CT: Adding preliminary Certificate Transparency support to Chromium.

chrome/browser/io_thread.cc

Index: chrome/browser/io_thread.cc
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
index 42645ea3425335a2a1c92fa9ffd74865e39603d0..74edebf430837616ed1f2b195cd200390042bb74 100644
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -6,6 +6,7 @@
 
 #include <vector>
 
+#include "base/base64.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
@@ -50,6 +51,7 @@
 #include "net/base/network_time_notifier.h"
 #include "net/base/sdch_manager.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_verifier.h"
 #include "net/cookies/cookie_monster.h"
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver.h"
@@ -82,6 +84,13 @@
 #include "policy/policy_constants.h"
 #endif
 
+#if !defined(USE_OPENSSL)
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/single_log_ct_verifier.h"
+#else
+#error "This Chromium build will not support Certificate Transparency."
+#endif
+
 #if defined(USE_NSS) || defined(OS_IOS)
 #include "net/ocsp/nss_ocsp.h"
 #endif
@@ -204,6 +213,8 @@ ConstructProxyScriptFetcherContext(IOThread::Globals* globals,
   context->set_cert_verifier(globals->cert_verifier.get());
   context->set_transport_security_state(
       globals->transport_security_state.get());
+  context->set_cert_transparency_verifier(
+      globals->cert_transparency_verifier.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());
   context->set_proxy_service(globals->proxy_script_fetcher_proxy_service.get());
@@ -232,6 +243,8 @@ ConstructSystemRequestContext(IOThread::Globals* globals,
   context->set_cert_verifier(globals->cert_verifier.get());
   context->set_transport_security_state(
       globals->transport_security_state.get());
+  context->set_cert_transparency_verifier(
+      globals->cert_transparency_verifier.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());
   context->set_proxy_service(globals->system_proxy_service.get());
@@ -534,6 +547,35 @@ void IOThread::InitAsync() {
         DataReductionProxySettings::GetDataReductionProxies();
   }
 #endif  // defined(OS_ANDROID) || defined(OS_IOS)
+#if !defined(USE_OPENSSL)
+  if (command_line.HasSwitch(switches::kEnableCertificateTransparency)) {
+    std::string switch_value = command_line.GetSwitchValueASCII(
+        switches::kEnableCertificateTransparency);
+    size_t delim_pos = switch_value.find(":");
+    if (delim_pos == std::string::npos) {
+      LOG(DFATAL) << "CT log description not provided (switch format" <<
+                  " is 'description:base64_key')";
+    }
+    std::string log_description(switch_value.substr(0, delim_pos));
+    std::string ct_public_key_data;
+    LOG(INFO) << "Log's public key supplied.";
+    if (!base::Base64Decode(switch_value.substr(delim_pos + 1),
+                            &ct_public_key_data)) {
+      LOG(DFATAL) << "Unable to decode CT public key.";
+    } else {
+      LOG(INFO) << "Log's public key decoded.";
+      scoped_ptr<net::CTLogVerifier> google_log_verifier(
+          net::CTLogVerifier::Create(ct_public_key_data, log_description));
+      if (!google_log_verifier) {
+        LOG(DFATAL) << "Unable to parse CT public key.";
+      } else {
+      LOG(INFO) << "Log's public key parsed.";
+        globals_->cert_transparency_verifier.reset(
+            new net::SingleLogCTVerifier(google_log_verifier.Pass()));
+      }
+    }
+  }
+#endif
   globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory(
       globals_->host_resolver.get()));
   globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl());