1// Copyright 2016 The Chromium Authors
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5// This file contains a set of root CAs which are required to disclose
6// all certificates via Certificate Transparency, as well as exceptions
7// for independent and disclosed sub-CAs.
8//
9// It is meant to be directly included in transport_security_state.cc
10// within an unnamed namespace.
11
// One Certificate Transparency enforcement rule: a set of CA keys whose
// certificates must be CT-disclosed, the date enforcement starts, and a set
// of CA keys that are exempt. Members are plain pointer/length pairs; nothing
// in this struct checks that a length matches the array its pointer refers
// to, so each initializer must pair an array with its own length constant.
struct CTRequiredPolicy {
  // SHA-256 hashes of issuing CAs' SubjectPublicKeyInfo (the same format as
  // HTTP Public Key Pinning). A certificate that chains to or through any of
  // these keys MUST be disclosed via Certificate Transparency.
  // This field is not a raw_ptr<> because it was filtered by the rewriter for: #global-scope
  RAW_PTR_EXCLUSION const SHA256HashValue* roots;

  // Count of entries in |roots|.
  size_t roots_length;

  // When enforcement starts, expressed as an offset from the Unix Epoch.
  // A zero value (base::TimeDelta()) means the policy is enforced for all
  // certificates.
  // NOTE(review): which certificate timestamp is compared against this value
  // is decided by the including file and is not visible here.
  base::TimeDelta effective_date;

  // SHA-256 hashes of issuing CAs' SubjectPublicKeyInfo that are exempt. A
  // certificate that ALSO chains to or through one of these keys is not
  // subject to the CT requirement, even though it chained through |roots|.
  // Because the match is on the public key, every entry here is a standing
  // exemption for that key and should be reviewed as such.
  // This field is not a raw_ptr<> because it was filtered by the rewriter for: #global-scope
  RAW_PTR_EXCLUSION const SHA256HashValue* exceptions;

  // Count of entries in |exceptions|.
  size_t exceptions_length;
};
38
// Array type for the fixed-size table (two entries) of CT-required policies.
using CTRequiredPolicies = CTRequiredPolicy[2];
40
// Returns the built-in table of CT-required policies.
//
// The table is a function-local static, so it is built on first call and the
// returned reference stays valid afterwards. Its array bound is deduced from
// the initializer list; if an entry is added or removed without updating
// CTRequiredPolicies, binding the return value fails to compile rather than
// silently truncating or padding the table.
const CTRequiredPolicies& GetCTRequiredPolicies() {
  static const CTRequiredPolicy kPolicyTable[] = {
      // See net/data/ssl/symantec/README.md
      {
          /*roots=*/kSymantecRoots,
          /*roots_length=*/kSymantecRootsLength,
          // 1 June 2016, 00:00:00 GMT.
          /*effective_date=*/base::Seconds(1464739200),
          /*exceptions=*/kSymantecExceptions,
          /*exceptions_length=*/kSymantecExceptionsLength,
      },
      // Zero effective date (enforced for all certificates), no exceptions.
      {
          /*roots=*/kSymantecManagedCAs,
          /*roots_length=*/kSymantecManagedCAsLength,
          /*effective_date=*/base::TimeDelta(),
          /*exceptions=*/nullptr,
          /*exceptions_length=*/0,
      },
  };

  return kPolicyTable;
}
58