authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-07-30 07:16:20 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-07-30 07:16:20 +0000
commit3a86a71669173b4f334c9a9103409051fccc728a (patch)
treeaec17ef458881b30f4788b69c98e1f5b88983e54 /net/ssl
parentae090402890667d295ca60612c956e7d225266a8 (diff)
Add a CertVerifier flag to enable hard fail for local (non-public) trust anchors.
If revocation checking fails when chaining to a locally trusted root, this will treat the certificate as revoked ('hard fail'). This does not affect revocation checking when chained to public CAs. BUG=258642 R=wtc TBR=robertshield Review URL: https://chromiumcodereview.appspot.com/18388005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@214312 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/ssl')
-rw-r--r--net/ssl/ssl_config_service.cc7
-rw-r--r--net/ssl/ssl_config_service.h11
2 files changed, 15 insertions, 3 deletions
diff --git a/net/ssl/ssl_config_service.cc b/net/ssl/ssl_config_service.cc
index 0561e7f..a2c34a2 100644
--- a/net/ssl/ssl_config_service.cc
+++ b/net/ssl/ssl_config_service.cc
@@ -37,6 +37,7 @@ SSLConfig::CertAndStatus::~CertAndStatus() {}
SSLConfig::SSLConfig()
: rev_checking_enabled(false),
+ rev_checking_required_local_anchors(false),
version_min(g_default_version_min),
version_max(g_default_version_max),
cached_info_enabled(false),
@@ -154,14 +155,16 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
const SSLConfig& new_config) {
bool config_changed =
(orig_config.rev_checking_enabled != new_config.rev_checking_enabled) ||
+ (orig_config.rev_checking_required_local_anchors !=
+ new_config.rev_checking_required_local_anchors) ||
(orig_config.version_min != new_config.version_min) ||
(orig_config.version_max != new_config.version_max) ||
(orig_config.disabled_cipher_suites !=
- new_config.disabled_cipher_suites) ||
+ new_config.disabled_cipher_suites) ||
(orig_config.channel_id_enabled != new_config.channel_id_enabled) ||
(orig_config.false_start_enabled != new_config.false_start_enabled) ||
(orig_config.unrestricted_ssl3_fallback_enabled !=
- new_config.unrestricted_ssl3_fallback_enabled);
+ new_config.unrestricted_ssl3_fallback_enabled);
if (config_changed)
NotifySSLConfigChange();
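Review bot: The `config_changed` expression in ProcessConfigUpdate is a hand-maintained list of field comparisons, so any SSLConfig field left out of it can change without `NotifySSLConfigChange()` being called. The new `rev_checking_required_local_anchors` is correctly added, but `cached_info_enabled` (initialised in the constructor hunk above) and `cert_io_enabled` are not compared here; whether that omission is intentional cannot be determined from this hunk. I would add a comment above the expression, for example `// Every SSLConfig field that changes verification or negotiation policy must be compared here; update this list when adding a field.` The re-indentation of the `disabled_cipher_suites` and `unrestricted_ssl3_fallback_enabled` continuation lines is an unrelated whitespace change that could be split out. The function body continues past the end of the hunk.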
diff --git a/net/ssl/ssl_config_service.h b/net/ssl/ssl_config_service.h
index c3a892b..a6a2bc7 100644
--- a/net/ssl/ssl_config_service.h
+++ b/net/ssl/ssl_config_service.h
@@ -56,6 +56,15 @@ struct NET_EXPORT SSLConfig {
// cached revocation information will be considered.
bool rev_checking_enabled;
+ // rev_checking_required_local_anchors is true if revocation checking is
+ // required to succeed when certificates chain to local trust anchors (that
+ // is, non-public CAs). If revocation information cannot be obtained, such
+ // certificates will be treated as revoked ("hard-fail").
+ // Note: This is distinct from rev_checking_enabled. If true, it is
+ // equivalent to also setting rev_checking_enabled, but only when the
+ // certificate chain chains to a local (non-public) trust anchor.
+ bool rev_checking_required_local_anchors;
+
// The minimum and maximum protocol versions that are enabled.
// SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
// (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
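Review bot: The new comment on `rev_checking_required_local_anchors` does not say how hard-fail interacts with `cert_io_enabled`, whose comment later in this struct says that disabling it implies online revocation checking is disabled. With hard-fail requested and certificate I/O off, a reader cannot tell whether chains to local anchors are then rejected or the requirement is silently dropped; the latter would be a fail-open path for a flag whose purpose is to fail closed. The role of cached revocation information, which the `rev_checking_enabled` comment mentions, is likewise left unstated for the hard-fail case. I would add a line such as `// TODO: document behaviour when cert_io_enabled is false (no online revocation fetches).` and replace it with the actual rule once confirmed against the verifier. The struct starts and ends outside this hunk.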
@@ -128,7 +137,7 @@ struct NET_EXPORT SSLConfig {
// result in additional HTTP requests. (For example: to fetch missing
// intermediates or to perform OCSP/CRL fetches.) It also implies that online
// revocation checking is disabled.
- // NOTE: currently only effective on Linux
+ // NOTE: Only used by NSS.
bool cert_io_enabled;
// The list of application level protocols supported. If set, this will