Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(168)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verifier.h

Issue 2239963002: Add enterprise policy to allow locally issued SHA-1 certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« components/policy/resources/policy_templates.json ('K') | « components/ssl_config/ssl_config_service_manager_pref.cc ('k') | net/cert/cert_verify_proc.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_CERT_CERT_VERIFIER_H_ 5 #ifndef NET_CERT_CERT_VERIFIER_H_
6 #define NET_CERT_CERT_VERIFIER_H_ 6 #define NET_CERT_CERT_VERIFIER_H_
7 7
8 #include <memory> 8 #include <memory>
9 #include <string> 9 #include <string>
10 #include <vector> 10 #include <vector>
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after
68 // If set, this is equivalent to VERIFY_REV_CHECKING_ENABLED, in that it 68 // If set, this is equivalent to VERIFY_REV_CHECKING_ENABLED, in that it
69 // enables online revocation checking via CRLs or OCSP, but only 69 // enables online revocation checking via CRLs or OCSP, but only
70 // for certificates issued by non-public trust anchors. Failure to check 70 // for certificates issued by non-public trust anchors. Failure to check
71 // revocation is treated as a hard failure. 71 // revocation is treated as a hard failure.
72 // Note: If VERIFY_CERT_IO_ENABLE is not also supplied, certificates 72 // Note: If VERIFY_CERT_IO_ENABLE is not also supplied, certificates
73 // that chain to local trust anchors will likely fail - for example, due to 73 // that chain to local trust anchors will likely fail - for example, due to
74 // lacking fresh cached revocation issue (Windows) or because OCSP stapling 74 // lacking fresh cached revocation issue (Windows) or because OCSP stapling
75 // can only provide information for the leaf, and not for any 75 // can only provide information for the leaf, and not for any
76 // intermediates. 76 // intermediates.
77 VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS = 1 << 4, 77 VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS = 1 << 4,
78
79 // If set, certificates with SHA-1 signatures will be allowed, but only if
80 // they are issued by non-public trust anchors.
81 VERIFY_ENABLE_SHA1_LOCAL_ANCHORS = 1 << 5,
78 }; 82 };
79 83
80 // Parameters to verify |certificate| against the supplied 84 // Parameters to verify |certificate| against the supplied
81 // |hostname| as an SSL server. 85 // |hostname| as an SSL server.
82 // 86 //
83 // |hostname| should be a canonicalized hostname (in A-Label form) or IP 87 // |hostname| should be a canonicalized hostname (in A-Label form) or IP
84 // address in string form, following the rules of a URL host portion. In 88 // address in string form, following the rules of a URL host portion. In
85 // the case of |hostname| being a domain name, it may contain a trailing 89 // the case of |hostname| being a domain name, it may contain a trailing
86 // dot (e.g. "example.com."), as used to signal to DNS not to perform 90 // dot (e.g. "example.com."), as used to signal to DNS not to perform
87 // suffix search, and it will safely be ignored. If |hostname| is an IPv6 91 // suffix search, and it will safely be ignored. If |hostname| is an IPv6
(...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after
169 virtual bool SupportsOCSPStapling(); 173 virtual bool SupportsOCSPStapling();
170 174
171 // Creates a CertVerifier implementation that verifies certificates using 175 // Creates a CertVerifier implementation that verifies certificates using
172 // the preferred underlying cryptographic libraries. 176 // the preferred underlying cryptographic libraries.
173 static std::unique_ptr<CertVerifier> CreateDefault(); 177 static std::unique_ptr<CertVerifier> CreateDefault();
174 }; 178 };
175 179
176 } // namespace net 180 } // namespace net
177 181
178 #endif // NET_CERT_CERT_VERIFIER_H_ 182 #endif // NET_CERT_CERT_VERIFIER_H_
OLDNEW
« components/policy/resources/policy_templates.json ('K') | « components/ssl_config/ssl_config_service_manager_pref.cc ('k') | net/cert/cert_verify_proc.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698