Expose when PKP is bypassed in SSLInfo.

net/socket/ssl_client_socket_impl.cc

Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index 80ff994982f2d3e804266d8623bae1dd2e90b0d4..f1c94e7d8a55f3c3d69cbdea6d6ad08d4628962a 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -1356,7 +1356,10 @@ int SSLClientSocketImpl::DoVerifyCertComplete(int result) {
           server_cert_verify_result_.public_key_hashes, server_cert_.get(),
           server_cert_verify_result_.verified_cert.get(),
           TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) {
-    result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
+    if (server_cert_verify_result_.is_issued_by_known_root)

[estark, 2016/05/31 14:59:57]

I think we need to apply the same logic to the corresponding check for QUIC
connections:
https://code.google.com/p/chromium/codesearch#chromium/src/net/quic/crypto/pr...

We probably also need to think about what to do for the SPDY pinning check here:
https://code.google.com/p/chromium/codesearch#chromium/src/net/spdy/spdy_sess...

That SPDY check is for whether or not a request can be pooled with an existing
connection: in order to be allowed, the connection must not violate pins for the
request's host. I suppose what we want to do there is continue to return true if
|is_issued_by_known_root| is false...?

[dadrian, 2016/05/31 18:58:31]

I implemented the same logic for QUIC, but I'm worried this CL is getting a
little out of hand. I'm taking what was unified logic in TransportSecurityState
and reimplementing it in three places. It does seem like the most
straightforward way, but I'm anticipating net owners won't be happy. 

+      result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
+    else
+      server_cert_verify_result_.cert_status |= CERT_STATUS_PKP_BYPASSED;
   }
 
   if (result == OK) {