Chromium Code Reviews

Unified Diff: net/http/transport_security_state.cc

Issue 433123003: Centralize the logic for checking public key pins (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: fix comments from agl Created 6 years, 4 months ago
Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 0b209b356e834dc7018bb0d9a743711b3e02cff5..94f623fa50917d6cbbf7d3e787a21a9ae9c361da 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -666,6 +666,55 @@ bool TransportSecurityState::AddHPKPHeader(const std::string& host,
return false;
}
+bool TransportSecurityState::VerifyPinning(
+ const HashValueVector& public_key_hashes,
+ bool is_issued_by_known_root,
+ bool sni_available,
+ const std::string& host,
+ std::string* pinning_failure_log) {
+#if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS)
+ return true;
Ryan Sleevi 2014/08/07 18:58:41 // TODO(rsleevi): http://crbug.com/391035 - Enable
Ryan Hamilton 2014/08/07 22:07:12 Done.
+#else
+ // Take care of any mandates for public key pinning.
+ //
+ // Pinning is only enabled for official builds to make sure that others don't
+ // end up with pins that cannot be easily updated.
Ryan Sleevi 2014/08/07 18:58:41 // TODO(rsleevi): http://crbug.com/391035 - Only d
Ryan Hamilton 2014/08/07 22:07:12 Done.
+ //
+ // TODO(agl): We might have an issue here where a request for foo.example.com
+ // merges into a SPDY connection to www.example.com, and gets a different
+ // certificate.
Ryan Sleevi 2014/08/07 18:58:41 This TODO(agl) no longer applies, does it?
Ryan Hamilton 2014/08/07 22:07:11 Done.
+
+ // Perform pin validation if, and only if, all these conditions obtain:
+ //
+ // * a TransportSecurityState object is available;
+ // * the server's certificate chain is valid (or suffers from only a minor
+ // error);
Ryan Sleevi 2014/08/07 18:58:41 This bullet is no longer correct - this is handled
Ryan Hamilton 2014/08/07 22:07:11 Done. (As is the previous bullet)
+ // * the server's certificate chain chains up to a known root (i.e. not a
+ // user-installed trust anchor); and
+ // * the build is recent (very old builds should fail open so that users
+ // have some chance to recover).
+ //
+ if (!is_issued_by_known_root ||
+ !TransportSecurityState::IsBuildTimely() ||
+ !HasPublicKeyPins(host, sni_available)) {
+ return true;
+ }
+
+ if (CheckPublicKeyPins(host,
+ sni_available,
+ public_key_hashes,
+ pinning_failure_log)) {
+ UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
+ return true;
+ }
+
+ LOG(ERROR) << *pinning_failure_log;
+ UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
+ TransportSecurityState::ReportUMAOnPinFailure(host);
Ryan Sleevi 2014/08/07 18:58:41 No need for ReportUMAOnPinFailure to be public sta
Ryan Hamilton 2014/08/07 22:07:11 Done. Same for IsBuildTimely()
+ return false;
+#endif
+}
+
bool TransportSecurityState::AddHSTS(const std::string& host,
const base::Time& expiry,
bool include_subdomains) {
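Review bot: `LOG(ERROR) << *pinning_failure_log;` on the failure path dereferences the out-parameter unconditionally, and the same pointer is handed to CheckPublicKeyPins() just above, so a caller that passes NULL crashes exactly when a pin mismatch occurs. Add a DCHECK(pinning_failure_log) at the top of the #else branch, or state in the header comment that the pointer must be non-null. A second point on the early exits: the `return true` under `#if !defined(OFFICIAL_BUILD) ...` and the one guarded by `!is_issued_by_known_root || !IsBuildTimely() || !HasPublicKeyPins(...)` look the same to the caller as a real pin match, and Net.PublicKeyPinSuccess is recorded only when CheckPublicKeyPins() actually runs. The declaration should say that true means "not rejected by pinning" rather than "pins matched", so that callers do not treat the result as proof that a pin was verified.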
