authorajwong@chromium.org <ajwong@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-12-09 20:55:45 +0000
committerajwong@chromium.org <ajwong@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-12-09 20:55:45 +0000
commiteb54cbe53da31fede0d6e3e5b8bd1838227aec30 (patch)
tree41b5af319ad5f80c728f1089da88d2bc1a5f8ea0 /net/socket
parent4f3b9807bc9c7510c157a98f03730d3cb6b5a672 (diff)
Revert 113823 - net: move pinning checks into the SSL socket.
Previously we would reject requests with pinning errors at the URLRequest layer but, by that time, we would already have sent cookies. The commenting of the #ifdef is deliberate - it allows the builders to chew the code over. Once the builders are happy I'll land another change to uncomment the #ifdefs. This also happens to start unpicking the DNS certificate provenance stuff. BUG=none TEST=Verify that https://pinningtest.appspot.com fails to load in official builds. Review URL: http://codereview.chromium.org/8865006 TBR=agl@chromium.org Review URL: http://codereview.chromium.org/8896012 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@113846 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r--net/socket/ssl_client_socket_nss.cc54
-rw-r--r--net/socket/ssl_client_socket_nss.h5
2 files changed, 12 insertions, 47 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index eb8c662..5b7b188 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -66,7 +66,6 @@
#include "base/bind.h"
#include "base/bind_helpers.h"
-#include "base/build_time.h"
#include "base/compiler_specific.h"
#include "base/logging.h"
#include "base/memory/singleton.h"
@@ -97,6 +96,7 @@
#include "net/base/x509_certificate_net_log_param.h"
#include "net/ocsp/nss_ocsp.h"
#include "net/socket/client_socket_handle.h"
+#include "net/socket/dns_cert_provenance_checker.h"
#include "net/socket/nss_ssl_util.h"
#include "net/socket/ssl_error_params.h"
#include "net/socket/ssl_host_info.h"
@@ -458,7 +458,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
nss_bufs_(NULL),
net_log_(transport_socket->socket()->NetLog()),
ssl_host_info_(ssl_host_info),
- transport_security_state_(context.transport_security_state),
+ dns_cert_checker_(context.dns_cert_checker),
next_proto_status_(kNextProtoUnsupported),
valid_thread_id_(base::kInvalidThreadId) {
EnterFunction("");
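Review bot: With `transport_security_state_` dropped from the initializer list here and the pin check removed from DoVerifyCertComplete further down, nothing visible in this file enforces public key pins any more. The reverted change's description says the URLRequest-layer check rejects a request only after cookies have already been sent, so if that layer becomes the sole enforcement point again the window is reopened; this page is limited to net/socket and does not show that layer. I would leave a marker in DoVerifyCertComplete, e.g. `// NOTE: public key pins are not checked at the socket layer; any enforcement happens above it, after the handshake has completed.`, and track the re-land in a bug, since the message carries BUG=none. The constructor body continues outside the hunk.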
@@ -1624,6 +1624,13 @@ int SSLClientSocketNSS::DoGetOBCertComplete(int result) {
}
int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
+ if (ssl_config_.dns_cert_provenance_checking_enabled &&
+ dns_cert_checker_) {
+ PeerCertificateChain certs(nss_fd_);
+ dns_cert_checker_->DoAsyncVerification(
+ host_and_port_.host(), certs.AsStringPieceVector());
+ }
+
DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(),
server_cert_nss_,
host_and_port_.port());
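Review bot: `certs` is a stack local inside the new `if` block, yet `certs.AsStringPieceVector()` is passed to `DoAsyncVerification`, whose name suggests the work continues after this call returns. If the checker keeps the StringPieces instead of copying the certificate bytes, they would point at freed memory once `certs` is destroyed at the closing brace; the checker's implementation is not on this page, so this needs confirming. A comment on the call would pin the contract, e.g. `// DoAsyncVerification must copy the chain before returning; |certs| is destroyed at the end of this block.` The call also feeds nothing back into `result`, so the provenance check appears to be advisory and does not gate the handshake; say so in the same comment if that is intended. DoVerifyDNSSEC's body continues outside the hunk.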
@@ -1787,7 +1794,7 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
// http://crbug.com/15630 for more info.
// TODO(hclam): Skip logging if server cert was expected to be bad because
- // |server_cert_verify_result_| doesn't contain all the information about
+ // |server_cert_verify_results_| doesn't contain all the information about
// the cert.
if (result == OK)
LogConnectionTypeMetrics();
@@ -1800,47 +1807,6 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
DoReadCallback(rv);
}
-//#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID)
- // Take care of any mandates for public key pinning.
- //
- // Pinning is only enabled for official builds to make sure that others don't
- // end up with pins that cannot be easily updated.
- //
- // TODO(agl): we might have an issue here where a request for foo.example.com
- // merges into a SPDY connection to www.example.com, and gets a different
- // certificate.
-
- const CertStatus cert_status = server_cert_verify_result_->cert_status;
- if ((result == OK || (IsCertificateError(result) &&
- IsCertStatusMinorError(cert_status))) &&
- server_cert_verify_result_->is_issued_by_known_root &&
- transport_security_state_) {
- bool sni_available = ssl_config_.tls1_enabled || ssl_config_.ssl3_fallback;
- const std::string& host = host_and_port_.host();
-
- TransportSecurityState::DomainState domain_state;
- if (transport_security_state_->HasPinsForHost(
- &domain_state, host, sni_available)) {
- if (!domain_state.IsChainOfPublicKeysPermitted(
- server_cert_verify_result_->public_key_hashes)) {
- const base::Time build_time = base::GetBuildTime();
- // Pins are not enforced if the build is sufficiently old. Chrome
- // users should get updates every six weeks or so, but it's possible
- // that some users will stop getting updates for some reason. We
- // don't want those users building up as a pool of people with bad
- // pins.
- if ((base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */) {
- result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
- UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
- TransportSecurityState::ReportUMAOnPinFailure(host);
- }
- } else {
- UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
- }
- }
- }
-//#endif
-
// Exit DoHandshakeLoop and return the result to the caller to Connect.
DCHECK(next_handshake_state_ == STATE_NONE);
return result;
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index 366aa7f..7a150ff 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -35,10 +35,10 @@ namespace net {
class BoundNetLog;
class CertVerifier;
class ClientSocketHandle;
+class DnsCertProvenanceChecker;
class OriginBoundCertService;
class SingleRequestCertVerifier;
class SSLHostInfo;
-class TransportSecurityState;
class X509Certificate;
// An SSL client socket implemented with Mozilla NSS.
@@ -296,8 +296,7 @@ class SSLClientSocketNSS : public SSLClientSocket {
base::TimeTicks start_cert_verification_time_;
scoped_ptr<SSLHostInfo> ssl_host_info_;
-
- TransportSecurityState* transport_security_state_;
+ DnsCertProvenanceChecker* const dns_cert_checker_;
// next_proto_ is the protocol that we selected by NPN.
std::string next_proto_;
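Review bot: `dns_cert_checker_` is declared as a raw `DnsCertProvenanceChecker* const` with no comment on ownership or nullability. DoVerifyDNSSEC tests it before use, so NULL appears to be a legal value, and the constructor copies it straight from `context.dns_cert_checker`, which suggests the socket does not own it. I would document that next to the member, e.g. `// Not owned; may be NULL. Must outlive this socket.` (the lifetime part is inferred and should be confirmed against whoever fills in the context). The class body continues outside the hunk.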