Disable Certificate Transparency enforcement for Chromecast.

A dummy CTVerifier and CTPolicyEnforcer is used to turn off parsing, validation, and evaluation of results. BUG= internal b/34104027 Review-Url: https://codereview.chromium.org/2621083004 Cr-Commit-Position: refs/heads/master@{#443030}

Disable Certificate Transparency enforcement for Chromecast.
A dummy CTVerifier and CTPolicyEnforcer is used to turn off parsing, validation, and evaluation of results. BUG= internal b/34104027 Review-Url: https://codereview.chromium.org/2621083004 Cr-Commit-Position: refs/heads/master@{#443030}
1962aeba · ryanchung · Commit bot · 2d4b91cc · 1962aeba
Commit 1962aeba authored Jan 11, 2017 by ryanchung Committed by Commit bot Jan 11, 2017
Show whitespace changes
Inline Side-by-side

Showing with 27 additions and 3 deletions

chromecast/browser/url_request_context_factory.cc chromecast/browser/url_request_context_factory.cc +27 -3

No files found.
--- a/chromecast/browser/url_request_context_factory.cc
+++ b/chromecast/browser/url_request_context_factory.cc
@@ -21,7 +21,8 @@
 #include "content/public/common/url_constants.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
-#include "net/cert/multi_log_ct_verifier.h"
+#include "net/cert/ct_policy_status.h"
+#include "net/cert/do_nothing_ct_verifier.h"
 #include "net/cert_net/nss_ocsp.h"
 #include "net/cookies/cookie_store.h"
 #include "net/dns/host_resolver.h"
@@ -47,6 +48,28 @@ namespace {

 const char kCookieStoreFile[] = "Cookies";

+// A CTPolicyEnforcer that accepts all certificates.
+class IgnoresCTPolicyEnforcer : public net::CTPolicyEnforcer {
+ public:
+  IgnoresCTPolicyEnforcer() = default;
+  ~IgnoresCTPolicyEnforcer() override = default;
+
+  net::ct::CertPolicyCompliance DoesConformToCertPolicy(
+      net::X509Certificate* cert,
+      const net::SCTList& verified_scts,
+      const net::NetLogWithSource& net_log) override {
+    return net::ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;
+  }
+
+  net::ct::EVPolicyCompliance DoesConformToCTEVPolicy(
+      net::X509Certificate* cert,
+      const net::ct::EVCertsWhitelist* ev_whitelist,
+      const net::SCTList& verified_scts,
+      const net::NetLogWithSource& net_log) override {
+    return net::ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
+  }
+};
+
 }  // namespace

 // Private classes to expose URLRequestContextGetter that call back to the
@@ -205,8 +228,9 @@ void URLRequestContextFactory::InitializeSystemContextDependencies() {
  cert_verifier_ = net::CertVerifier::CreateDefault();
  ssl_config_service_ = new net::SSLConfigServiceDefaults;
  transport_security_state_.reset(new net::TransportSecurityState());
-  cert_transparency_verifier_.reset(new net::MultiLogCTVerifier());
-  ct_policy_enforcer_.reset(new net::CTPolicyEnforcer());
+  // Certificate transparency is current disabled for Chromecast.
+  cert_transparency_verifier_.reset(new net::DoNothingCTVerifier());
+  ct_policy_enforcer_.reset(new IgnoresCTPolicyEnforcer());

  http_auth_handler_factory_ =
      net::HttpAuthHandlerFactory::CreateDefault(host_resolver_.get());