Refactor TransportSecurityState.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 116 matching lines @@
 // set on Windows XP without error. There is some overhead from the server
 // sending the OCSP response if it supports the extension, for the subset of
 // XP clients who will request it but be unable to use it, but this is an
 // acceptable trade-off for simplicity of implementation.
 static bool IsOCSPStaplingSupported() {
   return true;
 }
 #elif defined(USE_NSS)
 typedef SECStatus
 (*CacheOCSPResponseFromSideChannelFunction)(
-    CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
-    SECItem *encodedResponse, void *pwArg);
+    CERTCertDBHandle* handle, CERTCertificate *cert, PRTime time,
+    SECItem* encodedResponse, void *pwArg);
 
 // On Linux, we dynamically link against the system version of libnss3.so. In
 // order to continue working on systems without up-to-date versions of NSS we
 // lookup CERT_CacheOCSPResponseFromSideChannel with dlsym.
 
 // RuntimeLibNSSFunctionPointers is a singleton which caches the results of any
 // runtime symbol resolution that we need.
 class RuntimeLibNSSFunctionPointers {
  public:
   CacheOCSPResponseFromSideChannelFunction
@@ skipping 1578 matching lines @@
 
   if (!start_cert_verification_time_.is_null()) {
     base::TimeDelta verify_time =
         base::TimeTicks::Now() - start_cert_verification_time_;
     if (result == OK)
         UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
     else
         UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
   }
 
-  PeerCertificateChain chain(nss_fd_);
-  for (unsigned i = 1; i < chain.size(); i++) {
-    if (strcmp(chain[i]->subjectName, "CN=meta") != 0)
-      continue;
-
-    base::StringPiece leaf_der(
-        reinterpret_cast<char*>(server_cert_nss_->derCert.data),
-        server_cert_nss_->derCert.len);
-    base::StringPiece leaf_spki;
-    if (!asn1::ExtractSPKIFromDERCert(leaf_der, &leaf_spki))
-      break;
-
-    static SECOidTag side_data_tag;
-    static bool side_data_tag_valid;
-    if (!side_data_tag_valid) {
-      // It's harmless if multiple threads enter this block concurrently.
-      static const uint8 kSideDataOID[] =
-          // 1.3.6.1.4.1.11129.2.1.4
-          // (iso.org.dod.internet.private.enterprises.google.googleSecurity.
-          //  certificateExtensions.sideData)
-          {0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x05};
-      SECOidData oid_data;
-      memset(&oid_data, 0, sizeof(oid_data));
-      oid_data.oid.data = const_cast<uint8*>(kSideDataOID);
-      oid_data.oid.len = sizeof(kSideDataOID);
-      oid_data.desc = "Certificate side data";
-      oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION;
-      side_data_tag = SECOID_AddEntry(&oid_data);
-      DCHECK_NE(SEC_OID_UNKNOWN, side_data_tag);
-      side_data_tag_valid = true;
-    }
-
-    SECItem side_data_item;
-    SECStatus rv = CERT_FindCertExtension(chain[i],
-        side_data_tag, &side_data_item);
-    if (rv != SECSuccess)
-      continue;
-
-    base::StringPiece side_data(
-        reinterpret_cast<char*>(side_data_item.data),
-        side_data_item.len);
-
-    if (!TransportSecurityState::ParseSidePin(
-             leaf_spki, side_data, &side_pinned_public_keys_)) {
-      LOG(WARNING) << "Side pinning data failed to parse: "
-                   << host_and_port_.host();
-    }
-    break;
-  }
-
   // We used to remember the intermediate CA certs in the NSS database
   // persistently.  However, NSS opens a connection to the SQLite database
   // during NSS initialization and doesn't close the connection until NSS
   // shuts down.  If the file system where the database resides is gone,
   // the database connection goes bad.  What's worse, the connection won't
   // recover when the file system comes back.  Until this NSS or SQLite bug
   // is fixed, we need to  avoid using the NSS database for non-essential
   // purposes.  See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
   // http://crbug.com/15630 for more info.
 
@@ skipping 915 matching lines @@
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net