Send HPKP violation reports when a pin check fails

net/http/transport_security_state.cc

Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index f8bd18d2bd1de4797540babe662ed83846bf6aee..9c8e9897bbd01e6ce0b58971bba21249264194e5 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -513,6 +513,10 @@ bool TransportSecurityState::CheckPublicKeyPins(
     const std::string& host,
     bool is_issued_by_known_root,
     const HashValueVector& public_key_hashes,
+    uint16_t port,
+    const X509Certificate* served_certificate_chain,
+    const X509Certificate* validated_certificate_chain,
+    const PublicKeyPinReportStatus report_status,
     std::string* pinning_failure_log) {
   // Perform pin validation if, and only if, all these conditions obtain:
   //
@@ -523,8 +527,9 @@ bool TransportSecurityState::CheckPublicKeyPins(
     return true;
   }
 
-  bool pins_are_valid =
-      CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log);
+  bool pins_are_valid = CheckPublicKeyPinsImpl(
+      host, public_key_hashes, port, served_certificate_chain,
+      validated_certificate_chain, report_status, pinning_failure_log);
   if (!pins_are_valid) {
     LOG(ERROR) << *pinning_failure_log;
     ReportUMAOnPinFailure(host);
@@ -821,10 +826,36 @@ bool TransportSecurityState::IsBuildTimely() {
 bool TransportSecurityState::CheckPublicKeyPinsImpl(
     const std::string& host,
     const HashValueVector& hashes,
+    uint16_t port,
+    const X509Certificate* served_certificate_chain,
+    const X509Certificate* validated_certificate_chain,
+    const PublicKeyPinReportStatus report_status,
     std::string* failure_log) {
   PKPState dynamic_state;
-  if (GetDynamicPKPState(host, &dynamic_state))
-    return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
+  if (GetDynamicPKPState(host, &dynamic_state)) {
+    bool result = dynamic_state.CheckPublicKeyPins(hashes, failure_log);
+
+    if (result || !reporter_ ||
+        report_status == DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT)
+      return result;
+
+    GURL report_uri;
+    std::string serialized_report;
+
+    if (!reporter_->GetHPKPReportUri(dynamic_state, &report_uri))

[Ryan Sleevi, 2015/07/10 16:40:00]

Does this mean we can't preload report-uris? Seems to be.

Perhaps reshuffling this to indicate which PKPState was used?

[estark, 2015/07/10 19:33:30]

Done.

+      return result;
+
+    if (!reporter_->BuildHPKPReport(
+            host, port, dynamic_state.expiry, dynamic_state.include_subdomains,
+            dynamic_state.domain, served_certificate_chain,
+            validated_certificate_chain, dynamic_state.spki_hashes,
+            &serialized_report)) {
+      LOG(ERROR) << "Failed to build HPKP report";
+      return result;
+    }
+
+    reporter_->SendHPKPReport(report_uri, serialized_report);
+  }
 
   PKPState static_pkp_state;
   STSState unused;