Centralize the logic for checking public key pins

net/http/transport_security_state.h

Index: net/http/transport_security_state.h
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index 364593791455030cc4d5cd37a30b2dc03f3ec6c4..594c34fac6a341b0e576305a895ce1804c01dfb3 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -252,6 +252,16 @@ class NET_EXPORT TransportSecurityState
   bool AddHPKP(const std::string& host, const base::Time& expiry,
                bool include_subdomains, const HashValueVector& hashes);
 
+  // Returns true if |public_key_hashes| meets the pinning constrains of
+  // |host|, or if the build is out of date, or if the root is not a
+  // built-in trusted root. |pinning_failure_log| is written to in the
+  // case of a pinning failure.

[Ryan Sleevi, 2014/08/07 18:58:41]

1) Comment wise, you're describing too much of the implementation, and the
implementation will change. For example "build is out of date"

2) Typo -> constrains -> constraints

3) This belongs with the other 'check/verify' methods of line 164, which makes
the difference between these two methods more ambiguous, and perhaps
overlapping, but also highlights the difference in your parameter order.

[Ryan Hamilton, 2014/08/07 22:07:12]

I've removed this method in favor of palmer's suggestion of just exposing this
via CheckPublicKeyPins. PTAL.

+  bool VerifyPinning(const HashValueVector& public_key_hashes,
+                     bool is_issued_by_known_root,
+                     bool sni_available,
+                     const std::string& host,
+                     std::string* pinning_failure_log);
+
   // Returns true iff we have any static public key pins for the |host| and
   // iff its set of required pins is the set we expect for Google
   // properties.