add Enable-Certificate-Transparency.patch

build/bromite_patches_list.txt

@@ -173,3 +173,4 @@ Fix-build-error-for-v97.patch
 Fix-StartupTabPreloader-crash.patch
 Always-ask-for-permissions.patch
 Move-toptoolbar-to-bottom.patch
+Enable-Certificate-Transparency.patch

build/patches/Enable-Certificate-Transparency.patch

@@ -0,0 +1,235 @@
+From: Your Name <you@example.com>
+Date: Tue, 18 Jan 2022 16:02:06 +0000
+Subject: =?UTF-8?q?Enable=20Chrome=20Certificate=20Transparency=0Aand=20di?=
+ =?UTF-8?q?sable=20reporting.?=
+
+---
+ chrome/browser/about_flags.cc                              | 5 +++++
+ chrome/browser/browser_features.cc                         | 2 +-
+ .../component_updater/pki_metadata_component_installer.cc  | 2 +-
+ chrome/browser/flag_descriptions.cc                        | 4 ++++
+ chrome/browser/flag_descriptions.h                         | 3 +++
+ chrome/browser/net/system_network_context_manager.cc       | 4 ----
+ chrome/browser/ssl/sct_reporting_service.cc                | 2 +-
+ chrome/common/chrome_features.cc                           | 2 +-
+ net/http/transport_security_state.cc                       | 7 ++-----
+ net/url_request/report_sender.cc                           | 2 +-
+ services/network/network_context.cc                        | 6 +++---
+ services/network/public/cpp/features.gni                   | 2 +-
+ services/network/sct_auditing/sct_auditing_cache.cc        | 5 +----
+ 13 files changed, 24 insertions(+), 22 deletions(-)
+
+diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
+--- a/chrome/browser/about_flags.cc
++++ b/chrome/browser/about_flags.cc
+@@ -7816,6 +7816,11 @@ const FeatureEntry kFeatureEntries[] = {
+      flag_descriptions::kWebBluetoothBondOnDemandDescription, kOsWin | kOsLinux,
+      FEATURE_VALUE_TYPE(features::kWebBluetoothBondOnDemand)},
+ 
++    {"ct-enabled",
++     flag_descriptions::kCTEnabledName,
++     flag_descriptions::kCTEnabledDescription, kOsAndroid,
++     FEATURE_VALUE_TYPE(features::kCertificateTransparencyAndroid)},
++
+ #if BUILDFLAG(IS_CHROMEOS_ASH)
+     {"enable-libinput-to-handle-touchpad",
+      flag_descriptions::kEnableLibinputToHandleTouchpadName,
+diff --git a/chrome/browser/browser_features.cc b/chrome/browser/browser_features.cc
+--- a/chrome/browser/browser_features.cc
++++ b/chrome/browser/browser_features.cc
+@@ -124,7 +124,7 @@ const base::Feature kWebUsbDeviceDetection{"WebUsbDeviceDetection",
+ #if defined(OS_ANDROID)
+ // Enables Certificate Transparency on Android.
+ const base::Feature kCertificateTransparencyAndroid{
+-    "CertificateTransparencyAndroid", base::FEATURE_DISABLED_BY_DEFAULT};
++    "CertificateTransparencyAndroid", base::FEATURE_ENABLED_BY_DEFAULT};
+ #endif
+ 
+ }  // namespace features
+diff --git a/chrome/browser/component_updater/pki_metadata_component_installer.cc b/chrome/browser/component_updater/pki_metadata_component_installer.cc
+--- a/chrome/browser/component_updater/pki_metadata_component_installer.cc
++++ b/chrome/browser/component_updater/pki_metadata_component_installer.cc
+@@ -40,7 +40,7 @@ const char kGoogleOperatorName[] = "Google";
+ // The extension id is: efniojlnjndmcbiieegkicadnoecjjef
+ const uint8_t kPKIMetadataPublicKeySHA256[32] = {
+     0x45, 0xd8, 0xe9, 0xbd, 0x9d, 0x3c, 0x21, 0x88, 0x44, 0x6a, 0x82,
+-    0x03, 0xde, 0x42, 0x99, 0x45, 0x66, 0x25, 0xfe, 0xb3, 0xd1, 0xf8,
++    0x01, 0x02, 0x03, 0x04, 0x05, 0x66, 0x25, 0xfe, 0xb3, 0xd1, 0xf8,
+     0x11, 0x65, 0xb4, 0x6f, 0xd3, 0x1b, 0x21, 0x89, 0xbe, 0x9c};
+ 
+ const base::FilePath::CharType kCTConfigProtoFileName[] =
+diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
+--- a/chrome/browser/flag_descriptions.cc
++++ b/chrome/browser/flag_descriptions.cc
+@@ -5522,6 +5522,10 @@ const char kUIDebugToolsDescription[] =
+     "Enables additional keyboard shortcuts to help debugging.";
+ #endif
+ 
++const char kCTEnabledName[] = "Enable Certificate Transparency";
++const char kCTEnabledDescription[] =
++    "Enables compliance against the Chrome CT Policy.";
++
+ #if defined(WEBRTC_USE_PIPEWIRE)
+ const char kWebrtcPipeWireCapturerName[] = "WebRTC PipeWire support";
+ const char kWebrtcPipeWireCapturerDescription[] =
+diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
+--- a/chrome/browser/flag_descriptions.h
++++ b/chrome/browser/flag_descriptions.h
+@@ -3232,6 +3232,9 @@ extern const char kUIDebugToolsName[];
+ extern const char kUIDebugToolsDescription[];
+ #endif
+ 
++extern const char kCTEnabledName[];
++extern const char kCTEnabledDescription[];
++
+ #if defined(WEBRTC_USE_PIPEWIRE)
+ extern const char kWebrtcPipeWireCapturerName[];
+ extern const char kWebrtcPipeWireCapturerDescription[];
+diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
+--- a/chrome/browser/net/system_network_context_manager.cc
++++ b/chrome/browser/net/system_network_context_manager.cc
+@@ -776,7 +776,6 @@ void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
+ bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
+   if (certificate_transparency_enabled_for_testing_.has_value())
+     return certificate_transparency_enabled_for_testing_.value();
+-#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD)
+ // TODO(carlosil): Figure out if we can/should remove the OFFICIAL_BUILD and
+ // GOOGLE_CHROME_BRANDING checks now that enforcement does not rely on build
+ // dates, and allow embedders to enforce.
+@@ -790,9 +789,6 @@ bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
+ #else
+   return true;
+ #endif
+-#else
+-  return false;
+-#endif
+ }
+ 
+ network::mojom::NetworkContextParamsPtr
+diff --git a/chrome/browser/ssl/sct_reporting_service.cc b/chrome/browser/ssl/sct_reporting_service.cc
+--- a/chrome/browser/ssl/sct_reporting_service.cc
++++ b/chrome/browser/ssl/sct_reporting_service.cc
+@@ -112,7 +112,7 @@ void SCTReportingService::SetReportingEnabled(bool enabled) {
+   // Iterate over StoragePartitions for this Profile, and for each get the
+   // NetworkContext and enable or disable SCT auditing.
+   profile_->ForEachStoragePartition(
+-      base::BindRepeating(&SetSCTAuditingEnabledForStoragePartition, enabled));
++      base::BindRepeating(&SetSCTAuditingEnabledForStoragePartition, false));
+ 
+   if (!enabled)
+     content::GetNetworkService()->ClearSCTAuditingCache();
+diff --git a/chrome/common/chrome_features.cc b/chrome/common/chrome_features.cc
+--- a/chrome/common/chrome_features.cc
++++ b/chrome/common/chrome_features.cc
+@@ -910,7 +910,7 @@ const base::Feature kScrollCapture{"ScrollCapture",
+ // should be sampled. Default sampling rate is 1/10,000 certificates.
+ #if defined(OS_ANDROID)
+ const base::Feature kSCTAuditing{"SCTAuditing",
+-                                 base::FEATURE_DISABLED_BY_DEFAULT};
++                                 base::FEATURE_DISABLED_BY_DEFAULT}; // guard this
+ #else
+ const base::Feature kSCTAuditing{"SCTAuditing",
+                                  base::FEATURE_ENABLED_BY_DEFAULT};
+diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
+--- a/net/http/transport_security_state.cc
++++ b/net/http/transport_security_state.cc
+@@ -342,6 +342,7 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
+ #if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
+   if (g_hsts_source == nullptr)
+     return false;
++#error "BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) must be enabled"
+ #endif
+   bool found = false;
+ 
+@@ -385,7 +386,7 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
+ 
+ // static
+ const base::Feature TransportSecurityState::kDynamicExpectCTFeature{
+-    "DynamicExpectCT", base::FEATURE_ENABLED_BY_DEFAULT};
++    "DynamicExpectCT", base::FEATURE_DISABLED_BY_DEFAULT};
+ 
+ void SetTransportSecurityStateSourceForTesting(
+     const TransportSecurityStateSource* source) {
+@@ -411,10 +412,6 @@ TransportSecurityState::TransportSecurityState(
+           features::kPartitionExpectCTStateByNetworkIsolationKey)) {
+ // Static pinning is only enabled for official builds to make sure that
+ // others don't end up with pins that cannot be easily updated.
+-#if !BUILDFLAG(GOOGLE_CHROME_BRANDING) || defined(OS_ANDROID) || defined(OS_IOS)
+-  enable_static_pins_ = false;
+-  enable_static_expect_ct_ = false;
+-#endif
+   // Check that there no invalid entries in the static HSTS bypass list.
+   for (auto& host : hsts_host_bypass_list) {
+     DCHECK(host.find('.') == std::string::npos);
+diff --git a/net/url_request/report_sender.cc b/net/url_request/report_sender.cc
+--- a/net/url_request/report_sender.cc
++++ b/net/url_request/report_sender.cc
+@@ -87,7 +87,7 @@ void ReportSender::Send(const GURL& report_uri,
+ 
+   URLRequest* raw_url_request = url_request.get();
+   inflight_requests_[raw_url_request] = std::move(url_request);
+-  raw_url_request->Start();
++  OnResponseStarted(raw_url_request, OK);
+ }
+ 
+ void ReportSender::OnResponseStarted(URLRequest* request, int net_error) {
+diff --git a/services/network/network_context.cc b/services/network/network_context.cc
+--- a/services/network/network_context.cc
++++ b/services/network/network_context.cc
+@@ -2389,7 +2389,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
+   // TransportSecurityState.  Since no requests have been made yet, safe to do
+   // this even after the call to Build().
+ 
+-  if (params_->enable_certificate_reporting) {
++  if ((false /*params_->enable_certificate_reporting*/)) {
+     net::NetworkTrafficAnnotationTag traffic_annotation =
+         net::DefineNetworkTrafficAnnotation("domain_security_policy", R"(
+         semantics {
+@@ -2430,7 +2430,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
+ #endif  // defined(OS_ANDROID)
+ 
+ #if BUILDFLAG(IS_CT_SUPPORTED)
+-  if (params_->enable_expect_ct_reporting) {
++  if ((false)/*params_->enable_expect_ct_reporting*/) {
+     LazyCreateExpectCTReporter(result.url_request_context.get());
+     result.url_request_context->transport_security_state()->SetExpectCTReporter(
+         expect_ct_reporter_.get());
+@@ -2444,7 +2444,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
+   }
+ #endif  // BUILDFLAG(IS_CT_SUPPORTED)
+ 
+-  if (params_->enable_domain_reliability) {
++  if ((false)/*params_->enable_domain_reliability*/) {
+     domain_reliability_monitor_ =
+         std::make_unique<domain_reliability::DomainReliabilityMonitor>(
+             result.url_request_context.get(),
+diff --git a/services/network/public/cpp/features.gni b/services/network/public/cpp/features.gni
+--- a/services/network/public/cpp/features.gni
++++ b/services/network/public/cpp/features.gni
+@@ -7,7 +7,7 @@ import("//build/config/features.gni")
+ declare_args() {
+   # Certificate transparency is not supported on iOS.
+   # TODO(mmenke): It's actually not supported on Android, either.
+-  is_ct_supported = !is_ios
++  is_ct_supported = true
+ 
+   # Controls whether P2P is exposed by the network service.
+   # Optional to reduce avoid having Chrome on iOS depends on
+diff --git a/services/network/sct_auditing/sct_auditing_cache.cc b/services/network/sct_auditing/sct_auditing_cache.cc
+--- a/services/network/sct_auditing/sct_auditing_cache.cc
++++ b/services/network/sct_auditing/sct_auditing_cache.cc
+@@ -213,10 +213,7 @@ void SCTAuditingReporter::SendReport() {
+   // with no response body, so this uses DownloadHeadersOnly for simplicity.
+   // If the loader is destroyed, the callback will be canceled, so using
+   // base::Unretained here is safe.
+-  url_loader_->DownloadHeadersOnly(
+-      url_loader_factory_remote_.get(),
+-      base::BindOnce(&SCTAuditingReporter::OnSendReportComplete,
+-                     base::Unretained(this)));
++  std::move(done_callback_).Run(reporter_key_);
+ }
+ 
+ void SCTAuditingReporter::OnSendReportComplete(
+-- 
+2.20.1
+