Move the CTLogList out of //net

The hardcoded list of CT logs is only safe for clients that support regular updates and the capability of rapid updates, such as Google Chrome. Hardcoding a list log logs in products that are not regularly updated runs the risk of ossifying or fragmenting the CT ecosystem. To avoid accidental misuse, move from //net into //components/certificate_transparency, moving it further away from the notion as a "base service" and more into "an optional component with caveats". BUG=702062 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo;master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs Change-Id: I6be05436a916779bd5c8fcf7fe93b120bda47828 Reviewed-on: https://chromium-review.googlesource.com/1052073 Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Eran Messeri <eranm@chromium.org> Reviewed-by: Ryan Hamilton <rch@chromium.org> Reviewed-by: Jochen Eisinger <jochen@chromium.org> Cr-Commit-Position: refs/heads/master@{#557993}

Move the CTLogList out of //net
The hardcoded list of CT logs is only safe for clients that support regular updates and the capability of rapid updates, such as Google Chrome. Hardcoding a list log logs in products that are not regularly updated runs the risk of ossifying or fragmenting the CT ecosystem. To avoid accidental misuse, move from //net into //components/certificate_transparency, moving it further away from the notion as a "base service" and more into "an optional component with caveats". BUG=702062 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo;master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs Change-Id: I6be05436a916779bd5c8fcf7fe93b120bda47828 Reviewed-on: https://chromium-review.googlesource.com/1052073 Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Eran Messeri <eranm@chromium.org> Reviewed-by: Ryan Hamilton <rch@chromium.org> Reviewed-by: Jochen Eisinger <jochen@chromium.org> Cr-Commit-Position: refs/heads/master@{#557993}
24711fe3 · Ryan Sleevi · Commit Bot · 92e04464 · 24711fe3 · 24711fe3
Commit 24711fe3 authored May 11, 2018 by Ryan Sleevi Committed by Commit Bot May 11, 2018
21 changed files
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -41,6 +41,7 @@
 #include "chrome/common/chrome_features.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 #include "components/data_reduction_proxy/core/browser/data_reduction_proxy_prefs.h"
 #include "components/data_usage/core/data_use_aggregator.h"
 #include "components/data_usage/core/data_use_amortizer.h"
@@ -65,7 +66,6 @@
 #include "net/cert/caching_cert_verifier.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_proc.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/multi_threaded_cert_verifier.h"
 #include "net/dns/host_cache.h"
@@ -522,10 +522,6 @@ void IOThread::Init() {
                        CRYPTO_needs_hwcap2_workaround());
 #endif
-  std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs(
-      net::ct::CreateLogVerifiersForKnownLogs());
-  globals_->ct_logs.assign(ct_logs.begin(), ct_logs.end());
  ConstructSystemRequestContext();
  UpdateDnsClientEnabled();

--- a/chrome/browser/io_thread.h
+++ b/chrome/browser/io_thread.h
@@ -44,11 +44,6 @@ class ExternalDataUseObserver;
 }
 #endif  // defined(OS_ANDROID)
-namespace certificate_transparency {
-class TreeStateTracker;
-class STHObserver;
-}
 namespace chrome_browser_net {
 class DnsProbeService;
 }
@@ -67,7 +62,6 @@ class EventRouterForwarder;
 namespace net {
 class CertVerifier;
-class CTLogVerifier;
 class HostResolver;
 class HttpAuthHandlerFactory;
 class HttpAuthPreferences;
@@ -124,7 +118,6 @@ class IOThread : public content::BrowserThreadDelegate {
    std::unique_ptr<android::ExternalDataUseObserver>
        external_data_use_observer;
 #endif  // defined(OS_ANDROID)
-    std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
    std::unique_ptr<net::HttpAuthPreferences> http_auth_preferences;
    // NetworkQualityEstimator only for use in dummy in-process
@@ -193,17 +186,9 @@ class IOThread : public content::BrowserThreadDelegate {
  // Returns the callback for updating data use prefs.
  metrics::UpdateUsagePrefCallbackType GetMetricsDataUseForwarder();
-  // Registers the |observer| for new STH notifications.
-  void RegisterSTHObserver(certificate_transparency::STHObserver* observer);
-  // Un-registers the |observer|.
-  void UnregisterSTHObserver(certificate_transparency::STHObserver* observer);
  // Configures |builder|'s ProxyResolutionService based on prefs and policies.
  void SetUpProxyService(network::URLRequestContextBuilderMojo* builder) const;
-  certificate_transparency::TreeStateTracker* ct_tree_tracker() const;
 private:
  // BrowserThreadDelegate implementation, runs on the IO thread.
  // This handles initialization and destruction of state that must

--- a/chrome/browser/net/default_network_context_params.cc
+++ b/chrome/browser/net/default_network_context_params.cc
@@ -17,6 +17,7 @@
 #include "chrome/common/chrome_content_client.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 #include "components/policy/core/common/policy_namespace.h"
 #include "components/policy/core/common/policy_service.h"
 #include "components/policy/policy_constants.h"
@@ -26,7 +27,6 @@
 #include "content/public/common/content_features.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/user_agent.h"
-#include "net/cert/ct_known_logs.h"
 #include "services/proxy_resolver/public/mojom/proxy_resolver.mojom.h"
 network::mojom::NetworkContextParamsPtr CreateDefaultNetworkContextParams() {
@@ -73,7 +73,7 @@ network::mojom::NetworkContextParamsPtr CreateDefaultNetworkContextParams() {
 #if !defined(OS_ANDROID)
  // CT is only enabled on Desktop platforms for now.
  network_context_params->enforce_chrome_ct_policy = true;
-  for (const auto& ct_log : net::ct::GetKnownLogs()) {
+  for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
    // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
    network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
    log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);

--- a/chromecast/browser/url_request_context_factory.cc
+++ b/chromecast/browser/url_request_context_factory.cc
@@ -27,7 +27,7 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
-#include "net/cert/do_nothing_ct_verifier.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/cert_net/nss_ocsp.h"
 #include "net/cookies/cookie_store.h"
 #include "net/dns/host_resolver.h"
@@ -231,8 +231,7 @@ void URLRequestContextFactory::InitializeSystemContextDependencies() {
  cert_verifier_ = net::CertVerifier::CreateDefault();
  ssl_config_service_ = new net::SSLConfigServiceDefaults;
  transport_security_state_.reset(new net::TransportSecurityState());
-  // Certificate transparency is current disabled for Chromecast.
+  cert_transparency_verifier_.reset(new net::MultiLogCTVerifier());
-  cert_transparency_verifier_.reset(new net::DoNothingCTVerifier());
  ct_policy_enforcer_.reset(new net::DefaultCTPolicyEnforcer());
  http_auth_handler_factory_ =

--- a/components/certificate_transparency/BUILD.gn
+++ b/components/certificate_transparency/BUILD.gn
@@ -6,6 +6,8 @@ static_library("certificate_transparency") {
  sources = [
    "chrome_ct_policy_enforcer.cc",
    "chrome_ct_policy_enforcer.h",
+    "ct_known_logs.cc",
+    "ct_known_logs.h",
    "ct_policy_manager.cc",
    "ct_policy_manager.h",
    "features.cc",
@@ -27,6 +29,7 @@ static_library("certificate_transparency") {
  deps = [
    "//base",
    "//components/base32",
+    "//components/certificate_transparency/data:ct_log_list",
    "//components/prefs",
    "//components/url_formatter",
    "//components/url_matcher",
@@ -39,6 +42,7 @@ source_set("unit_tests") {
  testonly = true
  sources = [
    "chrome_ct_policy_enforcer_unittest.cc",
+    "ct_known_logs_unittest.cc",
    "ct_policy_manager_unittest.cc",
    "log_dns_client_unittest.cc",
    "mock_log_dns_traffic.cc",
@@ -51,6 +55,7 @@ source_set("unit_tests") {
    ":certificate_transparency",
    "//base/test:test_support",
    "//components/base32",
+    "//components/certificate_transparency/data:ct_log_list",
    "//components/prefs:test_support",
    "//net:test_support",
    "//testing/gmock",

--- a/components/certificate_transparency/chrome_ct_policy_enforcer.cc
+++ b/components/certificate_transparency/chrome_ct_policy_enforcer.cc
@@ -20,7 +20,7 @@
 #include "base/time/time.h"
 #include "base/values.h"
 #include "base/version.h"
-#include "net/cert/ct_known_logs.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/cert/x509_certificate.h"
@@ -135,7 +135,7 @@ CTPolicyCompliance CheckCTPolicyCompliance(
  base::Time issuance_date = base::Time::Max();
  for (const auto& sct : verified_scts) {
    base::Time unused;
-    if (net::ct::IsLogDisqualified(sct->log_id, &unused))
+    if (IsLogDisqualified(sct->log_id, &unused))
      continue;
    issuance_date = std::min(sct->timestamp, issuance_date);
  }
@@ -150,7 +150,7 @@ CTPolicyCompliance CheckCTPolicyCompliance(
  for (const auto& sct : verified_scts) {
    base::Time disqualification_date;
    bool is_disqualified =
-        net::ct::IsLogDisqualified(sct->log_id, &disqualification_date);
+        IsLogDisqualified(sct->log_id, &disqualification_date);
    if (is_disqualified &&
        sct->origin != net::ct::SignedCertificateTimestamp::SCT_EMBEDDED) {
      // For OCSP and TLS delivered SCTs, only SCTs that are valid at the
@@ -158,7 +158,7 @@ CTPolicyCompliance CheckCTPolicyCompliance(
      continue;
    }
-    if (net::ct::IsLogOperatedByGoogle(sct->log_id)) {
+    if (IsLogOperatedByGoogle(sct->log_id)) {
      has_valid_google_sct |= !is_disqualified;
      if (sct->origin == net::ct::SignedCertificateTimestamp::SCT_EMBEDDED)
        has_embedded_google_sct = true;

--- a/net/cert/ct_known_logs.cc
+++ b/net/cert/ct_known_logs.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-#include "net/cert/ct_known_logs.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 #include <stddef.h>
 #include <string.h>
@@ -12,43 +12,16 @@
 #include "base/logging.h"
 #include "base/macros.h"
+#include "base/stl_util.h"
 #include "base/time/time.h"
 #include "crypto/sha2.h"
-#if !defined(OS_NACL)
+namespace certificate_transparency {
-#include "net/cert/ct_log_verifier.h"
-#endif
-namespace net {
-namespace ct {
 namespace {
+#include "components/certificate_transparency/data/log_list-inc.cc"
-#include "net/data/ssl/certificate_transparency/log_list-inc.cc"
 }  // namespace
-#if !defined(OS_NACL)
-std::vector<scoped_refptr<const CTLogVerifier>>
-CreateLogVerifiersForKnownLogs() {
-  std::vector<scoped_refptr<const CTLogVerifier>> verifiers;
-  for (const auto& log : GetKnownLogs()) {
-    scoped_refptr<const CTLogVerifier> log_verifier = CTLogVerifier::Create(
-        base::StringPiece(log.log_key, log.log_key_length), log.log_name,
-        log.log_dns_domain);
-    // Make sure no null logs enter verifiers. Parsing of all statically
-    // configured logs should always succeed, unless there has been binary or
-    // memory corruption.
-    CHECK(log_verifier);
-    verifiers.push_back(std::move(log_verifier));
-  }
-  return verifiers;
-}
-#endif
 std::vector<CTLogInfo> GetKnownLogs() {
  // Add all qualified logs.
  std::vector<CTLogInfo> logs(std::begin(kCTLogList), std::end(kCTLogList));
@@ -73,7 +46,7 @@ bool IsLogOperatedByGoogle(base::StringPiece log_id) {
 bool IsLogDisqualified(base::StringPiece log_id,
                       base::Time* disqualification_date) {
-  CHECK_EQ(log_id.size(), arraysize(kDisqualifiedCTLogList[0].log_id) - 1);
+  CHECK_EQ(log_id.size(), base::size(kDisqualifiedCTLogList[0].log_id) - 1);
  auto* p = std::lower_bound(
      std::begin(kDisqualifiedCTLogList), std::end(kDisqualifiedCTLogList),
@@ -91,6 +64,4 @@ bool IsLogDisqualified(base::StringPiece log_id,
  return true;
 }
-}  // namespace ct
+}  // namespace certificate_transparency
-}  // namespace net
--- a/net/cert/ct_known_logs.h
+++ b/net/cert/ct_known_logs.h
@@ -2,25 +2,20 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-#ifndef NET_CERT_CT_KNOWN_LOGS_H_
+#ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_CT_KNOWN_LOGS_H_
-#define NET_CERT_CT_KNOWN_LOGS_H_
+#define COMPONENTS_CERTIFICATE_TRANSPARENCY_CT_KNOWN_LOGS_H_
 #include <vector>
 #include "base/memory/ref_counted.h"
 #include "base/strings/string_piece.h"
 #include "build/build_config.h"
-#include "net/base/net_export.h"
 namespace base {
 class Time;
 }  // namespace base
-namespace net {
+namespace certificate_transparency {
-class CTLogVerifier;
-namespace ct {
 struct CTLogInfo {
  // The DER-encoded SubjectPublicKeyInfo for the log.
@@ -36,24 +31,15 @@ struct CTLogInfo {
  const char* log_dns_domain;
 };
-#if !defined(OS_NACL)
-// CreateLogVerifiersForKnownLogs returns a vector of CT logs for all the known
-// logs. This set includes logs that are presently qualified for inclusion and
-// logs which were previously qualifying, but have since been disqualified. To
-// determine the status of a given log, use |IsLogDisqualified()|.
-NET_EXPORT std::vector<scoped_refptr<const CTLogVerifier>>
-CreateLogVerifiersForKnownLogs();
-#endif
 // Returns information about all known logs, which includes those that are
 // presently qualified for inclusion and logs which were previously qualified,
 // but have since been disqualified. To determine the status of a given log
 // (via its log ID), use |IsLogDisqualified()|.
-NET_EXPORT std::vector<CTLogInfo> GetKnownLogs();
+std::vector<CTLogInfo> GetKnownLogs();
 // Returns true if the log identified by |log_id| (the SHA-256 hash of the
 // log's DER-encoded SPKI) is operated by Google.
-NET_EXPORT bool IsLogOperatedByGoogle(base::StringPiece log_id);
+bool IsLogOperatedByGoogle(base::StringPiece log_id);
 // Returns true if the log identified by |log_id| (the SHA-256 hash of the
 // log's DER-encoded SPKI) has been disqualified, and sets
@@ -61,11 +47,9 @@ NET_EXPORT bool IsLogOperatedByGoogle(base::StringPiece log_id);
 // are embedded in certificates issued after |*disqualification_date| should
 // not be trusted, nor contribute to any uniqueness or freshness
 // requirements.
-NET_EXPORT bool IsLogDisqualified(base::StringPiece log_id,
+bool IsLogDisqualified(base::StringPiece log_id,
                       base::Time* disqualification_date);
-}  // namespace ct
+}  // namespace certificate_transparency
-}  // namespace net
-#endif  // NET_CERT_CT_KNOWN_LOGS_H_
+#endif  // COMPONENTS_CERTIFICATE_TRANSPARENCY_CT_KNOWN_LOGS_H_
--- a/net/cert/ct_known_logs_unittest.cc
+++ b/net/cert/ct_known_logs_unittest.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-#include "net/cert/ct_known_logs.h"
+#include "components/certificate_transparency/ct_known_logs.h"
 #include <stddef.h>
 #include <stdint.h>
@@ -14,12 +14,10 @@
 #include "crypto/sha2.h"
 #include "testing/gtest/include/gtest/gtest.h"
-namespace net {
+namespace certificate_transparency {
-namespace ct {
 namespace {
-#include "net/data/ssl/certificate_transparency/log_list-inc.cc"
+#include "components/certificate_transparency/data/log_list-inc.cc"
 }  // namespace
 TEST(CTKnownLogsTest, GoogleIDsAreSorted) {
@@ -37,6 +35,4 @@ TEST(CTKnownLogsTest, DisallowedLogsAreSortedByLogID) {
      }));
 }
-}  // namespace ct
+}  // namespace certificate_transparency
-}  // namespace net
--- a/net/data/ssl/certificate_transparency/BUILD.gn
+++ b/net/data/ssl/certificate_transparency/BUILD.gn
@@ -3,7 +3,8 @@
 # found in the LICENSE file.
 action_foreach("ct_log_list") {
-  script = "//net/tools/ct_log_list/make_ct_known_logs_list.py"
+  script =
+      "//components/certificate_transparency/tools/make_ct_known_logs_list.py"
  sources = [
    "log_list.json",
  ]

--- a/net/data/ssl/certificate_transparency/log_list.json
+++ b/net/data/ssl/certificate_transparency/log_list.json
--- a/net/tools/ct_log_list/PRESUBMIT.py
+++ b/net/tools/ct_log_list/PRESUBMIT.py
@@ -9,9 +9,9 @@
 def _RunMakeCTLogListTests(input_api, output_api):
  """Runs make_ct_known_logs_list unittests if related files were modified."""
  files = (input_api.os_path.normpath(x) for x in
-           ('net/tools/ct_log_list/make_ct_known_logs_list.py',
+           ('components/certificate_transparency/tools/make_ct_known_logs_list.py',
-            'net/tools/ct_log_list/make_ct_known_logs_list_unittest.py',
+            'components/certificate_transparency/tools/make_ct_known_logs_list_unittest.py',
-            'net/data/ssl/certificate_transparency/log_list.json'))
+            'components/certificate_transparency/data/log_list.json'))
  if not any(f in (af.LocalPath() for af in input_api.change.AffectedFiles())
             for f in files):
    return []

--- a/net/tools/ct_log_list/make_ct_known_logs_list.py
+++ b/net/tools/ct_log_list/make_ct_known_logs_list.py
--- a/net/tools/ct_log_list/make_ct_known_logs_list_unittest.py
+++ b/net/tools/ct_log_list/make_ct_known_logs_list_unittest.py
--- a/content/shell/browser/shell_url_request_context_getter.cc
+++ b/content/shell/browser/shell_url_request_context_getter.cc
@@ -26,7 +26,6 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
-#include "net/cert/do_nothing_ct_verifier.h"
 #include "net/cookies/cookie_store.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/mapped_host_resolver.h"
@@ -131,7 +130,6 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() {
    builder.set_user_agent(GetShellUserAgent());
    builder.SetCertVerifier(GetCertVerifier());
-    builder.set_ct_verifier(std::make_unique<net::DoNothingCTVerifier>());
    std::unique_ptr<net::ProxyResolutionService> proxy_resolution_service =
        GetProxyService();

--- a/ios/components/io_thread/ios_io_thread.mm
+++ b/ios/components/io_thread/ios_io_thread.mm
@@ -37,8 +37,6 @@
 #include "ios/web/public/web_client.h"
 #include "ios/web/public/web_thread.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_known_logs.h"
-#include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/multi_log_ct_verifier.h"
@@ -312,14 +310,7 @@ void IOSIOThread::Init() {
  globals_->transport_security_state.reset(new net::TransportSecurityState());
-  std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs(
+  globals_->cert_transparency_verifier.reset(new net::MultiLogCTVerifier());
-      net::ct::CreateLogVerifiersForKnownLogs());
-  net::MultiLogCTVerifier* ct_verifier = new net::MultiLogCTVerifier();
-  globals_->cert_transparency_verifier.reset(ct_verifier);
-  // Add built-in logs
-  ct_verifier->AddLogs(ct_logs);
  globals_->ct_policy_enforcer.reset(new net::DefaultCTPolicyEnforcer());
  globals_->ssl_config_service = new net::SSLConfigServiceDefaults();

--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -167,8 +167,6 @@ component("net") {
    "cert/client_cert_verifier.h",
    "cert/crl_set.cc",
    "cert/crl_set.h",
-    "cert/ct_known_logs.cc",
-    "cert/ct_known_logs.h",
    "cert/ct_policy_enforcer.cc",
    "cert/ct_policy_enforcer.h",
    "cert/ct_policy_status.h",
@@ -369,7 +367,6 @@ component("net") {
    ":net_resources",
    "//base",
    "//net/base/registry_controlled_domains",
-    "//net/data/ssl/certificate_transparency:ct_log_list",
    "//third_party/protobuf:protobuf_lite",
    "//url:url_features",
  ]
@@ -4761,7 +4758,6 @@ test("net_unittests") {
    "cert/cert_verify_proc_mac_unittest.cc",
    "cert/cert_verify_proc_unittest.cc",
    "cert/crl_set_unittest.cc",
-    "cert/ct_known_logs_unittest.cc",
    "cert/ct_log_response_parser_unittest.cc",
    "cert/ct_log_verifier_unittest.cc",
    "cert/ct_objects_extractor_unittest.cc",
@@ -5372,7 +5368,6 @@ test("net_unittests") {
    "//crypto:platform",
    "//crypto:test_support",
    "//net/base/registry_controlled_domains",
-    "//net/data/ssl/certificate_transparency:ct_log_list",
    "//net/http:transport_security_state_unittest_data",
    "//net/http:transport_security_state_unittest_data_default",
    "//testing/gmock",

--- a/net/third_party/quic/tools/quic_client_bin.cc
+++ b/net/third_party/quic/tools/quic_client_bin.cc
@@ -47,7 +47,6 @@
 #include "net/base/net_errors.h"
 #include "net/base/privacy_mode.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/multi_log_ct_verifier.h"
@@ -268,7 +267,6 @@ int main(int argc, char* argv[]) {
  std::unique_ptr<TransportSecurityState> transport_security_state(
      new TransportSecurityState);
  std::unique_ptr<MultiLogCTVerifier> ct_verifier(new MultiLogCTVerifier());
-  ct_verifier->AddLogs(net::ct::CreateLogVerifiersForKnownLogs());
  std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer(
      new net::DefaultCTPolicyEnforcer());
  std::unique_ptr<ProofVerifier> proof_verifier;

--- a/net/tools/quic/quic_simple_client_bin.cc
+++ b/net/tools/quic/quic_simple_client_bin.cc
@@ -48,7 +48,6 @@
 #include "net/base/net_errors.h"
 #include "net/base/privacy_mode.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/multi_log_ct_verifier.h"
@@ -266,7 +265,6 @@ int main(int argc, char* argv[]) {
  std::unique_ptr<TransportSecurityState> transport_security_state(
      new TransportSecurityState);
  std::unique_ptr<MultiLogCTVerifier> ct_verifier(new MultiLogCTVerifier());
-  ct_verifier->AddLogs(net::ct::CreateLogVerifiersForKnownLogs());
  std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer(
      new net::DefaultCTPolicyEnforcer());
  std::unique_ptr<ProofVerifier> proof_verifier;

--- a/net/url_request/url_request_context_builder.cc
+++ b/net/url_request/url_request_context_builder.cc
@@ -18,7 +18,6 @@
 #include "net/base/net_errors.h"
 #include "net/base/network_delegate_impl.h"
 #include "net/cert/cert_verifier.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_verifier.h"
@@ -488,10 +487,8 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
  if (ct_verifier_) {
    storage->set_cert_transparency_verifier(std::move(ct_verifier_));
  } else {
-    std::unique_ptr<MultiLogCTVerifier> ct_verifier =
+    storage->set_cert_transparency_verifier(
-        std::make_unique<MultiLogCTVerifier>();
+        std::make_unique<MultiLogCTVerifier>());
-    ct_verifier->AddLogs(ct::CreateLogVerifiersForKnownLogs());
-    storage->set_cert_transparency_verifier(std::move(ct_verifier));
  }
  if (ct_policy_enforcer_) {
    storage->set_ct_policy_enforcer(std::move(ct_policy_enforcer_));

--- a/services/network/network_context_cert_transparency_unittest.cc
+++ b/services/network/network_context_cert_transparency_unittest.cc
@@ -21,7 +21,6 @@
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
 #include "net/cert/cert_verify_result.h"
-#include "net/cert/ct_known_logs.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_serialization.h"
 #include "net/cert/ct_verifier.h"