Enable public key pinning of local trust anchors

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 
@@ skipping 600 matching lines @@
 }
 
 }  // namespace
 
 TransportSecurityState::TransportSecurityState()
     : delegate_(nullptr),
       report_sender_(nullptr),
       enable_static_pins_(true),
       enable_static_expect_ct_(true),
       enable_static_expect_staple_(false),
+      enable_local_trust_anchor_pinning_(false),
       expect_ct_reporter_(nullptr),
       sent_reports_cache_(kMaxHPKPReportCacheEntries) {
 // Static pinning is only enabled for official builds to make sure that
 // others don't end up with pins that cannot be easily updated.
 #if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS)
   enable_static_pins_ = false;
   enable_static_expect_ct_ = false;
 #endif
   DCHECK(CalledOnValidThread());
 }
@@ skipping 26 matching lines @@
 }
 
 bool TransportSecurityState::CheckPublicKeyPins(
     const HostPortPair& host_port_pair,
     bool is_issued_by_known_root,
     const HashValueVector& public_key_hashes,
     const X509Certificate* served_certificate_chain,
     const X509Certificate* validated_certificate_chain,
     const PublicKeyPinReportStatus report_status,
     std::string* pinning_failure_log) {
-  // Perform pin validation if, and only if, all these conditions obtain:
+  // Perform pin validation if, and only if:
   //
-  // * the server's certificate chain chains up to a known root (i.e. not a
-  //   user-installed trust anchor); and
-  // * the server actually has public key pins.
-  if (!is_issued_by_known_root || !HasPublicKeyPins(host_port_pair.host())) {
+  // 1.   the server actually has public key pins; and one of the following
+  //      conditions is met:
+  // 2.1. the server's certificate chain chains up to a known root (i.e. not a
+  //      user-installed trust anchor).
+  // 2.2  the server's certificate chain chains up to user-installed trust
+  //      anchor and local trust pinning is enabled.
+  //
+  if ((!is_issued_by_known_root && !enable_local_trust_anchor_pinning_) ||
+      !HasPublicKeyPins(host_port_pair.host())) {
     return true;
   }
 
   bool pins_are_valid = CheckPublicKeyPinsImpl(
       host_port_pair, public_key_hashes, served_certificate_chain,
       validated_certificate_chain, report_status, pinning_failure_log);
   if (!pins_are_valid) {
     LOG(ERROR) << *pinning_failure_log;
     ReportUMAOnPinFailure(host_port_pair.host());
   }
@@ skipping 64 matching lines @@
   PKPState pkp_state;
   pkp_state.last_observed = last_observed;
   pkp_state.expiry = expiry;
   pkp_state.include_subdomains = include_subdomains;
   pkp_state.spki_hashes = hashes;
   pkp_state.report_uri = report_uri;
 
   EnablePKPHost(host, pkp_state);
 }
 
+void TransportSecurityState::EnableLocalTrustAnchorPinning(bool value) {
+  enable_local_trust_anchor_pinning_ = value;
+}
+
 void TransportSecurityState::EnableSTSHost(const std::string& host,
                                            const STSState& state) {
   DCHECK(CalledOnValidThread());
 
   const std::string canonicalized_host = CanonicalizeHost(host);
   if (canonicalized_host.empty())
     return;
 
   // Only store new state when HSTS is explicitly enabled. If it is
   // disabled, remove the state from the enabled hosts.
@@ skipping 284 matching lines @@
 
   PKPState pkp_state;
   pkp_state.last_observed = now;
   pkp_state.expiry = now;
   pkp_state.include_subdomains = include_subdomains;
   pkp_state.spki_hashes = spki_hashes;
   pkp_state.report_uri = report_uri;
   pkp_state.domain = DNSDomainToString(CanonicalizeHost(host_port_pair.host()));
 
   // Only perform pin validation if the cert chains up to a known root.
-  if (!ssl_info.is_issued_by_known_root)
+  if (!ssl_info.is_issued_by_known_root && !enable_local_trust_anchor_pinning_)
     return true;
 
   CheckPinsAndMaybeSendReport(
       host_port_pair, pkp_state, ssl_info.public_key_hashes,
       ssl_info.unverified_cert.get(), ssl_info.cert.get(), ENABLE_PIN_REPORTS,
       &unused_failure_log);
   return true;
 }
 
 void TransportSecurityState::ProcessExpectCTHeader(
@@ skipping 328 matching lines @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
     const TransportSecurityState& state)
     : iterator_(state.enabled_pkp_hosts_.begin()),
       end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 }  // namespace