Refactor TransportSecurityState.

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
===================================================================
--- net/socket/ssl_client_socket_nss.cc	(revision 128526)
+++ net/socket/ssl_client_socket_nss.cc	(working copy)
@@ -134,8 +134,8 @@
 #elif defined(USE_NSS)
 typedef SECStatus
 (*CacheOCSPResponseFromSideChannelFunction)(
-    CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
-    SECItem *encodedResponse, void *pwArg);
+    CERTCertDBHandle* handle, CERTCertificate *cert, PRTime time,
+    SECItem* encodedResponse, void *pwArg);

[Ryan Sleevi, 2012/03/28 00:50:32]

This were typed such to match the underlying NSS style, so they are probably
fine as is.

If you are going to change them, change all four variables :)

[palmer, 2012/04/10 23:25:51]

Done.

 
 // On Linux, we dynamically link against the system version of libnss3.so. In
 // order to continue working on systems without up-to-date versions of NSS we
@@ -1734,56 +1734,6 @@
         UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
   }
 
-  PeerCertificateChain chain(nss_fd_);
-  for (unsigned i = 1; i < chain.size(); i++) {
-    if (strcmp(chain[i]->subjectName, "CN=meta") != 0)
-      continue;
-
-    base::StringPiece leaf_der(
-        reinterpret_cast<char*>(server_cert_nss_->derCert.data),
-        server_cert_nss_->derCert.len);
-    base::StringPiece leaf_spki;
-    if (!asn1::ExtractSPKIFromDERCert(leaf_der, &leaf_spki))
-      break;
-
-    static SECOidTag side_data_tag;
-    static bool side_data_tag_valid;
-    if (!side_data_tag_valid) {
-      // It's harmless if multiple threads enter this block concurrently.
-      static const uint8 kSideDataOID[] =
-          // 1.3.6.1.4.1.11129.2.1.4
-          // (iso.org.dod.internet.private.enterprises.google.googleSecurity.
-          //  certificateExtensions.sideData)
-          {0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x05};
-      SECOidData oid_data;
-      memset(&oid_data, 0, sizeof(oid_data));
-      oid_data.oid.data = const_cast<uint8*>(kSideDataOID);
-      oid_data.oid.len = sizeof(kSideDataOID);
-      oid_data.desc = "Certificate side data";
-      oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION;
-      side_data_tag = SECOID_AddEntry(&oid_data);
-      DCHECK_NE(SEC_OID_UNKNOWN, side_data_tag);
-      side_data_tag_valid = true;
-    }
-
-    SECItem side_data_item;
-    SECStatus rv = CERT_FindCertExtension(chain[i],
-        side_data_tag, &side_data_item);
-    if (rv != SECSuccess)
-      continue;
-
-    base::StringPiece side_data(
-        reinterpret_cast<char*>(side_data_item.data),
-        side_data_item.len);
-
-    if (!TransportSecurityState::ParseSidePin(
-             leaf_spki, side_data, &side_pinned_public_keys_)) {
-      LOG(WARNING) << "Side pinning data failed to parse: "
-                   << host_and_port_.host();
-    }
-    break;
-  }
-
   // We used to remember the intermediate CA certs in the NSS database
   // persistently.  However, NSS opens a connection to the SQLite database
   // during NSS initialization and doesn't close the connection until NSS