Enabling CRLSets; Capping the maximum component updates per request to go-updater to 1

[jumde]

fix brave/brave-browser#518
fix brave/brave-browser#2160
fix brave/brave-browser#3615

Description:

Revoked certificates don't show certificate error on all platforms. This PR enables CRLSets, a component managed by Google to show certificate errors for domains with revoked certificates.

Since, CRLSets is maintained by Google we will be proxying requests for CRLSets through crlsets[n].brave.com, crxdownload.brave.com (resources) and componentupdater.brave.com (component updates)

This PR also caps the maximum component updates per request to go-updater to 1, since go-updater cannot handle an update request with both Google and Brave components.

Submitter Checklist:

• Submitted a ticket for my issue if one did not already exist.
• Used Github auto-closing keywords in the commit message.
• Added/updated tests for this change (for new code or code which already has tests).
• Verified that these changes build without errors on
  • Windows
  • macOS
  • Linux
• Verified that these changes pass automated tests (npm test brave_unit_tests && npm test brave_browser_tests) on
  • Windows
  • macOS
  • Linux
• Ran git rebase master (if needed).
• Ran git rebase -i to squash commits (if needed).
• Tagged reviewers and labelled the pull request as needed.
• Request a security/privacy review as needed.
• Add appropriate QA labels (QA/Yes or QA/No) to include the closed issue in milestone

Test Plan:

For CRLSets

1. Open Brave with a fresh profile
2. No connections are initiated to google domains. (use fiddler or little snitch to verify)
3. CRLSets should be available in <Data-Dir>/CertificateRevocation/<CRLSET_ID>
4. CRLSet ID can be verified via chrome://components (should NOT be 0.0.0.0)
5. Navigate to revoked.badssl.com - Should show a certificate error

For Component Updates

1. Restart Brave Browser
2. Wait for 8 mins, and verify that no components show Update Error
3. Verify only MEI Preload | Brave Local Data Updater | Brave Ad Block Updater | Brave Tor Client Updater (OS) | CRLSet | PDF Viewer (PDF.js) and Brave HTTPS Everywhere Updater have non-zero version numbers by default

For QA

On macOS the system uses the system CRLSets, so to verify this is working verify that the CertificateRevocation directory has the correct CRLSet version.

Please verify that revoked.badssl.com does not show error on Windows/Linux.

For devs:

Please use: brave/brave-browser#3452 to verify the network audit passes. The changes to the go-updater are still in dev. Will be transitioned to prod once QA sign-off is received.

Reviewer Checklist:

• New files have MPL-2.0 license header.
• Request a security/privacy review as needed.
• Adequate test coverage exists to prevent regressions
• Verify test plan is specified in PR before merging to source

[NejcZdovc]

can we remove this line as brave/brave-browser#663 was fixed?

[diracdeltas]

i think the MPL header is still needed. at least in the reviewer checklist it says New files have MPL-2.0 license header.

[jumde]

cc: @bridiver -

Should we remove the New files have MPL-2.0 license header. item from the reviewer checklist. Or use this header:

/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */

[jumde]

PR builder passed: https://staging.ci.brave.com/job/brave-browser-build-pr/job/PR-3452/

[bsclifton]

++

[jumde]

PR builder successful run: https://staging.ci.brave.com/view/all/job/brave-browser-build-pr/job/crlsets/3/

[bbondy]

Congratulations on landing this, great to see it closed @jumde !

[bsclifton]

🙌

[jumde]

Thank you! @bbondy @bsclifton