Move the CTLogList out of //net

The hardcoded list of CT logs is only safe for clients that support
regular updates and the capability of rapid updates, such as Google
Chrome. Hardcoding a list log logs in products that are not regularly
updated runs the risk of ossifying or fragmenting the CT ecosystem.

To avoid accidental misuse, move from //net into
//components/certificate_transparency, moving it further away from
the notion as a "base service" and more into "an optional component
with caveats".

BUG=702062

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo;master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: I6be05436a916779bd5c8fcf7fe93b120bda47828
Reviewed-on: https://chromium-review.googlesource.com/1052073
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Eran Messeri <eranm@chromium.org>
Reviewed-by: Ryan Hamilton <rch@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557993}

chrome/browser/io_thread.cc

@@ -41,6 +41,7 @@
 #include "chrome/common/chrome_features.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 #include "components/data_reduction_proxy/core/browser/data_reduction_proxy_prefs.h"
 #include "components/data_usage/core/data_use_aggregator.h"
 #include "components/data_usage/core/data_use_amortizer.h"
@@ -65,7 +66,6 @@
 #include "net/cert/caching_cert_verifier.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_proc.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/multi_threaded_cert_verifier.h"
 #include "net/dns/host_cache.h"
@@ -522,10 +522,6 @@ void IOThread::Init() {
                         CRYPTO_needs_hwcap2_workaround());
 #endif
 
-  std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs(
-      net::ct::CreateLogVerifiersForKnownLogs());
-  globals_->ct_logs.assign(ct_logs.begin(), ct_logs.end());
-
   ConstructSystemRequestContext();
 
   UpdateDnsClientEnabled();

chrome/browser/io_thread.h

@@ -44,11 +44,6 @@ class ExternalDataUseObserver;
 }
 #endif  // defined(OS_ANDROID)
 
-namespace certificate_transparency {
-class TreeStateTracker;
-class STHObserver;
-}
-
 namespace chrome_browser_net {
 class DnsProbeService;
 }
@@ -67,7 +62,6 @@ class EventRouterForwarder;
 
 namespace net {
 class CertVerifier;
-class CTLogVerifier;
 class HostResolver;
 class HttpAuthHandlerFactory;
 class HttpAuthPreferences;
@@ -124,7 +118,6 @@ class IOThread : public content::BrowserThreadDelegate {
     std::unique_ptr<android::ExternalDataUseObserver>
         external_data_use_observer;
 #endif  // defined(OS_ANDROID)
-    std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
     std::unique_ptr<net::HttpAuthPreferences> http_auth_preferences;
 
     // NetworkQualityEstimator only for use in dummy in-process
@@ -193,17 +186,9 @@ class IOThread : public content::BrowserThreadDelegate {
   // Returns the callback for updating data use prefs.
   metrics::UpdateUsagePrefCallbackType GetMetricsDataUseForwarder();
 
-  // Registers the |observer| for new STH notifications.
-  void RegisterSTHObserver(certificate_transparency::STHObserver* observer);
-
-  // Un-registers the |observer|.
-  void UnregisterSTHObserver(certificate_transparency::STHObserver* observer);
-
   // Configures |builder|'s ProxyResolutionService based on prefs and policies.
   void SetUpProxyService(network::URLRequestContextBuilderMojo* builder) const;
 
-  certificate_transparency::TreeStateTracker* ct_tree_tracker() const;
-
  private:
   // BrowserThreadDelegate implementation, runs on the IO thread.
   // This handles initialization and destruction of state that must

chrome/browser/net/default_network_context_params.cc

@@ -17,6 +17,7 @@
 #include "chrome/common/chrome_content_client.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 #include "components/policy/core/common/policy_namespace.h"
 #include "components/policy/core/common/policy_service.h"
 #include "components/policy/policy_constants.h"
@@ -26,7 +27,6 @@
 #include "content/public/common/content_features.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/user_agent.h"
-#include "net/cert/ct_known_logs.h"
 #include "services/proxy_resolver/public/mojom/proxy_resolver.mojom.h"
 
 network::mojom::NetworkContextParamsPtr CreateDefaultNetworkContextParams() {
@@ -73,7 +73,7 @@ network::mojom::NetworkContextParamsPtr CreateDefaultNetworkContextParams() {
 #if !defined(OS_ANDROID)
   // CT is only enabled on Desktop platforms for now.
   network_context_params->enforce_chrome_ct_policy = true;
-  for (const auto& ct_log : net::ct::GetKnownLogs()) {
+  for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
     // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
     network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
     log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);

chromecast/browser/url_request_context_factory.cc

@@ -27,7 +27,7 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
-#include "net/cert/do_nothing_ct_verifier.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/cert_net/nss_ocsp.h"
 #include "net/cookies/cookie_store.h"
 #include "net/dns/host_resolver.h"
@@ -231,8 +231,7 @@ void URLRequestContextFactory::InitializeSystemContextDependencies() {
   cert_verifier_ = net::CertVerifier::CreateDefault();
   ssl_config_service_ = new net::SSLConfigServiceDefaults;
   transport_security_state_.reset(new net::TransportSecurityState());
-  // Certificate transparency is current disabled for Chromecast.
-  cert_transparency_verifier_.reset(new net::DoNothingCTVerifier());
+  cert_transparency_verifier_.reset(new net::MultiLogCTVerifier());
   ct_policy_enforcer_.reset(new net::DefaultCTPolicyEnforcer());
 
   http_auth_handler_factory_ =

components/certificate_transparency/BUILD.gn

@@ -6,6 +6,8 @@ static_library("certificate_transparency") {
   sources = [
     "chrome_ct_policy_enforcer.cc",
     "chrome_ct_policy_enforcer.h",
+    "ct_known_logs.cc",
+    "ct_known_logs.h",
     "ct_policy_manager.cc",
     "ct_policy_manager.h",
     "features.cc",
@@ -27,6 +29,7 @@ static_library("certificate_transparency") {
   deps = [
     "//base",
     "//components/base32",
+    "//components/certificate_transparency/data:ct_log_list",
     "//components/prefs",
     "//components/url_formatter",
     "//components/url_matcher",
@@ -39,6 +42,7 @@ source_set("unit_tests") {
   testonly = true
   sources = [
     "chrome_ct_policy_enforcer_unittest.cc",
+    "ct_known_logs_unittest.cc",
     "ct_policy_manager_unittest.cc",
     "log_dns_client_unittest.cc",
     "mock_log_dns_traffic.cc",
@@ -51,6 +55,7 @@ source_set("unit_tests") {
     ":certificate_transparency",
     "//base/test:test_support",
     "//components/base32",
+    "//components/certificate_transparency/data:ct_log_list",
     "//components/prefs:test_support",
     "//net:test_support",
     "//testing/gmock",

components/certificate_transparency/chrome_ct_policy_enforcer.cc

@@ -20,7 +20,7 @@
 #include "base/time/time.h"
 #include "base/values.h"
 #include "base/version.h"
-#include "net/cert/ct_known_logs.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/cert/x509_certificate.h"
@@ -135,7 +135,7 @@ CTPolicyCompliance CheckCTPolicyCompliance(
   base::Time issuance_date = base::Time::Max();
   for (const auto& sct : verified_scts) {
     base::Time unused;
-    if (net::ct::IsLogDisqualified(sct->log_id, &unused))
+    if (IsLogDisqualified(sct->log_id, &unused))
       continue;
     issuance_date = std::min(sct->timestamp, issuance_date);
   }
@@ -150,7 +150,7 @@ CTPolicyCompliance CheckCTPolicyCompliance(
   for (const auto& sct : verified_scts) {
     base::Time disqualification_date;
     bool is_disqualified =
-        net::ct::IsLogDisqualified(sct->log_id, &disqualification_date);
+        IsLogDisqualified(sct->log_id, &disqualification_date);
     if (is_disqualified &&
         sct->origin != net::ct::SignedCertificateTimestamp::SCT_EMBEDDED) {
       // For OCSP and TLS delivered SCTs, only SCTs that are valid at the
@@ -158,7 +158,7 @@ CTPolicyCompliance CheckCTPolicyCompliance(
       continue;
     }
 
-    if (net::ct::IsLogOperatedByGoogle(sct->log_id)) {
+    if (IsLogOperatedByGoogle(sct->log_id)) {
       has_valid_google_sct |= !is_disqualified;
       if (sct->origin == net::ct::SignedCertificateTimestamp::SCT_EMBEDDED)
         has_embedded_google_sct = true;

net/cert/ct_known_logs.cc → components/certificate_transparency/ct_known_logs.cc

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/cert/ct_known_logs.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 
 #include <stddef.h>
 #include <string.h>
@@ -12,43 +12,16 @@
 
 #include "base/logging.h"
 #include "base/macros.h"
+#include "base/stl_util.h"
 #include "base/time/time.h"
 #include "crypto/sha2.h"
 
-#if !defined(OS_NACL)
-#include "net/cert/ct_log_verifier.h"
-#endif
-
-namespace net {
-
-namespace ct {
+namespace certificate_transparency {
 
 namespace {
-
-#include "net/data/ssl/certificate_transparency/log_list-inc.cc"
-
+#include "components/certificate_transparency/data/log_list-inc.cc"
 }  // namespace
 
-#if !defined(OS_NACL)
-std::vector<scoped_refptr<const CTLogVerifier>>
-CreateLogVerifiersForKnownLogs() {
-  std::vector<scoped_refptr<const CTLogVerifier>> verifiers;
-
-  for (const auto& log : GetKnownLogs()) {
-    scoped_refptr<const CTLogVerifier> log_verifier = CTLogVerifier::Create(
-        base::StringPiece(log.log_key, log.log_key_length), log.log_name,
-        log.log_dns_domain);
-    // Make sure no null logs enter verifiers. Parsing of all statically
-    // configured logs should always succeed, unless there has been binary or
-    // memory corruption.
-    CHECK(log_verifier);
-    verifiers.push_back(std::move(log_verifier));
-  }
-
-  return verifiers;
-}
-#endif
-
 std::vector<CTLogInfo> GetKnownLogs() {
   // Add all qualified logs.
   std::vector<CTLogInfo> logs(std::begin(kCTLogList), std::end(kCTLogList));
@@ -73,7 +46,7 @@ bool IsLogOperatedByGoogle(base::StringPiece log_id) {
 
 bool IsLogDisqualified(base::StringPiece log_id,
                        base::Time* disqualification_date) {
-  CHECK_EQ(log_id.size(), arraysize(kDisqualifiedCTLogList[0].log_id) - 1);
+  CHECK_EQ(log_id.size(), base::size(kDisqualifiedCTLogList[0].log_id) - 1);
 
   auto* p = std::lower_bound(
       std::begin(kDisqualifiedCTLogList), std::end(kDisqualifiedCTLogList),
@@ -91,6 +64,4 @@ bool IsLogDisqualified(base::StringPiece log_id,
   return true;
 }
 
-}  // namespace ct
-
-}  // namespace net
+}  // namespace certificate_transparency

net/cert/ct_known_logs.h → components/certificate_transparency/ct_known_logs.h

@@ -2,25 +2,20 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_CERT_CT_KNOWN_LOGS_H_
-#define NET_CERT_CT_KNOWN_LOGS_H_
+#ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_CT_KNOWN_LOGS_H_
+#define COMPONENTS_CERTIFICATE_TRANSPARENCY_CT_KNOWN_LOGS_H_
 
 #include <vector>
 
 #include "base/memory/ref_counted.h"
 #include "base/strings/string_piece.h"
 #include "build/build_config.h"
-#include "net/base/net_export.h"
 
 namespace base {
 class Time;
 }  // namespace base
 
-namespace net {
-
-class CTLogVerifier;
-
-namespace ct {
+namespace certificate_transparency {
 
 struct CTLogInfo {
   // The DER-encoded SubjectPublicKeyInfo for the log.
@@ -36,24 +31,15 @@ struct CTLogInfo {
   const char* log_dns_domain;
 };
 
-#if !defined(OS_NACL)
-// CreateLogVerifiersForKnownLogs returns a vector of CT logs for all the known
-// logs. This set includes logs that are presently qualified for inclusion and
-// logs which were previously qualifying, but have since been disqualified. To
-// determine the status of a given log, use |IsLogDisqualified()|.
-NET_EXPORT std::vector<scoped_refptr<const CTLogVerifier>>
-CreateLogVerifiersForKnownLogs();
-#endif
-
 // Returns information about all known logs, which includes those that are
 // presently qualified for inclusion and logs which were previously qualified,
 // but have since been disqualified. To determine the status of a given log
 // (via its log ID), use |IsLogDisqualified()|.
-NET_EXPORT std::vector<CTLogInfo> GetKnownLogs();
+std::vector<CTLogInfo> GetKnownLogs();
 
 // Returns true if the log identified by |log_id| (the SHA-256 hash of the
 // log's DER-encoded SPKI) is operated by Google.
-NET_EXPORT bool IsLogOperatedByGoogle(base::StringPiece log_id);
+bool IsLogOperatedByGoogle(base::StringPiece log_id);
 
 // Returns true if the log identified by |log_id| (the SHA-256 hash of the
 // log's DER-encoded SPKI) has been disqualified, and sets
@@ -61,11 +47,9 @@ NET_EXPORT bool IsLogOperatedByGoogle(base::StringPiece log_id);
 // are embedded in certificates issued after |*disqualification_date| should
 // not be trusted, nor contribute to any uniqueness or freshness
 // requirements.
-NET_EXPORT bool IsLogDisqualified(base::StringPiece log_id,
-                                  base::Time* disqualification_date);
-
-}  // namespace ct
+bool IsLogDisqualified(base::StringPiece log_id,
+                       base::Time* disqualification_date);
 
-}  // namespace net
+}  // namespace certificate_transparency
 
-#endif  // NET_CERT_CT_KNOWN_LOGS_H_
+#endif  // COMPONENTS_CERTIFICATE_TRANSPARENCY_CT_KNOWN_LOGS_H_

net/cert/ct_known_logs_unittest.cc → components/certificate_transparency/ct_known_logs_unittest.cc

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/cert/ct_known_logs.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 
 #include <stddef.h>
 #include <stdint.h>
@@ -14,12 +14,10 @@
 #include "crypto/sha2.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-namespace net {
-
-namespace ct {
+namespace certificate_transparency {
 
 namespace {
-#include "net/data/ssl/certificate_transparency/log_list-inc.cc"
+#include "components/certificate_transparency/data/log_list-inc.cc"
 }  // namespace
 
 TEST(CTKnownLogsTest, GoogleIDsAreSorted) {
@@ -37,6 +35,4 @@ TEST(CTKnownLogsTest, DisallowedLogsAreSortedByLogID) {
       }));
 }
 
-}  // namespace ct
-
-}  // namespace net
+}  // namespace certificate_transparency

net/data/ssl/certificate_transparency/BUILD.gn → components/certificate_transparency/data/BUILD.gn

@@ -3,7 +3,8 @@
 # found in the LICENSE file.
 
 action_foreach("ct_log_list") {
-  script = "//net/tools/ct_log_list/make_ct_known_logs_list.py"
+  script =
+      "//components/certificate_transparency/tools/make_ct_known_logs_list.py"
   sources = [
     "log_list.json",
   ]

net/tools/ct_log_list/PRESUBMIT.py → components/certificate_transparency/tools/PRESUBMIT.py

@@ -9,9 +9,9 @@
 def _RunMakeCTLogListTests(input_api, output_api):
   """Runs make_ct_known_logs_list unittests if related files were modified."""
   files = (input_api.os_path.normpath(x) for x in
-           ('net/tools/ct_log_list/make_ct_known_logs_list.py',
-            'net/tools/ct_log_list/make_ct_known_logs_list_unittest.py',
-            'net/data/ssl/certificate_transparency/log_list.json'))
+           ('components/certificate_transparency/tools/make_ct_known_logs_list.py',
+            'components/certificate_transparency/tools/make_ct_known_logs_list_unittest.py',
+            'components/certificate_transparency/data/log_list.json'))
   if not any(f in (af.LocalPath() for af in input_api.change.AffectedFiles())
              for f in files):
     return []

content/shell/browser/shell_url_request_context_getter.cc

@@ -26,7 +26,6 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
-#include "net/cert/do_nothing_ct_verifier.h"
 #include "net/cookies/cookie_store.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/mapped_host_resolver.h"
@@ -131,7 +130,6 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() {
     builder.set_user_agent(GetShellUserAgent());
 
     builder.SetCertVerifier(GetCertVerifier());
-    builder.set_ct_verifier(std::make_unique<net::DoNothingCTVerifier>());
 
     std::unique_ptr<net::ProxyResolutionService> proxy_resolution_service =
         GetProxyService();

ios/components/io_thread/ios_io_thread.mm

@@ -37,8 +37,6 @@
 #include "ios/web/public/web_client.h"
 #include "ios/web/public/web_thread.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_known_logs.h"
-#include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/multi_log_ct_verifier.h"
@@ -312,14 +310,7 @@ void IOSIOThread::Init() {
 
   globals_->transport_security_state.reset(new net::TransportSecurityState());
 
-  std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs(
-      net::ct::CreateLogVerifiersForKnownLogs());
-
-  net::MultiLogCTVerifier* ct_verifier = new net::MultiLogCTVerifier();
-  globals_->cert_transparency_verifier.reset(ct_verifier);
-  // Add built-in logs
-  ct_verifier->AddLogs(ct_logs);
-
+  globals_->cert_transparency_verifier.reset(new net::MultiLogCTVerifier());
   globals_->ct_policy_enforcer.reset(new net::DefaultCTPolicyEnforcer());
 
   globals_->ssl_config_service = new net::SSLConfigServiceDefaults();

net/BUILD.gn

@@ -167,8 +167,6 @@ component("net") {
     "cert/client_cert_verifier.h",
     "cert/crl_set.cc",
     "cert/crl_set.h",
-    "cert/ct_known_logs.cc",
-    "cert/ct_known_logs.h",
     "cert/ct_policy_enforcer.cc",
     "cert/ct_policy_enforcer.h",
     "cert/ct_policy_status.h",
@@ -369,7 +367,6 @@ component("net") {
     ":net_resources",
     "//base",
     "//net/base/registry_controlled_domains",
-    "//net/data/ssl/certificate_transparency:ct_log_list",
     "//third_party/protobuf:protobuf_lite",
     "//url:url_features",
   ]
@@ -4761,7 +4758,6 @@ test("net_unittests") {
     "cert/cert_verify_proc_mac_unittest.cc",
     "cert/cert_verify_proc_unittest.cc",
     "cert/crl_set_unittest.cc",
-    "cert/ct_known_logs_unittest.cc",
     "cert/ct_log_response_parser_unittest.cc",
     "cert/ct_log_verifier_unittest.cc",
     "cert/ct_objects_extractor_unittest.cc",
@@ -5372,7 +5368,6 @@ test("net_unittests") {
     "//crypto:platform",
     "//crypto:test_support",
     "//net/base/registry_controlled_domains",
-    "//net/data/ssl/certificate_transparency:ct_log_list",
     "//net/http:transport_security_state_unittest_data",
     "//net/http:transport_security_state_unittest_data_default",
     "//testing/gmock",

net/third_party/quic/tools/quic_client_bin.cc

@@ -47,7 +47,6 @@
 #include "net/base/net_errors.h"
 #include "net/base/privacy_mode.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/multi_log_ct_verifier.h"
@@ -268,7 +267,6 @@ int main(int argc, char* argv[]) {
   std::unique_ptr<TransportSecurityState> transport_security_state(
       new TransportSecurityState);
   std::unique_ptr<MultiLogCTVerifier> ct_verifier(new MultiLogCTVerifier());
-  ct_verifier->AddLogs(net::ct::CreateLogVerifiersForKnownLogs());
   std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer(
       new net::DefaultCTPolicyEnforcer());
   std::unique_ptr<ProofVerifier> proof_verifier;

net/tools/quic/quic_simple_client_bin.cc

@@ -48,7 +48,6 @@
 #include "net/base/net_errors.h"
 #include "net/base/privacy_mode.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/multi_log_ct_verifier.h"
@@ -266,7 +265,6 @@ int main(int argc, char* argv[]) {
   std::unique_ptr<TransportSecurityState> transport_security_state(
       new TransportSecurityState);
   std::unique_ptr<MultiLogCTVerifier> ct_verifier(new MultiLogCTVerifier());
-  ct_verifier->AddLogs(net::ct::CreateLogVerifiersForKnownLogs());
   std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer(
       new net::DefaultCTPolicyEnforcer());
   std::unique_ptr<ProofVerifier> proof_verifier;

net/url_request/url_request_context_builder.cc

@@ -18,7 +18,6 @@
 #include "net/base/net_errors.h"
 #include "net/base/network_delegate_impl.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_verifier.h"
@@ -488,10 +487,8 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
   if (ct_verifier_) {
     storage->set_cert_transparency_verifier(std::move(ct_verifier_));
   } else {
-    std::unique_ptr<MultiLogCTVerifier> ct_verifier =
-        std::make_unique<MultiLogCTVerifier>();
-    ct_verifier->AddLogs(ct::CreateLogVerifiersForKnownLogs());
-    storage->set_cert_transparency_verifier(std::move(ct_verifier));
+    storage->set_cert_transparency_verifier(
+        std::make_unique<MultiLogCTVerifier>());
   }
   if (ct_policy_enforcer_) {
     storage->set_ct_policy_enforcer(std::move(ct_policy_enforcer_));

services/network/network_context_cert_transparency_unittest.cc

@@ -21,7 +21,6 @@
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
 #include "net/cert/cert_verify_result.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_serialization.h"
 #include "net/cert/ct_verifier.h"