// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// This file contains a set of root CAs which are required to disclose
// all certificates via Certificate Transparency, as well as exceptions
// for independent and disclosed sub-CAs.
//
// It is meant to be directly included in transport_security_state.cc
// within an unnamed namespace.
// One Certificate Transparency enforcement rule: a set of CA keys whose
// certificates must be CT-disclosed, the date enforcement starts, and an
// optional set of CA keys that are exempt from the rule.
//
// Members are filled in positionally by aggregate initialization, so their
// order is part of the contract with every initializer of this struct.
struct CTRequiredPolicy {
  // SHA-256 hashes of issuing CAs' SubjectPublicKeyInfo (the same format as
  // HTTP Public Key Pinning). A certificate that chains to or through any of
  // these keys MUST be disclosed via Certificate Transparency. Matching is on
  // the public key, so it does not depend on which certificate carries it.
  const SHA256HashValue* roots;

  // Number of entries in |roots|.
  size_t roots_length;

  // When enforcement begins, expressed as an offset from the Unix Epoch. A
  // zero value (base::TimeDelta()) means the policy is enforced for all
  // certificates.
  // NOTE(review): which certificate timestamp this is compared against is
  // decided by the code that consumes the policy, not here - confirm there.
  base::TimeDelta effective_date;

  // SHA-256 SubjectPublicKeyInfo hashes of issuing CAs that are exempt. A
  // certificate that ALSO chains to or through one of these keys is not
  // subject to the CT requirement, even though it chained through |roots|.
  // Each entry narrows enforcement, so additions deserve the same scrutiny
  // as a change to |roots|. May be nullptr when |exceptions_length| is 0;
  // readers must bound any access by the length.
  const SHA256HashValue* exceptions;

  // Number of entries in |exceptions|.
  size_t exceptions_length;
};

// The complete, fixed-size policy table returned by GetCTRequiredPolicies().
using CTRequiredPolicies = CTRequiredPolicy[2];
// Returns the built-in table of CAs that are required to disclose their
// certificates via Certificate Transparency.
//
// The table is a function-local static, so the returned reference stays
// valid for the lifetime of the process. It holds two policies:
//   1. The Symantec roots, enforced from 1 June 2016, with exceptions for
//      the keys listed in kSymantecExceptions.
//   2. The Symantec managed CAs, enforced for all certificates, with no
//      exceptions.
const CTRequiredPolicies& GetCTRequiredPolicies() {
  // The array bound is deduced from the initializer. Because the return type
  // is a reference to an array of exactly two policies, adding or removing
  // an entry without updating CTRequiredPolicies fails to compile instead of
  // silently truncating or zero-filling the table.
  static const CTRequiredPolicy kPolicyTable[] = {
      // See net/data/ssl/symantec/README.md
      {
          /*roots=*/kSymantecRoots,
          /*roots_length=*/kSymantecRootsLength,
          // 1 June 2016, 00:00:00 GMT.
          /*effective_date=*/base::Seconds(1464739200),
          /*exceptions=*/kSymantecExceptions,
          /*exceptions_length=*/kSymantecExceptionsLength,
      },
      {
          /*roots=*/kSymantecManagedCAs,
          /*roots_length=*/kSymantecManagedCAsLength,
          // Zero effective date: enforced for all certificates.
          /*effective_date=*/base::TimeDelta(),
          // No exemptions for this set.
          /*exceptions=*/nullptr,
          /*exceptions_length=*/0,
      },
  };
  return kPolicyTable;
}