Add enterprise policy to allow locally issued SHA-1 certificates.

net/cert/cert_verify_proc.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <stdint.h>
 
 #include <algorithm>
 
@@ skipping 422 matching lines @@
   if (verify_result->has_sha1)
     verify_result->cert_status |= CERT_STATUS_SHA1_SIGNATURE_PRESENT;
 
   // Flag certificates using weak signature algorithms.
   // The CA/Browser Forum Baseline Requirements (beginning with v1.2.1)
   // prohibits SHA-1 certificates from being issued beginning on
   // 1 January 2016. Ideally, all of SHA-1 in new certificates would be
   // disabled on this date, but enterprises need more time to transition.
   // As the risk is greatest for publicly trusted certificates, prevent
   // those certificates from being trusted from that date forward.
+  //
+  // TODO(mattm): apply the SHA-1 deprecation check to all certs unless
+  // CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS flag is present.
   if (verify_result->has_md5 ||
       (verify_result->has_sha1_leaf && verify_result->is_issued_by_known_root &&
        IsPastSHA1DeprecationDate(*cert))) {
     verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
     // Avoid replacing a more serious error, such as an OS/library failure,
     // by ensuring that if verification failed, it failed with a certificate
     // error.
     if (rv == OK || IsCertificateError(rv))
       rv = MapCertStatusToNetError(verify_result->cert_status);
   }
@@ skipping 253 matching lines @@
     return true;
 
   // For certificates issued after 1 April 2015: 39 months.
   if (start >= time_2015_04_01 && month_diff > 39)
     return true;
 
   return false;
 }
 
 }  // namespace net