Certificate Transparency: Require SCTs for EV certificates.

chrome/browser/io_thread.cc

Index: chrome/browser/io_thread.cc
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
index 87ab0c7d47889cdee63187f706e52eeec4d30fe3..51317b21e8180bdb0a760cb0c025a4b7a2449bc0 100644
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -53,9 +53,11 @@
 #include "content/public/browser/cookie_store_factory.h"
 #include "net/base/host_mapping_rules.h"
 #include "net/base/net_util.h"
+#include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_proc.h"
 #include "net/cert/ct_known_logs.h"
+#include "net/cert/ct_known_logs_static.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/multi_log_ct_verifier.h"
@@ -241,6 +243,7 @@ ConstructProxyScriptFetcherContext(IOThread::Globals* globals,
   context->set_net_log(net_log);
   context->set_host_resolver(globals->host_resolver.get());
   context->set_cert_verifier(globals->cert_verifier.get());
+  context->set_cert_policy_enforcer(globals->cert_policy_enforcer.get());
   context->set_transport_security_state(
       globals->transport_security_state.get());
   context->set_cert_transparency_verifier(
@@ -271,6 +274,7 @@ ConstructSystemRequestContext(IOThread::Globals* globals,
   context->set_net_log(net_log);
   context->set_host_resolver(globals->host_resolver.get());
   context->set_cert_verifier(globals->cert_verifier.get());
+  context->set_cert_policy_enforcer(globals->cert_policy_enforcer.get());
   context->set_transport_security_state(
       globals->transport_security_state.get());
   context->set_cert_transparency_verifier(
@@ -639,6 +643,16 @@ void IOThread::InitAsync() {
     }
   }
 
+  net::CertPolicyEnforcer* policy_enforcer = NULL;
+  // TODO(eranm): In M41 Certificate Transparency presence will be required
+  // by for EV certificates. Remove this flag for M41.

[Ryan Sleevi, 2014/11/06 00:16:43]

While I know the delays have been due to my review load, this won't make it in
for M40.

So this is for M41, which should remove this flag.

However, you will want to Finch gate it ( http://go/finch ). I can walk you
through that tomorrow morning if you want.

[Eran Messeri, 2014/11/20 11:49:56]

Per our offline discussion, this patch will be immediately followed up by a
patch introducing Finch support, but it would be useful to have this patch land
with the policy enforcement behind a flag so we can tell CAs they can already
test compliance.

+  if (command_line.HasSwitch(switches::kRequireCTForEV)) {
+    policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, true);
+  } else {
+    policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, false);
+  }
+  globals_->cert_policy_enforcer.reset(policy_enforcer);
+
   globals_->ssl_config_service = GetSSLConfigService();
 
   SetupDataReductionProxy(network_delegate);
@@ -995,6 +1009,7 @@ void IOThread::InitializeNetworkSessionParamsFromGlobals(
     net::HttpNetworkSession::Params* params) {
   params->host_resolver = globals.host_resolver.get();
   params->cert_verifier = globals.cert_verifier.get();
+  params->cert_policy_enforcer = globals.cert_policy_enforcer.get();
   params->channel_id_service = globals.system_channel_id_service.get();
   params->transport_security_state = globals.transport_security_state.get();
   params->ssl_config_service = globals.ssl_config_service.get();