From: csagan5 <32685696+csagan5@users.noreply.github.com>
Date: Fri, 10 Jun 2022 14:20:02 +0200
Subject: Enable Certificate Transparency

Reporting/auditing functionalities are disabled; a flag is exposed.
Add guard to make sure that certificate transparency stays enabled
by default.

License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html
Change-Id: I743519ccda7c357578c23b0a074292649b3afb3d
---
 chrome/browser/about_flags.cc                         | 5 +++++
 chrome/browser/browser_features.cc                    | 4 ++--
 chrome/browser/flag_descriptions.cc                   | 4 ++++
 chrome/browser/flag_descriptions.h                    | 3 +++
 chrome/browser/net/system_network_context_manager.cc  | 4 ----
 chrome/browser/ssl/sct_reporting_service.cc           | 5 +++++
 chrome/common/chrome_features.cc                      | 6 +-----
 net/http/transport_security_state.cc                  | 5 +++--
 net/url_request/report_sender.cc                      | 3 ++-
 services/network/network_context.cc                   | 2 +-
 services/network/sct_auditing/sct_auditing_handler.cc | 2 ++
 11 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -8778,6 +8778,11 @@ const FeatureEntry kFeatureEntries[] = {
      flag_descriptions::kWebMidiDescription, kOsAll,
      FEATURE_VALUE_TYPE(features::kWebMidi)},
 #if BUILDFLAG(IS_ANDROID)
+    {"certificate-transparency-enabled",
+     flag_descriptions::kCTEnabledName,
+     flag_descriptions::kCTEnabledDescription, kOsAndroid,
+     FEATURE_VALUE_TYPE(features::kCertificateTransparencyAndroid)},
+
     {"use-real-color-space-for-android-video",
      flag_descriptions::kUseRealColorSpaceForAndroidVideoName,
      flag_descriptions::kUseRealColorSpaceForAndroidVideoDescription,
diff --git a/chrome/browser/browser_features.cc b/chrome/browser/browser_features.cc
--- a/chrome/browser/browser_features.cc
+++ b/chrome/browser/browser_features.cc
@@ -173,8 +173,8 @@ BASE_FEATURE(kWebUsbDeviceDetection,
 #if BUILDFLAG(IS_ANDROID)
 // Enables Certificate Transparency on Android.
 BASE_FEATURE(kCertificateTransparencyAndroid,
-             "CertificateTransparencyAndroid",
-             base::FEATURE_ENABLED_BY_DEFAULT);
+             "CertificateTransparencyAndroid",         // must be enabled
+             base::FEATURE_ENABLED_BY_DEFAULT);        // in Bromite
 #endif
 
 BASE_FEATURE(kLargeFaviconFromGoogle,
diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
--- a/chrome/browser/flag_descriptions.cc
+++ b/chrome/browser/flag_descriptions.cc
@@ -6753,6 +6753,10 @@ const char kAutofillCreditCardUploadDescription[] =
 #endif  // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
 
 #if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
+const char kCTEnabledName[] = "Enable Certificate Transparency";
+const char kCTEnabledDescription[] =
+    "Enables compliance against the Certificate Transparency Policy, with reporting disabled.";
+
 const char kElasticOverscrollName[] = "Elastic Overscroll";
 const char kElasticOverscrollDescription[] =
     "Enables Elastic Overscrolling on touchscreens and precision touchpads.";
diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
--- a/chrome/browser/flag_descriptions.h
+++ b/chrome/browser/flag_descriptions.h
@@ -3929,6 +3929,9 @@ extern const char kAutofillCreditCardUploadDescription[];
 #endif  // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
 
 #if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
+extern const char kCTEnabledName[];
+extern const char kCTEnabledDescription[];
+
 extern const char kElasticOverscrollName[];
 extern const char kElasticOverscrollDescription[];
 #endif  // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
--- a/chrome/browser/net/system_network_context_manager.cc
+++ b/chrome/browser/net/system_network_context_manager.cc
@@ -920,7 +920,6 @@ void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
 bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
   if (certificate_transparency_enabled_for_testing_.has_value())
     return certificate_transparency_enabled_for_testing_.value();
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD)
 // TODO(carlosil): Figure out if we can/should remove the OFFICIAL_BUILD and
 // GOOGLE_CHROME_BRANDING checks now that enforcement does not rely on build
 // dates, and allow embedders to enforce.
@@ -934,9 +933,6 @@ bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
 #else
   return true;
 #endif  // BUILDFLAG(IS_ANDROID)
-#else
-  return false;
-#endif  // BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD)
 }
 
 network::mojom::NetworkContextParamsPtr
diff --git a/chrome/browser/ssl/sct_reporting_service.cc b/chrome/browser/ssl/sct_reporting_service.cc
--- a/chrome/browser/ssl/sct_reporting_service.cc
+++ b/chrome/browser/ssl/sct_reporting_service.cc
@@ -211,6 +211,11 @@ void SetSCTAuditingEnabledForStoragePartition(
 }  // namespace
 
 network::mojom::SCTAuditingMode SCTReportingService::GetReportingMode() {
+  if ((true)) {
+    // always disabled in Bromite
+    return network::mojom::SCTAuditingMode::kDisabled;
+  }
+
   if (profile_->IsOffTheRecord() ||
       !base::FeatureList::IsEnabled(features::kSCTAuditing)) {
     return network::mojom::SCTAuditingMode::kDisabled;
diff --git a/chrome/common/chrome_features.cc b/chrome/common/chrome_features.cc
--- a/chrome/common/chrome_features.cc
+++ b/chrome/common/chrome_features.cc
@@ -989,11 +989,7 @@ BASE_FEATURE(kSchedulerConfiguration,
 
 // Controls whether SCT audit reports are queued and the rate at which they
 // should be sampled. Default sampling rate is 1/10,000 certificates.
-#if BUILDFLAG(IS_ANDROID)
-BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_DISABLED_BY_DEFAULT);
-#else
-BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_ENABLED_BY_DEFAULT);
-#endif
+BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_DISABLED_BY_DEFAULT); // disabled in Bromite
 constexpr base::FeatureParam<double> kSCTAuditingSamplingRate{
     &kSCTAuditing, "sampling_rate", 0.0001};
 
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -319,6 +319,7 @@ class HSTSPreloadDecoder : public net::extras::PreloadDecoder {
 
 bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
 #if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
+#error "BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) must be enabled"
   if (g_hsts_source == nullptr)
     return false;
 #endif
@@ -364,8 +365,8 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
 
 // static
 BASE_FEATURE(kCertificateTransparencyEnforcement,
-             "CertificateTransparencyEnforcement",
-             base::FEATURE_ENABLED_BY_DEFAULT);
+             "CertificateTransparencyEnforcement",            // must be enabled
+             base::FEATURE_ENABLED_BY_DEFAULT);               // in Bromite
 
 void SetTransportSecurityStateSourceForTesting(
     const TransportSecurityStateSource* source) {
diff --git a/net/url_request/report_sender.cc b/net/url_request/report_sender.cc
--- a/net/url_request/report_sender.cc
+++ b/net/url_request/report_sender.cc
@@ -87,7 +87,8 @@ void ReportSender::Send(
 
   URLRequest* raw_url_request = url_request.get();
   inflight_requests_[raw_url_request] = std::move(url_request);
-  raw_url_request->Start();
+  // pretend that request completed
+  OnResponseStarted(raw_url_request, OK);
 }
 
 void ReportSender::OnResponseStarted(URLRequest* request, int net_error) {
diff --git a/services/network/network_context.cc b/services/network/network_context.cc
--- a/services/network/network_context.cc
+++ b/services/network/network_context.cc
@@ -2566,7 +2566,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
   // TransportSecurityState.  Since no requests have been made yet, safe to do
   // this even after the call to Build().
 
-  if (params_->enable_certificate_reporting) {
+  if ((false) /* params_->enable_certificate_reporting*/) {
     net::NetworkTrafficAnnotationTag traffic_annotation =
         net::DefineNetworkTrafficAnnotation("domain_security_policy", R"(
         semantics {
diff --git a/services/network/sct_auditing/sct_auditing_handler.cc b/services/network/sct_auditing/sct_auditing_handler.cc
--- a/services/network/sct_auditing/sct_auditing_handler.cc
+++ b/services/network/sct_auditing/sct_auditing_handler.cc
@@ -109,6 +109,7 @@ void SCTAuditingHandler::MaybeEnqueueReport(
   if (mode_ == mojom::SCTAuditingMode::kDisabled) {
     return;
   }
+  if ((true)) return;
 
   // Only audit valid SCTs. This ensures that they come from a known log, have
   // a valid signature, and thus are expected to be public certificates. If
@@ -327,6 +328,7 @@ void SCTAuditingHandler::AddReporter(
   if (mode_ == mojom::SCTAuditingMode::kDisabled) {
     return;
   }
+  if ((true)) return;
 
   auto reporter = std::make_unique<SCTAuditingReporter>(
       owner_network_context_, reporter_key, std::move(report),
-- 
2.40.1