Remove the EV Certs Whitelist

Introduced as part of the 2015/01/01 requirement that all EV
certificates should be accompanied by Certificate Transparency
information, the EVCertWhitelist contained the set of publicly
logged EV certificates issued prior to that date, to ensure they
maintained their EV status.

As an EV certificate is only valid for 27 months, the whitelist has
been shrinking over time, with the most recent update trimming it to
around 100 certificates.

However, as 27 months have passed since 2015/01/01, the whitelist is
no longer needed, and as such, the entire supporting infrastructure is
also no longer needed.

This rewinds the code by:
  - Removing the EVCertsWhitelist from //net
  - Removing the distinct EV CT policy from CTPolicyEnforcer
  - Unwinding the EV CT status from the CTVerifyResult and SSLInfo
  - Removing the specific Golomb-coded compressed CT EV whitelist logic
  - Removing the Component Updater version of the EV whitelist
  - Removing all metrics related to the EV whitelist

BUG=732427
TBR=lcwu@chromium.org,sergeyu@chromium.org,isherman@chromium.org

Review-Url: https://codereview.chromium.org/2937563002
Cr-Commit-Position: refs/heads/master@{#479343}

WATCHLISTS

@@ -271,7 +271,6 @@
     },
     'certificate_transparency': {
       'filepath': 'components/certificate_transparency/'\
-                  '|components/packed_ct_ev_whitelist/'\
                   '|net/cert/ct_'\
                   '|net/cert/multi_log_ct_verifier'\
                   '|net/cert/sct_status_flags.h'\

chrome/browser/BUILD.gn

@@ -247,8 +247,6 @@ split_static_library("browser") {
     "component_updater/component_updater_utils.h",
     "component_updater/cros_component_installer.cc",
     "component_updater/cros_component_installer.h",
-    "component_updater/ev_whitelist_component_installer.cc",
-    "component_updater/ev_whitelist_component_installer.h",
     "component_updater/file_type_policies_component_installer.cc",
     "component_updater/file_type_policies_component_installer.h",
     "component_updater/origin_trials_component_installer.cc",
@@ -1570,7 +1568,6 @@ split_static_library("browser") {
     "//components/offline_pages/features:features",
     "//components/omnibox/browser",
     "//components/os_crypt",
-    "//components/packed_ct_ev_whitelist",
     "//components/password_manager/content/browser",
     "//components/password_manager/core/browser",
     "//components/password_manager/core/common",

chrome/browser/chrome_browser_main.cc

@@ -53,7 +53,6 @@
 #include "chrome/browser/browser_process_platform_part.h"
 #include "chrome/browser/browser_shutdown.h"
 #include "chrome/browser/chrome_browser_main_extra_parts.h"
-#include "chrome/browser/component_updater/ev_whitelist_component_installer.h"
 #include "chrome/browser/component_updater/file_type_policies_component_installer.h"
 #include "chrome/browser/component_updater/origin_trials_component_installer.h"
 #include "chrome/browser/component_updater/pepper_flash_component_installer.h"
@@ -512,10 +511,6 @@ void RegisterComponentsForUpdate() {
     // network.
     // For Chrome OS this registration is delayed until user login.
     g_browser_process->crl_set_fetcher()->StartInitialLoad(cus, path);
-    // Registration of the EV Whitelist component here is not necessary for:
-    // 1. Android: Because it currently does not have the EV indicator.
-    // 2. Chrome OS: On Chrome OS this registration is delayed until user login.
-    RegisterEVWhitelistComponent(cus, path);
 
     // Registration of the STH set fetcher here is not done for:
     // Android: Because the story around CT on Mobile is not finalized yet.

chrome/browser/chromeos/login/session/user_session_manager.cc

@@ -62,7 +62,6 @@
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/browser/chromeos/tether/tether_service.h"
-#include "chrome/browser/component_updater/ev_whitelist_component_installer.h"
 #include "chrome/browser/component_updater/sth_set_component_installer.h"
 #include "chrome/browser/first_run/first_run.h"
 #include "chrome/browser/google/google_brand_chromeos.h"
@@ -1509,8 +1508,6 @@ void UserSessionManager::InitializeCertificateTransparencyComponents(
   if (!username_hash.empty() && cus) {
     const base::FilePath path =
         ProfileHelper::GetProfilePathByUserIdHash(username_hash);
-    // EV whitelist.
-    RegisterEVWhitelistComponent(cus, path);
     // STH set fetcher.
     RegisterSTHSetComponent(cus, path);
   }

chrome/browser/component_updater/DEPS

@@ -1,5 +1,4 @@
 include_rules = [
-  "+components/packed_ct_ev_whitelist/packed_ct_ev_whitelist.h",
   "+media/cdm/supported_cdm_versions.h",
   "+ppapi/thunk",
   "+third_party/widevine"

chromecast/browser/url_request_context_factory.cc

@@ -63,14 +63,6 @@ class IgnoresCTPolicyEnforcer : public net::CTPolicyEnforcer {
       const net::NetLogWithSource& net_log) override {
     return net::ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;
   }
-
-  net::ct::EVPolicyCompliance DoesConformToCTEVPolicy(
-      net::X509Certificate* cert,
-      const net::ct::EVCertsWhitelist* ev_whitelist,
-      const net::SCTList& verified_scts,
-      const net::NetLogWithSource& net_log) override {
-    return net::ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
-  }
 };
 
 bool IgnoreCertificateErrors() {

components/BUILD.gn

@@ -202,7 +202,6 @@ test("components_unittests") {
       "//components/offline_pages/core/background:unit_tests",
       "//components/offline_pages/core/downloads:unit_tests",
       "//components/offline_pages/core/request_header:unit_tests",
-      "//components/packed_ct_ev_whitelist:unit_tests",
       "//components/password_manager/content/browser:unit_tests",
       "//components/payments/content:unit_tests",
       "//components/payments/content/utility:unit_tests",