Mark SHA-1 as deprecated

net/cert/cert_verify_proc.cc

Index: net/cert/cert_verify_proc.cc
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index 25afb0e9f3caf0fea3ec77def4aea315128c6926..0be1bd95f12dee996387ebccbe69ea7daec0f6a0 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -262,6 +262,23 @@ int CertVerifyProc::Verify(X509Certificate* cert,
       rv = MapCertStatusToNetError(verify_result->cert_status);
   }
 
+  // The date to begin warning about SHA-1 deprecation
+  // 2016-01-01 00:00:00 UTC
+  static const int64_t kSHA1DeprecationDate = INT64_C(13096080000000000);
+  if (verify_result->has_sha1 &&
+      verify_result->verified_cert->valid_expiry() >
+          base::Time::FromInternalValue(kSHA1DeprecationDate)) {
+    // The leaf certificate has a validity period beyond the (soft) SHA-1
+    // sunset date of 2016/1/1 and the (hard) SHA-1 sunset date of 2017/1/1,
+    // and SHA-1 appears in the chain. As such, flag it as deprecated.
+    //
+    // Note: Only the leaf validity period is checked, as it's expected that
+    // nearly all intermediates will exceed the 2016/2017 validity range. The
+    // purpose of this check is to discourage NEW SHA-1 certificates, which is
+    // why it's only necessary to check the leaf.
+    verify_result->cert_status |= CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM;
+  }
+
   // Flag certificates from publicly-trusted CAs that are issued to intranet
   // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit
   // these to be issued until 1 November 2015, they represent a real risk for