
// A mock CTPolicyEnforcer that returns a custom verification result.
class MockCTPolicyEnforcer : public CTPolicyEnforcer {
public:
MOCK_CONST_METHOD3(CheckCompliance,
ct::CTPolicyCompliance(X509Certificate* cert,
const ct::SCTList&,
const NetLogWithSource&));
};
class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
public:
MOCK_METHOD3(IsCTRequiredForHost,
@ -667,22 +657,16 @@ class SSLClientSocketTest : public PlatformTest, public WithTaskEnvironment {
std::make_unique<TestSSLConfigService>(SSLContextConfig())),
cert_verifier_(std::make_unique<ParamRecordingMockCertVerifier>()),
transport_security_state_(std::make_unique<TransportSecurityState>()),
ct_policy_enforcer_(std::make_unique<MockCTPolicyEnforcer>()),
ssl_client_session_cache_(std::make_unique<SSLClientSessionCache>(
SSLClientSessionCache::Config())),
context_(
std::make_unique<SSLClientContext>(ssl_config_service_.get(),
cert_verifier_.get(),
transport_security_state_.get(),
ct_policy_enforcer_.get(),
ssl_client_session_cache_.get(),
nullptr)) {
cert_verifier_->set_default_result(OK);
cert_verifier_->set_async(true);
EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
}
protected:
@ -788,19 +772,6 @@ class SSLClientSocketTest : public PlatformTest, public WithTaskEnvironment {
result);
}
// Adds the server certificate with provided cert status.
// Must be called after StartEmbeddedTestServer has been called.
void AddServerCertStatusToSSLConfig(CertStatus status,
SSLConfig* ssl_config) {
ASSERT_TRUE(embedded_test_server());
scoped_refptr<X509Certificate> server_cert =
embedded_test_server()->GetCertificate();
CertVerifyResult verify_result;
verify_result.cert_status = status;
verify_result.verified_cert = server_cert;
cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
}
absl::optional<SSLInfo> LastSSLInfoFromServer() {
// EmbeddedTestServer callbacks run on another thread, so protect this
// with a lock.
@ -815,7 +786,6 @@ class SSLClientSocketTest : public PlatformTest, public WithTaskEnvironment {
std::unique_ptr<TestSSLConfigService> ssl_config_service_;
std::unique_ptr<ParamRecordingMockCertVerifier> cert_verifier_;
std::unique_ptr<TransportSecurityState> transport_security_state_;
std::unique_ptr<MockCTPolicyEnforcer> ct_policy_enforcer_;
std::unique_ptr<SSLClientSessionCache> ssl_client_session_cache_;
std::unique_ptr<SSLClientContext> context_;
std::unique_ptr<SSLClientSocket> sock_;
@ -1465,7 +1435,7 @@ TEST_P(SSLClientSocketVersionTest, SocketDestroyedDuringVerify) {
HangingCertVerifier verifier;
context_ = std::make_unique<SSLClientContext>(
ssl_config_service_.get(), &verifier, transport_security_state_.get(),
ct_policy_enforcer_.get(), ssl_client_session_cache_.get(), nullptr);
ssl_client_session_cache_.get(), nullptr);
TestCompletionCallback callback;
auto transport = std::make_unique<TCPClientSocket>(
@ -2752,31 +2722,6 @@ TEST_P(SSLClientSocketVersionTest, ConnectSignedCertTimestampsTLSExtension) {
context_ = nullptr;
}
// Test that when a CT verifier and a CTPolicyEnforcer are defined, and
// the EV certificate used conforms to the CT/EV policy, its EV status
// is maintained.
TEST_P(SSLClientSocketVersionTest, EVCertStatusMaintainedForCompliantCert) {
ASSERT_TRUE(
StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
SSLConfig ssl_config;
AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config);
// Emulate compliance of the certificate to the policy.
EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
int rv;
ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
EXPECT_THAT(rv, IsOk());
SSLInfo result;
ASSERT_TRUE(sock_->GetSSLInfo(&result));
EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV);
}
// Tests that OCSP stapling is requested, as per Certificate Transparency (RFC
// 6962).
TEST_P(SSLClientSocketVersionTest, ConnectSignedCertTimestampsEnablesOCSP) {
@ -4273,6 +4218,8 @@ TEST_P(SSLClientSocketVersionTest, CTIsRequired) {
verify_result.verified_cert = server_cert;
verify_result.public_key_hashes =
MakeHashValueVector(kGoodHashValueVectorInput);
verify_result.policy_compliance =
ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
// Set up CT
@ -4285,9 +4232,6 @@ TEST_P(SSLClientSocketVersionTest, CTIsRequired) {
IsCTRequiredForHost(host_port_pair().host(), _, _))
.WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
CTRequirementLevel::REQUIRED));
EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
SSLConfig ssl_config;
int rv;
@ -4315,6 +4259,8 @@ TEST_P(SSLClientSocketVersionTest, IgnoreCertificateErrorsBypassesRequiredCT) {
verify_result.verified_cert = server_cert;
verify_result.public_key_hashes =
MakeHashValueVector(kGoodHashValueVectorInput);
verify_result.policy_compliance =
ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
// Set up CT
@ -4327,9 +4273,6 @@ TEST_P(SSLClientSocketVersionTest, IgnoreCertificateErrorsBypassesRequiredCT) {
IsCTRequiredForHost(host_port_pair().host(), _, _))
.WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
CTRequirementLevel::REQUIRED));
EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
SSLConfig ssl_config;
ssl_config.ignore_certificate_errors = true;
@ -4362,6 +4305,8 @@ TEST_P(SSLClientSocketVersionTest, PKPMoreImportantThanCT) {
verify_result.verified_cert = server_cert;
verify_result.public_key_hashes =
MakeHashValueVector(kBadHashValueVectorInput);
verify_result.policy_compliance =
ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
transport_security_state_->EnableStaticPinsForTesting();
@ -4379,9 +4324,6 @@ TEST_P(SSLClientSocketVersionTest, PKPMoreImportantThanCT) {
EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(kCTHost, _, _))
.WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
CTRequirementLevel::REQUIRED));
EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
SSLConfig ssl_config;
int rv;
@ -4411,6 +4353,8 @@ TEST_P(SSLClientSocketVersionTest, SCTAuditingReportCollected) {
verify_result.verified_cert = server_cert;
verify_result.public_key_hashes =
MakeHashValueVector(kGoodHashValueVectorInput);
verify_result.policy_compliance =
ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS;
cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
// Set up CT and auditing delegate.
@ -4419,15 +4363,12 @@ TEST_P(SSLClientSocketVersionTest, SCTAuditingReportCollected) {
EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(_, _, _))
.WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
CTRequirementLevel::REQUIRED));
EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
.WillRepeatedly(
Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
MockSCTAuditingDelegate sct_auditing_delegate;
context_ = std::make_unique<SSLClientContext>(
ssl_config_service_.get(), cert_verifier_.get(),
transport_security_state_.get(), ct_policy_enforcer_.get(),
ssl_client_session_cache_.get(), &sct_auditing_delegate);
transport_security_state_.get(), ssl_client_session_cache_.get(),
&sct_auditing_delegate);
EXPECT_CALL(sct_auditing_delegate, IsSCTAuditingEnabled())
.WillRepeatedly(Return(true));

3
net/socket/ssl_connect_job_unittest.cc

@ -24,7 +24,6 @@
#include "net/base/network_isolation_key.h"
#include "net/base/proxy_chain.h"
#include "net/base/proxy_server.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/dns/mock_host_resolver.h"
#include "net/dns/public/secure_dns_policy.h"
@ -196,7 +195,6 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
session_context.host_resolver = &host_resolver_;
session_context.cert_verifier = &cert_verifier_;
session_context.transport_security_state = &transport_security_state_;
session_context.ct_policy_enforcer = &ct_policy_enforcer_;
session_context.proxy_resolution_service = proxy_resolution_service_.get();
session_context.client_socket_factory = &socket_factory_;
session_context.ssl_config_service = ssl_config_service_.get();
@ -214,7 +212,6 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
RuleResolver::GetLocalhostResult()};
MockCertVerifier cert_verifier_;
TransportSecurityState transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
const std::unique_ptr<ProxyResolutionService> proxy_resolution_service_;
const std::unique_ptr<TestSSLConfigService> ssl_config_service_;
const std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;

20
net/socket/ssl_server_socket_unittest.cc

@ -46,8 +46,6 @@
#include "net/base/ip_endpoint.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/mock_client_cert_verifier.h"
#include "net/cert/signed_certificate_timestamp_and_status.h"
@ -108,18 +106,6 @@ const uint16_t kEcdheCiphers[] = {
0xcca9, // ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
};
class MockCTPolicyEnforcer : public CTPolicyEnforcer {
public:
MockCTPolicyEnforcer() = default;
~MockCTPolicyEnforcer() override = default;
ct::CTPolicyCompliance CheckCompliance(
X509Certificate* cert,
const ct::SCTList& verified_scts,
const NetLogWithSource& net_log) const override {
return ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS;
}
};
class FakeDataChannel {
public:
FakeDataChannel() = default;
@ -366,7 +352,6 @@ class SSLServerSocketTest : public PlatformTest, public WithTaskEnvironment {
cert_verifier_(std::make_unique<MockCertVerifier>()),
client_cert_verifier_(std::make_unique<MockClientCertVerifier>()),
transport_security_state_(std::make_unique<TransportSecurityState>()),
ct_policy_enforcer_(std::make_unique<MockCTPolicyEnforcer>()),
ssl_client_session_cache_(std::make_unique<SSLClientSessionCache>(
SSLClientSessionCache::Config())) {}
@ -393,8 +378,8 @@ class SSLServerSocketTest : public PlatformTest, public WithTaskEnvironment {
client_context_ = std::make_unique<SSLClientContext>(
ssl_config_service_.get(), cert_verifier_.get(),
transport_security_state_.get(), ct_policy_enforcer_.get(),
ssl_client_session_cache_.get(), nullptr);
transport_security_state_.get(), ssl_client_session_cache_.get(),
nullptr);
}
protected:
@ -522,7 +507,6 @@ class SSLServerSocketTest : public PlatformTest, public WithTaskEnvironment {
std::unique_ptr<MockCertVerifier> cert_verifier_;
std::unique_ptr<MockClientCertVerifier> client_cert_verifier_;
std::unique_ptr<TransportSecurityState> transport_security_state_;
std::unique_ptr<MockCTPolicyEnforcer> ct_policy_enforcer_;
std::unique_ptr<SSLClientSessionCache> ssl_client_session_cache_;
std::unique_ptr<SSLClientContext> client_context_;
std::unique_ptr<SSLServerContext> server_context_;

1
net/socket/transport_client_socket_pool_unittest.cc

@ -29,7 +29,6 @@
#include "net/base/proxy_string_util.h"
#include "net/base/schemeful_site.h"
#include "net/base/test_completion_callback.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/dns/mock_host_resolver.h"
#include "net/dns/public/secure_dns_policy.h"

3
net/socket/transport_connect_job_unittest.cc

@ -17,7 +17,6 @@
#include "net/base/ip_address.h"
#include "net/base/ip_endpoint.h"
#include "net/base/net_errors.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/dns/mock_host_resolver.h"
#include "net/dns/public/secure_dns_policy.h"
@ -98,11 +97,9 @@ class TransportConnectJobTest : public WithTaskEnvironment,
TestSSLConfigService ssl_config_service_{SSLContextConfig{}};
MockCertVerifier cert_verifier_;
TransportSecurityState transport_security_state_;
DefaultCTPolicyEnforcer ct_policy_enforcer_;
SSLClientContext ssl_client_context_{&ssl_config_service_,
&cert_verifier_,
&transport_security_state_,
&ct_policy_enforcer_,
/*ssl_client_session_cache=*/nullptr,
/*sct_auditing_delegate=*/nullptr};
const CommonConnectJobParams common_connect_job_params_;

3
net/spdy/spdy_test_util_common.cc

@ -20,7 +20,6 @@
#include "net/base/features.h"
#include "net/base/host_port_pair.h"
#include "net/base/http_user_agent_settings.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/signed_certificate_timestamp_and_status.h"
@ -302,7 +301,6 @@ SpdySessionDependencies::SpdySessionDependencies(
MockHostResolverBase::RuleResolver::GetLocalhostResult())),
cert_verifier(std::make_unique<MockCertVerifier>()),
transport_security_state(std::make_unique<TransportSecurityState>()),
ct_policy_enforcer(std::make_unique<DefaultCTPolicyEnforcer>()),
proxy_resolution_service(std::move(proxy_resolution_service)),
ssl_config_service(std::make_unique<SSLConfigServiceDefaults>()),
socket_factory(std::make_unique<MockClientSocketFactory>()),
@ -385,7 +383,6 @@ HttpNetworkSessionContext SpdySessionDependencies::CreateSessionContext(
context.cert_verifier = session_deps->cert_verifier.get();
context.transport_security_state =
session_deps->transport_security_state.get();
context.ct_policy_enforcer = session_deps->ct_policy_enforcer.get();
context.proxy_resolution_service =
session_deps->proxy_resolution_service.get();
context.http_user_agent_settings =

2
net/spdy/spdy_test_util_common.h

@ -45,7 +45,6 @@ class GURL;
namespace net {
class CTPolicyEnforcer;
class ClientSocketFactory;
class HashValue;
class HostPortPair;
@ -182,7 +181,6 @@ struct SpdySessionDependencies {
std::unique_ptr<HostResolver> alternate_host_resolver;
std::unique_ptr<MockCertVerifier> cert_verifier;
std::unique_ptr<TransportSecurityState> transport_security_state;
std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer;
std::unique_ptr<ProxyResolutionService> proxy_resolution_service;
std::unique_ptr<HttpUserAgentSettings> http_user_agent_settings;
std::unique_ptr<SSLConfigService> ssl_config_service;

3
net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.cc vendored

@ -12,7 +12,6 @@
#include "net/base/network_isolation_key.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_log_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/http/transport_security_state.h"
#include "net/quic/crypto/proof_source_chromium.h"
#include "net/quic/crypto/proof_verifier_chromium.h"
@ -60,7 +59,6 @@ class ProofVerifierChromiumWithOwnership : public net::ProofVerifierChromium {
std::string host)
: net::ProofVerifierChromium(
cert_verifier.get(),
&ct_policy_enforcer_,
&transport_security_state_,
/*sct_auditing_delegate=*/nullptr,
UnknownRootAllowlistForHost(host),
@ -71,7 +69,6 @@ class ProofVerifierChromiumWithOwnership : public net::ProofVerifierChromium {
private:
std::unique_ptr<net::CertVerifier> cert_verifier_;
net::DefaultCTPolicyEnforcer ct_policy_enforcer_;
net::TransportSecurityState transport_security_state_;
};

1
net/tools/cert_verify_tool/cert_verify_comparision_tool.cc

@ -140,6 +140,7 @@ std::unique_ptr<CertVerifyImpl> CreateCertVerifyImplFromName(
net::CreateCertVerifyProcBuiltin(
std::move(cert_net_fetcher), net::CRLSet::BuiltinCRLSet(),
std::make_unique<net::DoNothingCTVerifier>(),
base::MakeRefCounted<net::DefaultCTPolicyEnforcer>(),
net::CreateSslSystemTrustStoreChromeRoot(
std::make_unique<net::TrustStoreChrome>()),
{}));

1
net/tools/cert_verify_tool/cert_verify_tool.cc

@ -267,6 +267,7 @@ std::unique_ptr<CertVerifyImpl> CreateCertVerifyImplFromName(
std::move(cert_net_fetcher), std::move(crl_set),
// TODO(https://crbug.com/848277): support CT.
std::make_unique<net::DoNothingCTVerifier>(),
base::MakeRefCounted<net::DefaultCTPolicyEnforcer>(),
CreateSystemTrustStore(impl_name, root_store_type), {}));
}

5
net/url_request/url_request_context.cc

@ -20,7 +20,6 @@
#include "net/base/network_delegate.h"
#include "net/base/proxy_delegate.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/sct_auditing_delegate.h"
#include "net/cookies/cookie_store.h"
#include "net/dns/host_resolver.h"
@ -198,10 +197,6 @@ void URLRequestContext::set_transport_security_state(
std::unique_ptr<TransportSecurityState> state) {
transport_security_state_ = std::move(state);
}
void URLRequestContext::set_ct_policy_enforcer(
std::unique_ptr<CTPolicyEnforcer> enforcer) {
ct_policy_enforcer_ = std::move(enforcer);
}
void URLRequestContext::set_sct_auditing_delegate(
std::unique_ptr<SCTAuditingDelegate> delegate) {
sct_auditing_delegate_ = std::move(delegate);

7
net/url_request/url_request_context.h

@ -32,7 +32,6 @@ namespace net {
class CertVerifier;
class ClientSocketFactory;
class CookieStore;
class CTPolicyEnforcer;
class HostResolver;
class HttpAuthHandlerFactory;
class HttpNetworkSession;
@ -167,10 +166,6 @@ class NET_EXPORT URLRequestContext final {
return transport_security_state_.get();
}
CTPolicyEnforcer* ct_policy_enforcer() const {
return ct_policy_enforcer_.get();
}
SCTAuditingDelegate* sct_auditing_delegate() const {
return sct_auditing_delegate_.get();
}
@ -275,7 +270,6 @@ class NET_EXPORT URLRequestContext final {
void set_cookie_store(std::unique_ptr<CookieStore> cookie_store);
void set_transport_security_state(
std::unique_ptr<TransportSecurityState> state);
void set_ct_policy_enforcer(std::unique_ptr<CTPolicyEnforcer> enforcer);
void set_sct_auditing_delegate(std::unique_ptr<SCTAuditingDelegate> delegate);
void set_job_factory(std::unique_ptr<const URLRequestJobFactory> job_factory);
void set_throttler_manager(
@ -326,7 +320,6 @@ class NET_EXPORT URLRequestContext final {
std::unique_ptr<const HttpUserAgentSettings> http_user_agent_settings_;
std::unique_ptr<CookieStore> cookie_store_;
std::unique_ptr<TransportSecurityState> transport_security_state_;
std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
std::unique_ptr<SCTAuditingDelegate> sct_auditing_delegate_;
std::unique_ptr<QuicContext> quic_context_;
std::unique_ptr<ClientSocketFactory> client_socket_factory_;

14
net/url_request/url_request_context_builder.cc

@ -23,7 +23,6 @@
#include "net/base/network_delegate_impl.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_log_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/multi_log_ct_verifier.h"
#include "net/cert/sct_auditing_delegate.h"
@ -86,7 +85,6 @@ void URLRequestContextBuilder::SetHttpNetworkSessionComponents(
session_context->cert_verifier = request_context->cert_verifier();
session_context->transport_security_state =
request_context->transport_security_state();
session_context->ct_policy_enforcer = request_context->ct_policy_enforcer();
session_context->sct_auditing_delegate =
request_context->sct_auditing_delegate();
session_context->proxy_resolution_service =
@ -147,11 +145,6 @@ void URLRequestContextBuilder::SetSpdyAndQuicEnabled(bool spdy_enabled,
http_network_session_params_.enable_quic = quic_enabled;
}
void URLRequestContextBuilder::set_ct_policy_enforcer(
std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer) {
ct_policy_enforcer_ = std::move(ct_policy_enforcer);
}
void URLRequestContextBuilder::set_sct_auditing_delegate(
std::unique_ptr<SCTAuditingDelegate> sct_auditing_delegate) {
sct_auditing_delegate_ = std::move(sct_auditing_delegate);
@ -423,13 +416,6 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
CertVerifier::CreateDefault(/*cert_net_fetcher=*/nullptr));
}
if (ct_policy_enforcer_) {
context->set_ct_policy_enforcer(std::move(ct_policy_enforcer_));
} else {
context->set_ct_policy_enforcer(
std::make_unique<DefaultCTPolicyEnforcer>());
}
if (sct_auditing_delegate_) {
context->set_sct_auditing_delegate(std::move(sct_auditing_delegate_));
}

4
net/url_request/url_request_context_builder.h

@ -51,7 +51,6 @@ namespace net {
class CertVerifier;
class ClientSocketFactory;
class CookieStore;
class CTPolicyEnforcer;
class HttpAuthHandlerFactory;
class HttpTransactionFactory;
class HttpUserAgentSettings;
@ -281,8 +280,6 @@ class NET_EXPORT URLRequestContextBuilder {
throttling_enabled_ = throttling_enabled;
}
void set_ct_policy_enforcer(
std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer);
void set_sct_auditing_delegate(
std::unique_ptr<SCTAuditingDelegate> sct_auditing_delegate);
void set_quic_context(std::unique_ptr<QuicContext> quic_context);
@ -446,7 +443,6 @@ class NET_EXPORT URLRequestContextBuilder {
std::unique_ptr<CookieStore> cookie_store_;
std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;
std::unique_ptr<CertVerifier> cert_verifier_;
std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
std::unique_ptr<SCTAuditingDelegate> sct_auditing_delegate_;
std::unique_ptr<QuicContext> quic_context_;
std::unique_ptr<ClientSocketFactory> client_socket_factory_ = nullptr;

15
net/url_request/url_request_quic_unittest.cc

@ -17,8 +17,6 @@
#include "net/base/isolation_info.h"
#include "net/base/load_timing_info.h"
#include "net/base/network_delegate.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/dns/mapped_host_resolver.h"
#include "net/dns/mock_host_resolver.h"
@ -58,19 +56,6 @@ const char kHelloPath[] = "/hello.txt";
const char kHelloBodyValue[] = "Hello from QUIC Server";
const int kHelloStatus = 200;
class MockCTPolicyEnforcerNonCompliant : public CTPolicyEnforcer {
public:
MockCTPolicyEnforcerNonCompliant() = default;
~MockCTPolicyEnforcerNonCompliant() override = default;
ct::CTPolicyCompliance CheckCompliance(
X509Certificate* cert,
const ct::SCTList& verified_scts,
const NetLogWithSource& net_log) const override {
return ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS;
}
};
class URLRequestQuicTest
: public TestWithTaskEnvironment,
public ::testing::WithParamInterface<quic::ParsedQuicVersion> {

2
net/url_request/url_request_test_util.cc

@ -16,7 +16,6 @@
#include "base/threading/thread.h"
#include "net/base/host_port_pair.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/do_nothing_ct_verifier.h"
#include "net/cookies/cookie_setting_override.h"
#include "net/dns/mock_host_resolver.h"
@ -78,7 +77,6 @@ std::unique_ptr<URLRequestContextBuilder> CreateTestURLRequestContextBuilder() {
ConfiguredProxyResolutionService::CreateDirect());
builder->SetCertVerifier(
CertVerifier::CreateDefault(/*cert_net_fetcher=*/nullptr));
builder->set_ct_policy_enforcer(std::make_unique<DefaultCTPolicyEnforcer>());
builder->set_ssl_config_service(std::make_unique<SSLConfigServiceDefaults>());
builder->SetHttpAuthHandlerFactory(HttpAuthHandlerFactory::CreateDefault());
builder->SetHttpServerProperties(std::make_unique<HttpServerProperties>());

1
net/url_request/url_request_test_util.h

@ -28,7 +28,6 @@
#include "net/base/request_priority.h"
#include "net/base/transport_info.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cookies/cookie_inclusion_status.h"
#include "net/cookies/cookie_monster.h"
#include "net/cookies/cookie_setting_override.h"

2
net/url_request/url_request_unittest.cc

@ -73,8 +73,6 @@
#include "net/cert/cert_verifier.h"
#include "net/cert/coalescing_cert_verifier.h"
#include "net/cert/crl_set.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/do_nothing_ct_verifier.h"
#include "net/cert/ev_root_ca_metadata.h"
#include "net/cert/mock_cert_verifier.h"

5
remoting/protocol/ssl_hmac_channel_authenticator.cc

@ -20,8 +20,6 @@
#include "net/cert/cert_status_flags.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/signed_certificate_timestamp_and_status.h"
#include "net/cert/x509_certificate.h"
#include "net/http/transport_security_state.h"
@ -265,12 +263,9 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate(
socket_context_.transport_security_state =
std::make_unique<net::TransportSecurityState>();
socket_context_.cert_verifier = std::make_unique<FailingCertVerifier>();
socket_context_.ct_policy_enforcer =
std::make_unique<net::DefaultCTPolicyEnforcer>();
socket_context_.client_context = std::make_unique<net::SSLClientContext>(
nullptr /* default config */, socket_context_.cert_verifier.get(),
socket_context_.transport_security_state.get(),
socket_context_.ct_policy_enforcer.get(),
nullptr /* no session caching */, nullptr /* no sct auditing */);
net::SSLConfig ssl_config;

2
remoting/protocol/ssl_hmac_channel_authenticator.h

@ -15,7 +15,6 @@
namespace net {
class CertVerifier;
class CTPolicyEnforcer;
class DrainableIOBuffer;
class GrowableIOBuffer;
class SSLClientContext;
@ -86,7 +85,6 @@ class SslHmacChannelAuthenticator : public ChannelAuthenticator {
// Used in the CLIENT mode only.
std::unique_ptr<net::TransportSecurityState> transport_security_state;
std::unique_ptr<net::CertVerifier> cert_verifier;
std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer;
std::unique_ptr<net::SSLClientContext> client_context;
};

2
services/cert_verifier/BUILD.gn

@ -18,6 +18,7 @@ source_set("lib") {
deps = [
"//base",
"//build:chromeos_buildflags",
"//components/certificate_transparency",
"//net",
"//net/cert:root_store_proto_lite",
"//services/cert_verifier/cert_net_url_loader",
@ -46,6 +47,7 @@ source_set("tests") {
"//base",
"//base/test:test_support",
"//build:chromeos_buildflags",
"//components/certificate_transparency",
"//crypto:test_support",
"//net",
"//net:test_support",

1
services/cert_verifier/DEPS

@ -1,4 +1,5 @@
include_rules = [
"+components/certificate_transparency",
"+crypto",
"+net",
"+mojo/public/cpp",

1
services/cert_verifier/cert_net_url_loader/cert_net_fetcher_url_loader_unittest.cc

@ -15,7 +15,6 @@
#include "base/synchronization/lock.h"
#include "mojo/public/cpp/bindings/pending_remote.h"
#include "net/cert/cert_net_fetcher.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/mock_cert_verifier.h"
#include "net/cert/multi_log_ct_verifier.h"
#include "net/dns/mock_host_resolver.h"

23
services/cert_verifier/cert_verifier_creation.cc

@ -4,12 +4,16 @@
#include "services/cert_verifier/cert_verifier_creation.h"
#include "base/memory/scoped_refptr.h"
#include "base/types/optional_util.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
#include "crypto/sha2.h"
#include "net/base/features.h"
#include "net/cert/cert_verify_proc.h"
#include "net/cert/crl_set.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/do_nothing_ct_verifier.h"
#include "net/cert/multi_threaded_cert_verifier.h"
@ -83,29 +87,37 @@ class CertVerifyProcFactoryImpl : public net::CertVerifyProcFactory {
const net::CertVerifyProc::ImplParams& impl_params,
const net::CertVerifyProc::InstanceParams& instance_params) override {
std::unique_ptr<net::CTVerifier> ct_verifier;
scoped_refptr<net::CTPolicyEnforcer> ct_policy_enforcer;
#if BUILDFLAG(IS_CT_SUPPORTED)
if (!impl_params.ct_logs.empty()) {
ct_verifier =
std::make_unique<net::MultiLogCTVerifier>(impl_params.ct_logs);
}
ct_policy_enforcer = impl_params.ct_policy_enforcer;
#endif
if (!ct_verifier) {
ct_verifier = std::make_unique<net::DoNothingCTVerifier>();
}
if (!ct_policy_enforcer) {
ct_policy_enforcer = base::MakeRefCounted<net::DefaultCTPolicyEnforcer>();
}
#if BUILDFLAG(CHROME_ROOT_STORE_ONLY)
return CreateNewCertVerifyProc(
cert_net_fetcher, impl_params.crl_set, std::move(ct_verifier),
std::move(ct_policy_enforcer),
base::OptionalToPtr(impl_params.root_store_data), instance_params);
#else
#if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
if (impl_params.use_chrome_root_store) {
return CreateNewCertVerifyProc(
cert_net_fetcher, impl_params.crl_set, std::move(ct_verifier),
std::move(ct_policy_enforcer),
base::OptionalToPtr(impl_params.root_store_data), instance_params);
}
#endif
return CreateOldCertVerifyProc(cert_net_fetcher, impl_params.crl_set,
std::move(ct_verifier), instance_params);
return CreateOldCertVerifyProc(
cert_net_fetcher, impl_params.crl_set, std::move(ct_verifier),
std::move(ct_policy_enforcer), instance_params);
#endif
}
@ -121,11 +133,13 @@ class CertVerifyProcFactoryImpl : public net::CertVerifyProcFactory {
scoped_refptr<net::CertNetFetcher> cert_net_fetcher,
scoped_refptr<net::CRLSet> crl_set,
std::unique_ptr<net::CTVerifier> ct_verifier,
scoped_refptr<net::CTPolicyEnforcer> ct_policy_enforcer,
const net::CertVerifyProc::InstanceParams& instance_params) {
#if BUILDFLAG(IS_FUCHSIA)
return net::CreateCertVerifyProcBuiltin(
std::move(cert_net_fetcher), std::move(crl_set), std::move(ct_verifier),
net::CreateSslSystemTrustStore(), instance_params);
std::move(ct_policy_enforcer), net::CreateSslSystemTrustStore(),
instance_params);
#else
return net::CertVerifyProc::CreateSystemVerifyProc(
std::move(cert_net_fetcher), std::move(crl_set));
@ -140,6 +154,7 @@ class CertVerifyProcFactoryImpl : public net::CertVerifyProcFactory {
scoped_refptr<net::CertNetFetcher> cert_net_fetcher,
scoped_refptr<net::CRLSet> crl_set,
std::unique_ptr<net::CTVerifier> ct_verifier,
scoped_refptr<net::CTPolicyEnforcer> ct_policy_enforcer,
const net::ChromeRootStoreData* root_store_data,
const net::CertVerifyProc::InstanceParams& instance_params) {
std::unique_ptr<net::TrustStoreChrome> chrome_root =
@ -176,7 +191,7 @@ class CertVerifyProcFactoryImpl : public net::CertVerifyProcFactory {
#endif
return net::CreateCertVerifyProcBuiltin(
std::move(cert_net_fetcher), std::move(crl_set), std::move(ct_verifier),
std::move(trust_store), instance_params);
std::move(ct_policy_enforcer), std::move(trust_store), instance_params);
}
#endif // BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)

41
services/cert_verifier/cert_verifier_service_factory.cc

@ -14,6 +14,7 @@
#include "base/task/thread_pool.h"
#include "base/types/optional_util.h"
#include "build/build_config.h"
#include "crypto/sha2.h"
#include "mojo/public/cpp/bindings/callback_helpers.h"
#include "mojo/public/cpp/bindings/pending_receiver.h"
#include "mojo/public/cpp/bindings/pending_remote.h"
@ -29,6 +30,7 @@
#include "services/network/public/mojom/url_loader_factory.mojom.h"
#if BUILDFLAG(IS_CT_SUPPORTED)
#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
#include "services/network/public/mojom/ct_log_info.mojom.h"
#endif
@ -129,6 +131,33 @@ scoped_refptr<net::CRLSet> ParseCRLSet(mojo_base::BigBuffer crl_set) {
return result;
}
#if BUILDFLAG(IS_CT_SUPPORTED)
// Filters `log_list` for disqualified logs, returning them as sorted vectors
// in `disqualified_logs`, and stores the operator history of all logs in
// `operator_history`, suitable for use with a `CTPolicyEnforcer`.
void GetCTPolicyConfigForCTLogInfo(
const std::vector<network::mojom::CTLogInfoPtr>& log_list,
std::vector<std::pair<std::string, base::Time>>* disqualified_logs,
std::map<std::string, certificate_transparency::OperatorHistoryEntry>*
operator_history) {
for (const auto& log : log_list) {
std::string log_id = crypto::SHA256HashString(log->public_key);
if (log->disqualified_at) {
disqualified_logs->emplace_back(log_id, log->disqualified_at.value());
}
certificate_transparency::OperatorHistoryEntry entry;
entry.current_operator_ = log->current_operator;
for (const auto& previous_operator : log->previous_operators) {
entry.previous_operators_.emplace_back(previous_operator->name,
previous_operator->end_time);
}
(*operator_history)[log_id] = entry;
}
std::sort(std::begin(*disqualified_logs), std::end(*disqualified_logs));
}
#endif
} // namespace
CertVerifierServiceFactoryImpl::CertVerifierServiceFactoryImpl(
@ -185,6 +214,7 @@ void CertVerifierServiceFactoryImpl::UpdateCRLSet(
#if BUILDFLAG(IS_CT_SUPPORTED)
void CertVerifierServiceFactoryImpl::UpdateCtLogList(
std::vector<network::mojom::CTLogInfoPtr> log_list,
base::Time update_time,
UpdateCtLogListCallback callback) {
std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
for (auto& log : log_list) {
@ -199,6 +229,17 @@ void CertVerifierServiceFactoryImpl::UpdateCtLogList(
proc_params_.ct_logs = std::move(ct_logs);
std::vector<std::pair<std::string, base::Time>> disqualified_logs;
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
log_operator_history;
GetCTPolicyConfigForCTLogInfo(log_list, &disqualified_logs,
&log_operator_history);
proc_params_.ct_policy_enforcer =
base::MakeRefCounted<certificate_transparency::ChromeCTPolicyEnforcer>(
update_time, std::move(disqualified_logs),
std::move(log_operator_history));
UpdateVerifierServices();
std::move(callback).Run();

2
services/cert_verifier/cert_verifier_service_factory.h

@ -9,6 +9,7 @@
#include "base/memory/raw_ptr.h"
#include "base/memory/scoped_refptr.h"
#include "base/memory/weak_ptr.h"
#include "base/time/time.h"
#include "mojo/public/cpp/bindings/pending_receiver.h"
#include "mojo/public/cpp/bindings/pending_remote.h"
#include "mojo/public/cpp/bindings/receiver.h"
@ -62,6 +63,7 @@ class CertVerifierServiceFactoryImpl
callback) override;
#if BUILDFLAG(IS_CT_SUPPORTED)
void UpdateCtLogList(std::vector<network::mojom::CTLogInfoPtr> log_list,
base::Time update_time,
UpdateCtLogListCallback callback) override;
#endif
#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)

233
services/cert_verifier/cert_verifier_service_factory_unittest.cc

@ -42,6 +42,7 @@
#include "testing/platform_test.h"
#if BUILDFLAG(IS_CT_SUPPORTED)
#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
#include "services/network/public/mojom/ct_log_info.mojom.h"
#endif
@ -549,80 +550,258 @@ TEST(CertVerifierServiceFactoryTest, UpdateCtLogList) {
// Should start with empty log list.
EXPECT_EQ(cv_service_factory_impl.get_impl_params().ct_logs.size(), 0u);
EXPECT_FALSE(cv_service_factory_impl.get_impl_params().ct_policy_enforcer);
auto log1_private_key = crypto::ECPrivateKey::Create();
std::vector<uint8_t> log1_spki;
ASSERT_TRUE(log1_private_key->ExportPublicKey(&log1_spki));
const std::string log1_id =
crypto::SHA256HashString(std::string(log1_spki.begin(), log1_spki.end()));
auto log2_private_key = crypto::ECPrivateKey::Create();
std::vector<uint8_t> log2_spki;
ASSERT_TRUE(log2_private_key->ExportPublicKey(&log2_spki));
const std::string log2_id =
crypto::SHA256HashString(std::string(log2_spki.begin(), log2_spki.end()));
const std::string kLog1Operator = "log operator";
const std::string kLog2Operator = "log2 operator";
const std::string kLog3Operator = "log3 operator";
// Test the 1st log list update.
{
std::vector<network::mojom::CTLogInfoPtr> log_list_mojo;
{
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
log_info->public_key = std::string(log1_spki.begin(), log1_spki.end());
log_info->id = crypto::SHA256HashString(log_info->public_key);
log_info->id = log1_id;
log_info->name = "log name";
log_info->current_operator = "log operator";
log_info->current_operator = kLog1Operator;
log_list_mojo.push_back(std::move(log_info));
}
{
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
log_info->public_key = std::string(log2_spki.begin(), log2_spki.end());
log_info->id = crypto::SHA256HashString(log_info->public_key);
log_info->id = log2_id;
log_info->name = "log2 name";
log_info->current_operator = "log2 operator";
log_info->current_operator = kLog2Operator;
log_list_mojo.push_back(std::move(log_info));
}
{
base::RunLoop run_loop;
cv_service_factory_remote->UpdateCtLogList(std::move(log_list_mojo),
run_loop.QuitClosure());
cv_service_factory_remote->UpdateCtLogList(
std::move(log_list_mojo), base::Time::Now(), run_loop.QuitClosure());
run_loop.Run();
}
ASSERT_EQ(cv_service_factory_impl.get_impl_params().ct_logs.size(), 2u);
EXPECT_EQ(cv_service_factory_impl.get_impl_params().ct_logs[0]->key_id(),
crypto::SHA256HashString(
std::string(log1_spki.begin(), log1_spki.end())));
EXPECT_EQ(cv_service_factory_impl.get_impl_params().ct_logs[1]->key_id(),
crypto::SHA256HashString(
std::string(log2_spki.begin(), log2_spki.end())));
net::CTPolicyEnforcer* request_enforcer =
cv_service_factory_impl.get_impl_params().ct_policy_enforcer.get();
ASSERT_TRUE(request_enforcer);
certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
request_enforcer);
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
operator_history = policy_enforcer->operator_history_for_testing();
EXPECT_EQ(operator_history[log1_id].current_operator_, kLog1Operator);
EXPECT_EQ(operator_history[log2_id].current_operator_, kLog2Operator);
}
ASSERT_EQ(cv_service_factory_impl.get_impl_params().ct_logs.size(), 2u);
EXPECT_EQ(cv_service_factory_impl.get_impl_params().ct_logs[0]->key_id(),
crypto::SHA256HashString(
std::string(log1_spki.begin(), log1_spki.end())));
EXPECT_EQ(cv_service_factory_impl.get_impl_params().ct_logs[1]->key_id(),
crypto::SHA256HashString(
std::string(log2_spki.begin(), log2_spki.end())));
// Test a 2nd log list update.
{
std::vector<network::mojom::CTLogInfoPtr> log_list_mojo;
{
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
log_info->public_key = std::string(log1_spki.begin(), log1_spki.end());
log_info->id = crypto::SHA256HashString(log_info->public_key);
log_info->id = log1_id;
log_info->name = "log name";
log_info->current_operator = "log operator";
log_info->current_operator = kLog1Operator;
log_list_mojo.push_back(std::move(log_info));
}
const std::string log3_public_key = "bad public key";
const std::string log3_id = crypto::SHA256HashString(log3_public_key);
{
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
log_info->public_key = "bad public key";
log_info->id = crypto::SHA256HashString(log_info->public_key);
log_info->name = "log2 name";
log_info->current_operator = "log2 operator";
log_info->public_key = log3_public_key;
log_info->id = log3_id;
log_info->name = "log3 name";
log_info->current_operator = kLog3Operator;
log_list_mojo.push_back(std::move(log_info));
}
{
base::RunLoop run_loop;
cv_service_factory_remote->UpdateCtLogList(std::move(log_list_mojo),
run_loop.QuitClosure());
cv_service_factory_remote->UpdateCtLogList(
std::move(log_list_mojo), base::Time::Now(), run_loop.QuitClosure());
run_loop.Run();
}
// The log with the bad key should have been ignored.
ASSERT_EQ(cv_service_factory_impl.get_impl_params().ct_logs.size(), 1u);
EXPECT_EQ(cv_service_factory_impl.get_impl_params().ct_logs[0]->key_id(),
crypto::SHA256HashString(
std::string(log1_spki.begin(), log1_spki.end())));
net::CTPolicyEnforcer* request_enforcer =
cv_service_factory_impl.get_impl_params().ct_policy_enforcer.get();
ASSERT_TRUE(request_enforcer);
certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
request_enforcer);
// CTPolicyEnforcer doesn't parse the key, so it accepts both logs.
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
operator_history = policy_enforcer->operator_history_for_testing();
EXPECT_EQ(operator_history[log1_id].current_operator_, kLog1Operator);
EXPECT_EQ(operator_history[log3_id].current_operator_, kLog3Operator);
}
}
TEST(CertVerifierServiceFactoryTest, CTPolicyEnforcerConfig) {
base::test::TaskEnvironment task_environment;
mojo::Remote<mojom::CertVerifierServiceFactory> cv_service_factory_remote;
CertVerifierServiceFactoryImpl cv_service_factory_impl(
cv_service_factory_remote.BindNewPipeAndPassReceiver());
std::vector<network::mojom::CTLogInfoPtr> log_list_mojo;
// The log public keys do not matter for the test, so invalid keys are used.
// However, because the log IDs are derived from the SHA-256 hash of the log
// key, the log keys are generated such that qualified logs are in the form
// of four digits (e.g. "0000", "1111"), while disqualified logs are in the
// form of four letters (e.g. "AAAA", "BBBB").
for (int i = 0; i < 6; ++i) {
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
// Shift to ASCII '0' (0x30)
log_info->public_key = std::string(4, 0x30 + static_cast<char>(i));
log_info->name = std::string(4, 0x30 + static_cast<char>(i));
if (i % 2) {
log_info->current_operator = "Google";
} else {
log_info->current_operator = "Not Google";
}
log_list_mojo.push_back(std::move(log_info));
}
for (int i = 0; i < 3; ++i) {
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
// Shift to ASCII 'A' (0x41)
log_info->public_key = std::string(4, 0x41 + static_cast<char>(i));
log_info->name = std::string(4, 0x41 + static_cast<char>(i));
log_info->disqualified_at = base::Time::FromTimeT(i);
log_info->current_operator = "Not Google Either";
log_list_mojo.push_back(std::move(log_info));
}
// The log with the bad key should have been ignored.
ASSERT_EQ(cv_service_factory_impl.get_impl_params().ct_logs.size(), 1u);
EXPECT_EQ(cv_service_factory_impl.get_impl_params().ct_logs[0]->key_id(),
crypto::SHA256HashString(
std::string(log1_spki.begin(), log1_spki.end())));
base::RunLoop run_loop;
cv_service_factory_remote->UpdateCtLogList(
std::move(log_list_mojo), base::Time::Now(), run_loop.QuitClosure());
run_loop.Run();
net::CTPolicyEnforcer* request_enforcer =
cv_service_factory_impl.get_impl_params().ct_policy_enforcer.get();
ASSERT_TRUE(request_enforcer);
certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
request_enforcer);
EXPECT_TRUE(
std::is_sorted(policy_enforcer->disqualified_logs_for_testing().begin(),
policy_enforcer->disqualified_logs_for_testing().end()));
EXPECT_THAT(policy_enforcer->disqualified_logs_for_testing(),
::testing::UnorderedElementsAre(
::testing::Pair(crypto::SHA256HashString("AAAA"),
base::Time::FromTimeT(0)),
::testing::Pair(crypto::SHA256HashString("BBBB"),
base::Time::FromTimeT(1)),
::testing::Pair(crypto::SHA256HashString("CCCC"),
base::Time::FromTimeT(2))));
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
operator_history = policy_enforcer->operator_history_for_testing();
for (auto log : policy_enforcer->disqualified_logs_for_testing()) {
EXPECT_EQ(operator_history[log.first].current_operator_,
"Not Google Either");
EXPECT_TRUE(operator_history[log.first].previous_operators_.empty());
}
}
TEST(CertVerifierServiceFactoryTest,
CTPolicyEnforcerConfigWithOperatorSwitches) {
base::test::TaskEnvironment task_environment;
mojo::Remote<mojom::CertVerifierServiceFactory> cv_service_factory_remote;
CertVerifierServiceFactoryImpl cv_service_factory_impl(
cv_service_factory_remote.BindNewPipeAndPassReceiver());
std::vector<network::mojom::CTLogInfoPtr> log_list_mojo;
// The log public keys do not matter for the test, so invalid keys are used.
// However, because the log IDs are derived from the SHA-256 hash of the log
// key, the log keys are generated such that the log that never switched
// operator is "0000", while the one that did is "AAAA".
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
// Shift to ASCII '0' (0x30)
log_info->public_key = std::string(4, 0x30);
log_info->name = std::string(4, 0x30);
log_info->current_operator = "Forever Operator";
log_list_mojo.push_back(std::move(log_info));
log_info = network::mojom::CTLogInfo::New();
// Shift to ASCII 'A' (0x41)
log_info->public_key = std::string(4, 0x41);
log_info->name = std::string(4, 0x41);
log_info->current_operator = "Changed Operator";
for (int i = 0; i < 3; i++) {
network::mojom::PreviousOperatorEntryPtr previous_operator =
network::mojom::PreviousOperatorEntry::New();
previous_operator->name = "Operator " + base::NumberToString(i);
previous_operator->end_time = base::Time::FromTimeT(i);
log_info->previous_operators.push_back(std::move(previous_operator));
}
log_list_mojo.push_back(std::move(log_info));
base::RunLoop run_loop;
cv_service_factory_remote->UpdateCtLogList(
std::move(log_list_mojo), base::Time::Now(), run_loop.QuitClosure());
run_loop.Run();
net::CTPolicyEnforcer* request_enforcer =
cv_service_factory_impl.get_impl_params().ct_policy_enforcer.get();
ASSERT_TRUE(request_enforcer);
certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
request_enforcer);
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
operator_history = policy_enforcer->operator_history_for_testing();
EXPECT_EQ(
operator_history[crypto::SHA256HashString("0000")].current_operator_,
"Forever Operator");
EXPECT_TRUE(operator_history[crypto::SHA256HashString("0000")]
.previous_operators_.empty());
EXPECT_EQ(
operator_history[crypto::SHA256HashString("AAAA")].current_operator_,
"Changed Operator");
EXPECT_THAT(
operator_history[crypto::SHA256HashString("AAAA")].previous_operators_,
::testing::ElementsAre(
::testing::Pair("Operator 0", base::Time::FromTimeT(0)),
::testing::Pair("Operator 1", base::Time::FromTimeT(1)),
::testing::Pair("Operator 2", base::Time::FromTimeT(2))));
}
#endif

7
services/cert_verifier/public/mojom/cert_verifier_service_factory.mojom

@ -7,6 +7,7 @@ module cert_verifier.mojom;
import "mojo/public/mojom/base/big_buffer.mojom";
import "mojo/public/mojom/base/file_path.mojom";
import "mojo/public/mojom/base/read_only_buffer.mojom";
import "mojo/public/mojom/base/time.mojom";
import "services/network/public/mojom/cert_verifier_service.mojom";
import "services/network/public/mojom/network_param.mojom";
@ -75,9 +76,11 @@ interface CertVerifierServiceFactory {
// or ReadOnlyFile instead of BigBuffer for this and ChromeRootStore.
UpdateCRLSet(mojo_base.mojom.BigBuffer crl_set) => ();
// Updates the log list used for CT verification.
// Updates the log list used for CT verification. `update_time` should
// contain the log list timestamp.
[EnableIf=is_ct_supported]
UpdateCtLogList(array<network.mojom.CTLogInfo> log_list) => ();
UpdateCtLogList(array<network.mojom.CTLogInfo> log_list,
mojo_base.mojom.Time update_time) => ();
// Updates the ChromeRootStore used by the CertVerifierServiceFactory with a
// new version. The callback will be run once the update has been processed

84
services/network/network_context.cc

@ -48,7 +48,6 @@
#include "components/prefs/pref_service_factory.h"
#include "components/url_matcher/url_matcher.h"
#include "components/url_matcher/url_util.h"
#include "crypto/sha2.h"
#include "mojo/public/cpp/bindings/pending_receiver.h"
#include "net/base/features.h"
#include "net/base/isolation_info.h"
@ -148,9 +147,10 @@
#include "url/gurl.h"
#if BUILDFLAG(IS_CT_SUPPORTED)
#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
#include "components/certificate_transparency/chrome_require_ct_delegate.h"
#include "components/certificate_transparency/ct_known_logs.h"
// gn check does not account for BUILDFLAG(). So, for iOS builds, it will
// complain about a missing dependency on the target exposing this header. Add a
// nogncheck to stop it from yelling.
#include "components/certificate_transparency/chrome_require_ct_delegate.h" // nogncheck
#include "services/network/sct_auditing/sct_auditing_cache.h"
#include "services/network/sct_auditing/sct_auditing_handler.h"
#endif // BUILDFLAG(IS_CT_SUPPORTED)
@ -398,31 +398,6 @@ void SCTAuditingDelegate::MaybeEnqueueReport(
context_->MaybeEnqueueSCTReport(host_port_pair, validated_certificate_chain,
signed_certificate_timestamps);
}
// Filters `log_list` for disqualified logs, returning them as sorted vectors
// in `disqualified_logs`, and stores the operator history of all logs in
// `operator_history`, suitable for use with a `CTPolicyEnforcer`.
void GetCTPolicyConfigForCTLogInfo(
const std::vector<mojom::CTLogInfoPtr>& log_list,
std::vector<std::pair<std::string, base::Time>>* disqualified_logs,
std::map<std::string, certificate_transparency::OperatorHistoryEntry>*
operator_history) {
for (const auto& log : log_list) {
std::string log_id = crypto::SHA256HashString(log->public_key);
if (log->disqualified_at) {
disqualified_logs->emplace_back(log_id, log->disqualified_at.value());
}
certificate_transparency::OperatorHistoryEntry entry;
entry.current_operator_ = log->current_operator;
for (const auto& previous_operator : log->previous_operators) {
entry.previous_operators_.emplace_back(previous_operator->name,
previous_operator->end_time);
}
(*operator_history)[log_id] = entry;
}
std::sort(std::begin(*disqualified_logs), std::end(*disqualified_logs));
}
#endif // BUILDFLAG(IS_CT_SUPPORTED)
// Obtains a full data file path from a NetworkContextFilePaths, a class member
@ -1477,24 +1452,12 @@ void NetworkContext::SetCTPolicy(mojom::CTPolicyPtr ct_policy) {
ct_policy->excluded_legacy_spkis);
}
int NetworkContext::CheckCTComplianceForSignedExchange(
int NetworkContext::CheckCTRequirementsForSignedExchange(
net::CertVerifyResult& cert_verify_result,
const net::X509Certificate& certificate,
const net::HostPortPair& host_port_pair) {
net::X509Certificate* verified_cert = cert_verify_result.verified_cert.get();
net::ct::SCTList verified_scts;
for (const auto& sct_and_status : cert_verify_result.scts) {
if (sct_and_status.status == net::ct::SCT_STATUS_OK)
verified_scts.push_back(sct_and_status.sct);
}
cert_verify_result.policy_compliance =
url_request_context_->ct_policy_enforcer()->CheckCompliance(
verified_cert, verified_scts,
net::NetLogWithSource::Make(
url_request_context_->net_log(),
net::NetLogSourceType::CERT_VERIFIER_JOB));
net::TransportSecurityState::CTRequirementsStatus ct_requirement_status =
url_request_context_->transport_security_state()->CheckCTRequirements(
host_port_pair, cert_verify_result.is_issued_by_known_root,
@ -1544,31 +1507,10 @@ void NetworkContext::MaybeEnqueueSCTReport(
signed_certificate_timestamps);
}
void NetworkContext::SetCTLogListAlwaysTimelyForTesting() {
if (!ct_policy_enforcer_)
return;
ct_policy_enforcer_->SetCTLogListAlwaysTimelyForTesting(true);
}
void NetworkContext::SetSCTAuditingMode(mojom::SCTAuditingMode mode) {
sct_auditing_handler()->SetMode(mode);
}
void NetworkContext::OnCTLogListUpdated(
const std::vector<network::mojom::CTLogInfoPtr>& log_list,
base::Time update_time) {
if (!ct_policy_enforcer_)
return;
std::vector<std::pair<std::string, base::Time>> disqualified_logs;
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
log_operator_history;
GetCTPolicyConfigForCTLogInfo(log_list, &disqualified_logs,
&log_operator_history);
ct_policy_enforcer_->UpdateCTLogList(update_time,
std::move(disqualified_logs),
std::move(log_operator_history));
}
void NetworkContext::CanSendSCTAuditingReport(
base::OnceCallback<void(bool)> callback) {
// If the NetworkContextClient hasn't been set yet or has disconnected for
@ -2420,20 +2362,6 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
*command_line, nullptr, std::move(cert_verifier)));
#if BUILDFLAG(IS_CT_SUPPORTED)
if (params_->enforce_chrome_ct_policy) {
std::vector<std::pair<std::string, base::Time>> disqualified_logs;
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
log_operator_history;
GetCTPolicyConfigForCTLogInfo(network_service_->log_list(),
&disqualified_logs, &log_operator_history);
auto ct_policy_enforcer =
std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
network_service_->ct_log_list_update_time(),
std::move(disqualified_logs), std::move(log_operator_history));
ct_policy_enforcer_ = ct_policy_enforcer.get();
builder.set_ct_policy_enforcer(std::move(ct_policy_enforcer));
}
builder.set_sct_auditing_delegate(
std::make_unique<SCTAuditingDelegate>(weak_factory_.GetWeakPtr()));
#endif // BUILDFLAG(IS_CT_SUPPORTED)
@ -2967,7 +2895,7 @@ void NetworkContext::OnVerifyCertForSignedExchangeComplete(
std::string pinning_failure_log;
if (result == net::OK) {
#if BUILDFLAG(IS_CT_SUPPORTED)
int ct_result = CheckCTComplianceForSignedExchange(
int ct_result = CheckCTRequirementsForSignedExchange(
*pending_cert_verify->result, *pending_cert_verify->certificate,
net::HostPortPair::FromURL(pending_cert_verify->url));
#endif // BUILDFLAG(IS_CT_SUPPORTED)

11
services/network/network_context.h

@ -102,7 +102,6 @@ class URLRequestContextBuilder;
namespace certificate_transparency {
class ChromeRequireCTDelegate;
class ChromeCTPolicyEnforcer;
} // namespace certificate_transparency
namespace domain_reliability {
@ -324,11 +323,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
const net::X509Certificate* validated_certificate_chain,
const net::SignedCertificateTimestampAndStatusList&
signed_certificate_timestamps);
void SetCTLogListAlwaysTimelyForTesting() override;
void SetSCTAuditingMode(mojom::SCTAuditingMode mode) override;
void OnCTLogListUpdated(
const std::vector<network::mojom::CTLogInfoPtr>& log_list,
base::Time update_time);
SCTAuditingHandler* sct_auditing_handler() {
return sct_auditing_handler_.get();
}
@ -748,7 +743,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
// TODO(crbug.com/828447): This code is more-or-less duplicated in
// SSLClientSocket and QUIC. Fold this into some CertVerifier-shaped class
// in //net.
int CheckCTComplianceForSignedExchange(
int CheckCTRequirementsForSignedExchange(
net::CertVerifyResult& cert_verify_result,
const net::X509Certificate& certificate,
const net::HostPortPair& host_port_pair);
@ -885,10 +880,6 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
std::unique_ptr<certificate_transparency::ChromeRequireCTDelegate>
require_ct_delegate_;
// Owned by the URLRequestContext.
raw_ptr<certificate_transparency::ChromeCTPolicyEnforcer>
ct_policy_enforcer_ = nullptr;
std::unique_ptr<SCTAuditingHandler> sct_auditing_handler_;
#endif // BUILDFLAG(IS_CT_SUPPORTED)

155
services/network/network_context_unittest.cc

@ -155,11 +155,6 @@
#include "url/scheme_host_port.h"
#include "url/url_constants.h"
#if BUILDFLAG(IS_CT_SUPPORTED)
#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
#include "services/network/public/mojom/ct_log_info.mojom.h"
#endif
#if BUILDFLAG(ENABLE_REPORTING)
#include "net/network_error_logging/network_error_logging_service.h"
#include "net/reporting/reporting_cache.h"
@ -6558,156 +6553,6 @@ TEST_F(NetworkContextTest, BlockAllCookies) {
EXPECT_EQ("None", response_body);
}
#if BUILDFLAG(IS_CT_SUPPORTED)
TEST_F(NetworkContextTest, CertificateTransparencyConfig) {
// Configure CT logs in network service.
std::vector<network::mojom::CTLogInfoPtr> log_list_mojo;
// The log public keys do not matter for the test, so invalid keys are used.
// However, because the log IDs are derived from the SHA-256 hash of the log
// key, the log keys are generated such that qualified logs are in the form
// of four digits (e.g. "0000", "1111"), while disqualified logs are in the
// form of four letters (e.g. "AAAA", "BBBB").
for (int i = 0; i < 6; ++i) {
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
// Shift to ASCII '0' (0x30)
log_info->public_key = std::string(4, 0x30 + static_cast<char>(i));
log_info->name = std::string(4, 0x30 + static_cast<char>(i));
if (i % 2) {
log_info->current_operator = "Google";
} else {
log_info->current_operator = "Not Google";
}
log_list_mojo.push_back(std::move(log_info));
}
for (int i = 0; i < 3; ++i) {
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
// Shift to ASCII 'A' (0x41)
log_info->public_key = std::string(4, 0x41 + static_cast<char>(i));
log_info->name = std::string(4, 0x41 + static_cast<char>(i));
log_info->disqualified_at = base::Time::FromTimeT(i);
log_info->current_operator = "Not Google Either";
log_list_mojo.push_back(std::move(log_info));
}
base::RunLoop run_loop;
network_service()->UpdateCtLogList(std::move(log_list_mojo),
base::Time::Now(), run_loop.QuitClosure());
run_loop.Run();
// Configure CT params in network context.
mojom::NetworkContextParamsPtr params =
CreateNetworkContextParamsForTesting();
params->enforce_chrome_ct_policy = true;
std::unique_ptr<NetworkContext> network_context =
CreateContextWithParams(std::move(params));
net::CTPolicyEnforcer* request_enforcer =
network_context->url_request_context()->ct_policy_enforcer();
ASSERT_TRUE(request_enforcer);
// Completely unsafe if |enforce_chrome_ct_policy| is false.
certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
request_enforcer);
EXPECT_TRUE(
std::is_sorted(policy_enforcer->disqualified_logs_for_testing().begin(),
policy_enforcer->disqualified_logs_for_testing().end()));
EXPECT_THAT(policy_enforcer->disqualified_logs_for_testing(),
::testing::UnorderedElementsAre(
::testing::Pair(crypto::SHA256HashString("AAAA"),
base::Time::FromTimeT(0)),
::testing::Pair(crypto::SHA256HashString("BBBB"),
base::Time::FromTimeT(1)),
::testing::Pair(crypto::SHA256HashString("CCCC"),
base::Time::FromTimeT(2))));
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
operator_history = policy_enforcer->operator_history_for_testing();
for (auto log : policy_enforcer->disqualified_logs_for_testing()) {
EXPECT_EQ(operator_history[log.first].current_operator_,
"Not Google Either");
EXPECT_TRUE(operator_history[log.first].previous_operators_.empty());
}
}
TEST_F(NetworkContextTest, CertificateTransparencyConfigWithOperatorSwitches) {
// Configure CT logs in network service.
std::vector<network::mojom::CTLogInfoPtr> log_list_mojo;
// The log public keys do not matter for the test, so invalid keys are used.
// However, because the log IDs are derived from the SHA-256 hash of the log
// key, the log keys are generated such that the log that never switched
// operator is "0000", while the one that did is "AAAA".
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
// Shift to ASCII '0' (0x30)
log_info->public_key = std::string(4, 0x30);
log_info->name = std::string(4, 0x30);
log_info->current_operator = "Forever Operator";
log_list_mojo.push_back(std::move(log_info));
log_info = network::mojom::CTLogInfo::New();
// Shift to ASCII 'A' (0x41)
log_info->public_key = std::string(4, 0x41);
log_info->name = std::string(4, 0x41);
log_info->current_operator = "Changed Operator";
for (int i = 0; i < 3; i++) {
network::mojom::PreviousOperatorEntryPtr previous_operator =
network::mojom::PreviousOperatorEntry::New();
previous_operator->name = "Operator " + base::NumberToString(i);
previous_operator->end_time = base::Time::FromTimeT(i);
log_info->previous_operators.push_back(std::move(previous_operator));
}
log_list_mojo.push_back(std::move(log_info));
base::RunLoop run_loop;
network_service()->UpdateCtLogList(std::move(log_list_mojo),
base::Time::Now(), run_loop.QuitClosure());
run_loop.Run();
// Configure CT params in network context.
mojom::NetworkContextParamsPtr params =
CreateNetworkContextParamsForTesting();
params->enforce_chrome_ct_policy = true;
std::unique_ptr<NetworkContext> network_context =
CreateContextWithParams(std::move(params));
net::CTPolicyEnforcer* request_enforcer =
network_context->url_request_context()->ct_policy_enforcer();
ASSERT_TRUE(request_enforcer);
// Completely unsafe if |enforce_chrome_ct_policy| is false.
certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
request_enforcer);
std::map<std::string, certificate_transparency::OperatorHistoryEntry>
operator_history = policy_enforcer->operator_history_for_testing();
EXPECT_EQ(
operator_history[crypto::SHA256HashString("0000")].current_operator_,
"Forever Operator");
EXPECT_TRUE(operator_history[crypto::SHA256HashString("0000")]
.previous_operators_.empty());
EXPECT_EQ(
operator_history[crypto::SHA256HashString("AAAA")].current_operator_,
"Changed Operator");
EXPECT_THAT(
operator_history[crypto::SHA256HashString("AAAA")].previous_operators_,
::testing::ElementsAre(
::testing::Pair("Operator 0", base::Time::FromTimeT(0)),
::testing::Pair("Operator 1", base::Time::FromTimeT(1)),
::testing::Pair("Operator 2", base::Time::FromTimeT(2))));
}
#endif
TEST_F(NetworkContextTest, AddHttpAuthCacheEntry) {
std::unique_ptr<NetworkContext> network_context =
CreateContextWithParams(CreateNetworkContextParamsForTesting());

5
services/network/network_service.cc

@ -958,14 +958,9 @@ void NetworkService::ConfigureSCTAuditing(
}
void NetworkService::UpdateCtLogList(std::vector<mojom::CTLogInfoPtr> log_list,
base::Time update_time,
UpdateCtLogListCallback callback) {
log_list_ = std::move(log_list);
ct_log_list_update_time_ = update_time;
for (auto* context : network_contexts_) {
context->OnCTLogListUpdated(log_list_, update_time);
}
std::move(callback).Run();
}

7
services/network/network_service.h

@ -201,7 +201,6 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkService
void ConfigureSCTAuditing(
mojom::SCTAuditingConfigurationPtr configuration) override;
void UpdateCtLogList(std::vector<mojom::CTLogInfoPtr> log_list,
base::Time update_time,
UpdateCtLogListCallback callback) override;
void UpdateCtKnownPopularSCTs(
const std::vector<std::vector<uint8_t>>& sct_hashes,
@ -315,10 +314,6 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkService
const std::vector<mojom::CTLogInfoPtr>& log_list() const { return log_list_; }
base::Time ct_log_list_update_time() const {
return ct_log_list_update_time_;
}
bool is_ct_enforcement_enabled_for_testing() const {
return ct_enforcement_enabled_;
}
@ -478,8 +473,6 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkService
std::vector<mojom::CTLogInfoPtr> log_list_;
base::Time ct_log_list_update_time_;
bool ct_enforcement_enabled_ = true;
#endif // BUILDFLAG(IS_CT_SUPPORTED)

1
services/network/proxy_resolving_client_socket_factory.cc

@ -26,7 +26,6 @@ ProxyResolvingClientSocketFactory::ProxyResolvingClientSocketFactory(
session_context.cert_verifier = request_context->cert_verifier();
session_context.transport_security_state =
request_context->transport_security_state();
session_context.ct_policy_enforcer = request_context->ct_policy_enforcer();
session_context.sct_auditing_delegate =
request_context->sct_auditing_delegate();
session_context.proxy_resolution_service =

4
services/network/public/mojom/network_context.mojom

@ -1634,10 +1634,6 @@ interface NetworkContext {
// minimum delay has not yet passed.
ForceDomainReliabilityUploadsForTesting() => ();
// If called, the CT log list will be considered always timely.
[EnableIf=is_ct_supported]
SetCTLogListAlwaysTimelyForTesting();
// Set the SCT auditing mode for this NetworkContext.
[EnableIf=is_ct_supported]
SetSCTAuditingMode(SCTAuditingMode mode);

8
services/network/public/mojom/network_service.mojom

@ -337,13 +337,9 @@ interface NetworkService {
[EnableIf=is_ct_supported]
ConfigureSCTAuditing(SCTAuditingConfiguration configuration);
// Updates the log list used for CT verification. `update_time` should
// contain the timestamp that the log list was considered fresh/current, in
// order to ensure that CT is not enforced if the log list is too out of
// date.
// Updates the log list used for CT auditing.
[EnableIf=is_ct_supported]
UpdateCtLogList(array<CTLogInfo> log_list,
mojo_base.mojom.Time update_time) => ();
UpdateCtLogList(array<CTLogInfo> log_list) => ();
// Updates the list of popular SCTs queried during CT hashdance auditing.
[EnableIf=is_ct_supported]

4
services/network/sct_auditing/sct_auditing_handler_unittest.cc

@ -87,7 +87,7 @@ class SCTAuditingHandlerTest : public testing::Test {
std::vector<mojom::CTLogInfoPtr> log_list;
log_list.emplace_back(std::move(log));
base::RunLoop run_loop;
network_service_->UpdateCtLogList(std::move(log_list), base::Time::Now(),
network_service_->UpdateCtLogList(std::move(log_list),
run_loop.QuitClosure());
run_loop.Run();
@ -953,7 +953,7 @@ TEST_F(SCTAuditingHandlerTest, LogNotFound) {
{
std::vector<mojom::CTLogInfoPtr> log_list;
base::RunLoop run_loop;
network_service_->UpdateCtLogList(std::move(log_list), base::Time::Now(),
network_service_->UpdateCtLogList(std::move(log_list),
run_loop.QuitClosure());
run_loop.Run();
}

1
services/network/socket_factory.cc

@ -12,7 +12,6 @@
#include "net/base/completion_once_callback.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/multi_log_ct_verifier.h"
#include "net/http/http_network_session.h"
#include "net/log/net_log.h"

1
services/network/test/test_network_context.h

@ -149,7 +149,6 @@ class TestNetworkContext : public mojom::NetworkContext {
void SetEnableReferrers(bool enable_referrers) override {}
#if BUILDFLAG(IS_CT_SUPPORTED)
void SetCTPolicy(mojom::CTPolicyPtr ct_policy) override {}
void SetCTLogListAlwaysTimelyForTesting() override {}
void SetSCTAuditingMode(mojom::SCTAuditingMode mode) override {}
#endif // BUILDFLAG(IS_CT_SUPPORTED)
void CreateUDPSocket(

5
services/network/tls_socket_factory.cc

@ -11,7 +11,6 @@
#include "net/base/completion_once_callback.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_policy_enforcer.h"
#include "net/cert/multi_log_ct_verifier.h"
#include "net/http/http_network_session.h"
#include "net/http/transport_security_state.h"
@ -53,7 +52,6 @@ TLSSocketFactory::TLSSocketFactory(net::URLRequestContext* url_request_context)
: ssl_client_context_(url_request_context->ssl_config_service(),
url_request_context->cert_verifier(),
url_request_context->transport_security_state(),
url_request_context->ct_policy_enforcer(),
nullptr /* Disables SSL session caching */,
url_request_context->sct_auditing_delegate()),
client_socket_factory_(nullptr),
@ -121,13 +119,10 @@ void TLSSocketFactory::CreateTLSClientSocket(
no_verification_cert_verifier_ = std::make_unique<FakeCertVerifier>();
no_verification_transport_security_state_ =
std::make_unique<net::TransportSecurityState>();
no_verification_ct_policy_enforcer_ =
std::make_unique<net::DefaultCTPolicyEnforcer>();
no_verification_ssl_client_context_ =
std::make_unique<net::SSLClientContext>(
ssl_config_service_, no_verification_cert_verifier_.get(),
no_verification_transport_security_state_.get(),
no_verification_ct_policy_enforcer_.get(),
nullptr /* no session cache */,
nullptr /* disable sct auditing */);
}

1
services/network/tls_socket_factory.h

@ -85,7 +85,6 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) TLSSocketFactory {
std::unique_ptr<net::CertVerifier> no_verification_cert_verifier_;
std::unique_ptr<net::TransportSecurityState>
no_verification_transport_security_state_;
std::unique_ptr<net::CTPolicyEnforcer> no_verification_ct_policy_enforcer_;
std::unique_ptr<net::SSLClientContext> no_verification_ssl_client_context_;
net::SSLClientContext ssl_client_context_;