Add --ignore-certificate-errors-spki-list switch and UMA histogram.

chrome/browser/io_thread.cc

Index: chrome/browser/io_thread.cc
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
index 11a0084276f89521e4aac2d0632c93fdf5ad31ba..328c4ae0460bf06636c0b5001ee0cadb2a78a79b 100644
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -1024,6 +1024,26 @@ void IOThread::ConfigureParamsFromFieldTrialsAndCommandLine(
   if (command_line.HasSwitch(switches::kEnableUserAlternateProtocolPorts)) {
     params->enable_user_alternate_protocol_ports = true;
   }
+  if (command_line.HasSwitch(switches::kIgnoreCertificateErrorsSPKIList)) {
+    std::string spki_list = command_line.GetSwitchValueASCII(
+        switches::kIgnoreCertificateErrorsSPKIList);
+    for (const std::string& spki : base::SplitString(
+             spki_list, ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) {
+      net::HashValue hash;
+      if (!hash.FromString("sha256/" + spki)) {
+        LOG(ERROR) << "Invalid SPKI in --ignore-certificate-errors-spki-list: "
+                   << spki;
+      } else {
+        net::SHA256HashValue hv;
+        DCHECK_EQ(hash.size(), sizeof(hv));
+        memcpy(&hv, hash.data(), sizeof(hv));
+        params->ignore_certificate_error_spki_set.insert(hv);
+      }
+    }
+  }

[Ryan Sleevi, 2017/03/30 15:12:09]

So a thought - if we didn't want to plumb the SPKI logic all the way down, and
force it into the override, we could simply create a wrapping CertVerifier
around 578-585 which would call in to the normal CertVerifier, and then either
bypass calling the OS verifier (for those certs in the bypass list) or mask off
the errors.

That is, I'm wondering whether something like

class IgnoreErrorsCertVerifier : public CertVerifier {
 public:
  IgnoreErrorsCertVerifier(scoped_ptr<CertVerifier> next_verifier,
                           HashValueVector certs);

  ...
};

Makes more sense?

The main difference with that is that by masking off the error at the
CertVerifier level, we potentially allow it to store entries to the disk cache
or to use H/2 pooling, which I don't think the current approach would allow.

The other thing is whether we should force user-data-dir to be present (e.g. see
https://cs.chromium.org/chromium/src/chrome/browser/chrome_content_browser_cl...
or
https://cs.chromium.org/chromium/src/chrome/common/secure_origin_whitelist.cc...)

[martinkr, 2017/03/30 17:33:38]

Yeah, I think it would also be easier to understand than the current override
logic (at least for me who's not terribly familiar with this code).
 
Good question. I lean towards yes because it doesn't seem to complicate things
when this switch is used in test automation but probably provides a meaningful
security benefit for human users. OTOH, there is nothing preventing you from
setting user-data-dir to  ~/.config/google-chrome/Default, is there? So if we're
worried about users whitelisting some SPKI because stackoverflow told them so
after they couldn't connect to a site, then this is probably not an additional
deterrent against that.

+  UMA_HISTOGRAM_BOOLEAN(
+      "Net.Certificate.kIgnoreCertificateErrorsSPKIList",
+      command_line.HasSwitch(switches::kIgnoreCertificateErrorsSPKIList));
   if (command_line.HasSwitch(switches::kIgnoreCertificateErrors)) {
     params->ignore_certificate_errors = true;
   }