Expose when PKP is bypassed in SSLInfo.

net/http/transport_security_state.cc

Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 16217a0c022e9f2149c698e9b45e9b1e1b6ed9ec..b24cfeb5871b8b2e188ab31d3ca768d3bc43e6d9 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -664,18 +664,20 @@ bool TransportSecurityState::CheckPublicKeyPins(
     const X509Certificate* validated_certificate_chain,
     const PublicKeyPinReportStatus report_status,
     std::string* pinning_failure_log) {
-  // Perform pin validation if, and only if, all these conditions obtain:
-  //
-  // * the server's certificate chain chains up to a known root (i.e. not a
-  //   user-installed trust anchor); and
-  // * the server actually has public key pins.
-  if (!is_issued_by_known_root || !HasPublicKeyPins(host_port_pair.host())) {
+  // Perform pin validation only if the server actually has public key pins.
+  if (!HasPublicKeyPins(host_port_pair.host())) {
     return true;
   }
 
   bool pins_are_valid = CheckPublicKeyPinsImpl(
-      host_port_pair, public_key_hashes, served_certificate_chain,
-      validated_certificate_chain, report_status, pinning_failure_log);
+      host_port_pair, is_issued_by_known_root, public_key_hashes,
+      served_certificate_chain, validated_certificate_chain, report_status,
+      pinning_failure_log);
+  // Don't track statistics when a local trust anchor would override the pinning
+  // anyway.
+  if (!is_issued_by_known_root)
+    return pins_are_valid;
+
   if (!pins_are_valid) {
     LOG(ERROR) << *pinning_failure_log;
     ReportUMAOnPinFailure(host_port_pair.host());
@@ -806,6 +808,7 @@ void TransportSecurityState::EnablePKPHost(const std::string& host,
 
 bool TransportSecurityState::CheckPinsAndMaybeSendReport(
     const HostPortPair& host_port_pair,
+    bool is_issued_by_known_root,
     const TransportSecurityState::PKPState& pkp_state,
     const HashValueVector& hashes,
     const X509Certificate* served_certificate_chain,
@@ -815,7 +818,7 @@ bool TransportSecurityState::CheckPinsAndMaybeSendReport(
   if (pkp_state.CheckPublicKeyPins(hashes, failure_log))
     return true;
 
-  if (!report_sender_ ||
+  if (!report_sender_ || !is_issued_by_known_root ||
       report_status != TransportSecurityState::ENABLE_PIN_REPORTS ||
       pkp_state.report_uri.is_empty()) {
     return false;
@@ -1057,14 +1060,10 @@ bool TransportSecurityState::ProcessHPKPReportOnlyHeader(
   pkp_state.report_uri = report_uri;
   pkp_state.domain = DNSDomainToString(CanonicalizeHost(host_port_pair.host()));
 
-  // Only perform pin validation if the cert chains up to a known root.
-  if (!ssl_info.is_issued_by_known_root)
-    return true;
-
   CheckPinsAndMaybeSendReport(
-      host_port_pair, pkp_state, ssl_info.public_key_hashes,
-      ssl_info.unverified_cert.get(), ssl_info.cert.get(), ENABLE_PIN_REPORTS,
-      &unused_failure_log);
+      host_port_pair, ssl_info.is_issued_by_known_root, pkp_state,
+      ssl_info.public_key_hashes, ssl_info.unverified_cert.get(),
+      ssl_info.cert.get(), ENABLE_PIN_REPORTS, &unused_failure_log);
   return true;
 }
 
@@ -1121,6 +1120,7 @@ bool TransportSecurityState::IsBuildTimely() {
 
 bool TransportSecurityState::CheckPublicKeyPinsImpl(
     const HostPortPair& host_port_pair,
+    bool is_issued_by_known_root,
     const HashValueVector& hashes,
     const X509Certificate* served_certificate_chain,
     const X509Certificate* validated_certificate_chain,
@@ -1137,8 +1137,9 @@ bool TransportSecurityState::CheckPublicKeyPinsImpl(
   }
 
   return CheckPinsAndMaybeSendReport(
-      host_port_pair, pkp_state, hashes, served_certificate_chain,
-      validated_certificate_chain, report_status, failure_log);
+      host_port_pair, is_issued_by_known_root, pkp_state, hashes,
+      served_certificate_chain, validated_certificate_chain, report_status,
+      failure_log);
 }
 
 bool TransportSecurityState::GetStaticDomainState(const std::string& host,