Report second-level domains for UMA on pin failure.

net/base/transport_security_state.cc

Index: net/base/transport_security_state.cc
===================================================================
--- net/base/transport_security_state.cc	(revision 107146)
+++ net/base/transport_security_state.cc	(working copy)
@@ -21,6 +21,7 @@
 #include "base/json/json_writer.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/metrics/histogram.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
 #include "base/string_tokenizer.h"
@@ -37,6 +38,8 @@
 
 namespace net {
 
+static const char kPublicKeyPinFailure[] = "SSL.PublicKeyPinFailure";
+
 const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365;  // 1 year
 
 TransportSecurityState::TransportSecurityState(const std::string& hsts_hosts)
@@ -248,7 +251,7 @@
           continue;
         if (*tokenizer.token_begin() != '=')
           return false;
-        DCHECK(tokenizer.token().length() ==  1);
+        DCHECK_EQ(tokenizer.token().length(), 1U);

[Chris Evans, 2011/10/26 22:49:46]

Style nit: the expectation usually comes first in the DCHECK_EQ macro.

         state = AFTER_MAX_AGE_EQUALS;
         break;
 
@@ -807,12 +810,49 @@
   return new_host;
 }
 
+// |ReportUMAOnPinFailure| uses these to report which domain was associated
+// with the public key pinning failure.
+//
+// DO NOT CHANGE THE ORDERING OF THESE NAMES OR REMOVE ANY OF THEM. Add new
+// domains at the END of the listing.

[Chris Evans, 2011/10/26 22:49:46]

Nit: clarify "END"? i.e. before and not after DOMAIN_NUM_EVENTS :)

[palmer, 2011/10/27 01:15:45]

Done.

+enum LowResolutionDomainName {
+  DOMAIN_NOT_PINNED,
+
+  DOMAIN_GOOGLE_COM,
+  DOMAIN_ANDROID_COM,
+  DOMAIN_GOOGLE_ANALYTICS_COM,
+  DOMAIN_GOOGLEPLEX_COM,
+  DOMAIN_YTIMG_COM,
+  DOMAIN_GOOGLEUSERCONTENT_COM,
+  DOMAIN_YOUTUBE_COM,
+  DOMAIN_GOOGLEAPIS_COM,
+  DOMAIN_GOOGLEADSERVICES_COM,
+  DOMAIN_GOOGLECODE_COM,
+  DOMAIN_APPSPOT_COM,
+  DOMAIN_GOOGLESYNDICATION_COM,
+  DOMAIN_DOUBLECLICK_NET,
+  DOMAIN_GSTATIC_COM,
+  DOMAIN_GMAIL_COM,
+  DOMAIN_GOOGLEMAIL_COM,
+  DOMAIN_GOOGLEGROUPS_COM,
+
+  DOMAIN_TORPROJECT_ORG,
+
+  DOMAIN_TWITTER_COM,
+  DOMAIN_TWIMG_COM,
+  DOMAIN_AKAMAIHD_NET,
+
+  // Boundary value for UMA_HISTOGRAM_ENUMERATION:
+  DOMAIN_NUM_EVENTS
+};
+
 struct HSTSPreload {
   uint8 length;
   bool include_subdomains;
   char dns_name[30];
   bool https_required;
   const char* const* required_hashes;
+  LowResolutionDomainName low_res_name;
 };
 
 static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
@@ -963,160 +1003,218 @@
 // slightly odd form removes the need for additional relocations records.
 static const struct HSTSPreload kPreloadedSTS[] = {
   // (*.)google.com, iff using SSL must use an acceptable certificate.
-  {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
+  {12, true, "\006google\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },

[Chris Evans, 2011/10/26 22:49:46]

Style nit: DOMAIN_GOOGLE_COM should probably be aligned with the "D" under ther
"1" ?

[palmer, 2011/10/27 01:15:45]

No, the style guide calls for 4 spaces of indentation on continuation lines.

   {25, true, "\013pinningtest\007appspot\003com", false,
-      kTestAcceptableCerts },
+      kTestAcceptableCerts, DOMAIN_APPSPOT_COM },
   // Now we force HTTPS for subtrees of google.com.
-  {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
-  {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
-  {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
-  {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
+  {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM  },
+  {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {25, true, "\014spreadsheets\006google\003com", true,
-      kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
   {22, false, "\011appengine\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
-  {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
+  {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {23, true, "\012talkgadget\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
+  {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {29, true, "\020hostedtalkgadget\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
+  {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   // Other Google-related domains that must use HTTPS.
-  {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
+  {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_ANDROID_COM },
   {26, true, "\003ssl\020google-analytics\003com", true,
-      kGoogleAcceptableCerts },
-  {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
-  {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
-  {19, true, "\006groups\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_ANALYTICS_COM },
+  {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEPLEX_COM },
+  {19, true, "\006groups\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   // Other Google-related domains that must use an acceptable certificate
   // iff using SSL.
-  {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
-  {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
-  {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
-  {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
-  {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
-  {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
-  {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
-  {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
-  {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
-  {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
+  {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_YTIMG_COM },
+  {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEUSERCONTENT_COM },
+  {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_YOUTUBE_COM },
+  {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEAPIS_COM },
+  {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEADSERVICES_COM },
+  {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLECODE_COM },
+  {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_APPSPOT_COM },
+  {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLESYNDICATION_COM },
+  {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts,
+      DOMAIN_DOUBLECLICK_NET },
+  {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GSTATIC_COM },
   // Exclude the learn.doubleclick.net subdomain because it uses a different
   // CA.
-  {23, true, "\005learn\013doubleclick\003net", false, 0 },
+  {23, true, "\005learn\013doubleclick\003net", false, 0,
+      DOMAIN_DOUBLECLICK_NET },
   // Now we force HTTPS for other sites that have requested it.
-  {16, false, "\003www\006paypal\003com", true, 0 },
-  {16, false, "\003www\006elanex\003biz", true, 0 },
-  {12, true,  "\006jottit\003com", true, 0 },
-  {19, true,  "\015sunshinepress\003org", true, 0 },
-  {21, false, "\003www\013noisebridge\003net", true, 0 },
-  {10, false, "\004neg9\003org", true, 0 },
-  {12, true, "\006riseup\003net", true, 0 },
-  {11, false, "\006factor\002cc", true, 0 },
-  {22, false, "\007members\010mayfirst\003org", true, 0 },
-  {22, false, "\007support\010mayfirst\003org", true, 0 },
-  {17, false, "\002id\010mayfirst\003org", true, 0 },
-  {20, false, "\005lists\010mayfirst\003org", true, 0 },
-  {19, true, "\015splendidbacon\003com", true, 0 },
-  {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
-  {14, true, "\011ottospora\002nl", true, 0 },
-  {25, false, "\003www\017paycheckrecords\003com", true, 0 },
-  {14, false, "\010lastpass\003com", true, 0 },
-  {18, false, "\003www\010lastpass\003com", true, 0 },
-  {14, true, "\010keyerror\003com", true, 0 },
-  {13, false, "\010entropia\002de", true, 0 },
-  {17, false, "\003www\010entropia\002de", true, 0 },
-  {11, true, "\005romab\003com", true, 0 },
-  {16, false, "\012logentries\003com", true, 0 },
-  {20, false, "\003www\012logentries\003com", true, 0 },
-  {12, true, "\006stripe\003com", true, 0 },
-  {27, true, "\025cloudsecurityalliance\003org", true, 0 },
-  {15, true, "\005login\004sapo\002pt", true, 0 },
-  {19, true, "\015mattmccutchen\003net", true, 0 },
-  {11, true, "\006betnet\002fr", true, 0 },
-  {13, true, "\010uprotect\002it", true, 0 },
-  {14, false, "\010squareup\003com", true, 0 },
-  {9, true, "\004cert\002se", true, 0 },
-  {11, true, "\006crypto\002is", true, 0 },
-  {20, true, "\005simon\007butcher\004name", true, 0 },
-  {10, true, "\004linx\003net", true, 0 },
-  {13, false, "\007dropcam\003com", true, 0 },
-  {17, false, "\003www\007dropcam\003com", true, 0 },
-  {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
-  {13, false, "\007epoxate\003com", true, 0 },
-  {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
-  {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
-  {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
-  {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
-  {22, true, "\003www\014moneybookers\003com", true, 0 },
-  {17, false, "\013ledgerscope\003net", true, 0 },
-  {21, false, "\003www\013ledgerscope\003net", true, 0 },
-  {10, false, "\004kyps\003net", true, 0 },
-  {14, false, "\003www\004kyps\003net", true, 0 },
-  {17, true, "\003app\007recurly\003com", true, 0 },
-  {17, true, "\003api\007recurly\003com", true, 0 },
-  {13, false, "\007greplin\003com", true, 0 },
-  {17, false, "\003www\007greplin\003com", true, 0 },
-  {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
-  {12, true, "\006ubertt\003org", true, 0 },
+  {16, false, "\003www\006paypal\003com", true, 0, DOMAIN_NOT_PINNED },
+  {16, false, "\003www\006elanex\003biz", true, 0, DOMAIN_NOT_PINNED },
+  {12, true,  "\006jottit\003com", true, 0, DOMAIN_NOT_PINNED },
+  {19, true,  "\015sunshinepress\003org", true, 0, DOMAIN_NOT_PINNED },
+  {21, false, "\003www\013noisebridge\003net", true, 0,
+      DOMAIN_NOT_PINNED },
+  {10, false, "\004neg9\003org", true, 0, DOMAIN_NOT_PINNED },
+  {12, true, "\006riseup\003net", true, 0, DOMAIN_NOT_PINNED },
+  {11, false, "\006factor\002cc", true, 0, DOMAIN_NOT_PINNED },
+  {22, false, "\007members\010mayfirst\003org", true, 0, DOMAIN_NOT_PINNED },
+  {22, false, "\007support\010mayfirst\003org", true, 0, DOMAIN_NOT_PINNED },
+  {17, false, "\002id\010mayfirst\003org", true, 0, DOMAIN_NOT_PINNED },
+  {20, false, "\005lists\010mayfirst\003org", true, 0, DOMAIN_NOT_PINNED },
+  {19, true, "\015splendidbacon\003com", true, 0, DOMAIN_NOT_PINNED },
+  {28, false, "\016aladdinschools\007appspot\003com", true, 0,
+      DOMAIN_APPSPOT_COM },
+  {14, true, "\011ottospora\002nl", true, 0, DOMAIN_NOT_PINNED },
+  {25, false, "\003www\017paycheckrecords\003com", true, 0,
+      DOMAIN_NOT_PINNED },
+  {14, false, "\010lastpass\003com", true, 0, DOMAIN_NOT_PINNED },
+  {18, false, "\003www\010lastpass\003com", true, 0, DOMAIN_NOT_PINNED },
+  {14, true, "\010keyerror\003com", true, 0, DOMAIN_NOT_PINNED },
+  {13, false, "\010entropia\002de", true, 0, DOMAIN_NOT_PINNED },
+  {17, false, "\003www\010entropia\002de", true, 0, DOMAIN_NOT_PINNED },
+  {11, true, "\005romab\003com", true, 0, DOMAIN_NOT_PINNED },
+  {16, false, "\012logentries\003com", true, 0, DOMAIN_NOT_PINNED },
+  {20, false, "\003www\012logentries\003com", true, 0, DOMAIN_NOT_PINNED },
+  {12, true, "\006stripe\003com", true, 0, DOMAIN_NOT_PINNED },
+  {27, true, "\025cloudsecurityalliance\003org", true, 0,
+      DOMAIN_NOT_PINNED },
+  {15, true, "\005login\004sapo\002pt", true, 0, DOMAIN_NOT_PINNED },
+  {19, true, "\015mattmccutchen\003net", true, 0, DOMAIN_NOT_PINNED },
+  {11, true, "\006betnet\002fr", true, 0, DOMAIN_NOT_PINNED },
+  {13, true, "\010uprotect\002it", true, 0, DOMAIN_NOT_PINNED },
+  {14, false, "\010squareup\003com", true, 0, DOMAIN_NOT_PINNED },
+  {9, true, "\004cert\002se", true, 0, DOMAIN_NOT_PINNED },
+  {11, true, "\006crypto\002is", true, 0, DOMAIN_NOT_PINNED },
+  {20, true, "\005simon\007butcher\004name", true, 0, DOMAIN_NOT_PINNED },
+  {10, true, "\004linx\003net", true, 0, DOMAIN_NOT_PINNED },
+  {13, false, "\007dropcam\003com", true, 0, DOMAIN_NOT_PINNED },
+  {17, false, "\003www\007dropcam\003com", true, 0, DOMAIN_NOT_PINNED },
+  {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0,
+      DOMAIN_NOT_PINNED },
+  {13, false, "\007epoxate\003com", true, 0, DOMAIN_NOT_PINNED },
+  {16, false, "\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {22, true, "\003www\014moneybookers\003com", true, 0,
+      DOMAIN_NOT_PINNED },
+  {17, false, "\013ledgerscope\003net", true, 0, DOMAIN_NOT_PINNED },
+  {21, false, "\003www\013ledgerscope\003net", true, 0,
+      DOMAIN_NOT_PINNED },
+  {10, false, "\004kyps\003net", true, 0, DOMAIN_NOT_PINNED },
+  {14, false, "\003www\004kyps\003net", true, 0, DOMAIN_NOT_PINNED },
+  {17, true, "\003app\007recurly\003com", true, 0, DOMAIN_NOT_PINNED },
+  {17, true, "\003api\007recurly\003com", true, 0, DOMAIN_NOT_PINNED },
+  {13, false, "\007greplin\003com", true, 0, DOMAIN_NOT_PINNED },
+  {17, false, "\003www\007greplin\003com", true, 0, DOMAIN_NOT_PINNED },
+  {27, true, "\006luneta\016nearbuysystems\003com", true, 0,
+      DOMAIN_NOT_PINNED },
+  {12, true, "\006ubertt\003org", true, 0, DOMAIN_NOT_PINNED },
 
-  {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  {13, false, "\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {17, true, "\003www\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {17, true, "\003api\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {19, true, "\005oauth\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {20, true, "\006mobile\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {17, true, "\003dev\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {22, true, "\010business\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
 
 #if 0
   // Twitter CDN pins disabled in order to track down pinning failures --agl
-  {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
-  {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
-  {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
+  {22, true, "\010platform\007twitter\003com", false,
+      kTwitterCDNAcceptableCerts, DOMAIN_TWITTER_COM },
+  {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts,
+      DOMAIN_TWIMG_COM },
+  {23, true, "\010twimg0-a\010akamaihd\003net", false,
+      kTwitterCDNAcceptableCerts, DOMAIN_AKAMAIHD_NET },
 #endif
 };
 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 
 static const struct HSTSPreload kPreloadedSNISTS[] = {
   // These SNI-only domains must always use HTTPS.
-  {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
-  {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
-  {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
-  {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
+  {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GMAIL_COM },
+  {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEMAIL_COM },
+  {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GMAIL_COM },
+  {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEMAIL_COM },
   // These SNI-only domains must use an acceptable certificate iff using
   // HTTPS.
-  {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
+  {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts,
+     DOMAIN_GOOGLE_ANALYTICS_COM },
   // www. requires SNI.
-  {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
+  {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEGROUPS_COM },
 };
 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
 
-// Returns true if there is an HSTSPreload entry for the host in |entries|, and
-// if its |required_hashes| member is identical (by address) to |certs|.
-static bool ScanForHostAndCerts(
+// Returns the HSTSPreload entry for the |canonicalized_host| in |entries|,
+// or NULL if there is none. Prefers exact hostname matches to those that
+// match only because HSTSPreload.include_subdomains is true.
+//
+// |canonicalized_host| should be the hostname as canonicalized by
+// CanonicalizeHost.
+static const struct HSTSPreload* GetHSTSPreload(
     const std::string& canonicalized_host,
     const struct HSTSPreload* entries,
-    size_t num_entries,
-    const char* const certs[]) {
-  bool hit = false;
+    size_t num_entries) {
+  const struct HSTSPreload* hit = NULL;
 
   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
     for (size_t j = 0; j < num_entries; j++) {
-      const struct HSTSPreload& entry = entries[j];
+      const struct HSTSPreload* entry = entries + j;
 
-      if (i != 0 && !entry.include_subdomains)
+      if (i != 0 && !entry->include_subdomains)
         continue;
 
-      if (entry.length == canonicalized_host.size() - i &&
-          memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) {
-        hit = entry.required_hashes == certs;
-        // Return immediately upon exact match:
+      if (entry->length == canonicalized_host.size() - i &&
+          memcmp(entry->dns_name, &canonicalized_host[i], entry->length) == 0) {
+        // Return immediately upon exact match.
         if (i == 0)
-          return hit;
+          return entry;
+        hit = entry;
       }
     }
   }
@@ -1128,23 +1226,42 @@
 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
                                                     bool sni_available) {
   std::string canonicalized_host = CanonicalizeHost(host);
+  const struct HSTSPreload* entry =
+      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
 
-  if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS,
-                          kGoogleAcceptableCerts)) {
+  if (entry && entry->required_hashes == kGoogleAcceptableCerts)
     return true;
-  }
 
   if (sni_available) {
-    if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedSNISTS,
-                            kGoogleAcceptableCerts)) {
+    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
+                           kNumPreloadedSNISTS);
+    if (entry && entry->required_hashes == kGoogleAcceptableCerts)
       return true;
-    }
   }
 
   return false;
 }
 
+// static
+void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host,
+                                                   bool sni_available) {
+  std::string canonicalized_host = CanonicalizeHost(host);
 
+  const struct HSTSPreload* entry =
+      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
+
+  if (!entry && sni_available) {

[Chris Evans, 2011/10/26 22:49:46]

I think we can not pass in sni_available to make things simpler. If we don't get
the hit in the non-SNI list then can we just look in the SNI list
unconditionally?

[palmer, 2011/10/27 01:15:45]

I prefer that, but I was emulating the other functions in this class when I did
that.

Done for this function.

cevans and other reviewers: Should I generate another CL to de-sni_available-ize
the other functions, too? It would simplify our calling code nicely.

+    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
+                           kNumPreloadedSNISTS);
+  }
+
+  if (!entry)
+    return;

[Chris Evans, 2011/10/26 22:49:46]

I guess this can't actually happen until we expose cert pinning to the web at
large? If it's a "can't happen", it should probably start life as a DCHECK?

+
+  UMA_HISTOGRAM_ENUMERATION(kPublicKeyPinFailure, entry->low_res_name,

[Chris Evans, 2011/10/26 22:49:46]

Bug -- there's a script that this might confuse (extract_histograms.py). The
"Blah.ConfunculatorStatus" string needs to be inline with this macro.

For that matter, I think you might still need to update the histograms list so
that the dashboard knows the "pretty" name for your histogram. See
tools/histograms/pretty-print.py. Can be done in a separate CL but best not to
forget.

[palmer, 2011/10/27 01:15:45]

Done.

The code I copied, 

./chrome/renderer/chrome_render_view_observer.cc:   
UMA_HISTOGRAM_ENUMERATION(kSSLInsecureContent,

has this bug also. Looks like you're the author of that code. :)
Ok, I updated histograms.xml and am creating a CL for it.

+                            DOMAIN_NUM_EVENTS);
+}
+
 // IsPreloadedSTS returns true if the canonicalized hostname should always be
 // considered to have STS enabled.
 bool TransportSecurityState::IsPreloadedSTS(