
Unified Diff: net/http/transport_security_state.h

Issue 433123003: Centralize the logic for checking public key pins (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix comments from sleevi Created 6 years, 4 months ago
Index: net/http/transport_security_state.h
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index 364593791455030cc4d5cd37a30b2dc03f3ec6c4..7d42888fd42401808594eb9e857e10e6c8eafd80 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -163,6 +163,7 @@ class NET_EXPORT TransportSecurityState
bool ShouldUpgradeToSSL(const std::string& host, bool sni_enabled);
bool CheckPublicKeyPins(const std::string& host,
bool sni_enabled,
+ bool is_issued_by_known_root,
const HashValueVector& hashes,
std::string* failure_log);
bool HasPublicKeyPins(const std::string& host, bool sni_enabled);
@@ -267,6 +268,25 @@ class NET_EXPORT TransportSecurityState
// The maximum number of seconds for which we'll cache an HSTS request.
static const long int kMaxHSTSAgeSecs;
+ private:
+ friend class TransportSecurityStateTest;
+ FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest,
+ UpdateDynamicPKPOnly);
+ FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest,
+ UpdateDynamicPKPMaxAge0);
+ FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest,
+ DISABLED_UpdateDynamicPKPMaxAge0);
+ FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest,
+ NoClobberPins);
+
+ typedef std::map<std::string, DomainState> DomainStateMap;
+
+ // Helper method for actually checking pins.
+ bool CheckPublicKeyPinsImpl(const std::string& host,
+ bool sni_enabled,
+ const HashValueVector& hashes,
+ std::string* failure_log);
+
// Send an UMA report on pin validation failure, if the host is in a
// statically-defined list of domains.
//
@@ -275,19 +295,12 @@ class NET_EXPORT TransportSecurityState
// (an implementation detail of this class) with a more generic
// representation of first-class DomainStates, and exposing the preloads
// to the caller with |GetStaticDomainState|.
- static void ReportUMAOnPinFailure(const std::string& host);
wtc 2014/08/07 22:51:44 Nit: "static" tells me that the method doesn't acc
Ryan Hamilton 2014/08/07 23:19:04 Done.
+ void ReportUMAOnPinFailure(const std::string& host) const;
// IsBuildTimely returns true if the current build is new enough ensure that
// built in security information (i.e. HSTS preloading and pinning
// information) is timely.
- static bool IsBuildTimely();
-
- private:
- friend class TransportSecurityStateTest;
- FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest,
- UpdateDynamicPKPOnly);
-
- typedef std::map<std::string, DomainState> DomainStateMap;
+ bool IsBuildTimely() const;
// If a Delegate is present, notify it that the internal state has
// changed.
@@ -309,6 +322,9 @@ class NET_EXPORT TransportSecurityState
Delegate* delegate_;
+ // True if static pins should be used.
+ bool enable_static_pinning_;
+
DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
};
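Review bot: The new `bool is_issued_by_known_root` parameter on `CheckPublicKeyPins` in the first hunk is undocumented, and `CheckPublicKeyPinsImpl` in the second hunk takes no such flag, so the header gives no hint of what the flag gates or which value callers must pass; any comment preceding the declaration starts above the hunk and is not visible here. The name suggests the caller forwards the certificate verifier's known-root result and that pins are not enforced for chains to locally-installed roots, but that is an inference from the name, and a caller passing the wrong value would silently skip or wrongly enforce the check, so the contract belongs in the header next to the declaration. I would add above it: `// |is_issued_by_known_root| must be the value reported by certificate verification for this chain; it decides whether pins are enforced (see CheckPublicKeyPinsImpl).` with the second clause adjusted to whatever the implementation actually does. Similarly `enable_static_pinning_` in the last hunk is commented only as "True if static pins should be used."; since no setter or initializer appears in this diff, the comment should also say where it is set and what its default is.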
