Centralize the logic for checking public key pins

net/quic/crypto/proof_verifier_chromium.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/proof_verifier_chromium.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
@@ skipping 218 matching lines @@
       SSLConfigService::GetCRLSet().get(),
       &verify_details_->cert_verify_result,
       base::Bind(&ProofVerifierChromium::Job::OnIOComplete,
                  base::Unretained(this)),
       net_log_);
 }
 
 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
   verifier_.reset();
 
-#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)
-  // TODO(wtc): The following code was copied from ssl_client_socket_nss.cc.
-  // Convert it to a new function that can be called by both files. These
-  // variables simulate the arguments to the new function.
   const CertVerifyResult& cert_verify_result =
       verify_details_->cert_verify_result;
-  bool sni_available = true;
-  const std::string& host = hostname_;
-  TransportSecurityState* transport_security_state = transport_security_state_;
-  std::string* pinning_failure_log = &verify_details_->pinning_failure_log;
-
-  // Take care of any mandates for public key pinning.
-  //
-  // Pinning is only enabled for official builds to make sure that others don't
-  // end up with pins that cannot be easily updated.
-  //
-  // TODO(agl): We might have an issue here where a request for foo.example.com
-  // merges into a SPDY connection to www.example.com, and gets a different
-  // certificate.
-
-  // Perform pin validation if, and only if, all these conditions obtain:
-  //
-  // * a TransportSecurityState object is available;
-  // * the server's certificate chain is valid (or suffers from only a minor
-  //   error);
-  // * the server's certificate chain chains up to a known root (i.e. not a
-  //   user-installed trust anchor); and
-  // * the build is recent (very old builds should fail open so that users
-  //   have some chance to recover).
-  //
   const CertStatus cert_status = cert_verify_result.cert_status;
-  if (transport_security_state &&
+  if (transport_security_state_ &&
       (result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
-      cert_verify_result.is_issued_by_known_root &&
-      TransportSecurityState::IsBuildTimely()) {
-    if (transport_security_state->HasPublicKeyPins(host, sni_available)) {
-      if (!transport_security_state->CheckPublicKeyPins(
-              host,
-              sni_available,
-              cert_verify_result.public_key_hashes,
-              pinning_failure_log)) {
-        LOG(ERROR) << *pinning_failure_log;
-        result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
-        UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
-        TransportSecurityState::ReportUMAOnPinFailure(host);
-      } else {
-        UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
-      }
-    }
+      !transport_security_state_->VerifyPinning(
+          cert_verify_result.public_key_hashes,
+          cert_verify_result.is_issued_by_known_root,
+          /* sni_available= */ true,
+          hostname_,
+          &verify_details_->pinning_failure_log)) {
+    result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
   }
-#endif
 
   if (result != OK) {
     error_details_ = StringPrintf("Failed to verify certificate chain: %s",
                                   ErrorToString(result));
     DLOG(WARNING) << error_details_;
   }
 
   // Exit DoLoop and return the result to the caller to VerifyProof.
   DCHECK_EQ(STATE_NONE, next_state_);
   return result;
@@ skipping 113 matching lines @@
   }
   return status;
 }
 
 void ProofVerifierChromium::OnJobComplete(Job* job) {
   active_jobs_.erase(job);
   delete job;
 }
 
 }  // namespace net