Only disable SHA-1 for local trust anchors if there's a PrefService

SHA-1 is being phased out, and beginning with M57, SHA-1 certificates signed by locally installed trust anchors is being disabled by default. To re-enable, Enterprises should set an EnableSha1ForLocalAnchors policy to allow it. However, for platforms without enterprise policies, or for embedders, this raises a question about what the default state should be - enabled or disabled. As Chrome itself expects there to be non-trivial impact (thus, the policy, supported until 1 Jan 2019), it is safer to leave the current behaviour, enabling SHA-1 for these certs, on by default, and leave it to embedders to disable (via the SSLConfig/SSLConfigService). If embedders support preferences, that's seen as sufficient support to enable some degree of run-time control/flexibility, thus the default is moved from //net to //components/ssl_config. Embedders using //net will continue to support SHA-1 anchors by default, while embedders that include //components/ssl_config (and use it) will disable it by default. BUG=673036 Review-Url: https://codereview.chromium.org/2613533004 Cr-Commit-Position: refs/heads/master@{#441481}

Only disable SHA-1 for local trust anchors if there's a PrefService
SHA-1 is being phased out, and beginning with M57, SHA-1 certificates signed by locally installed trust anchors is being disabled by default. To re-enable, Enterprises should set an EnableSha1ForLocalAnchors policy to allow it. However, for platforms without enterprise policies, or for embedders, this raises a question about what the default state should be - enabled or disabled. As Chrome itself expects there to be non-trivial impact (thus, the policy, supported until 1 Jan 2019), it is safer to leave the current behaviour, enabling SHA-1 for these certs, on by default, and leave it to embedders to disable (via the SSLConfig/SSLConfigService). If embedders support preferences, that's seen as sufficient support to enable some degree of run-time control/flexibility, thus the default is moved from //net to //components/ssl_config. Embedders using //net will continue to support SHA-1 anchors by default, while embedders that include //components/ssl_config (and use it) will disable it by default. BUG=673036 Review-Url: https://codereview.chromium.org/2613533004 Cr-Commit-Position: refs/heads/master@{#441481}
f344fae1 · rsleevi · Commit bot · 05265d26 · f344fae1 · f344fae1
Commit f344fae1 authored Jan 04, 2017 by rsleevi Committed by Commit bot Jan 04, 2017
3 changed files
--- a/components/ssl_config/ssl_config_service_manager_pref.cc
+++ b/components/ssl_config/ssl_config_service_manager_pref.cc
@@ -240,7 +240,7 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) {
      ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors,
      default_config.rev_checking_required_local_anchors);
  registry->RegisterBooleanPref(ssl_config::prefs::kCertEnableSha1LocalAnchors,
-                                default_config.sha1_local_anchors_enabled);
+                                false);
  registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMin,
                               std::string());
  registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMax,

--- a/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
+++ b/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
@@ -199,3 +199,53 @@ TEST_F(SSLConfigServiceManagerPrefTest, TLS13Feature) {
  config_service->GetSSLConfig(&ssl_config);
  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_3, ssl_config.version_max);
 }
+// Tests that SHA-1 signatures for local trust anchors can be enabled.
+TEST_F(SSLConfigServiceManagerPrefTest, SHA1ForLocalAnchors) {
+  scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());
+  TestingPrefServiceSimple local_state;
+  SSLConfigServiceManager::RegisterPrefs(local_state.registry());
+  std::unique_ptr<SSLConfigServiceManager> config_manager(
+      SSLConfigServiceManager::CreateDefaultManager(
+          &local_state, base::ThreadTaskRunnerHandle::Get()));
+  ASSERT_TRUE(config_manager);
+  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
+  ASSERT_TRUE(config_service);
+  // By default, SHA-1 local trust anchors should be enabled when not
+  // using any pref service.
+  SSLConfig config1;
+  EXPECT_TRUE(config1.sha1_local_anchors_enabled);
+  // Using a pref service without any preference set should result in
+  // SHA-1 local trust anchors being disabled.
+  SSLConfig config2;
+  config_service->GetSSLConfig(&config2);
+  EXPECT_FALSE(config2.sha1_local_anchors_enabled);
+  // Enabling the local preference should result in SHA-1 local trust anchors
+  // being enabled.
+  local_state.SetUserPref(ssl_config::prefs::kCertEnableSha1LocalAnchors,
+                          new base::FundamentalValue(true));
+  // Pump the message loop to notify the SSLConfigServiceManagerPref that the
+  // preferences changed.
+  base::RunLoop().RunUntilIdle();
+  SSLConfig config3;
+  config_service->GetSSLConfig(&config3);
+  EXPECT_TRUE(config3.sha1_local_anchors_enabled);
+  // Disabling the local preference should result in SHA-1 local trust
+  // anchors being disabled.
+  local_state.SetUserPref(ssl_config::prefs::kCertEnableSha1LocalAnchors,
+                          new base::FundamentalValue(false));
+  // Pump the message loop to notify the SSLConfigServiceManagerPref that the
+  // preferences changed.
+  base::RunLoop().RunUntilIdle();
+  SSLConfig config4;
+  config_service->GetSSLConfig(&config4);
+  EXPECT_FALSE(config4.sha1_local_anchors_enabled);
+}
--- a/net/ssl/ssl_config.cc
+++ b/net/ssl/ssl_config.cc
@@ -23,7 +23,7 @@ SSLConfig::CertAndStatus::~CertAndStatus() = default;
 SSLConfig::SSLConfig()
    : rev_checking_enabled(false),
      rev_checking_required_local_anchors(false),
-      sha1_local_anchors_enabled(false),
+      sha1_local_anchors_enabled(true),
      version_min(kDefaultSSLVersionMin),
      version_max(kDefaultSSLVersionMax),
      deprecated_cipher_suites_enabled(false),