Refactor Certificate Transparency policy enforcement in //net

The current structure of //net is that there is a base
CTPolicyEnforcer that implements the "CT in Chrome" policy documented
at https://github.com/chromium/ct-policy/blob/master/ct_policy.md ,
and embedders or implementors that wish to override this can derive
from this base and override the concrete virtual method.

However, the CT policy expressed by the CTPolicyEnforcer is
intrinsically tied to the set of logs - both notions like "one Google,
and one non-Google log" (from the policy), but also the ability to
update and maintain those logs over the lifetime of the product. While
this is true for Chrome, this is not true for a number of embedders.

As part of moving the CT configuration 'out' of //net and closer to
the product-level configuration, this changes the CTPolicyEnforcer
to be a pure virtual base, and provides a DefaultCTPolicyEnforcer that
always treats the build as 'out of date' (equivalent to not making any
statement about CT, as it lacks timely details about the logs or the
status of the policy). Because EV treatment right now is mixed between
the cert layer (which flags CERT_STATUS_IS_EV) and the socket layer
(which removes CERT_STATUS_IS_EV if not CT qualified), the socket layer
is updated to allow 'out of date' CT status to grant EV. A future change
will move the EV policy check out of the socket and closer to the CT
policy, so that embedders like Chrome/Chromium can ensure an out of
date log list can result in EV status removal.

The Chrome-specific policy is now moved into
//components/certificate_transparency, the highest it can be moved while
still being usable by the Network Service. The Network Service gains a
new configuration parameter to configure enforcement of the Chrome CT
policy, which works for both the in-process URLRequestContext used by
Chrome and the out-of-process Network Service, as a temporary solution.

This is a significant change in the API contract of the
URLRequestContextBuilder, as it's now effectively moving to disable
CT-by-default for //net embedders other than Chrome/Chromium. This is
intentional, as the widescale rollout of enforcing CT is coupled to
reliable and rapid update mechanisms, and having stale clients with
old lists of logs or old policies can negatively impact the CT
ecosystem - both site operators worried about compatibility with these
products and for CAs wanting to ensure their certificates reliably work.

Mobile versions of Chrome/Chromium are, for the time being, also moved to
disable enforcement, similar to how static HPKP is disabled for Android
and iOS. Additional work will be done to ensure that the list of logs
is reliably updatable for these clients, which will then facilitate
enabling CT enforcement.

BUG=702062

Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.linux:linux_mojo;master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: Ic5145b6759d8843cb9134e7718e5834c7b5bb010
Reviewed-on: https://chromium-review.googlesource.com/1020160
Commit-Queue: Ryan Sleevi <[email protected]>
Reviewed-by: Matt Menke <[email protected]>
Reviewed-by: Emily Stark <[email protected]>
Reviewed-by: Jochen Eisinger <[email protected]>
Cr-Commit-Position: refs/heads/master@{#557070}
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 464ae90..b3a71959 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -7216,7 +7216,7 @@
 
   ct::CTPolicyCompliance CheckCompliance(
       X509Certificate* cert,
-      const SCTList& verified_scts,
+      const ct::SCTList& verified_scts,
       const NetLogWithSource& net_log) override {
     return default_result_;
   }
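Review bot: The parameter type in this test enforcer's `CheckCompliance` override is changed from `const SCTList&` to `const ct::SCTList&`; since the method is marked `override`, any mismatch with the now pure-virtual `CTPolicyEnforcer::CheckCompliance` signature would fail to compile, so this is a mechanical fix with no behaviour change. Nothing to raise beyond confirming that the base declaration uses the same `ct::` qualified name.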
@@ -10779,8 +10779,7 @@
   }
 
   void SetUp() override {
-    context_.SetCTPolicyEnforcer(
-        std::make_unique<AllowAnyCertCTPolicyEnforcer>());
+    context_.SetCTPolicyEnforcer(std::make_unique<DefaultCTPolicyEnforcer>());
     SetupContext();
     context_.Init();
 
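Review bot: Swapping `AllowAnyCertCTPolicyEnforcer` for `DefaultCTPolicyEnforcer` in `SetUp()` changes what this fixture asserts about CT: the old enforcer returned `CT_POLICY_COMPLIES_VIA_SCTS`, while per the commit message the default enforcer always reports the build as 'out of date', which the socket layer is being taught to accept for EV. Tests in this fixture that check EV or CT status now pass for a different reason than before, so it is worth a one-line comment above `context_.SetCTPolicyEnforcer(...)` stating that the default enforcer's 'not timely' result is intentionally relied on here, and worth scanning the fixture's tests for any expectation of `CT_POLICY_COMPLIES_VIA_SCTS` that would now silently change meaning.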
@@ -10847,18 +10846,6 @@
   }
 
  protected:
-  class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer {
-   public:
-    AllowAnyCertCTPolicyEnforcer() = default;
-    ~AllowAnyCertCTPolicyEnforcer() override = default;
-
-    ct::CTPolicyCompliance CheckCompliance(
-        X509Certificate* cert,
-        const SCTList& verified_scts,
-        const NetLogWithSource& net_log) override {
-      return ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS;
-    }
-  };
   // SetupContext configures the URLRequestContext that will be used for making
   // connetions to testserver. This can be overridden in test subclasses for
   // different behaviour.
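Review bot: Removing the whole `AllowAnyCertCTPolicyEnforcer` class is correct once no test references it, but the hunk leaves `protected:` directly followed by the `// SetupContext configures ...` comment with no blank line; a blank line there matches the spacing elsewhere in this file. The neighbouring comment's typo `connetions` is outside the changed lines and can stay for a separate cleanup.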