authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-07 00:28:59 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-07 00:28:59 +0000
commit47ea65f514d695a05e1d957be9b17cde2ac51f33 (patch)
tree358edebf16e3292a4389125a5a4e651601678c50
parent2106b2c5b24189a3c566dd2253df7c5d6e547d27 (diff)
Add an enterprise policy preference for requiring revocation checks (hard fail) for local anchors
BUG=258642 Review URL: https://chromiumcodereview.appspot.com/18959003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@216045 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/app/policy/policy_templates.json20
-rw-r--r--chrome/browser/net/ssl_config_service_manager_pref.cc13
-rw-r--r--chrome/browser/policy/configuration_policy_handler_list.cc3
-rw-r--r--chrome/browser/policy/configuration_policy_pref_store_unittest.cc2
-rw-r--r--chrome/common/pref_names.cc2
-rw-r--r--chrome/common/pref_names.h1
-rw-r--r--chrome/test/data/policy/policy_test_cases.json10
7 files changed, 49 insertions, 2 deletions
diff --git a/chrome/app/policy/policy_templates.json b/chrome/app/policy/policy_templates.json
index 795679d..1cc9245 100644
--- a/chrome/app/policy/policy_templates.json
+++ b/chrome/app/policy/policy_templates.json
@@ -117,7 +117,7 @@
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
-# For your editing convenience: highest ID currently used: 234
+# For your editing convenience: highest ID currently used: 235
#
# Placeholders:
# The following placeholder strings are automatically substituted:
@@ -3248,6 +3248,24 @@
If the policy is not set, or is set to false, then Chrome will not perform online revocation checks in Chrome 19 and later.''',
},
{
+ 'name': 'RequireOnlineRevocationChecksForLocalAnchors',
+ 'type': 'main',
+ 'schema': { 'type': 'boolean' },
+ 'supported_on': ['chrome_os:0.30-', 'chrome.linux:30-', 'chrome.win:30-'],
+ 'features': {
+ 'dynamic_refresh': True,
+ 'per_profile': False,
+ },
+ 'example_value': False,
+ 'id': 235,
+ 'caption': '''Whether online OCSP/CRL checks are required for local trust anchors''',
+ 'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will always perform revocation checking for server certificates that successfully validate and are signed by locally-installed CA certificates.
+
+ If <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is unable to obtain revocation status information, such certificates will be treated as revoked ('hard-fail').
+
+ If this policy is not set, or it is set to false, then Chrome will use the existing online revocation checking settings.''',
+ },
+ {
'name': 'ReportDeviceVersionInfo',
'type': 'main',
'schema': { 'type': 'boolean' },
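Review bot: The last paragraph of the new 'desc' names the product literally ("then Chrome will use the existing online revocation checking settings") while the two paragraphs above it use the PRODUCT_NAME placeholder; for consistency within the entry it could read `If this policy is not set, or it is set to false, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the existing online revocation checking settings.` The preceding policy's text in the context lines has the same literal, so this mirrors an existing pattern rather than introducing one. Since the caption promises hard-fail behaviour, the desc would also benefit from one sentence stating whether the requirement applies even when the separate online-revocation-checks policy is disabled, if that is the intended semantics; the hunk does not show that interaction.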
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc
index 44efff4..ba52876 100644
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc
@@ -171,6 +171,7 @@ class SSLConfigServiceManagerPref
// The local_state prefs (should only be accessed from UI thread)
BooleanPrefMember rev_checking_enabled_;
+ BooleanPrefMember rev_checking_required_local_anchors_;
StringPrefMember ssl_version_min_;
StringPrefMember ssl_version_max_;
BooleanPrefMember channel_id_enabled_;
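Review bot: The new member `rev_checking_required_local_anchors_` carries no comment of its own, and the group comment above only says the prefs are local_state; because this flag turns a failed revocation fetch into a rejected connection, its meaning is worth stating at the declaration, e.g. `// Hard-fail: when true, certificates chaining to a locally-installed anchor` / `// are treated as revoked if revocation status cannot be obtained.` The Init and GetSSLConfigFromPrefs hunks below read and copy the pref unconditionally, alongside rev_checking_enabled_ rather than gated on it, so whether net/ honours the hard-fail flag when general online checking is off is decided outside this diff and worth confirming in the comment. The class definition and the constructor body both extend outside these hunks.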
@@ -197,6 +198,10 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
rev_checking_enabled_.Init(
prefs::kCertRevocationCheckingEnabled, local_state, local_state_callback);
+ rev_checking_required_local_anchors_.Init(
+ prefs::kCertRevocationCheckingRequiredLocalAnchors,
+ local_state,
+ local_state_callback);
ssl_version_min_.Init(
prefs::kSSLVersionMin, local_state, local_state_callback);
ssl_version_max_.Init(
@@ -206,7 +211,8 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
ssl_record_splitting_disabled_.Init(
prefs::kDisableSSLRecordSplitting, local_state, local_state_callback);
unrestricted_ssl3_fallback_enabled_.Init(
- prefs::kEnableUnrestrictedSSL3Fallback, local_state,
+ prefs::kEnableUnrestrictedSSL3Fallback,
+ local_state,
local_state_callback);
local_state_change_registrar_.Init(local_state);
@@ -225,6 +231,9 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) {
net::SSLConfig default_config;
registry->RegisterBooleanPref(prefs::kCertRevocationCheckingEnabled,
default_config.rev_checking_enabled);
+ registry->RegisterBooleanPref(
+ prefs::kCertRevocationCheckingRequiredLocalAnchors,
+ default_config.rev_checking_required_local_anchors);
std::string version_min_str =
SSLProtocolVersionToString(default_config.version_min);
std::string version_max_str =
@@ -271,6 +280,8 @@ void SSLConfigServiceManagerPref::OnPreferenceChanged(
void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
net::SSLConfig* config) {
config->rev_checking_enabled = rev_checking_enabled_.GetValue();
+ config->rev_checking_required_local_anchors =
+ rev_checking_required_local_anchors_.GetValue();
std::string version_min_str = ssl_version_min_.GetValue();
std::string version_max_str = ssl_version_max_.GetValue();
config->version_min = net::SSLConfigService::default_version_min();
diff --git a/chrome/browser/policy/configuration_policy_handler_list.cc b/chrome/browser/policy/configuration_policy_handler_list.cc
index 08a1a38..03c0711 100644
--- a/chrome/browser/policy/configuration_policy_handler_list.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list.cc
@@ -189,6 +189,9 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
{ key::kEnableOnlineRevocationChecks,
prefs::kCertRevocationCheckingEnabled,
Value::TYPE_BOOLEAN },
+ { key::kRequireOnlineRevocationChecksForLocalAnchors,
+ prefs::kCertRevocationCheckingRequiredLocalAnchors,
+ Value::TYPE_BOOLEAN },
{ key::kAuthSchemes,
prefs::kAuthSchemes,
Value::TYPE_STRING },
diff --git a/chrome/browser/policy/configuration_policy_pref_store_unittest.cc b/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
index d628d153b..dce901a 100644
--- a/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
+++ b/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
@@ -246,6 +246,8 @@ INSTANTIATE_TEST_CASE_P(
prefs::kDisableSSLRecordSplitting),
PolicyAndPref(key::kEnableOnlineRevocationChecks,
prefs::kCertRevocationCheckingEnabled),
+ PolicyAndPref(key::kRequireOnlineRevocationChecksForLocalAnchors,
+ prefs::kCertRevocationCheckingRequiredLocalAnchors),
PolicyAndPref(key::kDisableAuthNegotiateCnameLookup,
prefs::kDisableAuthNegotiateCnameLookup),
PolicyAndPref(key::kEnableAuthNegotiatePort,
diff --git a/chrome/common/pref_names.cc b/chrome/common/pref_names.cc
index 84189e1..64ea5b7 100644
--- a/chrome/common/pref_names.cc
+++ b/chrome/common/pref_names.cc
@@ -1318,6 +1318,8 @@ const char kProfileInfoCache[] = "profile.info_cache";
// Prefs for SSLConfigServicePref.
const char kCertRevocationCheckingEnabled[] = "ssl.rev_checking.enabled";
+const char kCertRevocationCheckingRequiredLocalAnchors[] =
+ "ssl.rev_checking.required_for_local_anchors";
const char kSSLVersionMin[] = "ssl.version_min";
const char kSSLVersionMax[] = "ssl.version_max";
const char kCipherSuiteBlacklist[] = "ssl.cipher_suites.blacklist";
diff --git a/chrome/common/pref_names.h b/chrome/common/pref_names.h
index f4ced8e..7fe5493 100644
--- a/chrome/common/pref_names.h
+++ b/chrome/common/pref_names.h
@@ -443,6 +443,7 @@ extern const char kMessageCenterEnabledSyncNotifierIds[];
// Local state prefs. Please add Profile prefs above instead.
extern const char kCertRevocationCheckingEnabled[];
+extern const char kCertRevocationCheckingRequiredLocalAnchors[];
extern const char kSSLVersionMin[];
extern const char kSSLVersionMax[];
extern const char kCipherSuiteBlacklist[];
diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json
index b2db7bf..5ad4371 100644
--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
@@ -526,6 +526,16 @@
]
},
+ "RequireOnlineRevocationChecksForLocalAnchors": {
+ "os": ["win", "linux", "chromeos"],
+ "test_policy": { "RequireOnlineRevocationChecksForLocalAnchors": true },
+ "pref_mappings": [
+ { "pref": "ssl.rev_checking.required_for_local_anchors",
+ "local_state": true
+ }
+ ]
+ },
+
"AuthSchemes": {
"os": ["win", "linux", "mac", "chromeos"],
"test_policy": { "AuthSchemes": "AuthSchemes" },