Improve TransportSecurityState data storage.

net/base/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else  // !defined(USE_OPENSSL)
 #include <cryptohi.h>
 #include <hasht.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 #include <nspr.h>
 #endif
 
 #include <algorithm>
 
 #include "base/base64.h"
 #include "base/build_time.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/metrics/histogram.h"
 #include "base/sha1.h"
-#include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "base/time.h"
-#include "base/utf_string_conversions.h"
-#include "base/values.h"
 #include "crypto/sha2.h"
 #include "googleurl/src/gurl.h"
 #include "net/base/dns_util.h"
 #include "net/base/ssl_info.h"
-#include "net/base/x509_cert_types.h"
+#include "net/base/transport_security_state_preload.h"
 #include "net/base/x509_certificate.h"
 #include "net/http/http_security_headers.h"
 
 #if defined(USE_OPENSSL)
 #include "crypto/openssl_util.h"
 #endif
 
 namespace net {
 
 namespace {
 
 std::string HashesToBase64String(const HashValueVector& hashes) {
   std::string str;
   for (size_t i = 0; i != hashes.size(); ++i) {
     if (i != 0)
       str += ",";
     str += hashes[i].ToString();
   }
   return str;
 }
 
-std::string HashHost(const std::string& canonicalized_host) {
-  char hashed[crypto::kSHA256Length];
-  crypto::SHA256HashString(canonicalized_host, hashed, sizeof(hashed));
-  return std::string(hashed, sizeof(hashed));
-}
-
 // Returns true if the intersection of |a| and |b| is not empty. If either
 // |a| or |b| is empty, returns false.
 bool HashesIntersect(const HashValueVector& a,
                      const HashValueVector& b) {
   for (HashValueVector::const_iterator i = a.begin(); i != a.end(); ++i) {
     HashValueVector::const_iterator j =
         std::find_if(b.begin(), b.end(), HashValuesEqual(*i));
     if (j != b.end())
       return true;
   }
   return false;
 }
 
-bool AddHash(const char* sha1_hash,
-             HashValueVector* out) {
-  HashValue hash(HASH_VALUE_SHA1);
-  memcpy(hash.data(), sha1_hash, hash.size());
-  out->push_back(hash);
-  return true;
-}
+std::string HashHost(const std::string& host) {
+  std::string lowercase = StringToLowerASCII(host);
+  std::string old_style_canonicalized_name;
+  if (!DNSDomainFromDot(lowercase, &old_style_canonicalized_name))
+    return std::string("");

[Ryan Sleevi, 2013/03/23 04:24:13]

return std::string()

The "" technically incurs overhead (in scanning the string). Pedantry, really.

[unsafe, 2013/03/23 08:19:39]

Done.

+
+  char hashed[crypto::kSHA256Length];
+  crypto::SHA256HashString(old_style_canonicalized_name, hashed,
+                           sizeof(hashed));
+  return std::string(hashed, sizeof(hashed));
+}
+
+// Iterate over ("www.example.com", "example.com", "com")
+struct DomainNameIterator {
+  explicit DomainNameIterator(const std::string& host) {
+    name_ = StringToLowerASCII(host);
+    index_ = 0;
+  }
+
+  bool AtEnd() {
+    return name_[index_] == 0;
+  }
+
+  // Advance to NUL char, or after the next '.'
+  void Advance() {
+    if (AtEnd())
+      return;
+    for (index_++; name_[index_] != '.' && name_[index_] != 0; index_++);
+    if (name_[index_] == '.')
+      index_++;
+  }
+
+  std::string GetName() {
+    return name_.substr(index_);
+  }
+
+  bool IsFullHostname() {
+    return index_ == 0;
+  }
+
+  std::string name_;  // The full hostname, canonicalized to lowercase
+  size_t index_;      // Index into name_
+};
 
 }  // namespace
 
 TransportSecurityState::TransportSecurityState()
   : delegate_(NULL) {
 }
 
-TransportSecurityState::Iterator::Iterator(const TransportSecurityState& state)
-    : iterator_(state.enabled_hosts_.begin()),
-      end_(state.enabled_hosts_.end()) {
-}
-
-TransportSecurityState::Iterator::~Iterator() {}
+TransportSecurityState::~TransportSecurityState() {}
 
 void TransportSecurityState::SetDelegate(
     TransportSecurityState::Delegate* delegate) {
   delegate_ = delegate;
 }
 
-void TransportSecurityState::EnableHost(const std::string& host,
-                                        const DomainState& state) {
+void TransportSecurityState::ClearDynamicData() {
+  hsts_entries_.clear();
+  hpkp_entries_.clear();
+}
+
+void TransportSecurityState::DeleteAllDynamicDataSince(const base::Time& time) {
   DCHECK(CalledOnValidThread());
-
-  const std::string canonicalized_host = CanonicalizeHost(host);
-  if (canonicalized_host.empty())
-    return;
-
-  DomainState existing_state;
-
-  // Use the original creation date if we already have this host. (But note
-  // that statically-defined states have no |created| date. Therefore, we do
-  // not bother to search the SNI-only static states.)
-  DomainState state_copy(state);
-  if (GetDomainState(host, false /* sni_enabled */, &existing_state) &&
-      !existing_state.created.is_null()) {
-    state_copy.created = existing_state.created;
-  }
-
-  // No need to store this value since it is redundant. (|canonicalized_host|
-  // is the map key.)
-  state_copy.domain.clear();
-
-  enabled_hosts_[HashHost(canonicalized_host)] = state_copy;
-  DirtyNotify();
+  hsts_entries_.DeleteEntriesSince(time);
+  hpkp_entries_.DeleteEntriesSince(time);
+  CheckDirty();
 }
 
 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) {
   DCHECK(CalledOnValidThread());
-
-  const std::string canonicalized_host = CanonicalizeHost(host);
-  if (canonicalized_host.empty())
-    return false;
-
-  DomainStateMap::iterator i = enabled_hosts_.find(
-      HashHost(canonicalized_host));
-  if (i != enabled_hosts_.end()) {
-    enabled_hosts_.erase(i);
-    DirtyNotify();
-    return true;
-  }
-  return false;
+  bool deleted_hsts = DeleteHSTS(host);
+  bool deleted_hpkp = DeleteHPKP(host);
+  CheckDirty();
+  return deleted_hsts || deleted_hpkp;
 }
 
 bool TransportSecurityState::GetDomainState(const std::string& host,
                                             bool sni_enabled,
-                                            DomainState* result) {
+                                            DomainState* result) const {
   DCHECK(CalledOnValidThread());
-
-  DomainState state;
-  const std::string canonicalized_host = CanonicalizeHost(host);
-  if (canonicalized_host.empty())
+  bool found = false;
+  const base::Time now = base::Time::Now();
+  DomainState dynamic_state;
+
+  found = GetPreloadDomainState(sni_enabled, now, host, result);
+  found = GetDynamicDomainState(now, host, &dynamic_state) || found;

[Ryan Sleevi, 2013/03/23 04:24:13]

Why not simply

found |= GetDynamicDomainState

Because you're not using logical or, you wouldn't have to worry about
short-circuiting (which I interpret your || found to be worried about)

[unsafe, 2013/03/23 08:19:39]

its sort of a logical operation, bit arithmetic looks wrong to me here, but it
could be done..  yeah, i was worried about short-circuiting

+
+  // Merge dynamic state into preload state
+  // Currently, HSTS and HPKP are set if either state has them set.
+  // However, if both states have HPKP set, the preload pins take precedence.
+  // This behavior may change (e.g. for the most-recent to take priority).
+  if (!result->should_upgrade_ && dynamic_state.should_upgrade_) {
+    result->should_upgrade_ = true;
+  }

[Ryan Sleevi, 2013/03/23 04:24:13]

style: omit braces for one-liner

[unsafe, 2013/03/23 08:19:39]

Done.

+  if (!result->has_public_key_pins_ && dynamic_state.has_public_key_pins_) {
+    result->has_public_key_pins_ = true;
+    result->public_key_pins_good_hashes_ =
+      dynamic_state.public_key_pins_good_hashes_;

[Ryan Sleevi, 2013/03/23 04:24:13]

style: four spaces indent for continuation

[unsafe, 2013/03/23 08:19:39]

Done.

+  }
+  return found;
+}
+
+bool TransportSecurityState::GetDynamicDomainState(const base::Time& now,
+                                                   const std::string& host,
+                                                   DomainState* result) const {
+  DynamicEntry hsts_entry;
+  HPKPEntry hpkp_entry;
+  // Iterate over 'www.example.com", 'example.com", "com"
+  for (DomainNameIterator iter(host); !iter.AtEnd(); iter.Advance()) {
+    std::string hashed_host = HashHost(iter.GetName());
+    bool is_full_hostname = iter.IsFullHostname();
+
+    // Get HSTS data from map
+    if (!result->should_upgrade_ &&
+        hsts_entries_.GetEntry(now, hashed_host, is_full_hostname,
+                               &hsts_entry)) {
+      result->should_upgrade_ = true;
+    }
+
+    // Get HPKP data from map
+    if (!result->has_public_key_pins_ &&
+        hpkp_entries_.GetEntry(now, hashed_host, is_full_hostname,
+                               &hpkp_entry)) {
+      result->has_public_key_pins_ = true;
+      result->public_key_pins_good_hashes_ = hpkp_entry.good_hashes_;
+    }
+
+    // If we've got all possible data, exit early
+    if (result->should_upgrade_ && result->has_public_key_pins_)
+      return true;
+  }
+  return result->should_upgrade_ || result->has_public_key_pins_;
+}
+
+bool TransportSecurityState::GetPreloadDomainState(bool sni_enabled,
+                                                   const base::Time& now,
+                                                   const std::string& host,
+                                                   DomainState* result) const {
+#ifdef PRELOADS_PRESENT

[Ryan Sleevi, 2013/03/23 04:24:13]

pedantry nit: #if defined() for non-header-guard ifdefs

[unsafe, 2013/03/23 08:19:39]

Done.

+  const PreloadEntry* entries = kPreloadedEntries;
+  size_t num_entries = kNumPreloaded;
+
+  if (!IsBuildTimely())
     return false;
 
-  bool has_preload = GetStaticDomainState(canonicalized_host, sni_enabled,
-                                          &state);
-  std::string canonicalized_preload = CanonicalizeHost(state.domain);
-
-  base::Time current_time(base::Time::Now());
-
-  for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
-    std::string host_sub_chunk(&canonicalized_host[i],
-                               canonicalized_host.size() - i);
-    // Exact match of a preload always wins.
-    if (has_preload && host_sub_chunk == canonicalized_preload) {
-      *result = state;
-      return true;
+  for (int count = 0; count < 2; count++) {
+    // If sni_enabled, then scan through SNI entries (if necessary)
+    if (count == 1) {
+      if (!sni_enabled)
+        break;
+      entries = kPreloadedEntriesSNI;
+      num_entries = kNumPreloadedSNI;
     }
 
-    DomainStateMap::iterator j =
-        enabled_hosts_.find(HashHost(host_sub_chunk));
-    if (j == enabled_hosts_.end())
-      continue;
-
-    if (current_time > j->second.upgrade_expiry &&
-        current_time > j->second.dynamic_spki_hashes_expiry) {
-      enabled_hosts_.erase(j);
-      DirtyNotify();
-      continue;
-    }
-
-    state = j->second;
-    state.domain = DNSDomainToString(host_sub_chunk);
-
-    // Succeed if we matched the domain exactly or if subdomain matches are
-    // allowed.
-    if (i == 0 || j->second.include_subdomains) {
-      *result = state;
-      return true;
-    }
-
-    return false;
-  }
-
-  return false;
-}
-
-void TransportSecurityState::ClearDynamicData() {
-  enabled_hosts_.clear();
-}
-
-void TransportSecurityState::DeleteAllDynamicDataSince(const base::Time& time) {
-  DCHECK(CalledOnValidThread());
-
-  bool dirtied = false;
-
-  DomainStateMap::iterator i = enabled_hosts_.begin();
-  while (i != enabled_hosts_.end()) {
-    if (i->second.created >= time) {
-      dirtied = true;
-      enabled_hosts_.erase(i++);
-    } else {
-      i++;
-    }
-  }
-
-  if (dirtied)
-    DirtyNotify();
-}
-
-TransportSecurityState::~TransportSecurityState() {}
-
-void TransportSecurityState::DirtyNotify() {
-  DCHECK(CalledOnValidThread());
-
-  if (delegate_)
-    delegate_->StateIsDirty(this);
-}
-
-// static
-std::string TransportSecurityState::CanonicalizeHost(const std::string& host) {
-  // We cannot perform the operations as detailed in the spec here as |host|
-  // has already undergone IDN processing before it reached us. Thus, we check
-  // that there are no invalid characters in the host and lowercase the result.
-
-  std::string new_host;
-  if (!DNSDomainFromDot(host, &new_host)) {
-    // DNSDomainFromDot can fail if any label is > 63 bytes or if the whole
-    // name is >255 bytes. However, search terms can have those properties.
-    return std::string();
-  }
-
-  for (size_t i = 0; new_host[i]; i += new_host[i] + 1) {
-    const unsigned label_length = static_cast<unsigned>(new_host[i]);
-    if (!label_length)
-      break;
-
-    for (size_t j = 0; j < label_length; ++j) {
-      // RFC 3490, 4.1, step 3
-      if (!IsSTD3ASCIIValidCharacter(new_host[i + 1 + j]))
-        return std::string();
-
-      new_host[i + 1 + j] = tolower(new_host[i + 1 + j]);
-    }
-
-    // step 3(b)
-    if (new_host[i + 1] == '-' ||
-        new_host[i + label_length] == '-') {
-      return std::string();
-    }
-  }
-
-  return new_host;
-}
-
-// |ReportUMAOnPinFailure| uses these to report which domain was associated
-// with the public key pinning failure.
-//
-// DO NOT CHANGE THE ORDERING OF THESE NAMES OR REMOVE ANY OF THEM. Add new
-// domains at the END of the listing (but before DOMAIN_NUM_EVENTS).
-enum SecondLevelDomainName {
-  DOMAIN_NOT_PINNED,
-
-  DOMAIN_GOOGLE_COM,
-  DOMAIN_ANDROID_COM,
-  DOMAIN_GOOGLE_ANALYTICS_COM,
-  DOMAIN_GOOGLEPLEX_COM,
-  DOMAIN_YTIMG_COM,
-  DOMAIN_GOOGLEUSERCONTENT_COM,
-  DOMAIN_YOUTUBE_COM,
-  DOMAIN_GOOGLEAPIS_COM,
-  DOMAIN_GOOGLEADSERVICES_COM,
-  DOMAIN_GOOGLECODE_COM,
-  DOMAIN_APPSPOT_COM,
-  DOMAIN_GOOGLESYNDICATION_COM,
-  DOMAIN_DOUBLECLICK_NET,
-  DOMAIN_GSTATIC_COM,
-  DOMAIN_GMAIL_COM,
-  DOMAIN_GOOGLEMAIL_COM,
-  DOMAIN_GOOGLEGROUPS_COM,
-
-  DOMAIN_TORPROJECT_ORG,
-
-  DOMAIN_TWITTER_COM,
-  DOMAIN_TWIMG_COM,
-
-  DOMAIN_AKAMAIHD_NET,
-
-  DOMAIN_TOR2WEB_ORG,
-
-  DOMAIN_YOUTU_BE,
-  DOMAIN_GOOGLECOMMERCE_COM,
-  DOMAIN_URCHIN_COM,
-  DOMAIN_GOO_GL,
-  DOMAIN_G_CO,
-  DOMAIN_GOOGLE_AC,
-  DOMAIN_GOOGLE_AD,
-  DOMAIN_GOOGLE_AE,
-  DOMAIN_GOOGLE_AF,
-  DOMAIN_GOOGLE_AG,
-  DOMAIN_GOOGLE_AM,
-  DOMAIN_GOOGLE_AS,
-  DOMAIN_GOOGLE_AT,
-  DOMAIN_GOOGLE_AZ,
-  DOMAIN_GOOGLE_BA,
-  DOMAIN_GOOGLE_BE,
-  DOMAIN_GOOGLE_BF,
-  DOMAIN_GOOGLE_BG,
-  DOMAIN_GOOGLE_BI,
-  DOMAIN_GOOGLE_BJ,
-  DOMAIN_GOOGLE_BS,
-  DOMAIN_GOOGLE_BY,
-  DOMAIN_GOOGLE_CA,
-  DOMAIN_GOOGLE_CAT,
-  DOMAIN_GOOGLE_CC,
-  DOMAIN_GOOGLE_CD,
-  DOMAIN_GOOGLE_CF,
-  DOMAIN_GOOGLE_CG,
-  DOMAIN_GOOGLE_CH,
-  DOMAIN_GOOGLE_CI,
-  DOMAIN_GOOGLE_CL,
-  DOMAIN_GOOGLE_CM,
-  DOMAIN_GOOGLE_CN,
-  DOMAIN_CO_AO,
-  DOMAIN_CO_BW,
-  DOMAIN_CO_CK,
-  DOMAIN_CO_CR,
-  DOMAIN_CO_HU,
-  DOMAIN_CO_ID,
-  DOMAIN_CO_IL,
-  DOMAIN_CO_IM,
-  DOMAIN_CO_IN,
-  DOMAIN_CO_JE,
-  DOMAIN_CO_JP,
-  DOMAIN_CO_KE,
-  DOMAIN_CO_KR,
-  DOMAIN_CO_LS,
-  DOMAIN_CO_MA,
-  DOMAIN_CO_MZ,
-  DOMAIN_CO_NZ,
-  DOMAIN_CO_TH,
-  DOMAIN_CO_TZ,
-  DOMAIN_CO_UG,
-  DOMAIN_CO_UK,
-  DOMAIN_CO_UZ,
-  DOMAIN_CO_VE,
-  DOMAIN_CO_VI,
-  DOMAIN_CO_ZA,
-  DOMAIN_CO_ZM,
-  DOMAIN_CO_ZW,
-  DOMAIN_COM_AF,
-  DOMAIN_COM_AG,
-  DOMAIN_COM_AI,
-  DOMAIN_COM_AR,
-  DOMAIN_COM_AU,
-  DOMAIN_COM_BD,
-  DOMAIN_COM_BH,
-  DOMAIN_COM_BN,
-  DOMAIN_COM_BO,
-  DOMAIN_COM_BR,
-  DOMAIN_COM_BY,
-  DOMAIN_COM_BZ,
-  DOMAIN_COM_CN,
-  DOMAIN_COM_CO,
-  DOMAIN_COM_CU,
-  DOMAIN_COM_CY,
-  DOMAIN_COM_DO,
-  DOMAIN_COM_EC,
-  DOMAIN_COM_EG,
-  DOMAIN_COM_ET,
-  DOMAIN_COM_FJ,
-  DOMAIN_COM_GE,
-  DOMAIN_COM_GH,
-  DOMAIN_COM_GI,
-  DOMAIN_COM_GR,
-  DOMAIN_COM_GT,
-  DOMAIN_COM_HK,
-  DOMAIN_COM_IQ,
-  DOMAIN_COM_JM,
-  DOMAIN_COM_JO,
-  DOMAIN_COM_KH,
-  DOMAIN_COM_KW,
-  DOMAIN_COM_LB,
-  DOMAIN_COM_LY,
-  DOMAIN_COM_MT,
-  DOMAIN_COM_MX,
-  DOMAIN_COM_MY,
-  DOMAIN_COM_NA,
-  DOMAIN_COM_NF,
-  DOMAIN_COM_NG,
-  DOMAIN_COM_NI,
-  DOMAIN_COM_NP,
-  DOMAIN_COM_NR,
-  DOMAIN_COM_OM,
-  DOMAIN_COM_PA,
-  DOMAIN_COM_PE,
-  DOMAIN_COM_PH,
-  DOMAIN_COM_PK,
-  DOMAIN_COM_PL,
-  DOMAIN_COM_PR,
-  DOMAIN_COM_PY,
-  DOMAIN_COM_QA,
-  DOMAIN_COM_RU,
-  DOMAIN_COM_SA,
-  DOMAIN_COM_SB,
-  DOMAIN_COM_SG,
-  DOMAIN_COM_SL,
-  DOMAIN_COM_SV,
-  DOMAIN_COM_TJ,
-  DOMAIN_COM_TN,
-  DOMAIN_COM_TR,
-  DOMAIN_COM_TW,
-  DOMAIN_COM_UA,
-  DOMAIN_COM_UY,
-  DOMAIN_COM_VC,
-  DOMAIN_COM_VE,
-  DOMAIN_COM_VN,
-  DOMAIN_GOOGLE_CV,
-  DOMAIN_GOOGLE_CZ,
-  DOMAIN_GOOGLE_DE,
-  DOMAIN_GOOGLE_DJ,
-  DOMAIN_GOOGLE_DK,
-  DOMAIN_GOOGLE_DM,
-  DOMAIN_GOOGLE_DZ,
-  DOMAIN_GOOGLE_EE,
-  DOMAIN_GOOGLE_ES,
-  DOMAIN_GOOGLE_FI,
-  DOMAIN_GOOGLE_FM,
-  DOMAIN_GOOGLE_FR,
-  DOMAIN_GOOGLE_GA,
-  DOMAIN_GOOGLE_GE,
-  DOMAIN_GOOGLE_GG,
-  DOMAIN_GOOGLE_GL,
-  DOMAIN_GOOGLE_GM,
-  DOMAIN_GOOGLE_GP,
-  DOMAIN_GOOGLE_GR,
-  DOMAIN_GOOGLE_GY,
-  DOMAIN_GOOGLE_HK,
-  DOMAIN_GOOGLE_HN,
-  DOMAIN_GOOGLE_HR,
-  DOMAIN_GOOGLE_HT,
-  DOMAIN_GOOGLE_HU,
-  DOMAIN_GOOGLE_IE,
-  DOMAIN_GOOGLE_IM,
-  DOMAIN_GOOGLE_INFO,
-  DOMAIN_GOOGLE_IQ,
-  DOMAIN_GOOGLE_IS,
-  DOMAIN_GOOGLE_IT,
-  DOMAIN_IT_AO,
-  DOMAIN_GOOGLE_JE,
-  DOMAIN_GOOGLE_JO,
-  DOMAIN_GOOGLE_JOBS,
-  DOMAIN_GOOGLE_JP,
-  DOMAIN_GOOGLE_KG,
-  DOMAIN_GOOGLE_KI,
-  DOMAIN_GOOGLE_KZ,
-  DOMAIN_GOOGLE_LA,
-  DOMAIN_GOOGLE_LI,
-  DOMAIN_GOOGLE_LK,
-  DOMAIN_GOOGLE_LT,
-  DOMAIN_GOOGLE_LU,
-  DOMAIN_GOOGLE_LV,
-  DOMAIN_GOOGLE_MD,
-  DOMAIN_GOOGLE_ME,
-  DOMAIN_GOOGLE_MG,
-  DOMAIN_GOOGLE_MK,
-  DOMAIN_GOOGLE_ML,
-  DOMAIN_GOOGLE_MN,
-  DOMAIN_GOOGLE_MS,
-  DOMAIN_GOOGLE_MU,
-  DOMAIN_GOOGLE_MV,
-  DOMAIN_GOOGLE_MW,
-  DOMAIN_GOOGLE_NE,
-  DOMAIN_NE_JP,
-  DOMAIN_GOOGLE_NET,
-  DOMAIN_GOOGLE_NL,
-  DOMAIN_GOOGLE_NO,
-  DOMAIN_GOOGLE_NR,
-  DOMAIN_GOOGLE_NU,
-  DOMAIN_OFF_AI,
-  DOMAIN_GOOGLE_PK,
-  DOMAIN_GOOGLE_PL,
-  DOMAIN_GOOGLE_PN,
-  DOMAIN_GOOGLE_PS,
-  DOMAIN_GOOGLE_PT,
-  DOMAIN_GOOGLE_RO,
-  DOMAIN_GOOGLE_RS,
-  DOMAIN_GOOGLE_RU,
-  DOMAIN_GOOGLE_RW,
-  DOMAIN_GOOGLE_SC,
-  DOMAIN_GOOGLE_SE,
-  DOMAIN_GOOGLE_SH,
-  DOMAIN_GOOGLE_SI,
-  DOMAIN_GOOGLE_SK,
-  DOMAIN_GOOGLE_SM,
-  DOMAIN_GOOGLE_SN,
-  DOMAIN_GOOGLE_SO,
-  DOMAIN_GOOGLE_ST,
-  DOMAIN_GOOGLE_TD,
-  DOMAIN_GOOGLE_TG,
-  DOMAIN_GOOGLE_TK,
-  DOMAIN_GOOGLE_TL,
-  DOMAIN_GOOGLE_TM,
-  DOMAIN_GOOGLE_TN,
-  DOMAIN_GOOGLE_TO,
-  DOMAIN_GOOGLE_TP,
-  DOMAIN_GOOGLE_TT,
-  DOMAIN_GOOGLE_US,
-  DOMAIN_GOOGLE_UZ,
-  DOMAIN_GOOGLE_VG,
-  DOMAIN_GOOGLE_VU,
-  DOMAIN_GOOGLE_WS,
-
-  DOMAIN_CHROMIUM_ORG,
-
-  DOMAIN_CRYPTO_CAT,
-
-  // Boundary value for UMA_HISTOGRAM_ENUMERATION:
-  DOMAIN_NUM_EVENTS
-};
-
-// PublicKeyPins contains a number of SubjectPublicKeyInfo hashes for a site.
-// The validated certificate chain for the site must not include any of
-// |excluded_hashes| and must include one or more of |required_hashes|.
-struct PublicKeyPins {
-  const char* const* required_hashes;
-  const char* const* excluded_hashes;
-};
-
-struct HSTSPreload {
-  uint8 length;
-  bool include_subdomains;
-  char dns_name[34];
-  bool https_required;
-  PublicKeyPins pins;
-  SecondLevelDomainName second_level_domain_name;
-};
-
-static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
-                       const std::string& canonicalized_host, size_t i,
-                       TransportSecurityState::DomainState* out, bool* ret) {
-  for (size_t j = 0; j < num_entries; j++) {
-    if (entries[j].length == canonicalized_host.size() - i &&
-        memcmp(entries[j].dns_name, &canonicalized_host[i],
-               entries[j].length) == 0) {
-      if (!entries[j].include_subdomains && i != 0) {
-        *ret = false;
-      } else {
-        out->include_subdomains = entries[j].include_subdomains;
-        *ret = true;
-        if (!entries[j].https_required)
-          out->upgrade_mode = TransportSecurityState::DomainState::MODE_DEFAULT;
-        if (entries[j].pins.required_hashes) {
-          const char* const* sha1_hash = entries[j].pins.required_hashes;
-          while (*sha1_hash) {
-            AddHash(*sha1_hash, &out->static_spki_hashes);
-            sha1_hash++;
+    for (DomainNameIterator iter(host); !iter.AtEnd(); iter.Advance()) {
+      std::string name = iter.GetName();
+      for (size_t index = 0; index < num_entries; index++) {
+        const PreloadEntry& entry = entries[index];
+
+        // If we find a relevant preload entry, populate the
+        // entire DomainState from it and return
+        if (entry.length == name.size() &&
+            memcmp(entry.dns_name, name.data(), entry.length) == 0 &&
+            (iter.IsFullHostname() || entry.include_subdomains)) {
+

[Ryan Sleevi, 2013/03/23 04:24:13]

nit: unnecessary newline

[unsafe, 2013/03/23 08:19:39]

Done.

+          // should_upgrade

[Ryan Sleevi, 2013/03/23 04:24:13]

the comment here and on 237 seem unnecessary.

[unsafe, 2013/03/23 08:19:39]

Done.

+          if (entry.https_required)
+            result->should_upgrade_ = true;
+
+          // has_public_key_pins
+          if (entry.pins.required_hashes || entry.pins.excluded_hashes)
+            result->has_public_key_pins_ = true;
+
+          HashValue hash(HASH_VALUE_SHA1);
+          if (entry.pins.required_hashes) {
+            const char* const* sha1_hashes = entry.pins.required_hashes;
+            while (*sha1_hashes) {
+              memcpy(hash.data(), *sha1_hashes, hash.size());
+              result->public_key_pins_good_hashes_.push_back(hash);
+              sha1_hashes++;
+            }
           }
-        }
-        if (entries[j].pins.excluded_hashes) {
-          const char* const* sha1_hash = entries[j].pins.excluded_hashes;
-          while (*sha1_hash) {
-            AddHash(*sha1_hash, &out->bad_static_spki_hashes);
-            sha1_hash++;
+          if (entry.pins.excluded_hashes) {
+            const char* const* sha1_hashes = entry.pins.excluded_hashes;
+            while (*sha1_hashes) {
+              memcpy(hash.data(), *sha1_hashes, hash.size());
+              result->public_key_pins_bad_hashes_.push_back(hash);
+              sha1_hashes++;
+            }
           }
+
+          // is_google_pinned_property
+          if (entry.pins.required_hashes == kGoogleAcceptableCerts)
+            result->is_google_pinned_property_ = true;
+
+          // report_uma_on_pin_failure
+          if (entry.second_level_domain_name != DOMAIN_NOT_PINNED) {
+            result->report_uma_on_pin_failure_ = true;
+            result->second_level_domain_name_ = entry.second_level_domain_name;
+          }
+          return true;
         }
       }
-      return true;
     }
   }
+#endif
   return false;
 }
 
-#include "net/base/transport_security_state_static.h"
-
-// Returns the HSTSPreload entry for the |canonicalized_host| in |entries|,
-// or NULL if there is none. Prefers exact hostname matches to those that
-// match only because HSTSPreload.include_subdomains is true.
-//
-// |canonicalized_host| should be the hostname as canonicalized by
-// CanonicalizeHost.
-static const struct HSTSPreload* GetHSTSPreload(
-    const std::string& canonicalized_host,
-    const struct HSTSPreload* entries,
-    size_t num_entries) {
-  for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
-    for (size_t j = 0; j < num_entries; j++) {
-      const struct HSTSPreload* entry = entries + j;
-
-      if (i != 0 && !entry->include_subdomains)
-        continue;
-
-      if (entry->length == canonicalized_host.size() - i &&
-          memcmp(entry->dns_name, &canonicalized_host[i], entry->length) == 0) {
-        return entry;
-      }
-    }
-  }
-
-  return NULL;
-}
-
-bool TransportSecurityState::AddHSTSHeader(const std::string& host,
+void TransportSecurityState::AddHSTSHeader(const std::string& host,
                                            const std::string& value) {
-  base::Time now = base::Time::Now();
-  TransportSecurityState::DomainState domain_state;
-  if (ParseHSTSHeader(now, value, &domain_state.upgrade_expiry,
-                      &domain_state.include_subdomains)) {
-    // Handle max-age == 0
-    if (now == domain_state.upgrade_expiry)
-      domain_state.upgrade_mode = DomainState::MODE_DEFAULT;
+  const base::Time now = base::Time::Now();
+  base::TimeDelta max_age;
+  bool include_subdomains = false;
+  if (ParseHSTSHeader(value, &max_age, &include_subdomains)) {
+    if (max_age.InSeconds() == 0)
+      DeleteHSTS(host);
     else
-      domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
-    domain_state.created = now;
-    EnableHost(host, domain_state);
-    return true;
-  }
-  return false;
-}
-
-bool TransportSecurityState::AddHPKPHeader(const std::string& host,
+      AddHSTS(host, now, now + max_age, include_subdomains);
+  }
+}
+
+void TransportSecurityState::AddHPKPHeader(const std::string& host,
                                            const std::string& value,
                                            const SSLInfo& ssl_info) {
-  base::Time now = base::Time::Now();
-  TransportSecurityState::DomainState domain_state;
-  if (ParseHPKPHeader(now, value, ssl_info.public_key_hashes,
-                      &domain_state.dynamic_spki_hashes_expiry,
-                      &domain_state.dynamic_spki_hashes)) {
-    domain_state.upgrade_mode = DomainState::MODE_DEFAULT;
-    domain_state.created = now;
-    EnableHost(host, domain_state);
-    return true;
-  }
-  return false;
+  const base::Time now = base::Time::Now();
+  base::TimeDelta max_age;
+  HashValueVector public_key_pin_hashes;
+  bool include_subdomains = false;  // TODO(trevp) PARSE FROM HEADER
+  if (ParseHPKPHeader(value, ssl_info.public_key_hashes, &max_age,
+                      &public_key_pin_hashes)) {
+    if (max_age.InSeconds() == 0)
+      DeleteHPKP(host);
+    else
+      AddHPKP(host, now, now + max_age, include_subdomains,
+              public_key_pin_hashes);

[Ryan Sleevi, 2013/03/23 04:24:13]

style nit: because this line wraps, you should have braces for the if beginning
on line 299 and the else beginning 301

[unsafe, 2013/03/23 08:19:39]

Done.

+  }
 }
 
 bool TransportSecurityState::AddHSTS(const std::string& host,
+                                     const base::Time& created,
                                      const base::Time& expiry,
                                      bool include_subdomains) {
-  // Copy-and-modify the existing DomainState for this host (if any).
-  TransportSecurityState::DomainState domain_state;
-  const std::string canonicalized_host = CanonicalizeHost(host);
-  const std::string hashed_host = HashHost(canonicalized_host);
-  DomainStateMap::const_iterator i = enabled_hosts_.find(
-      hashed_host);
-  if (i != enabled_hosts_.end())
-    domain_state = i->second;
-
-  domain_state.created = base::Time::Now();
-  domain_state.include_subdomains = include_subdomains;
-  domain_state.upgrade_expiry = expiry;
-  domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
-  EnableHost(host, domain_state);
-  return true;
+  bool retval = AddHSTSHashedHost(HashHost(host), created, expiry,
+                           include_subdomains);

[Ryan Sleevi, 2013/03/23 04:24:13]

style nit: indent
style: just return (no need for the retval temporary)

[unsafe, 2013/03/23 08:19:39]

Done.

+  return retval;
 }
 
 bool TransportSecurityState::AddHPKP(const std::string& host,
+                                     const base::Time& created,
                                      const base::Time& expiry,
                                      bool include_subdomains,
                                      const HashValueVector& hashes) {
-  // Copy-and-modify the existing DomainState for this host (if any).
-  TransportSecurityState::DomainState domain_state;
-  const std::string canonicalized_host = CanonicalizeHost(host);
-  const std::string hashed_host = HashHost(canonicalized_host);
-  DomainStateMap::const_iterator i = enabled_hosts_.find(
-      hashed_host);
-  if (i != enabled_hosts_.end())
-    domain_state = i->second;
-
-  domain_state.created = base::Time::Now();
-  domain_state.include_subdomains = include_subdomains;
-  domain_state.dynamic_spki_hashes_expiry = expiry;
-  domain_state.dynamic_spki_hashes = hashes;
-  EnableHost(host, domain_state);
-  return true;
-}
-
-// static
-bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
-                                                    bool sni_enabled) {
-  std::string canonicalized_host = CanonicalizeHost(host);
-  const struct HSTSPreload* entry =
-      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
-
-  if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
-    return true;
-
-  if (sni_enabled) {
-    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
-                           kNumPreloadedSNISTS);
-    if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
-      return true;
-  }
-
-  return false;
-}
-
-// static
-void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
-  std::string canonicalized_host = CanonicalizeHost(host);
-
-  const struct HSTSPreload* entry =
-      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
-
-  if (!entry) {
-    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
-                           kNumPreloadedSNISTS);
-  }
-
-  if (!entry) {
-    // We don't care to report pin failures for dynamic pins.
-    return;
-  }
-
-  DCHECK(entry);
-  DCHECK(entry->pins.required_hashes);
-  DCHECK(entry->second_level_domain_name != DOMAIN_NOT_PINNED);
-
-  UMA_HISTOGRAM_ENUMERATION("Net.PublicKeyPinFailureDomain",
-                            entry->second_level_domain_name, DOMAIN_NUM_EVENTS);
-}
-
-// static
+  return AddHPKPHashedHost(HashHost(host), created, expiry,
+                           include_subdomains, hashes);
+}
+
+bool TransportSecurityState::AddHSTSHashedHost(const std::string& hashed_host,
+                                               const base::Time& created,
+                                               const base::Time& expiry,
+                                               bool include_subdomains) {
+
+  DynamicEntry entry(include_subdomains, created, expiry);
+  bool retval = hsts_entries_.AddEntry(hashed_host, entry);

[Ryan Sleevi, 2013/03/23 04:24:13]

naming nit: s/retval/result/

[unsafe, 2013/03/23 08:19:39]

Done.

+  CheckDirty();
+  return retval;
+}
+
+bool TransportSecurityState::AddHPKPHashedHost(const std::string& hashed_host,
+                                               const base::Time& created,
+                                               const base::Time& expiry,
+                                               bool include_subdomains,
+                                               const HashValueVector& hashes) {
+  if (hashes.empty())
+    return false;
+  HPKPEntry entry(include_subdomains, created, expiry, hashes);
+  bool retval = hpkp_entries_.AddEntry(hashed_host, entry);
+  CheckDirty();
+  return retval;
+}
+
+bool TransportSecurityState::DeleteHSTS(const std::string& host) {
+  bool retval = hsts_entries_.DeleteEntry(HashHost(host));
+  CheckDirty();
+  return retval;
+}
+
+bool TransportSecurityState::DeleteHPKP(const std::string& host) {
+  bool retval = hpkp_entries_.DeleteEntry(HashHost(host));
+  CheckDirty();
+  return retval;
+}
+
+const std::map<std::string, TransportSecurityState::DynamicEntry>&
+TransportSecurityState::GetHSTSEntries() const {
+  return hsts_entries_;
+}
+
+const std::map<std::string, TransportSecurityState::HPKPEntry>&
+TransportSecurityState::GetHPKPEntries() const {
+  return hpkp_entries_;
+}
+
 bool TransportSecurityState::IsBuildTimely() {
   const base::Time build_time = base::GetBuildTime();
   // We consider built-in information to be timely for 10 weeks.
   return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 }
 
-bool TransportSecurityState::GetStaticDomainState(
-    const std::string& canonicalized_host,
-    bool sni_enabled,
-    DomainState* out) {
+void TransportSecurityState::CheckDirty() {
   DCHECK(CalledOnValidThread());
-
-  out->upgrade_mode = DomainState::MODE_FORCE_HTTPS;
-  out->include_subdomains = false;
-
-  const bool is_build_timely = IsBuildTimely();
-
-  for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
-    std::string host_sub_chunk(&canonicalized_host[i],
-                               canonicalized_host.size() - i);
-    out->domain = DNSDomainToString(host_sub_chunk);
-    std::string hashed_host(HashHost(host_sub_chunk));
-    if (forced_hosts_.find(hashed_host) != forced_hosts_.end()) {
-      *out = forced_hosts_[hashed_host];
-      out->domain = DNSDomainToString(host_sub_chunk);
-      return true;
-    }
-    bool ret;
-    if (is_build_timely &&
-        HasPreload(kPreloadedSTS, kNumPreloadedSTS, canonicalized_host, i, out,
-                   &ret)) {
-      return ret;
-    }
-    if (sni_enabled &&
-        is_build_timely &&
-        HasPreload(kPreloadedSNISTS, kNumPreloadedSNISTS, canonicalized_host, i,
-                   out, &ret)) {
-      return ret;
-    }
-  }
-
-  return false;
-}
-
-void TransportSecurityState::AddOrUpdateEnabledHosts(
-    const std::string& hashed_host, const DomainState& state) {
-  enabled_hosts_[hashed_host] = state;
-}
-
-void TransportSecurityState::AddOrUpdateForcedHosts(
-    const std::string& hashed_host, const DomainState& state) {
-  forced_hosts_[hashed_host] = state;
-}
+  if (delegate_ && (hsts_entries_.dirty || hpkp_entries_.dirty))
+    delegate_->StateIsDirty(this);
+  hsts_entries_.dirty = false;
+  hpkp_entries_.dirty = false;
+}
+
+// DynamicEntry and subclasses (e.g. HPKPEntry)
+
+TransportSecurityState::DynamicEntry::DynamicEntry()
+  : include_subdomains_(false), created_(), expiry_() {

[Ryan Sleevi, 2013/03/23 04:24:13]

style nit: each member initializer goes on a single line if the entire ctor
cannot fit on one line

http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Constr...

Please check all the ctors in this file.

+}
+
+TransportSecurityState::DynamicEntry::~DynamicEntry() {
+}
+
+TransportSecurityState::DynamicEntry::DynamicEntry(bool include_subdomains,
+                                                   const base::Time& created,
+                                                   const base::Time& expiry):
+  include_subdomains_(include_subdomains), created_(created), expiry_(expiry) {

[Ryan Sleevi, 2013/03/23 04:24:13]

style nit: 

TransportSecurityState::DynamicEntry::DynamicEntry(
    bool include_subdomains,
    const base::Time& created,
    const base::Time& expiry)
    : include_subdomains_(include_subdomains),
      created_(created),
      expiry_(expiry) {
}

+}
+
+TransportSecurityState::HPKPEntry::HPKPEntry()
+  : DynamicEntry(), good_hashes_() {
+}
+
+TransportSecurityState::HPKPEntry::~HPKPEntry() {
+}
+
+TransportSecurityState::HPKPEntry::HPKPEntry(
+  bool include_subdomains,
+  const base::Time& created,
+  const base::Time& expiry,
+  const HashValueVector& good_hashes):
+  DynamicEntry(include_subdomains, created, expiry),
+  good_hashes_(good_hashes) {
+}
+
+// DomainState
 
 TransportSecurityState::DomainState::DomainState()
-    : upgrade_mode(MODE_FORCE_HTTPS),
-      created(base::Time::Now()),
-      include_subdomains(false) {
+  : should_upgrade_(false), has_public_key_pins_(false),
+  is_google_pinned_property_(false), report_uma_on_pin_failure_(false),
+  public_key_pins_good_hashes_(), public_key_pins_bad_hashes_(),
+  second_level_domain_name_(DOMAIN_NOT_PINNED) {
 }
 
 TransportSecurityState::DomainState::~DomainState() {
 }
 
+bool TransportSecurityState::DomainState::HasPublicKeyPins() const {
+  return has_public_key_pins_;
+}
+
 bool TransportSecurityState::DomainState::CheckPublicKeyPins(
     const HashValueVector& hashes) const {
-  // Validate that hashes is not empty. By the time this code is called (in
-  // production), that should never happen, but it's good to be defensive.
-  // And, hashes *can* be empty in some test scenarios.
-  if (hashes.empty()) {
-    LOG(ERROR) << "Rejecting empty public key chain for public-key-pinned "
-                  "domain " << domain;
+  if (HashesIntersect(public_key_pins_bad_hashes_, hashes)) {
+    LOG(ERROR) << "Rejecting public key chain. Validated chain: "
+               << HashesToBase64String(hashes)
+               << ", matches one or more bad hashes: "
+               << HashesToBase64String(public_key_pins_bad_hashes_);
     return false;
   }
 
-  if (HashesIntersect(bad_static_spki_hashes, hashes)) {
-    LOG(ERROR) << "Rejecting public key chain for domain " << domain
-               << ". Validated chain: " << HashesToBase64String(hashes)
-               << ", matches one or more bad hashes: "
-               << HashesToBase64String(bad_static_spki_hashes);
-    return false;
-  }
-
-  // If there are no pins, then any valid chain is acceptable.
-  if (dynamic_spki_hashes.empty() && static_spki_hashes.empty())
+  // If there are no good pins, then any valid chain is acceptable.
+  // Otherwise, there has to be a match.
+  if (public_key_pins_good_hashes_.empty() ||
+      HashesIntersect(public_key_pins_good_hashes_, hashes))

[Ryan Sleevi, 2013/03/23 04:24:13]

style nit: braces

     return true;
 
-  if (HashesIntersect(dynamic_spki_hashes, hashes) ||
-      HashesIntersect(static_spki_hashes, hashes)) {
-    return true;
-  }
-
-  LOG(ERROR) << "Rejecting public key chain for domain " << domain
-             << ". Validated chain: " << HashesToBase64String(hashes)
-             << ", expected: " << HashesToBase64String(dynamic_spki_hashes)
-             << " or: " << HashesToBase64String(static_spki_hashes);
+  LOG(ERROR) << "Rejecting public key chain. Validated chain: "
+             << HashesToBase64String(hashes)
+             << ", expected: "
+             << HashesToBase64String(public_key_pins_good_hashes_);
   return false;
 }
 
 bool TransportSecurityState::DomainState::ShouldUpgradeToSSL() const {
-  return upgrade_mode == MODE_FORCE_HTTPS;
+  return should_upgrade_;
 }
 
 bool TransportSecurityState::DomainState::ShouldSSLErrorsBeFatal() const {
-  return true;
-}
-
-bool TransportSecurityState::DomainState::Equals(
-    const DomainState& other) const {
-  // TODO(palmer): Implement this
-  (void) other;
-  return true;
-}
-
-bool TransportSecurityState::DomainState::HasPublicKeyPins() const {
-  return static_spki_hashes.size() > 0 ||
-         bad_static_spki_hashes.size() > 0 ||
-         dynamic_spki_hashes.size() > 0;
+  return should_upgrade_;
+}
+
+bool TransportSecurityState::DomainState::IsGooglePinnedProperty() const {
+  return is_google_pinned_property_;
+}
+
+void TransportSecurityState::DomainState::ReportUMAOnPinFailure() const {
+  if (report_uma_on_pin_failure_) {
+    UMA_HISTOGRAM_ENUMERATION("Net.PublicKeyPinFailureDomain",
+                              second_level_domain_name_, DOMAIN_NUM_EVENTS);
+  }
+}
+
+const HashValueVector&
+TransportSecurityState::DomainState::GetPublicKeyPinsGoodHashes() const {
+  return public_key_pins_good_hashes_;
+}
+
+const HashValueVector&
+TransportSecurityState::DomainState::GetPublicKeyPinsBadHashes() const {
+  return public_key_pins_bad_hashes_;
 }
 
 }  // namespace