
Unified Diff: net/quic/crypto/proof_verifier_chromium_test.cc

Issue 2016143002: Expose when PKP is bypassed in SSLInfo. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Make CertVerifyResult Great Again. Created 4 years, 6 months ago
Index: net/quic/crypto/proof_verifier_chromium_test.cc
diff --git a/net/quic/crypto/proof_verifier_chromium_test.cc b/net/quic/crypto/proof_verifier_chromium_test.cc
index 267a2f9d499641e002475a01b138f77ea66d90c6..48283e081a7c97fa1559bf9a5a80f565042e831d 100644
--- a/net/quic/crypto/proof_verifier_chromium_test.cc
+++ b/net/quic/crypto/proof_verifier_chromium_test.cc
@@ -409,5 +409,90 @@ TEST_F(ProofVerifierChromiumTest, IgnoresPolicyEnforcerIfNotEV) {
EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status);
}
+HashValueVector MakeHashValueVector(uint8_t tag) {
+ HashValue hash(HASH_VALUE_SHA256);
+ memset(hash.data(), tag, hash.size());
+ HashValueVector hashes;
+ hashes.push_back(hash);
+ return hashes;
+}
+
+// Test that PKP is enforced for certificates that chain up to known roots.
+TEST_F(ProofVerifierChromiumTest, PKPEnforced) {
+ scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
+ ASSERT_TRUE(test_cert);
+
+ CertVerifyResult dummy_result;
+ dummy_result.verified_cert = test_cert;
+ dummy_result.is_issued_by_known_root = true;
+ dummy_result.public_key_hashes = MakeHashValueVector(0x01);
+ dummy_result.cert_status = 0;
+
+ MockCertVerifier dummy_verifier;
+ dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
+
+ HashValueVector pin_hashes = MakeHashValueVector(0x02);
+ TransportSecurityState transport_security_state;
+ transport_security_state.AddHPKP(
+ kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000),
+ true, pin_hashes, GURL());
+
+ ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr,
+ &transport_security_state, nullptr);
+
+ std::unique_ptr<DummyProofVerifierCallback> callback(
+ new DummyProofVerifierCallback);
+ QuicAsyncStatus status = proof_verifier.VerifyProof(
+ kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
+ GetTestSignature(), verify_context_.get(), &error_details_, &details_,
+ callback.get());
+ ASSERT_EQ(QUIC_FAILURE, status);
+
+ ASSERT_TRUE(details_.get());
+ ProofVerifyDetailsChromium* verify_details =
+ static_cast<ProofVerifyDetailsChromium*>(details_.get());
+ EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status);
+ EXPECT_FALSE(verify_details->pkp_bypassed);
+ EXPECT_NE("", verify_details->pinning_failure_log);
+}
+
+// Test |pkp_bypassed| is set when PKP is bypassed due to a local
+// trust anchor
+TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) {
+ scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
+ ASSERT_TRUE(test_cert);
+
+ CertVerifyResult dummy_result;
+ dummy_result.verified_cert = test_cert;
+ dummy_result.is_issued_by_known_root = false;
+ dummy_result.public_key_hashes = MakeHashValueVector(0x01);
+ dummy_result.cert_status = 0;
+
+ MockCertVerifier dummy_verifier;
+ dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
+
+ HashValueVector expected_hashes = MakeHashValueVector(0x02);
+ TransportSecurityState transport_security_state_fail;
+ transport_security_state_fail.AddHPKP(
+ kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000),
+ true, expected_hashes, GURL());
+
+ ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr,
+ &transport_security_state_fail, nullptr);
+
+ std::unique_ptr<DummyProofVerifierCallback> callback(
+ new DummyProofVerifierCallback);
+ QuicAsyncStatus status = proof_verifier.VerifyProof(
+ kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
+ GetTestSignature(), verify_context_.get(), &error_details_, &details_,
+ callback.get());
+ ASSERT_EQ(QUIC_SUCCESS, status);
+
+ ASSERT_TRUE(details_.get());
+ ProofVerifyDetailsChromium* verify_details =
+ static_cast<ProofVerifyDetailsChromium*>(details_.get());
+ EXPECT_TRUE(verify_details->pkp_bypassed);
+}
+
} // namespace test
} // namespace net
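Review bot: Neither new test covers a successful verification in which the pins are actually satisfied, so `pkp_bypassed` is only checked as false on the failure path (PKPEnforced) and as true on the success path (PKPBypassFlagSet). An implementation that set the flag on every successful verification for a pinned host would pass both tests, and consumers of SSLInfo would then be told pinning was skipped when it was in fact enforced. I would add a third case where `is_issued_by_known_root` is true and the pinned hash equals the one the verifier reports, expecting `QUIC_SUCCESS` and a false flag. The sketch below assumes that identical `MakeHashValueVector(0x01)` values satisfy the pin check, which should be confirmed against TransportSecurityState.

```cpp
// Test that |pkp_bypassed| stays false when the pins are satisfied.
TEST_F(ProofVerifierChromiumTest, PKPBypassFlagNotSetWhenPinsMatch) {
  // … unchanged: test_cert and CertVerifyResult dummy_result as in PKPEnforced …
  dummy_result.is_issued_by_known_root = true;
  dummy_result.public_key_hashes = MakeHashValueVector(0x01);

  // … unchanged: MockCertVerifier setup as in PKPEnforced …

  // Pin the same hash the verifier reports, so the pin check should pass.
  HashValueVector pin_hashes = MakeHashValueVector(0x01);

  // … unchanged: AddHPKP, ProofVerifierChromium and VerifyProof as in PKPEnforced …
  ASSERT_EQ(QUIC_SUCCESS, status);

  ASSERT_TRUE(details_.get());
  ProofVerifyDetailsChromium* verify_details =
      static_cast<ProofVerifyDetailsChromium*>(details_.get());
  EXPECT_FALSE(verify_details->pkp_bypassed);
}
```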
