diff --git net/cert/ct_policy_enforcer.cc net/cert/ct_policy_enforcer.cc index 0f7778089273..40111e89a2e0 100644 --- net/cert/ct_policy_enforcer.cc +++ net/cert/ct_policy_enforcer.cc @@ -35,15 +35,6 @@ namespace net { namespace { -// Returns true if the current build is recent enough to ensure that -// built-in security information (e.g. CT Logs) is fresh enough. -// TODO(eranm): Move to base or net/base -bool IsBuildTimely() { - const base::Time build_time = base::GetBuildTime(); - // We consider built-in information to be timely for 10 weeks. - return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; -} - // Returns a rounded-down months difference of |start| and |end|, // together with an indication of whether the last month was // a full month, because the range starts specified in the policy @@ -302,4 +293,13 @@ ct::CTPolicyCompliance CTPolicyEnforcer::CheckCompliance( return compliance; } +bool CTPolicyEnforcer::IsBuildTimely() const { + if (!enforce_net_security_expiration_) + return true; + + const base::Time build_time = base::GetBuildTime(); + // We consider built-in information to be timely for 10 weeks. + return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; +} + } // namespace net diff --git net/cert/ct_policy_enforcer.h net/cert/ct_policy_enforcer.h index fb6f4847cfe9..aa4c1cdafb9f 100644 --- net/cert/ct_policy_enforcer.h +++ net/cert/ct_policy_enforcer.h @@ -42,6 +42,17 @@ class NET_EXPORT CTPolicyEnforcer { X509Certificate* cert, const SCTList& verified_scts, const NetLogWithSource& net_log); + + void set_enforce_net_security_expiration(bool enforce) { + enforce_net_security_expiration_ = enforce; + } + + private: + // Returns true if the current build is recent enough to ensure that + // built-in security information (e.g. CT Logs) is fresh enough. + bool IsBuildTimely() const; + + bool enforce_net_security_expiration_ = true; }; } // namespace net diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc index a433afd02178..ff92489ed243 100644 --- net/http/transport_security_state.cc +++ net/http/transport_security_state.cc @@ -1553,8 +1553,10 @@ void TransportSecurityState::ClearReportCachesForTesting() { sent_expect_ct_reports_cache_.Clear(); } -// static -bool TransportSecurityState::IsBuildTimely() { +bool TransportSecurityState::IsBuildTimely() const { + if (!enforce_net_security_expiration_) + return true; + const base::Time build_time = base::GetBuildTime(); // We consider built-in information to be timely for 10 weeks. return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; diff --git net/http/transport_security_state.h net/http/transport_security_state.h index 79d3a1c3453f..d97e26b4b024 100644 --- net/http/transport_security_state.h +++ net/http/transport_security_state.h @@ -576,6 +576,10 @@ class NET_EXPORT TransportSecurityState { // Expect-CT reports. void ClearReportCachesForTesting(); + void set_enforce_net_security_expiration(bool enforce) { + enforce_net_security_expiration_ = enforce; + } + private: friend class TransportSecurityStateTest; friend class TransportSecurityStateStaticFuzzer; @@ -596,7 +600,7 @@ class NET_EXPORT TransportSecurityState { // IsBuildTimely returns true if the current build is new enough ensure that // built in security information (i.e. HSTS preloading and pinning // information) is timely. - static bool IsBuildTimely(); + bool IsBuildTimely() const; // Helper method for actually checking pins. PKPStatus CheckPublicKeyPinsImpl( @@ -705,6 +709,8 @@ class NET_EXPORT TransportSecurityState { // True if public key pinning bypass is enabled for local trust anchors. bool enable_pkp_bypass_for_local_trust_anchors_; + bool enforce_net_security_expiration_ = true; + ExpectCTReporter* expect_ct_reporter_ = nullptr; RequireCTDelegate* require_ct_delegate_ = nullptr;