Certificate Transparency: Require SCTs for EV certificates.

chrome/browser/io_thread.cc

Index: chrome/browser/io_thread.cc
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
index 7cbcf7b3bdcef08d97f8b0ca10cc0fd8e65e657d..4fa4eb5beec11d254d593e3a68647c2cbf1666a4 100644
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -53,9 +53,11 @@
 #include "content/public/browser/cookie_store_factory.h"
 #include "net/base/host_mapping_rules.h"
 #include "net/base/net_util.h"
+#include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_proc.h"
 #include "net/cert/ct_known_logs.h"
+#include "net/cert/ct_known_logs_static.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/multi_log_ct_verifier.h"
@@ -642,6 +644,15 @@ void IOThread::InitAsync() {
     }
   }
 
+  net::CertPolicyEnforcer* policy_enforcer = NULL;
+  // TODO(eranm): Control with Finch, crbug.com/437766
+  if (command_line.HasSwitch(switches::kRequireCTForEV)) {
+    policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, true);
+  } else {
+    policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, false);
+  }
+  globals_->cert_policy_enforcer.reset(policy_enforcer);
+
   globals_->ssl_config_service = GetSSLConfigService();
 
   SetupDataReductionProxy(network_delegate);
@@ -988,6 +999,7 @@ void IOThread::InitializeNetworkSessionParamsFromGlobals(
     net::HttpNetworkSession::Params* params) {
   params->host_resolver = globals.host_resolver.get();
   params->cert_verifier = globals.cert_verifier.get();
+  params->cert_policy_enforcer = globals.cert_policy_enforcer.get();
   params->channel_id_service = globals.system_channel_id_service.get();
   params->transport_security_state = globals.transport_security_state.get();
   params->ssl_config_service = globals.ssl_config_service.get();