Add enterprise policy to allow locally issued SHA-1 certificates.

components/ssl_config/ssl_config_service_manager_pref.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "components/ssl_config/ssl_config_service_manager.h"
 
 #include <stdint.h>
 
 #include <algorithm>
 #include <string>
 #include <vector>
@@ skipping 154 matching lines @@
 
   // Processes changes to the disabled cipher suites preference, updating the
   // cached list of parsed SSL/TLS cipher suites that are disabled.
   void OnDisabledCipherSuitesChange(PrefService* local_state);
 
   PrefChangeRegistrar local_state_change_registrar_;
 
   // The local_state prefs (should only be accessed from UI thread)
   BooleanPrefMember rev_checking_enabled_;
   BooleanPrefMember rev_checking_required_local_anchors_;
+  BooleanPrefMember sha1_local_anchors_enabled_;
   StringPrefMember ssl_version_min_;
   StringPrefMember ssl_version_max_;
   BooleanPrefMember dhe_enabled_;
 
   // The cached list of disabled SSL cipher suites.
   std::vector<uint16_t> disabled_cipher_suites_;
 
   scoped_refptr<SSLConfigServicePref> ssl_config_service_;
 
   scoped_refptr<base::SingleThreadTaskRunner> io_task_runner_;
@@ skipping 18 matching lines @@
 
   PrefChangeRegistrar::NamedChangeCallback local_state_callback =
       base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged,
                  base::Unretained(this), local_state);
 
   rev_checking_enabled_.Init(ssl_config::prefs::kCertRevocationCheckingEnabled,
                              local_state, local_state_callback);
   rev_checking_required_local_anchors_.Init(
       ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors,
       local_state, local_state_callback);
+  sha1_local_anchors_enabled_.Init(
+      ssl_config::prefs::kCertEnableSha1LocalAnchors, local_state,
+      local_state_callback);
   ssl_version_min_.Init(ssl_config::prefs::kSSLVersionMin, local_state,
                         local_state_callback);
   ssl_version_max_.Init(ssl_config::prefs::kSSLVersionMax, local_state,
                         local_state_callback);
   dhe_enabled_.Init(ssl_config::prefs::kDHEEnabled, local_state,
                     local_state_callback);
 
   local_state_change_registrar_.Init(local_state);
   local_state_change_registrar_.Add(ssl_config::prefs::kCipherSuiteBlacklist,
                                     local_state_callback);
 
   OnDisabledCipherSuitesChange(local_state);
 
   // Initialize from UI thread.  This is okay as there shouldn't be anything on
   // the IO thread trying to access it yet.
   GetSSLConfigFromPrefs(&ssl_config_service_->cached_config_);
 }
 
 // static
 void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) {
   net::SSLConfig default_config;
   registry->RegisterBooleanPref(
       ssl_config::prefs::kCertRevocationCheckingEnabled,
       default_config.rev_checking_enabled);
   registry->RegisterBooleanPref(
       ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors,
       default_config.rev_checking_required_local_anchors);
+  registry->RegisterBooleanPref(ssl_config::prefs::kCertEnableSha1LocalAnchors,
+                                default_config.sha1_local_anchors_enabled);
   registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMin,
                                std::string());
   registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMax,
                                std::string());
   registry->RegisterListPref(ssl_config::prefs::kCipherSuiteBlacklist);
   registry->RegisterBooleanPref(ssl_config::prefs::kDHEEnabled,
                                 default_config.dhe_enabled);
 }
 
 net::SSLConfigService* SSLConfigServiceManagerPref::Get() {
@@ skipping 20 matching lines @@
 void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
     net::SSLConfig* config) {
   // rev_checking_enabled was formerly a user-settable preference, but now
   // it is managed-only.
   if (rev_checking_enabled_.IsManaged())
     config->rev_checking_enabled = rev_checking_enabled_.GetValue();
   else
     config->rev_checking_enabled = false;
   config->rev_checking_required_local_anchors =
       rev_checking_required_local_anchors_.GetValue();
+  config->sha1_local_anchors_enabled = sha1_local_anchors_enabled_.GetValue();
   std::string version_min_str = ssl_version_min_.GetValue();
   std::string version_max_str = ssl_version_max_.GetValue();
   config->version_min = net::kDefaultSSLVersionMin;
   config->version_max = net::kDefaultSSLVersionMax;
   uint16_t version_min = SSLProtocolVersionFromString(version_min_str);
   uint16_t version_max = SSLProtocolVersionFromString(version_max_str);
   if (version_min) {
     config->version_min = version_min;
   }
   if (version_max) {
@@ skipping 19 matching lines @@
     PrefService* local_state,
     const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) {
   return new SSLConfigServiceManagerPref(local_state, io_task_runner);
 }
 
 // static
 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) {
   SSLConfigServiceManagerPref::RegisterPrefs(registry);
 }
 }  // namespace ssl_config