diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc --- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency 2019-09-03 22:08:28.931786496 +0200 +++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc 2019-09-03 22:15:24.743555759 +0200 @@ -17,6 +17,7 @@ #include "chrome/common/pref_names.h" #include "chrome/test/base/in_process_browser_test.h" #include "components/prefs/pref_service.h" +#include "services/network/public/cpp/network_service_buildflags.h" #include "services/network/public/mojom/network_context.mojom.h" #include "services/network/public/mojom/network_service.mojom.h" #include "testing/gmock/include/gmock/gmock.h" @@ -297,3 +298,55 @@ IN_PROC_BROWSER_TEST_P(SystemNetworkCont INSTANTIATE_TEST_SUITE_P(, SystemNetworkContextManagerStubResolverBrowsertest, ::testing::Values(false, true)); + +class SystemNetworkContextManagerCertificateTransparencyBrowsertest + : public SystemNetworkContextManagerBrowsertest, + public testing::WithParamInterface> { + public: + SystemNetworkContextManagerCertificateTransparencyBrowsertest() { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + GetParam()); + } + ~SystemNetworkContextManagerCertificateTransparencyBrowsertest() override { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::nullopt); + } +}; + +#if BUILDFLAG(IS_CT_SUPPORTED) +IN_PROC_BROWSER_TEST_P( + SystemNetworkContextManagerCertificateTransparencyBrowsertest, + CertificateTransparencyConfig) { + network::mojom::NetworkContextParamsPtr context_params = + g_browser_process->system_network_context_manager() + ->CreateDefaultNetworkContextParams(); + + const bool kDefault = +#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \ + !defined(OS_ANDROID) + true; +#else + false; +#endif + + EXPECT_EQ(GetParam().value_or(kDefault), + context_params->enforce_chrome_ct_policy); + EXPECT_NE(GetParam().value_or(kDefault), context_params->ct_logs.empty()); + + if (GetParam().value_or(kDefault)) { + bool has_google_log = false; + bool has_disqualified_log = false; + for (const auto& ct_log : context_params->ct_logs) { + has_google_log |= ct_log->operated_by_google; + has_disqualified_log |= ct_log->disqualified_at.has_value(); + } + EXPECT_TRUE(has_google_log); + EXPECT_TRUE(has_disqualified_log); + } +} +#endif + +INSTANTIATE_TEST_SUITE_P( + , + SystemNetworkContextManagerCertificateTransparencyBrowsertest, + ::testing::Values(base::nullopt, true, false)); diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc --- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200 +++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 22:13:26.451198970 +0200 @@ -4,11 +4,13 @@ #include "chrome/browser/net/system_network_context_manager.h" +#include #include #include #include #include "base/bind.h" +#include "base/build_time.h" #include "base/command_line.h" #include "base/feature_list.h" #include "base/logging.h" @@ -51,6 +53,7 @@ #include "content/public/common/mime_handler_view_mode.h" #include "content/public/common/service_names.mojom.h" #include "content/public/common/user_agent.h" +#include "crypto/sha2.h" #include "mojo/public/cpp/bindings/associated_interface_ptr.h" #include "net/dns/public/util.h" #include "net/net_buildflags.h" @@ -81,6 +84,20 @@ namespace { +constexpr bool kCertificateTransparencyEnabled = +#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \ + !defined(OS_ANDROID) + // Certificate Transparency is only enabled if: + // - Desktop (!OS_ANDROID); OS_IOS does not use this file + // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD) + // - The build in reliably updatable (GOOGLE_CHROME_BUILD) + true; +#else + false; +#endif + +bool g_enable_certificate_transparency = kCertificateTransparencyEnabled; + // The global instance of the SystemNetworkContextmanager. SystemNetworkContextManager* g_system_network_context_manager = nullptr; @@ -686,14 +703,35 @@ SystemNetworkContextManager::CreateDefau bool http_09_on_non_default_ports_enabled = false; #if !defined(OS_ANDROID) - // CT is only enabled on Desktop platforms for now. - network_context_params->enforce_chrome_ct_policy = true; - for (const auto& ct_log : certificate_transparency::GetKnownLogs()) { - // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication. - network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New(); - log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length); - log_info->name = ct_log.log_name; - network_context_params->ct_logs.push_back(std::move(log_info)); + + if (g_enable_certificate_transparency) { + network_context_params->enforce_chrome_ct_policy = true; + network_context_params->ct_log_update_time = base::GetBuildTime(); + + std::vector operated_by_google_logs = + certificate_transparency::GetLogsOperatedByGoogle(); + std::vector> disqualified_logs = + certificate_transparency::GetDisqualifiedLogs(); + for (const auto& ct_log : certificate_transparency::GetKnownLogs()) { + // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication. + network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New(); + log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length); + log_info->name = ct_log.log_name; + + std::string log_id = crypto::SHA256HashString(log_info->public_key); + log_info->operated_by_google = + std::binary_search(std::begin(operated_by_google_logs), + std::end(operated_by_google_logs), log_id); + auto it = std::lower_bound( + std::begin(disqualified_logs), std::end(disqualified_logs), log_id, + [](const auto& disqualified_log, const std::string& log_id) { + return disqualified_log.first < log_id; + }); + if (it != std::end(disqualified_logs) && it->first == log_id) { + log_info->disqualified_at = it->second; + } + network_context_params->ct_logs.push_back(std::move(log_info)); + } } const base::Value* value = @@ -756,6 +794,12 @@ SystemNetworkContextManager::GetHttpAuth return CreateHttpAuthDynamicParams(g_browser_process->local_state()); } +void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::Optional enabled) { + g_enable_certificate_transparency = + enabled.value_or(kCertificateTransparencyEnabled); +} + network::mojom::NetworkContextParamsPtr SystemNetworkContextManager::CreateNetworkContextParams() { // TODO(mmenke): Set up parameters here (in memory cookie store, etc). diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h --- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency 2019-08-26 21:02:05.000000000 +0200 +++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h 2019-09-03 22:08:28.931786496 +0200 @@ -158,6 +158,12 @@ class SystemNetworkContextManager { static network::mojom::HttpAuthDynamicParamsPtr GetHttpAuthDynamicParamsForTesting(); + // Enables Certificate Transparency and enforcing the Chrome Certificate + // Transparency Policy. For test use only. Use base::nullopt_t to reset to + // the default state. + static void SetEnableCertificateTransparencyForTesting( + base::Optional enabled); + private: class URLLoaderFactoryForSystem; diff -up chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc --- chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200 +++ chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc 2019-09-03 22:08:28.932786508 +0200 @@ -4834,7 +4834,7 @@ IN_PROC_BROWSER_TEST_P(SSLPolicyTestComm browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); } -IN_PROC_BROWSER_TEST_F(PolicyTest, +IN_PROC_BROWSER_TEST_F(CertificateTransparencyPolicyTest, CertificateTransparencyEnforcementDisabledForCas) { net::EmbeddedTestServer https_server_ok(net::EmbeddedTestServer::TYPE_HTTPS); https_server_ok.SetSSLConfig(net::EmbeddedTestServer::CERT_OK); diff -up chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc --- chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200 +++ chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc 2019-09-03 22:08:28.932786508 +0200 @@ -8,6 +8,7 @@ #include "base/callback.h" #include "base/run_loop.h" #include "base/test/scoped_feature_list.h" +#include "chrome/browser/net/system_network_context_manager.h" #include "chrome/browser/profiles/profile.h" #include "chrome/browser/ssl/cert_verifier_browser_test.h" #include "chrome/browser/ui/browser.h" @@ -27,7 +28,17 @@ namespace { // received by a server. class ExpectCTBrowserTest : public CertVerifierBrowserTest { public: - ExpectCTBrowserTest() : CertVerifierBrowserTest() {} + ExpectCTBrowserTest() : CertVerifierBrowserTest() { + // Expect-CT reporting depends on actually enforcing Certificate + // Transparency. + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + true); + } + + ~ExpectCTBrowserTest() override { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::nullopt); + } void SetUpOnMainThread() override { run_loop_ = std::make_unique(); diff -up chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc --- chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200 +++ chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc 2019-09-03 22:08:28.932786508 +0200 @@ -457,6 +457,13 @@ class SecurityStateTabHelperTest : publi SecurityStateTabHelperTest() : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) { https_server_.ServeFilesFromSourceDirectory(GetChromeTestDataDir()); + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + true); + } + + ~SecurityStateTabHelperTest() override { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::nullopt); } void SetUpOnMainThread() override { diff -up chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc --- chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200 +++ chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc 2019-09-03 22:08:28.934786531 +0200 @@ -2008,8 +2008,14 @@ class CertificateTransparencySSLUITest : public: CertificateTransparencySSLUITest() : CertVerifierBrowserTest(), - https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {} - ~CertificateTransparencySSLUITest() override {} + https_server_(net::EmbeddedTestServer::TYPE_HTTPS) { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + true); + } + ~CertificateTransparencySSLUITest() override { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::nullopt); + } void SetUpOnMainThread() override { CertVerifierBrowserTest::SetUpOnMainThread(); diff -up chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h --- chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency 2019-08-26 21:02:14.000000000 +0200 +++ chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h 2019-09-03 22:08:28.934786531 +0200 @@ -45,6 +45,19 @@ class ChromeCTPolicyEnforcer : public ne void SetClockForTesting(const base::Clock* clock) { clock_ = clock; } + // TODO(https://crbug.com/999240): These are exposed to allow end-to-end + // testing by higher layers (i.e. that the ChromeCTPolicyEnforcer is + // correctly constructed). When either this issue or https://crbug.com/848277 + // are fixed, the configuration can be tested independently, and these can + // be removed. + const std::vector& operated_by_google_logs_for_testing() { + return operated_by_google_logs_; + } + const std::vector>& + disqualified_logs_for_testing() { + return disqualified_logs_; + } + private: // Returns true if the log identified by |log_id| (the SHA-256 hash of the // log's DER-encoded SPKI) has been disqualified, and sets diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context.cc --- chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200 +++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 22:17:27.977834857 +0200 @@ -35,6 +35,7 @@ #include "components/prefs/pref_registry_simple.h" #include "components/prefs/pref_service.h" #include "components/prefs/pref_service_factory.h" +#include "crypto/sha2.h" #include "mojo/public/cpp/bindings/strong_binding.h" #include "net/base/layered_network_delegate.h" #include "net/base/load_flags.h" @@ -1851,16 +1852,6 @@ URLRequestContextOwner NetworkContext::A base::FeatureList::IsEnabled(features::kNetworkErrorLogging)); #endif // BUILDFLAG(ENABLE_REPORTING) -#if BUILDFLAG(IS_CT_SUPPORTED) - if (params_->enforce_chrome_ct_policy) { - builder->set_ct_policy_enforcer( - std::make_unique( - base::GetBuildTime(), - certificate_transparency::GetDisqualifiedLogs(), - certificate_transparency::GetLogsOperatedByGoogle())); - } -#endif // BUILDFLAG(IS_CT_SUPPORTED) - net::HttpNetworkSession::Params session_params; bool is_quic_force_disabled = false; if (network_service_ && network_service_->quic_disabled()) @@ -1910,8 +1901,20 @@ URLRequestContextOwner NetworkContext::A #if BUILDFLAG(IS_CT_SUPPORTED) std::vector> ct_logs; + std::vector> disqualified_logs; + std::vector operated_by_google_logs; + if (!params_->ct_logs.empty()) { for (const auto& log : params_->ct_logs) { + if (log->operated_by_google || log->disqualified_at) { + std::string log_id = crypto::SHA256HashString(log->public_key); + if (log->operated_by_google) + operated_by_google_logs.push_back(log_id); + if (log->disqualified_at) { + disqualified_logs.push_back( + std::make_pair(log_id, log->disqualified_at.value())); + } + } scoped_refptr log_verifier = net::CTLogVerifier::Create(log->public_key, log->name); if (!log_verifier) { @@ -1924,6 +1927,17 @@ URLRequestContextOwner NetworkContext::A ct_verifier->AddLogs(ct_logs); builder->set_ct_verifier(std::move(ct_verifier)); } + + if (params_->enforce_chrome_ct_policy) { + std::sort(std::begin(operated_by_google_logs), + std::end(operated_by_google_logs)); + std::sort(std::begin(disqualified_logs), std::end(disqualified_logs)); + + builder->set_ct_policy_enforcer( + std::make_unique( + params_->ct_log_update_time, disqualified_logs, + operated_by_google_logs)); + } #endif // BUILDFLAG(IS_CT_SUPPORTED) const base::CommandLine* command_line = diff -up chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context_unittest.cc --- chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200 +++ chromium-76.0.3809.132/services/network/network_context_unittest.cc 2019-09-03 22:20:22.382888089 +0200 @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. +#include #include #include #include @@ -38,10 +39,12 @@ #include "base/threading/thread_task_runner_handle.h" #include "base/time/default_clock.h" #include "base/time/default_tick_clock.h" +#include "base/time/time.h" #include "build/build_config.h" #include "components/network_session_configurator/browser/network_session_configurator.h" #include "components/network_session_configurator/common/network_switches.h" #include "components/prefs/testing_pref_service.h" +#include "crypto/sha2.h" #include "mojo/public/cpp/bindings/interface_request.h" #include "mojo/public/cpp/bindings/strong_binding.h" #include "mojo/public/cpp/system/data_pipe_utils.h" @@ -113,6 +116,11 @@ #include "url/scheme_host_port.h" #include "url/url_constants.h" +#if BUILDFLAG(IS_CT_SUPPORTED) +#include "components/certificate_transparency/chrome_ct_policy_enforcer.h" +#include "services/network/public/mojom/ct_log_info.mojom.h" +#endif + #if BUILDFLAG(ENABLE_REPORTING) #include "net/network_error_logging/network_error_logging_service.h" #include "net/reporting/reporting_cache.h" @@ -5566,6 +5574,72 @@ TEST_F(NetworkContextTest, BlockAllCooki EXPECT_EQ("None", response_body); } +#if BUILDFLAG(IS_CT_SUPPORTED) +TEST_F(NetworkContextTest, CertificateTransparencyConfig) { + mojom::NetworkContextParamsPtr params = CreateContextParams(); + params->enforce_chrome_ct_policy = true; + params->ct_log_update_time = base::Time::Now(); + + // The log public keys do not matter for the test, so invalid keys are used. + // However, because the log IDs are derived from the SHA-256 hash of the log + // key, the log keys are generated such that qualified logs are in the form + // of four digits (e.g. "0000", "1111"), while disqualified logs are in the + // form of four letters (e.g. "AAAA", "BBBB"). + + for (int i = 0; i < 6; ++i) { + network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New(); + // Shift to ASCII '0' (0x30) + log_info->public_key = std::string(4, 0x30 + static_cast(i)); + log_info->name = std::string(4, 0x30 + static_cast(i)); + log_info->operated_by_google = i % 2; + + params->ct_logs.push_back(std::move(log_info)); + } + for (int i = 0; i < 3; ++i) { + network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New(); + // Shift to ASCII 'A' (0x41) + log_info->public_key = std::string(4, 0x41 + static_cast(i)); + log_info->name = std::string(4, 0x41 + static_cast(i)); + log_info->operated_by_google = false; + log_info->disqualified_at = base::TimeDelta::FromSeconds(i); + + params->ct_logs.push_back(std::move(log_info)); + } + std::unique_ptr network_context = + CreateContextWithParams(std::move(params)); + + net::CTPolicyEnforcer* request_enforcer = + network_context->url_request_context()->ct_policy_enforcer(); + ASSERT_TRUE(request_enforcer); + + // Completely unsafe if |enforce_chrome_ct_policy| is false. + certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer = + reinterpret_cast( + request_enforcer); + + EXPECT_TRUE(std::is_sorted( + policy_enforcer->operated_by_google_logs_for_testing().begin(), + policy_enforcer->operated_by_google_logs_for_testing().end())); + EXPECT_TRUE( + std::is_sorted(policy_enforcer->disqualified_logs_for_testing().begin(), + policy_enforcer->disqualified_logs_for_testing().end())); + + EXPECT_THAT( + policy_enforcer->operated_by_google_logs_for_testing(), + ::testing::UnorderedElementsAreArray({crypto::SHA256HashString("1111"), + crypto::SHA256HashString("3333"), + crypto::SHA256HashString("5555")})); + EXPECT_THAT(policy_enforcer->disqualified_logs_for_testing(), + ::testing::UnorderedElementsAre( + ::testing::Pair(crypto::SHA256HashString("AAAA"), + base::TimeDelta::FromSeconds(0)), + ::testing::Pair(crypto::SHA256HashString("BBBB"), + base::TimeDelta::FromSeconds(1)), + ::testing::Pair(crypto::SHA256HashString("CCCC"), + base::TimeDelta::FromSeconds(2)))); +} +#endif + } // namespace } // namespace network diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom --- chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200 +++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 22:08:28.936786554 +0200 @@ -4,6 +4,8 @@ module network.mojom; +import "mojo/public/mojom/base/time.mojom"; + // A single Certificate Transparency Log configuration. struct CTLogInfo { // The DER-encoded SubjectPublicKeyInfo of the log. @@ -14,4 +16,13 @@ struct CTLogInfo { // The human-readable, log-supplied log name. Note that this will not be // translated. string name; + + // Whether or not the log should should be considered a Google Log for the + // purposes of enforcing the "Certificate Transparency in Chrome" policy. + bool operated_by_google = false; + + // If set, the time since the Unix Epoch when the log was disqualified. This + // is used to determine the "once or currently qualified" status of the log. + // If the log is currently qualified, this will not be set. + mojo_base.mojom.TimeDelta? disqualified_at; }; diff -up chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom --- chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200 +++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 22:08:28.936786554 +0200 @@ -238,15 +238,6 @@ struct NetworkContextParams { [EnableIf=is_android] bool check_clear_text_permitted = false; - // True if the "Certificate Transparency in Chrome" policy (see - // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should - // be enforced for certificates and connections. - // - // See //net/docs/certificate-transparency.md before setting this flag to - // true. - [EnableIf=is_ct_supported] - bool enforce_chrome_ct_policy = false; - // Enables HTTP/0.9 on ports other than 80 for HTTP and 443 for HTTPS. bool http_09_on_non_default_ports_enabled = false; @@ -299,6 +290,15 @@ struct NetworkContextParams { // servers, so they can discover misconfigurations. bool enable_certificate_reporting = false; + // True if the "Certificate Transparency in Chrome" policy (see + // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should + // be enforced for certificates and connections. + // + // See //net/docs/certificate-transparency.md before setting this flag to + // true. + [EnableIf=is_ct_supported] + bool enforce_chrome_ct_policy = false; + // Enables Expect CT reporting, which sends reports for opted-in sites that // don't serve sufficient Certificate Transparency information. [EnableIf=is_ct_supported] @@ -310,6 +310,13 @@ struct NetworkContextParams { [EnableIf=is_ct_supported] array ct_logs; + // When the Certificate Transparency logs in |ct_logs| were last updated. If + // |enforce_chrome_ct_policy| is set, and |ct_log_update_time| is not + // sufficiently recent, enforcement of the "Certificate Transparency in + // Chrome" policy will be disabled. + [EnableIf=is_ct_supported] + mojo_base.mojom.Time ct_log_update_time; + // Specifies the path to the directory where NSS will store its database. [EnableIf=is_chromeos] mojo_base.mojom.FilePath? nss_path;