Send HPKP violation reports when a pin check fails

net/http/transport_security_state.cc

Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index c372d83123dfc2df882904743f8d51c5851ec011..e03e13b5f57e738f6c88d3c212225137cab47f69 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -513,6 +513,10 @@ bool TransportSecurityState::CheckPublicKeyPins(
     const std::string& host,
     bool is_issued_by_known_root,
     const HashValueVector& public_key_hashes,
+    uint16_t port,
+    const X509Certificate* served_certificate_chain,
+    const X509Certificate* validated_certificate_chain,
+    const PublicKeyPinReportStatus report_status,
     std::string* pinning_failure_log) {
   // Perform pin validation if, and only if, all these conditions obtain:
   //
@@ -523,8 +527,9 @@ bool TransportSecurityState::CheckPublicKeyPins(
     return true;
   }
 
-  bool pins_are_valid =
-      CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log);
+  bool pins_are_valid = CheckPublicKeyPinsImpl(
+      host, public_key_hashes, port, served_certificate_chain,
+      validated_certificate_chain, report_status, pinning_failure_log);
   if (!pins_are_valid) {
     LOG(ERROR) << *pinning_failure_log;
     ReportUMAOnPinFailure(host);
@@ -821,19 +826,41 @@ bool TransportSecurityState::IsBuildTimely() {
 bool TransportSecurityState::CheckPublicKeyPinsImpl(
     const std::string& host,
     const HashValueVector& hashes,
+    uint16_t port,
+    const X509Certificate* served_certificate_chain,
+    const X509Certificate* validated_certificate_chain,
+    const PublicKeyPinReportStatus report_status,
     std::string* failure_log) {
-  PKPState dynamic_state;
-  if (GetDynamicPKPState(host, &dynamic_state))
-    return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
-
-  PKPState static_pkp_state;
+  bool used_static_state = false;
+  PKPState pkp_state;
   STSState unused;
-  if (GetStaticDomainState(host, &unused, &static_pkp_state))
-    return static_pkp_state.CheckPublicKeyPins(hashes, failure_log);
 
-  // HasPublicKeyPins should have returned true in order for this method
-  // to have been called, so if we fall through to here, it's an error.
-  return false;
+  if (!GetDynamicPKPState(host, &pkp_state)) {
+    if (!GetStaticDomainState(host, &unused, &pkp_state)) {
+      // HasPublicKeyPins should have returned true in order for this method
+      // to have been called, so if we fall through to here, it's an error.
+      return false;
+    }
+    used_static_state = true;
+  }
+
+  bool passed_pin_check = pkp_state.CheckPublicKeyPins(hashes, failure_log);
+
+  if (passed_pin_check || !reporter_ || report_status != ENABLE_PIN_REPORTS)
+    return passed_pin_check;
+
+  GURL report_uri;
+  std::string serialized_report;
+
+  if (!reporter_->GetHPKPReport(
+          host, pkp_state, used_static_state, port, served_certificate_chain,
+          validated_certificate_chain, &report_uri, &serialized_report)) {
+    return passed_pin_check;
+  }
+
+  reporter_->SendHPKPReport(report_uri, serialized_report);
+
+  return passed_pin_check;
 }
 
 bool TransportSecurityState::GetStaticDomainState(const std::string& host,