Expose when PKP is bypassed in SSLInfo.

net/http/transport_security_state.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 
 #include <stdint.h>
 
 #include <map>
@@ skipping 237 matching lines @@
   // Indicates whether or not a public key pin check should send a
   // report if a violation is detected.
   enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS };
 
   TransportSecurityState();
   ~TransportSecurityState();
 
   // These functions search for static and dynamic STS and PKP states, and
   // invoke the functions of the same name on them. These functions are the
   // primary public interface; direct access to STS and PKP states is best
-  // left to tests.
+  // left to tests. The caller needs to handle the optional pinning override
+  // when is_issued_by_known_root is false.
   bool ShouldSSLErrorsBeFatal(const std::string& host);
   bool ShouldUpgradeToSSL(const std::string& host);
   bool CheckPublicKeyPins(const HostPortPair& host_port_pair,
                           bool is_issued_by_known_root,
                           const HashValueVector& hashes,
                           const X509Certificate* served_certificate_chain,
                           const X509Certificate* validated_certificate_chain,
                           const PublicKeyPinReportStatus report_status,
                           std::string* failure_log);
   bool HasPublicKeyPins(const std::string& host);
@@ skipping 136 matching lines @@
   static void ReportUMAOnPinFailure(const std::string& host);
 
   // IsBuildTimely returns true if the current build is new enough ensure that
   // built in security information (i.e. HSTS preloading and pinning
   // information) is timely.
   static bool IsBuildTimely();
 
   // Helper method for actually checking pins.
   bool CheckPublicKeyPinsImpl(
       const HostPortPair& host_port_pair,
+      bool is_issued_by_known_root,
       const HashValueVector& hashes,
       const X509Certificate* served_certificate_chain,
       const X509Certificate* validated_certificate_chain,
       const PublicKeyPinReportStatus report_status,
       std::string* failure_log);
 
   // If a Delegate is present, notify it that the internal state has
   // changed.
   void DirtyNotify();
 
@@ skipping 20 matching lines @@
 
   // Returns true if a request to |host_port_pair| with the given
   // SubjectPublicKeyInfo |hashes| satisfies the pins in |pkp_state|,
   // and false otherwise. If a violation is found and reporting is
   // configured (i.e. there is a report URI in |pkp_state| and
   // |report_status| says to), this method sends an HPKP violation
   // report containing |served_certificate_chain| and
   // |validated_certificate_chain|.
   bool CheckPinsAndMaybeSendReport(
       const HostPortPair& host_port_pair,
+      bool is_issued_by_known_root,
       const TransportSecurityState::PKPState& pkp_state,
       const HashValueVector& hashes,
       const X509Certificate* served_certificate_chain,
       const X509Certificate* validated_certificate_chain,
       const TransportSecurityState::PublicKeyPinReportStatus report_status,
       std::string* failure_log);
 
   // Returns true and updates |*expect_ct_result| iff there is a static
   // (built-in) state for |host| with expect_ct=true.
   bool GetStaticExpectCTState(const std::string& host,
@@ skipping 34 matching lines @@
   // rate-limiting.
   ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
       sent_reports_cache_;
 
   DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
 };
 
 }  // namespace net
 
 #endif  // NET_HTTP_TRANSPORT_SECURITY_STATE_H_