authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-11-10 18:35:31 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-11-10 18:35:31 +0000
commit551ff5175cad2b338d3debcbd4e2e58ffcef5ef7 (patch)
tree5f444f672dd7a0014bffa3ff55333756c8659ddc /net/url_request
parent0325ee3db3e1f06e559c1585d1e5828ea2bcf07e (diff)
Revert revert "net: have pinning checks ignore minor certificate errors."
First landed in r108918, reverted in r109042. BUG=103368 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@109464 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/url_request')
-rw-r--r--net/url_request/url_request_http_job.cc55
1 files changed, 30 insertions, 25 deletions
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 889fba86..5fd305a 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -660,7 +660,8 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
// Clear the IO_PENDING status
SetStatus(URLRequestStatus());
-#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID)
+// #if guard removed temporarily in order to let the builders test this code.
+//#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID)
// Take care of any mandates for public key pinning.
//
// Pinning is only enabled for official builds to make sure that others don't
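Review bot: The retained comment "Pinning is only enabled for official builds" now contradicts the code, because the `#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID)` guard is commented out rather than kept. With the guard gone, the pin check and the `FraudulentCertificateReporter::SendReport` call in the next hunk compile into every build, including non-official and Android ones. If that is meant to be temporary, the new comment should say when the guard comes back and point at a tracking bug, for example `// TODO(agl): restore the OFFICIAL_BUILD guard once the builders have run this path; see bug <BUG_ID>.`, and the "only enabled for official builds" sentence should be reworded until then. The matching `//#endif` in the following hunk needs the same marker so the pair is restored together. OnStartCompleted's body begins before and continues after this hunk.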
@@ -669,33 +670,37 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
// TODO(agl): we might have an issue here where a request for foo.example.com
// merges into a SPDY connection to www.example.com, and gets a different
// certificate.
- const SSLInfo& ssl_info = transaction_->GetResponseInfo()->ssl_info;
- if (result == OK &&
- ssl_info.is_valid() &&
- ssl_info.is_issued_by_known_root &&
- context_->transport_security_state()) {
- TransportSecurityState::DomainState domain_state;
- bool sni_available = SSLConfigService::IsSNIAvailable(
- context_->ssl_config_service());
- std::string host = request_->url().host();
-
- if (context_->transport_security_state()->HasPinsForHost(
- &domain_state, host, sni_available)) {
- if (!domain_state.IsChainOfPublicKeysPermitted(
- ssl_info.public_key_hashes)) {
- result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
- UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
- TransportSecurityState::ReportUMAOnPinFailure(host);
- FraudulentCertificateReporter* reporter =
- context_->fraudulent_certificate_reporter();
- if (reporter != NULL)
- reporter->SendReport(host, ssl_info, sni_available);
- } else {
- UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
+ if (transaction_->GetResponseInfo() != NULL) {
+ const SSLInfo& ssl_info = transaction_->GetResponseInfo()->ssl_info;
+ if (ssl_info.is_valid() &&
+ (result == OK || (IsCertificateError(result) &&
+ IsCertStatusMinorError(ssl_info.cert_status))) &&
+ ssl_info.is_issued_by_known_root &&
+ context_->transport_security_state()) {
+ TransportSecurityState::DomainState domain_state;
+ bool sni_available = SSLConfigService::IsSNIAvailable(
+ context_->ssl_config_service());
+ std::string host = request_->url().host();
+
+ if (context_->transport_security_state()->HasPinsForHost(
+ &domain_state, host, sni_available)) {
+ if (!domain_state.IsChainOfPublicKeysPermitted(
+ ssl_info.public_key_hashes)) {
+ result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
+ UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
+ TransportSecurityState::ReportUMAOnPinFailure(host);
+ FraudulentCertificateReporter* reporter =
+ context_->fraudulent_certificate_reporter();
+ if (reporter != NULL)
+ reporter->SendReport(host, ssl_info, sni_available);
+ } else {
+ UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
+ }
}
}
}
-#endif
+//#endif
+
if (result == OK) {
scoped_refptr<HttpResponseHeaders> headers = GetResponseHeaders();
if (request_->context() && request_->context()->network_delegate()) {
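Review bot: The widened condition `result == OK || (IsCertificateError(result) && IsCertStatusMinorError(ssl_info.cert_status))` has no comment explaining why a certificate-error result may now reach the pin check, nor what happens to every other certificate error. From the visible lines, any certificate error that is not minor skips pin enforcement here. Whether pins are still checked after such an error is overridden depends on code outside this hunk, so that should be stated or verified. I would add above the condition something like `// Minor cert errors (see IsCertStatusMinorError) do not by themselves block the load, so pins must still be enforced; other cert errors are handled by the error path below.`, adjusted to what the callers actually do. On the minor-error path a passing check also records `Net.PublicKeyPinSuccess` as true while `result` is still the certificate error, which presumably mixes failed loads into the success count. Separately, `transaction_->GetResponseInfo()` is called twice for the NULL test and the dereference; binding it once to a local pointer would make the guard and the use visibly refer to the same object.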