diff --git components/certificate_transparency/chrome_ct_policy_enforcer.cc components/certificate_transparency/chrome_ct_policy_enforcer.cc index a2e2b493def0..c08872260c68 100644 --- components/certificate_transparency/chrome_ct_policy_enforcer.cc +++ components/certificate_transparency/chrome_ct_policy_enforcer.cc @@ -36,15 +36,6 @@ namespace certificate_transparency { namespace { -// Returns true if the current build is recent enough to ensure that -// built-in security information (e.g. CT Logs) is fresh enough. -// TODO(eranm): Move to base or net/base -bool IsBuildTimely() { - const base::Time build_time = base::GetBuildTime(); - // We consider built-in information to be timely for 10 weeks. - return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; -} - // Returns a rounded-down months difference of |start| and |end|, // together with an indication of whether the last month was // a full month, because the range starts specified in the policy @@ -304,4 +295,16 @@ CTPolicyCompliance ChromeCTPolicyEnforcer::CheckCompliance( return compliance; } +// Returns true if the current build is recent enough to ensure that +// built-in security information (e.g. CT Logs) is fresh enough. +// TODO(eranm): Move to base or net/base +bool ChromeCTPolicyEnforcer::IsBuildTimely() const { + if (!enforce_net_security_expiration_) + return true; + + const base::Time build_time = base::GetBuildTime(); + // We consider built-in information to be timely for 10 weeks. + return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; +} + } // namespace certificate_transparency diff --git components/certificate_transparency/chrome_ct_policy_enforcer.h components/certificate_transparency/chrome_ct_policy_enforcer.h index f61ff0d0564a..e6727c7b1cbc 100644 --- components/certificate_transparency/chrome_ct_policy_enforcer.h +++ components/certificate_transparency/chrome_ct_policy_enforcer.h @@ -26,6 +26,17 @@ class ChromeCTPolicyEnforcer : public net::CTPolicyEnforcer { net::X509Certificate* cert, const net::ct::SCTList& verified_scts, const net::NetLogWithSource& net_log) override; + + void set_enforce_net_security_expiration(bool enforce) { + enforce_net_security_expiration_ = enforce; + } + + private: + // Returns true if the current build is recent enough to ensure that + // built-in security information (e.g. CT Logs) is fresh enough. + bool IsBuildTimely() const; + + bool enforce_net_security_expiration_ = true; }; } // namespace certificate_transparency diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc index 2dc467772e86..fdb047099ff5 100644 --- net/http/transport_security_state.cc +++ net/http/transport_security_state.cc @@ -1153,8 +1153,10 @@ void TransportSecurityState::ClearReportCachesForTesting() { sent_expect_ct_reports_cache_.Clear(); } -// static -bool TransportSecurityState::IsBuildTimely() { +bool TransportSecurityState::IsBuildTimely() const { + if (!enforce_net_security_expiration_) + return true; + const base::Time build_time = base::GetBuildTime(); // We consider built-in information to be timely for 10 weeks. return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; diff --git net/http/transport_security_state.h net/http/transport_security_state.h index 9c65b59e4ec2..0ac0509abf78 100644 --- net/http/transport_security_state.h +++ net/http/transport_security_state.h @@ -561,6 +561,10 @@ class NET_EXPORT TransportSecurityState { // Expect-CT reports. void ClearReportCachesForTesting(); + void set_enforce_net_security_expiration(bool enforce) { + enforce_net_security_expiration_ = enforce; + } + private: friend class TransportSecurityStateTest; friend class TransportSecurityStateStaticFuzzer; @@ -581,7 +585,7 @@ class NET_EXPORT TransportSecurityState { // IsBuildTimely returns true if the current build is new enough ensure that // built in security information (i.e. HSTS preloading and pinning // information) is timely. - static bool IsBuildTimely(); + bool IsBuildTimely() const; // Helper method for actually checking pins. PKPStatus CheckPublicKeyPinsImpl( @@ -679,6 +683,8 @@ class NET_EXPORT TransportSecurityState { // True if public key pinning bypass is enabled for local trust anchors. bool enable_pkp_bypass_for_local_trust_anchors_; + bool enforce_net_security_expiration_ = true; + ExpectCTReporter* expect_ct_reporter_ = nullptr; RequireCTDelegate* require_ct_delegate_ = nullptr;