Add static domain security state generator tool.

Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this tool into the build process.

This tool generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the tool manually:
out/Default/domain_security_preload_generator net/http/transport_security_state_static.json net/http/transport_security_state_static.pins net/tools/domain_security_preload_generator/resources/transport_security_state_static.template /home/you/output.h -v

[1] https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_state_static_generate/transport_security_state_static_generate.go
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed: https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870613dde3cd83e
Committed: https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b
Cr-Commit-Position: refs/heads/master@{#438358}

[martijnc, 2016-12-05 18:58:25]

Description was changed from

==========
Add static domain security state generator tool.

BUG=595493
==========

to

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this script into the build process.

This scripts generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the script manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v


[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
==========

[martijnc, 2016-12-05 18:58:25]

martijn@martijnc.be changed reviewers:
+ lgarron@chromium.org

[martijnc, 2016-12-05 19:13:26]

This is what I currently have, the code isn't as polished as I'd like it to be
but initial (manual) tests show that it works. I want to go through it myself
before I sent it out for proper review but wanted to share it in case you have
early comments.

Also uploaded another CL (https://codereview.chromium.org/2551943002) that runs
this as part of the build process (I tried to make it a dependent CL but didn't
get it work).

I want to add at least a test that tests whether all hostnames in the JSON are
in the trie before this becomes part of the build process. There isn't any
precedent for tests in net/tools though.

This will need review from a net OWNER, can you recommend someone who is
familiar with this? Possibly rsleevi/davidben/agl?

On my system the tool takes ~250ms to generate the file (compared to ~1.6s for
the Go script). That doesn't include compile time but recompiles of the tool
should be limited.

[lgarron, 2016-12-05 20:48:29]

lgarron@chromium.org changed reviewers:
+ agl@chromium.org

[lgarron, 2016-12-05 20:48:30]

Thanks so much for doing this!
I believe agl@ wrote all the old relevant code.

agl@, are you you up for reviewing this?

https://codereview.chromium.org/2551153003/diff/1/net/net.gypi
File net/net.gypi (right):

https://codereview.chromium.org/2551153003/diff/1/net/net.gypi#newcode1439
net/net.gypi:1439: # To make 'gn check' validate the header usage properly,
these are the
Nit: estore double quotes (I think you search-replaced these by accident).

[martijnc, 2016-12-05 22:01:49]

Patchset #2 (id:20001) has been deleted

[martijnc, 2016-12-05 22:33:01]

Patchset #2 (id:40001) has been deleted

[agl, 2016-12-06 18:51:36]

I'm not sure how familiar you are with code reviewing but I wanted to say,
firstly, thank you for doing this! My comments for a given line are likely to be
rather terse and that can read as curt. But that's not what's intended! It's
just that the customary phrasings get too repetitive in a format like this.

Also, there are rather a lot of comments here but please don't be overwhelmed.
If you find that it's too much that's ok and you can ask for a CL to be taken
over rather than answer wave-after-wave of requests that can seem ungrateful.

One overall comment: I'm not sure if I saw anything matching
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st....
(Not critical and can be added later if it's not currently there.)

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/bit_writer.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:16: // 8 bits they will
be appended to the vector automaticly.
typo.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:25: // Append the last
|number_of_bits| of |bits| to the end of the buffer.
does "last" mean "least-significant"?

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:31: void Close();
I think Close would be better named Flush, since it's possible to continue using
the object afterwards.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:46: uint8_t used_;
I think we're allowed to say " = 0" in class declarations now, which is
preferable to putting them in the constructor. (Although keep the constructor to
save it being emitted in multiple .o files.)

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:49: int32_t position_;
uint32_t (or size_t) to match the return type of |position|.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/cert_util.cc (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.cc:19: static const char*
kPEMBeginBlock = "-----BEGIN %s-----";
static const char kPEMBeginBlock[] = …

(Always use [] rather than * for string constants as it saves a relocation
record in some cases.)

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.cc:65: const unsigned
char* der_data =
Prefer to write |unsigned char| as |uint8_t|.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.cc:67: X509* cert =
d2i_X509(NULL, &der_data, base::checked_cast<long>(der.size()));
See net/cert/asn1_util.h:ExtractSPKIFromDERCert

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/cert_util.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.h:23: // |pem_key| and
copies the digest to |out_hash|. Returns true on success and
I think this should be clearer that the contents of the PEM block are expected
to be exactly an SPKI, since there are many forms of PEM-encoded public-key.

// Decodes a PEM block from |pem_key| and sets |*out_hash| to the SHA256 hash of
the contents.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.h:29: void
InitializeCryptoLibrary();
Use src/crypto/openssl_util.h:EnsureOpenSSLInit rather than this.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc
(right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:44:
// |entries| the pinsets under the pinset key to |pinsets| and the domain IDs
comma after "|entries|" and quotes around the key names.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:73:
std::string hostname = "";
no need to say = "";

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:75:
std::cerr << "Could extract name from entry " << i << std::endl;
s/Could/Couldn't/

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:82:
std::string mode = "";
ditto about = "" and elsewhere in this function.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:108:
std::unique_ptr<DomainSecurityEntry> entry(new DomainSecurityEntry(
It seems that DomainSecurityEntry might be better as a struct. The constructor
really has too many argument and, if it were a struct, the above methods on
|parsed| could write into it directly.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:181:
bool isValid = true;
If this is matching
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...,
then it needs to ensure !candidate.empty() and that candidate[0] in 'A'..'Z'.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:193:
static const char* kStartOfCert = "-----BEGIN CERTIFICATE";
ditto about [] vs *

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:227:
if (!line.size() && current_state == CertificateParserState::PRE_NAME) {
write !line.size() as line.empty()

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:243:
current_state = CertificateParserState::IN_HASH;
The IN_HASH state is a little odd because it means that the following line is
always ignored, no? The Go code processes the hash immediately and that might be
best here.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:267:
if (line.size()) {
I don't think you need to ignore blank lines.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:284:
if (line.size()) {
I don't think you need to ignore blank lines.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:300:
}
default:
  CHECK(false) << "Unknown state " << current_state;

(Or something similar.)

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:319:
std::string(pin.second.data(), pin.second.data() + (pin.second.size()));
drop extra parens around |pin.second.size()|.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:495:
checks_result = checks_result && CheckNoopEntries(entries);
if (!CheckDuplicateEntries(entries) ||
    !CheckNoopEntries(entries) ||
    …) {
  …
  return 1;
}

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.cc
(right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.cc:10:
#include "net/tools/domain_security_preload_generator/huffman/huffman_node.h"
If this is the only include of |huffman_node.h| then I think the contents should
just be included in this file. (The code review tool doesn't make it easy to
check whether it's the only reference I'm afraid.)

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.h
(right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.h:16:
class HuffmanNode;
HPACK is full of Huffman code too and I worry that we might evolve into an ODR
violation. I think it would be worth putting at least this Huffman code in a
namespace. Maybe "transport_security_state"?

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.h:42:
HuffmanRepresentationTable ToHuffmanRepresentationTable();
"HuffmanRepresentation" in the name seems like a bit of a sutter. Also this is
called ToFoo, while just below is AsFoo. I think they should both have the same
prefix.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.h:71:
// the number of these its usage has been recorded through RecordUsage().
s/these/times/

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/huffman/huffman_node.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_node.h:17: int
count,
counts have been uint32_t's prior to this. Types should be consistent.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/pinset.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/pinset.h:15: // A pinset represents
the data a website would send in a HPKP header. A pinset
s/pinset/Pinset/

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/preloaded_state_generator.cc
(right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/preloaded_state_generator.cc:21:
static const char* kNewLine = "\n";
ditto about [] vs *.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/preloaded_state_generator.cc:52: if
(bytes_on_current_line >= 12 && (i + 1) < bytes.size()) {
no need for parens around |i + 1|.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/preloaded_state_generator.cc:58: }
else if ((i + 1) < bytes.size()) {
no need for parens around |i + 1|.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/spki_hash.cc (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/spki_hash.cc:44: if
(!EVP_DigestInit(context.get(), EVP_sha256())) {
include "third_party/boringssl/src/include/openssl/sha.h" (drop "evp.h") and:

SHA256(input, input_length, data_);

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/spki_hash.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/spki_hash.h:16: enum : size_t {
kSPKIHashLength = 32 };
put this in the SPKIHash class and just call it kLength?

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:18: // and
positions. The characters are stored as their Huffmanrepresentation.
Huffmanrepresentation -> HuffmanRepresentation

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:32: //
|position| and |last_position|. |last_position| will updated to equal the
"be" after "will"

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:43: // Write
the entire buffer to |writer|.
Comment should say what the return value is.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:48: void
Close();
Likewise, I'd probably call this Flush.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:67: uint8_t
current_byte_;
I would use " = 0" syntax for these rather than set them in the constructor.

[martijnc, 2016-12-06 20:57:33]

Patchset #3 (id:80001) has been deleted

[martijnc, 2016-12-07 22:19:46]

Patchset #4 (id:120001) has been deleted

[martijnc, 2016-12-07 22:24:51]

Patchset #4 (id:140001) has been deleted

[martijnc, 2016-12-07 22:37:54]

On 2016/12/06 at 18:51:36, agl wrote:
> I'm not sure how familiar you are with code reviewing but I wanted to say,
firstly, thank you for doing this! My comments for a given line are likely to be
rather terse and that can read as curt. But that's not what's intended! It's
just that the customary phrasings get too repetitive in a format like this.
> 
> Also, there are rather a lot of comments here but please don't be overwhelmed.
If you find that it's too much that's ok and you can ask for a CL to be taken
over rather than answer wave-after-wave of requests that can seem ungrateful.

I've contributed patches before. My previous patches were small changes or
refactorings though, this is probably the largest with lots of new code. I'll
let the patch sit for a few days before going through it myself next time, that
way I'll hopefully can catch the obvious errors myself (I tend to miss things
after working on code for a while).

Thank you for reviewing this (rather large) CL! I really appreciate the feedback
:).

> One overall comment: I'm not sure if I saw anything matching
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st....
(Not critical and can be added later if it's not currently there.)

You're right, I missed this. I've made a note to add this.

https://codereview.chromium.org/2551153003/diff/1/net/net.gypi
File net/net.gypi (right):

https://codereview.chromium.org/2551153003/diff/1/net/net.gypi#newcode1439
net/net.gypi:1439: # To make 'gn check' validate the header usage properly,
these are the
On 2016/12/05 at 20:48:30, lgarron wrote:
> Nit: estore double quotes (I think you search-replaced these by accident).

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/bit_writer.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:16: // 8 bits they will
be appended to the vector automaticly.
On 2016/12/06 at 18:51:34, agl wrote:
> typo.

Fixed.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:25: // Append the last
|number_of_bits| of |bits| to the end of the buffer.
On 2016/12/06 at 18:51:34, agl wrote:
> does "last" mean "least-significant"?

Yes, clarified in the comment.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:31: void Close();
On 2016/12/06 at 18:51:34, agl wrote:
> I think Close would be better named Flush, since it's possible to continue
using the object afterwards.

Renamed.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:46: uint8_t used_;
On 2016/12/06 at 18:51:34, agl wrote:
> I think we're allowed to say " = 0" in class declarations now, which is
preferable to putting them in the constructor. (Although keep the constructor to
save it being emitted in multiple .o files.)

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/bit_writer.h:49: int32_t position_;
On 2016/12/06 at 18:51:34, agl wrote:
> uint32_t (or size_t) to match the return type of |position|.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/cert_util.cc (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.cc:19: static const char*
kPEMBeginBlock = "-----BEGIN %s-----";
On 2016/12/06 at 18:51:35, agl wrote:
> static const char kPEMBeginBlock[] = …
> 
> (Always use [] rather than * for string constants as it saves a relocation
record in some cases.)

Done.

Wasn't sure which one to use, the styleguide doesn't mention this specifically
and both are used throughout the code. I'll use [] in the future, thanks!

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.cc:65: const unsigned
char* der_data =
On 2016/12/06 at 18:51:35, agl wrote:
> Prefer to write |unsigned char| as |uint8_t|.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.cc:67: X509* cert =
d2i_X509(NULL, &der_data, base::checked_cast<long>(der.size()));
On 2016/12/06 at 18:51:35, agl wrote:
> See net/cert/asn1_util.h:ExtractSPKIFromDERCert

Using that method would require a //net dependency. The //net dependency would
result in reference cycle when this becomes part of the build process (net ->
generate_preload_domain_security_state -> domain_security_preload_generator ->
net).

That's also the reason this tool doesn't use net::HashValue.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/cert_util.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.h:23: // |pem_key| and
copies the digest to |out_hash|. Returns true on success and
On 2016/12/06 at 18:51:35, agl wrote:
> I think this should be clearer that the contents of the PEM block are expected
to be exactly an SPKI, since there are many forms of PEM-encoded public-key.
> 
> // Decodes a PEM block from |pem_key| and sets |*out_hash| to the SHA256 hash
of the contents.

Clarified.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.h:29: void
InitializeCryptoLibrary();
On 2016/12/06 at 18:51:35, agl wrote:
> Use src/crypto/openssl_util.h:EnsureOpenSSLInit rather than this.

Removed and updated domain_security_preload_generator.cc to call
crypto::EnsureOpenSSLInit().

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc
(right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:44:
// |entries| the pinsets under the pinset key to |pinsets| and the domain IDs
On 2016/12/06 at 18:51:35, agl wrote:
> comma after "|entries|" and quotes around the key names.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:73:
std::string hostname = "";
On 2016/12/06 at 18:51:35, agl wrote:
> no need to say = "";

Removed.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:75:
std::cerr << "Could extract name from entry " << i << std::endl;
On 2016/12/06 at 18:51:35, agl wrote:
> s/Could/Couldn't/

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:82:
std::string mode = "";
On 2016/12/06 at 18:51:35, agl wrote:
> ditto about = "" and elsewhere in this function.

Removed.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:108:
std::unique_ptr<DomainSecurityEntry> entry(new DomainSecurityEntry(
On 2016/12/06 at 18:51:35, agl wrote:
> It seems that DomainSecurityEntry might be better as a struct. The constructor
really has too many argument and, if it were a struct, the above methods on
|parsed| could write into it directly.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:181:
bool isValid = true;
On 2016/12/06 at 18:51:35, agl wrote:
> If this is matching
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...,
then it needs to ensure !candidate.empty() and that candidate[0] in 'A'..'Z'.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:193:
static const char* kStartOfCert = "-----BEGIN CERTIFICATE";
On 2016/12/06 at 18:51:35, agl wrote:
> ditto about [] vs *

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:227:
if (!line.size() && current_state == CertificateParserState::PRE_NAME) {
On 2016/12/06 at 18:51:35, agl wrote:
> write !line.size() as line.empty()

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:243:
current_state = CertificateParserState::IN_HASH;
On 2016/12/06 at 18:51:35, agl wrote:
> The IN_HASH state is a little odd because it means that the following line is
always ignored, no? The Go code processes the hash immediately and that might be
best here.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:267:
if (line.size()) {
On 2016/12/06 at 18:51:35, agl wrote:
> I don't think you need to ignore blank lines.

Removed.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:284:
if (line.size()) {
On 2016/12/06 at 18:51:35, agl wrote:
> I don't think you need to ignore blank lines.

Removed.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:300:
}
On 2016/12/06 at 18:51:35, agl wrote:
> default:
>   CHECK(false) << "Unknown state " << current_state;
> 
> (Or something similar.)

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:319:
std::string(pin.second.data(), pin.second.data() + (pin.second.size()));
On 2016/12/06 at 18:51:35, agl wrote:
> drop extra parens around |pin.second.size()|.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/domain_security_preload_generator.cc:495:
checks_result = checks_result && CheckNoopEntries(entries);
On 2016/12/06 at 18:51:35, agl wrote:
> if (!CheckDuplicateEntries(entries) ||
>     !CheckNoopEntries(entries) ||
>     …) {
>   …
>   return 1;
> }

Done. (`git cl format` formats this differently though)

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.cc
(right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.cc:10:
#include "net/tools/domain_security_preload_generator/huffman/huffman_node.h"
On 2016/12/06 at 18:51:35, agl wrote:
> If this is the only include of |huffman_node.h| then I think the contents
should just be included in this file. (The code review tool doesn't make it easy
to check whether it's the only reference I'm afraid.)

It is only used here. Moved HuffmanNode into an anonymous namespace in this
file.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.h
(right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.h:16:
class HuffmanNode;
On 2016/12/06 at 18:51:36, agl wrote:
> HPACK is full of Huffman code too and I worry that we might evolve into an ODR
violation. I think it would be worth putting at least this Huffman code in a
namespace. Maybe "transport_security_state"?

I moved most of the code into a "transport_security_state" namespace, most of it
is very specific to this anyway.

Would you prefer a different name for this tool as well? I opted for
"domain_security_preload_generator" because that's the component this is under
in the bug tracker.

"transport_security_state_generator" might be clearer since the other code is
named similarly, as was the old script.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.h:42:
HuffmanRepresentationTable ToHuffmanRepresentationTable();
On 2016/12/06 at 18:51:36, agl wrote:
> "HuffmanRepresentation" in the name seems like a bit of a sutter. Also this is
called ToFoo, while just below is AsFoo. I think they should both have the same
prefix.

Both done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_frequency_tracker.h:71:
// the number of these its usage has been recorded through RecordUsage().
On 2016/12/06 at 18:51:36, agl wrote:
> s/these/times/

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/huffman/huffman_node.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/huffman/huffman_node.h:17: int
count,
On 2016/12/06 at 18:51:36, agl wrote:
> counts have been uint32_t's prior to this. Types should be consistent.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/pinset.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/pinset.h:15: // A pinset represents
the data a website would send in a HPKP header. A pinset
On 2016/12/06 at 18:51:36, agl wrote:
> s/pinset/Pinset/

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/preloaded_state_generator.cc
(right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/preloaded_state_generator.cc:21:
static const char* kNewLine = "\n";
On 2016/12/06 at 18:51:36, agl wrote:
> ditto about [] vs *.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/preloaded_state_generator.cc:52: if
(bytes_on_current_line >= 12 && (i + 1) < bytes.size()) {
On 2016/12/06 at 18:51:36, agl wrote:
> no need for parens around |i + 1|.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/preloaded_state_generator.cc:58: }
else if ((i + 1) < bytes.size()) {
On 2016/12/06 at 18:51:36, agl wrote:
> no need for parens around |i + 1|.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/spki_hash.cc (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/spki_hash.cc:44: if
(!EVP_DigestInit(context.get(), EVP_sha256())) {
On 2016/12/06 at 18:51:36, agl wrote:
> include "third_party/boringssl/src/include/openssl/sha.h" (drop "evp.h") and:
> 
> SHA256(input, input_length, data_);

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/spki_hash.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/spki_hash.h:16: enum : size_t {
kSPKIHashLength = 32 };
On 2016/12/06 at 18:51:36, agl wrote:
> put this in the SPKIHash class and just call it kLength?

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:18: // and
positions. The characters are stored as their Huffmanrepresentation.
On 2016/12/06 at 18:51:36, agl wrote:
> Huffmanrepresentation -> HuffmanRepresentation

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:32: //
|position| and |last_position|. |last_position| will updated to equal the
On 2016/12/06 at 18:51:36, agl wrote:
> "be" after "will"

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:43: // Write
the entire buffer to |writer|.
On 2016/12/06 at 18:51:36, agl wrote:
> Comment should say what the return value is.

Done.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:48: void
Close();
On 2016/12/06 at 18:51:36, agl wrote:
> Likewise, I'd probably call this Flush.

Renamed.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/trie/trie_bit_buffer.h:67: uint8_t
current_byte_;
On 2016/12/06 at 18:51:36, agl wrote:
> I would use " = 0" syntax for these rather than set them in the constructor.

Done.

[martijnc, 2016-12-08 17:37:30]

Patchset #3 (id:100001) has been deleted

[martijnc, 2016-12-12 19:42:51]

Patchset #5 (id:200001) has been deleted

[agl, 2016-12-12 23:59:59]

Lucas: your call, but I would be inclined to land this CL at this stage and then
check that it matches the output of the Go code once it's in the tree.

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
File net/tools/domain_security_preload_generator/cert_util.cc (right):

https://codereview.chromium.org/2551153003/diff/60001/net/tools/domain_securi...
net/tools/domain_security_preload_generator/cert_util.cc:67: X509* cert =
d2i_X509(NULL, &der_data, base::checked_cast<long>(der.size()));
On 2016/12/07 22:37:53, martijnc wrote:
> On 2016/12/06 at 18:51:35, agl wrote:
> > See net/cert/asn1_util.h:ExtractSPKIFromDERCert
> 
> Using that method would require a //net dependency. The //net dependency would
> result in reference cycle when this becomes part of the build process (net ->
> generate_preload_domain_security_state -> domain_security_preload_generator ->
> net).
> 
> That's also the reason this tool doesn't use net::HashValue.

Since this is a build-time tool it's ok for now. We're trying to kill X509_*
from BoringSSL in Chromium but we can always replace this later.

[lgarron, 2016-12-13 21:43:13]

I wanted to test this before landing, but this isn't working for me. :-(
Do I need to run something differently?


lgarron@hypatia ~/c/src (tsss)> ninja -C out/Release
domain_security_preload_generator
compiler proxy (pid=59890) status: http://127.0.0.1:8088 ok
ninja: Entering directory `out/Release'
[1/1] Regenerating ninja files
[13/13] LINK ./domain_security_preload_generator

lgarron@hypatia ~/c/src (tsss)> ./out/Release/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v
Saved 28110 bits by using accurate Huffman counts.
Bit length 1311271
Root position 1310605
Failed to write output.

[lgarron, 2016-12-13 21:43:58]

Oh, ignore me, I didn't change the output file name. :-P

[lgarron, 2016-12-13 21:48:09]

Awesome, it works and I've verified that the only difference (after updating to
use the sorted Go program) is comments and whitespace. LGTM from me.

agl@, could we have an OWNERS LGTM from you?

Also, should we put me as an owner for
net/tools/domain_security_preload_generator ?

[agl, 2016-12-13 21:50:36]

lgtm

[martijnc, 2016-12-13 22:07:10]

The CQ bit was checked by martijn@martijnc.be

[martijnc, 2016-12-13 22:07:10]

I'll send this to the CQ, feel free to cancel if you want to add OWNERS first.

[commit-bot: I haz the power, 2016-12-13 22:07:49]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-13 22:14:46]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-12-13 22:14:47]

Try jobs failed on following builders:
  ios-device on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds...)
  ios-device-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device-xcode-...)

[commit-bot: I haz the power, 2016-12-13 22:41:11]

Description was changed from

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this script into the build process.

This scripts generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the script manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v


[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
==========

to

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this script into the build process.

This scripts generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the script manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v

[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed: https://crrev.com/09983e3dcc7573863a52ef827870613dde3cd83e
Cr-Commit-Position: refs/heads/master@{#438316}
==========

[commit-bot: I haz the power, 2016-12-13 22:41:12]

Patchset 5 (id:??) landed as
https://crrev.com/09983e3dcc7573863a52ef827870613dde3cd83e
Cr-Commit-Position: refs/heads/master@{#438316}

[lgarron, 2016-12-13 22:43:07]

Description was changed from

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this script into the build process.

This scripts generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the script manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v

[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed: https://crrev.com/09983e3dcc7573863a52ef827870613dde3cd83e
Cr-Commit-Position: refs/heads/master@{#438316}
==========

to

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this script into the build process.

This scripts generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the script manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v


[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed:
https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870...
==========

[lgarron, 2016-12-13 22:43:09]

Committed patchset #5 (id:220001) manually as
09983e3dcc7573863a52ef827870613dde3cd83e (presubmit successful).

[lgarron, 2016-12-13 22:57:57]

Oops, I accidentally landed this directly due to a a mixup about branches and
patches. :-/

Since it's not part of the build process, let's see if it actually breaks
something, and revert if there are issues.

[martijnc, 2016-12-13 23:02:09]

On 2016/12/13 at 22:57:57, lgarron wrote:
> Oops, I accidentally landed this directly due to a a mixup about branches and
patches. :-/
> 
> Since it's not part of the build process, let's see if it actually breaks
something, and revert if there are issues.

I think you only landed a change to transport_security_state_static.h
(https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870...)
but it appears linked to this CL.

The actual tool doesn't compile on iOS, I'll look into that.

[martijnc, 2016-12-13 23:08:51]

The CQ bit was checked by martijn@martijnc.be to run a CQ dry run

[commit-bot: I haz the power, 2016-12-13 23:09:24]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[martijnc, 2016-12-13 23:36:19]

Description was changed from

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this script into the build process.

This scripts generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the script manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v


[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed:
https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870...
==========

to

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this tool into the build process.

This tool generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the tool manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v


[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed:
https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870...
==========

[commit-bot: I haz the power, 2016-12-14 00:20:40]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-12-14 00:20:42]

Dry run: This issue passed the CQ dry run.

[martijnc, 2016-12-14 00:21:03]

The CQ bit was checked by martijn@martijnc.be

[martijnc, 2016-12-14 00:21:03]

The patchset sent to the CQ was uploaded after l-g-t-m from
lgarron@chromium.org, agl@chromium.org
Link to the patchset: https://codereview.chromium.org/2551153003/#ps240001
(title: "Fix iOS?")

[commit-bot: I haz the power, 2016-12-14 00:21:31]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-14 00:26:50]

CQ is committing da patch.

Bot data: {"patchset_id": 240001, "attempt_start_ts": 1481674863145540,
"parent_rev": "57827994af04521b99ddd774eabfd882c1e68364", "commit_rev":
"76cd50ef726e2d2ea69e87f885dabf624c663221"}

[commit-bot: I haz the power, 2016-12-14 00:28:06]

Description was changed from

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this tool into the build process.

This tool generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the tool manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v


[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed:
https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870...
==========

to

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this tool into the build process.

This tool generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the tool manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v


[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed:
https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870...
Review-Url: https://codereview.chromium.org/2551153003
==========

[commit-bot: I haz the power, 2016-12-14 00:28:07]

Committed patchset #6 (id:240001)

[commit-bot: I haz the power, 2016-12-14 00:32:28]

Description was changed from

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this tool into the build process.

This tool generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the tool manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v


[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed:
https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870...
Review-Url: https://codereview.chromium.org/2551153003
==========

to

==========
Add static domain security state generator tool.

This tool is a C++ port of the Go script [1] currently used to generate the
static (preloaded) domain security state
(net/http/transport_security_state_static.h) blob.

A follow up CL [2] integrates this tool into the build process.

This tool generates identical outputs as the Go script after merging [3]. The
only difference should be related to whitespace and comments.

You can run the tool manually:
out/Default/domain_security_preload_generator
net/http/transport_security_state_static.json
net/http/transport_security_state_static.pins
net/tools/domain_security_preload_generator/resources/transport_security_state_static.template
/home/you/output.h -v

[1]
https://github.com/chromium/hstspreload/blob/master/cmd/transport_security_st...
[2] https://codereview.chromium.org/2551943002
[3] https://github.com/chromium/hstspreload/pull/91

BUG=595493
R=agl@chromium.org, lgarron@chromium.org

Committed:
https://chromium.googlesource.com/chromium/src/+/09983e3dcc7573863a52ef827870...
Committed: https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b
Cr-Commit-Position: refs/heads/master@{#438358}
==========

[commit-bot: I haz the power, 2016-12-14 00:32:29]

Patchset 6 (id:??) landed as
https://crrev.com/40db4b769e07e2e2a7ccbdcf5a8d734a1385c32b
Cr-Commit-Position: refs/heads/master@{#438358}

[lgarron, 2016-12-14 01:26:34]

Indeed, I had the wrong patch set for a binary list update that I had to land
directly.
That's the kind of error that this tools should hopefully obsolete; sorry for
messing up this landing. :-(

I think you need to create a copy of this CL so we can land it; would you mind
doing that?

[lgarron, 2016-12-14 01:26:47]

The CQ bit was checked by lgarron@chromium.org

[commit-bot: I haz the power, 2016-12-14 01:27:17]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-14 01:38:30]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-12-14 01:38:31]

Try jobs failed on following builders:
  chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presub...)

[lgarron, 2016-12-14 01:45:35]

The CQ bit was checked by lgarron@chromium.org

[commit-bot: I haz the power, 2016-12-14 01:46:18]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-14 01:55:04]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-12-14 01:55:06]

Try jobs failed on following builders:
  chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presub...)

[martijnc, 2016-12-14 16:49:20]

On 2016/12/14 at 01:26:34, lgarron wrote:
> Indeed, I had the wrong patch set for a binary list update that I had to land
directly.
> That's the kind of error that this tools should hopefully obsolete; sorry for
messing up this landing. :-(
> 
> I think you need to create a copy of this CL so we can land it; would you mind
doing that?

This already landed. It went through the second time;
https://chromium.googlesource.com/chromium/src/+/40db4b769e07e2e2a7ccbdcf5a8d...