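// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_SYMANTEC_CERTS_H_
#define NET_CERT_SYMANTEC_CERTS_H_

#include <stddef.h>  // size_t, used by the *Length constants below.

// NOTE(review): NET_EXPORT_PRIVATE is not defined in this header; it is
// presumably provided transitively by hash_value.h - confirm.
#include "net/base/hash_value.h"

namespace net {

// |kSymantecRoots| contains the set of known active and legacy root
// certificates operated by Symantec Corporation. These roots are subject to
// Certificate Transparency requirements and deprecation messages. See
// <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html>
// and
// https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
// for details about why.
//
// Pre-existing, independently operated sub-CAs are exempt from these
// policies, and are listed in |kSymantecExceptions|.
//
// The Managed Partner CAs are required to disclose via Certificate
// Transparency, and are listed in |kSymantecManagedCAs|.
//
// Each table is an array of SHA-256 hash values declared with unknown bound,
// so sizeof() cannot recover its size in this translation unit: always bound
// iteration with the matching *Length constant.
// NOTE(review): the entries are presumably hashes of the CA public keys,
// since IsLegacySymantecCert() matches them against |public_key_hashes| -
// confirm against the definitions.
// NOTE(review): if the implementation looks entries up with a binary search,
// the tables must stay sorted - confirm in the .cc before editing them.
//
// Security note: |kSymantecExceptions| and |kSymantecManagedCAs| carve chains
// out of the legacy-Symantec policy. Adding an entry to either list widens
// the set of chains that escape that policy, so such changes deserve the same
// review as a root-store change.
NET_EXPORT_PRIVATE extern const SHA256HashValue kSymantecRoots[];
NET_EXPORT_PRIVATE extern const size_t kSymantecRootsLength;
NET_EXPORT_PRIVATE extern const SHA256HashValue kSymantecExceptions[];
NET_EXPORT_PRIVATE extern const size_t kSymantecExceptionsLength;
NET_EXPORT_PRIVATE extern const SHA256HashValue kSymantecManagedCAs[];
NET_EXPORT_PRIVATE extern const size_t kSymantecManagedCAsLength;

// Returns true if |public_key_hashes| identifies a certificate issued from
// Symantec's "legacy" PKI. This constraint excludes certificates that were
// issued by independently-operated subordinate CAs or from any "Managed CAs"
// that comply with
// https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html.
//
// |public_key_hashes| is the list of public key hashes to classify.
// NOTE(review): presumably the hashes of every certificate in the chain being
// evaluated - confirm against callers.
//
// This function receives hashes only, so it cannot verify signatures or chain
// building itself. Callers should pass hashes taken from a chain that has
// already been validated; hashes from an unverified, peer-supplied chain
// would let the peer influence the classification.
NET_EXPORT_PRIVATE bool IsLegacySymantecCert(
    const HashValueVector& public_key_hashes);

}  // namespace net

#endif  // NET_CERT_SYMANTEC_CERTS_H_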