net: only enable certificate pinning in official builds.

This is to make sure that pins don't escape into forks of the code which may
not be updated in a timly manner.

BUG=none
TEST=none

Review URL: http://codereview.chromium.org/7659016

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97642 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 8 insertions, 0 deletions

diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc
index e82734d..a35325a 100644
--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -569,11 +569,19 @@ bool TransportSecurityState::IsPreloadedSTS(
     0,
   };
 
+  // kTestAcceptableCerts doesn't actually match any public keys and is used
+  // with "pinningtest.appspot.com", below, to test if pinning is active.
+  static const char* kTestAcceptableCerts[] = {
+    "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+  };
+
   // In the medium term this list is likely to just be hardcoded here. This,
   // slightly odd, form removes the need for additional relocations records.
   static const struct HSTSPreload kPreloadedSTS[] = {
     // (*.)google.com, iff using SSL must use an acceptable certificate.
     {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
+    {25, true, "\013pinningtest\007appspot\003com", false,
+     kTestAcceptableCerts },
     // Now we force HTTPS for subtrees of google.com.
     {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
     {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },