Allow QUIC to honor SCTs delivered in X509 certificates.

net/tools/quic/quic_client_bin.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // A binary wrapper for QuicClient.
 // Connects to a host using QUIC, sends a request to the provided URL, and
 // displays the response.
 //
 // Some usage examples:
 //
@@ skipping 28 matching lines @@
 //   quic_client http://www.example.com --host=${IP}
 
 #include <iostream>
 
 #include "base/at_exit.h"
 #include "base/command_line.h"
 #include "base/message_loop/message_loop.h"
 #include "net/base/net_errors.h"
 #include "net/base/privacy_mode.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_known_logs.h"
+#include "net/cert/ct_log_verifier.h"
 #include "net/cert/multi_log_ct_verifier.h"
 #include "net/http/transport_security_state.h"
 #include "net/quic/chromium/crypto/proof_verifier_chromium.h"
 #include "net/quic/core/quic_flags.h"
 #include "net/quic/core/quic_packets.h"
 #include "net/quic/core/quic_server_id.h"
 #include "net/quic/platform/api/quic_socket_address.h"
 #include "net/quic/platform/api/quic_str_cat.h"
 #include "net/quic/platform/api/quic_text_utils.h"
 #include "net/spdy/spdy_header_block.h"
@@ skipping 192 matching lines @@
                               net::PRIVACY_MODE_DISABLED);
   net::QuicVersionVector versions = net::AllSupportedVersions();
   if (FLAGS_quic_version != -1) {
     versions.clear();
     versions.push_back(static_cast<net::QuicVersion>(FLAGS_quic_version));
   }
   // For secure QUIC we need to verify the cert chain.
   std::unique_ptr<CertVerifier> cert_verifier(CertVerifier::CreateDefault());
   std::unique_ptr<TransportSecurityState> transport_security_state(
       new TransportSecurityState);
-  std::unique_ptr<CTVerifier> ct_verifier(new MultiLogCTVerifier());
+  std::unique_ptr<MultiLogCTVerifier> ct_verifier(new MultiLogCTVerifier());
+  ct_verifier->AddLogs(net::ct::CreateLogVerifiersForKnownLogs());

[Ryan Sleevi, 2017/02/03 21:41:25]

Should the QUIC client instead be disabling CT enforcement? Is there a risk of
people using this in anything 'real'?

(context: CreateLogVerifiersForKnownLogs == safe (for the ecosystem) for 6 week
update cycles, unsafe for >)

This will work either way, but potentially cause ecosystem damage if people
started building products on this.

[Ryan Hamilton, 2017/02/03 22:02:37]

Ah! Thanks for checking. I believe there is no danger of anyone doing anything
"real" with this code. It's simply our toy client. Nobody should be building
anything real out of this.

I'd prefer not to disable CT because it's desirable for this client to serve as
a stand-in for chrome when debugging QUIC issues.

   std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer(new CTPolicyEnforcer());
   std::unique_ptr<ProofVerifier> proof_verifier;
   if (line->HasSwitch("disable-certificate-verification")) {
     proof_verifier.reset(new FakeProofVerifier());
   } else {
     proof_verifier.reset(new ProofVerifierChromium(
         cert_verifier.get(), ct_policy_enforcer.get(),
         transport_security_state.get(), ct_verifier.get()));
   }
   net::QuicClient client(net::QuicSocketAddress(ip_addr, port), server_id,
@@ skipping 85 matching lines @@
       return 0;
     } else {
       cout << "Request failed (redirect " << response_code << ")." << endl;
       return 1;
     }
   } else {
     cerr << "Request failed (" << response_code << ")." << endl;
     return 1;
   }
 }