Revert 105595 - Initial infrastructure for the fraudulent certificate chain reportingfeature. Phase Two of this feature ishttp://codereview.chromium.org/8055027/, and Phase Three ishttp://codereview.chromium.org/8120016/.This feature will be under heavy development, including additional,end-to-end unit testing, throughout Q4 2011. Manual testing shows thatthe basic SendReport functionality works, and that is all we need inthe immediate, pre-Stable short-term.BUG=99185Review URL: http://codereview.chromium.org/8037039

The build failure on windows shared library build: http://build.chromium.org/p/chromium/builders/Win%20Builder%20%28dbg%29%28shared%29/builds/15800/steps/compile/logs/stdio 56>browser.lib(chrome_fraudulent_certificate_reporter.obj) : error LNK2019: unresolved external symbol "__declspec(dllimport) public: virtual __thiscall net::FraudulentCertificateReporter::~FraudulentCertificateReporter(void)" (__imp_??1FraudulentCertificateReporter@net@@UAE@XZ) referenced in function __unwindfunclet$??0ChromeFraudulentCertificateReporter@chrome_browser_net@@QAE@PAVURLRequestContext@net@@@Z$0 56>browser.lib(chrome_fraudulent_certificate_reporter.obj) : error LNK2019: unresolved external symbol "__declspec(dllimport) public: __thiscall net::FraudulentCertificateReporter::FraudulentCertificateReporter(void)" (__imp_??0FraudulentCertificateReporter@net@@QAE@XZ) referenced in function "public: __thiscall chrome_browser_net::ChromeFraudulentCertificateReporter::ChromeFraudulentCertificateReporter(class net::URLRequestContext *)" (??0ChromeFraudulentCertificateReporter@chrome_browser_net@@QAE@PAVURLRequestContext@net@@@Z) TBR=palmer@chromium.org Review URL: http://codereview.chromium.org/8301018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@105614 0039d316-1c4b-4281-b951-d872f2087c98
author: apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-10-14 23:50:35 +0000
committer: apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-10-14 23:50:35 +0000
commit: 325806865b379f97c5ffe53e91bc4a6e1c802bb8 (patch)
tree: a1b82567202eeb5be8e8294e45a559a9c895221b /net
parent: a421e31604d2b9b3df626686b7729fb690e062a5 (diff)
download: chromium_src-325806865b379f97c5ffe53e91bc4a6e1c802bb8.zip
chromium_src-325806865b379f97c5ffe53e91bc4a6e1c802bb8.tar.gz
chromium_src-325806865b379f97c5ffe53e91bc4a6e1c802bb8.tar.bz2
7 files changed, 219 insertions, 414 deletions
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc
index b634cfc..0926fc0 100644
--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -844,114 +844,126 @@ static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
   return false;
 }
 
-// These hashes are base64 encodings of SHA1 hashes for cert public keys.
-static const char kCertPKHashVerisignClass3[] =
+// IsPreloadedSTS returns true if the canonicalized hostname should always be
+// considered to have STS enabled.
+bool TransportSecurityState::IsPreloadedSTS(
+    const std::string& canonicalized_host,
+    bool sni_available,
+    DomainState* out) {
+  DCHECK(CalledOnValidThread());
+
+  out->preloaded = true;
+  out->mode = DomainState::MODE_STRICT;
+  out->include_subdomains = false;
+
+  // These hashes are base64 encodings of SHA1 hashes for cert public keys.
+  static const char kCertPKHashVerisignClass3[] =
       "sha1/4n972HfV354KP560yw4uqe/baXc=";
-static const char kCertPKHashVerisignClass3G3[] =
+  static const char kCertPKHashVerisignClass3G3[] =
       "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
-static const char kCertPKHashGoogle1024[] =
+  static const char kCertPKHashGoogle1024[] =
       "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
-static const char kCertPKHashGoogle2048[] =
+  static const char kCertPKHashGoogle2048[] =
       "sha1/AbkhxY0L343gKf+cki7NVWp+ozk=";
-static const char kCertPKHashEquifaxSecureCA[] =
+  static const char kCertPKHashEquifaxSecureCA[] =
       "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
-static const char* const kGoogleAcceptableCerts[] = {
-  kCertPKHashVerisignClass3,
-  kCertPKHashVerisignClass3G3,
-  kCertPKHashGoogle1024,
-  kCertPKHashGoogle2048,
-  kCertPKHashEquifaxSecureCA,
-  NULL,
-};
-
-static const char kCertRapidSSL[] =
+  static const char* const kGoogleAcceptableCerts[] = {
+    kCertPKHashVerisignClass3,
+    kCertPKHashVerisignClass3G3,
+    kCertPKHashGoogle1024,
+    kCertPKHashGoogle2048,
+    kCertPKHashEquifaxSecureCA,
+    0,
+  };
+
+  static const char kCertRapidSSL[] =
     "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
-static const char kCertDigiCertEVRoot[] =
+  static const char kCertDigiCertEVRoot[] =
     "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
-static const char kCertTor1[] =
+  static const char kCertTor1[] =
     "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
-static const char kCertTor2[] =
+  static const char kCertTor2[] =
     "sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
-static const char kCertTor3[] =
+  static const char kCertTor3[] =
     "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
-static const char* const kTorAcceptableCerts[] = {
-  kCertRapidSSL,
-  kCertDigiCertEVRoot,
-  kCertTor1,
-  kCertTor2,
-  kCertTor3,
-  NULL,
-};
-
-static const char kCertVerisignClass1[] =
+  static const char* const kTorAcceptableCerts[] = {
+    kCertRapidSSL,
+    kCertDigiCertEVRoot,
+    kCertTor1,
+    kCertTor2,
+    kCertTor3,
+    0,
+  };
+
+  static const char kCertVerisignClass1[] =
     "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc=";
-static const char kCertVerisignClass3[] =
+  static const char kCertVerisignClass3[] =
     "sha1/4n972HfV354KP560yw4uqe/baXc=";
-static const char kCertVerisignClass3_G4[] =
+  static const char kCertVerisignClass3_G4[] =
     "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA=";
-static const char kCertVerisignClass4_G3[] =
+  static const char kCertVerisignClass4_G3[] =
     "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0=";
-static const char kCertVerisignClass3_G3[] =
+  static const char kCertVerisignClass3_G3[] =
     "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
-static const char kCertVerisignClass1_G3[] =
+  static const char kCertVerisignClass1_G3[] =
     "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU=";
-static const char kCertVerisignClass2_G3[] =
+  static const char kCertVerisignClass2_G3[] =
     "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM=";
-static const char kCertVerisignClass3_G2[] =
+  static const char kCertVerisignClass3_G2[] =
     "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ=";
-static const char kCertVerisignClass2_G2[] =
+  static const char kCertVerisignClass2_G2[] =
     "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw=";
-static const char kCertVerisignClass3_G5[] =
+  static const char kCertVerisignClass3_G5[] =
     "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc=";
-static const char kCertVerisignUniversal[] =
+  static const char kCertVerisignUniversal[] =
     "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
 
-static const char kCertTwitter1[] =
+  static const char kCertTwitter1[] =
     "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
 
-static const char kCertGeoTrustGlobal[] =
+  static const char kCertGeoTrustGlobal[] =
     "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
-static const char kCertGeoTrustGlobal2[] =
+  static const char kCertGeoTrustGlobal2[] =
     "sha1/cTg28gIxU0crbrplRqkQFVggBQk=";
-static const char kCertGeoTrustUniversal[] =
+  static const char kCertGeoTrustUniversal[] =
     "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI=";
-static const char kCertGeoTrustUniversal2[] =
+  static const char kCertGeoTrustUniversal2[] =
     "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s=";
-static const char kCertGeoTrustPrimary[] =
+  static const char kCertGeoTrustPrimary[] =
     "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo=";
-static const char kCertGeoTrustPrimaryG2[] =
+  static const char kCertGeoTrustPrimaryG2[] =
     "sha1/vb6nG6txV/nkddlU0rcngBqCJoI=";
-static const char kCertGeoTrustPrimaryG3[] =
+  static const char kCertGeoTrustPrimaryG3[] =
     "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
 
-static const char* const kTwitterComAcceptableCerts[] = {
-  kCertVerisignClass1,
-  kCertVerisignClass3,
-  kCertVerisignClass3_G4,
-  kCertVerisignClass4_G3,
-  kCertVerisignClass3_G3,
-  kCertVerisignClass1_G3,
-  kCertVerisignClass2_G3,
-  kCertVerisignClass3_G2,
-  kCertVerisignClass2_G2,
-  kCertVerisignClass3_G5,
-  kCertVerisignUniversal,
-  kCertGeoTrustGlobal,
-  kCertGeoTrustGlobal2,
-  kCertGeoTrustUniversal,
-  kCertGeoTrustUniversal2,
-  kCertGeoTrustPrimary,
-  kCertGeoTrustPrimaryG2,
-  kCertGeoTrustPrimaryG3,
-  kCertTwitter1,
-  NULL,
-};
-
-// kTestAcceptableCerts doesn't actually match any public keys and is used
-// with "pinningtest.appspot.com", below, to test if pinning is active.
-static const char* const kTestAcceptableCerts[] = {
-  "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
-};
+  static const char* const kTwitterComAcceptableCerts[] = {
+    kCertVerisignClass1,
+    kCertVerisignClass3,
+    kCertVerisignClass3_G4,
+    kCertVerisignClass4_G3,
+    kCertVerisignClass3_G3,
+    kCertVerisignClass1_G3,
+    kCertVerisignClass2_G3,
+    kCertVerisignClass3_G2,
+    kCertVerisignClass2_G2,
+    kCertVerisignClass3_G5,
+    kCertVerisignUniversal,
+    kCertGeoTrustGlobal,
+    kCertGeoTrustGlobal2,
+    kCertGeoTrustUniversal,
+    kCertGeoTrustUniversal2,
+    kCertGeoTrustPrimary,
+    kCertGeoTrustPrimaryG2,
+    kCertGeoTrustPrimaryG3,
+    kCertTwitter1,
+    0,
+  };
+
+  // kTestAcceptableCerts doesn't actually match any public keys and is used
+  // with "pinningtest.appspot.com", below, to test if pinning is active.
+  static const char* const kTestAcceptableCerts[] = {
+    "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+  };
 
 #if defined(OS_CHROMEOS)
   static const bool kTwitterHSTS = true;
@@ -959,202 +971,140 @@ static const char* const kTestAcceptableCerts[] = {
   static const bool kTwitterHSTS = false;
 #endif
 
-// In the medium term this list is likely to just be hardcoded here. This
-// slightly odd form removes the need for additional relocations records.
-static const struct HSTSPreload kPreloadedSTS[] = {
-  // (*.)google.com, iff using SSL must use an acceptable certificate.
-  {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
-  {25, true, "\013pinningtest\007appspot\003com", false,
-      kTestAcceptableCerts },
-  // Now we force HTTPS for subtrees of google.com.
-  {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
-  {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
-  {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
-  {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
-  {25, true, "\014spreadsheets\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {22, false, "\011appengine\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
-  {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
-  {23, true, "\012talkgadget\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
-  {29, true, "\020hostedtalkgadget\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
-  // Other Google-related domains that must use HTTPS.
-  {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
-  {26, true, "\003ssl\020google-analytics\003com", true,
-      kGoogleAcceptableCerts },
-  {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
-  {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
-  // Other Google-related domains that must use an acceptable certificate
-  // iff using SSL.
-  {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
-  {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
-  {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
-  {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
-  {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
-  {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
-  {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
-  {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
-  {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
-  {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
-  // Exclude the learn.doubleclick.net subdomain because it uses a different
-  // CA.
-  {23, true, "\005learn\013doubleclick\003net", false, 0 },
-  // Now we force HTTPS for other sites that have requested it.
-  {16, false, "\003www\006paypal\003com", true, 0 },
-  {16, false, "\003www\006elanex\003biz", true, 0 },
-  {12, true,  "\006jottit\003com", true, 0 },
-  {19, true,  "\015sunshinepress\003org", true, 0 },
-  {21, false, "\003www\013noisebridge\003net", true, 0 },
-  {10, false, "\004neg9\003org", true, 0 },
-  {12, true, "\006riseup\003net", true, 0 },
-  {11, false, "\006factor\002cc", true, 0 },
-  {22, false, "\007members\010mayfirst\003org", true, 0 },
-  {22, false, "\007support\010mayfirst\003org", true, 0 },
-  {17, false, "\002id\010mayfirst\003org", true, 0 },
-  {20, false, "\005lists\010mayfirst\003org", true, 0 },
-  {19, true, "\015splendidbacon\003com", true, 0 },
-  {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
-  {14, true, "\011ottospora\002nl", true, 0 },
-  {25, false, "\003www\017paycheckrecords\003com", true, 0 },
-  {14, false, "\010lastpass\003com", true, 0 },
-  {18, false, "\003www\010lastpass\003com", true, 0 },
-  {14, true, "\010keyerror\003com", true, 0 },
-  {13, false, "\010entropia\002de", true, 0 },
-  {17, false, "\003www\010entropia\002de", true, 0 },
-  {11, true, "\005romab\003com", true, 0 },
-  {16, false, "\012logentries\003com", true, 0 },
-  {20, false, "\003www\012logentries\003com", true, 0 },
-  {12, true, "\006stripe\003com", true, 0 },
-  {27, true, "\025cloudsecurityalliance\003org", true, 0 },
-  {15, true, "\005login\004sapo\002pt", true, 0 },
-  {19, true, "\015mattmccutchen\003net", true, 0 },
-  {11, true, "\006betnet\002fr", true, 0 },
-  {13, true, "\010uprotect\002it", true, 0 },
-  {14, false, "\010squareup\003com", true, 0 },
-  {9, true, "\004cert\002se", true, 0 },
-  {11, true, "\006crypto\002is", true, 0 },
-  {20, true, "\005simon\007butcher\004name", true, 0 },
-  {10, true, "\004linx\003net", true, 0 },
-  {13, false, "\007dropcam\003com", true, 0 },
-  {17, false, "\003www\007dropcam\003com", true, 0 },
-  {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
-  {13, false, "\007epoxate\003com", true, 0 },
-  {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
-  {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
-  {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
-  {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
-  {22, true, "\003www\014moneybookers\003com", true, 0 },
-  {17, false, "\013ledgerscope\003net", true, 0 },
-  {21, false, "\003www\013ledgerscope\003net", true, 0 },
-  {10, false, "\004kyps\003net", true, 0 },
-  {14, false, "\003www\004kyps\003net", true, 0 },
-  {17, true, "\003app\007recurly\003com", true, 0 },
-  {17, true, "\003api\007recurly\003com", true, 0 },
-  {13, false, "\007greplin\003com", true, 0 },
-  {17, false, "\003www\007greplin\003com", true, 0 },
-  {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
-  {12, true, "\006ubertt\003org", true, 0 },
-
-  {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  // In the medium term this list is likely to just be hardcoded here. This,
+  // slightly odd, form removes the need for additional relocations records.
+  static const struct HSTSPreload kPreloadedSTS[] = {
+    // (*.)google.com, iff using SSL must use an acceptable certificate.
+    {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
+    {25, true, "\013pinningtest\007appspot\003com", false,
+     kTestAcceptableCerts },
+    // Now we force HTTPS for subtrees of google.com.
+    {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
+    {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
+    {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
+    {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
+    {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
+    {25, true, "\014spreadsheets\006google\003com", true,
+     kGoogleAcceptableCerts },
+    {22, false, "\011appengine\006google\003com", true,
+     kGoogleAcceptableCerts },
+    {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
+    {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
+    {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
+    {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
+    {23, true, "\012talkgadget\006google\003com", true,
+     kGoogleAcceptableCerts },
+    {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
+    {29, true, "\020hostedtalkgadget\006google\003com", true,
+     kGoogleAcceptableCerts },
+    {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
+    // Other Google-related domains that must use HTTPS.
+    {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
+    {26, true, "\003ssl\020google-analytics\003com", true,
+     kGoogleAcceptableCerts },
+    {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
+    {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
+    // Other Google-related domains that must use an acceptable certificate
+    // iff using SSL.
+    {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
+    {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
+    {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
+    {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
+    {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
+    {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
+    {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
+    {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
+    {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
+    {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
+    // Exclude the learn.doubleclick.net subdomain because it uses a different
+    // CA.
+    {23, true, "\005learn\013doubleclick\003net", false, 0 },
+    // Now we force HTTPS for other sites that have requested it.
+    {16, false, "\003www\006paypal\003com", true, 0 },
+    {16, false, "\003www\006elanex\003biz", true, 0 },
+    {12, true,  "\006jottit\003com", true, 0 },
+    {19, true,  "\015sunshinepress\003org", true, 0 },
+    {21, false, "\003www\013noisebridge\003net", true, 0 },
+    {10, false, "\004neg9\003org", true, 0 },
+    {12, true, "\006riseup\003net", true, 0 },
+    {11, false, "\006factor\002cc", true, 0 },
+    {22, false, "\007members\010mayfirst\003org", true, 0 },
+    {22, false, "\007support\010mayfirst\003org", true, 0 },
+    {17, false, "\002id\010mayfirst\003org", true, 0 },
+    {20, false, "\005lists\010mayfirst\003org", true, 0 },
+    {19, true, "\015splendidbacon\003com", true, 0 },
+    {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
+    {14, true, "\011ottospora\002nl", true, 0 },
+    {25, false, "\003www\017paycheckrecords\003com", true, 0 },
+    {14, false, "\010lastpass\003com", true, 0 },
+    {18, false, "\003www\010lastpass\003com", true, 0 },
+    {14, true, "\010keyerror\003com", true, 0 },
+    {13, false, "\010entropia\002de", true, 0 },
+    {17, false, "\003www\010entropia\002de", true, 0 },
+    {11, true, "\005romab\003com", true, 0 },
+    {16, false, "\012logentries\003com", true, 0 },
+    {20, false, "\003www\012logentries\003com", true, 0 },
+    {12, true, "\006stripe\003com", true, 0 },
+    {27, true, "\025cloudsecurityalliance\003org", true, 0 },
+    {15, true, "\005login\004sapo\002pt", true, 0 },
+    {19, true, "\015mattmccutchen\003net", true, 0 },
+    {11, true, "\006betnet\002fr", true, 0 },
+    {13, true, "\010uprotect\002it", true, 0 },
+    {14, false, "\010squareup\003com", true, 0 },
+    {9, true, "\004cert\002se", true, 0 },
+    {11, true, "\006crypto\002is", true, 0 },
+    {20, true, "\005simon\007butcher\004name", true, 0 },
+    {10, true, "\004linx\003net", true, 0 },
+    {13, false, "\007dropcam\003com", true, 0 },
+    {17, false, "\003www\007dropcam\003com", true, 0 },
+    {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
+    {13, false, "\007epoxate\003com", true, 0 },
+    {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
+    {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
+    {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
+    {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
+    {22, true, "\003www\014moneybookers\003com", true, 0 },
+    {17, false, "\013ledgerscope\003net", true, 0 },
+    {21, false, "\003www\013ledgerscope\003net", true, 0 },
+    {10, false, "\004kyps\003net", true, 0 },
+    {14, false, "\003www\004kyps\003net", true, 0 },
+    {17, true, "\003app\007recurly\003com", true, 0 },
+    {17, true, "\003api\007recurly\003com", true, 0 },
+    {13, false, "\007greplin\003com", true, 0 },
+    {17, false, "\003www\007greplin\003com", true, 0 },
+    {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
+    {12, true, "\006ubertt\003org", true, 0 },
+
+    {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+    {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+    {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+    {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+    {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+    {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+    {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
 
 #if 0
-  // Twitter CDN pins disabled in order to track down pinning failures --agl
-  {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
-  {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
-  {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
+    // Twitter CDN pins disabled in order to track down pinning failures --agl
+    {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
+    {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
+    {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
 #endif
-};
-static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
-
-static const struct HSTSPreload kPreloadedSNISTS[] = {
-  // These SNI-only domains must always use HTTPS.
-  {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
-  {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
-  {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
-  {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
-  // These SNI-only domains must use an acceptable certificate iff using
-  // HTTPS.
-  {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
-  // www. requires SNI.
-  {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
-};
-static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
-
-// Returns true if there is an HSTSPreload entry for the host in |entries|, and
-// if its |required_hashes| member is identical (by address) to |certs|.
-static bool ScanForHostAndCerts(
-    const std::string& canonicalized_host,
-    const struct HSTSPreload* entries,
-    size_t num_entries,
-    const char* const certs[]) {
-  bool hit = false;
-
-  for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
-    for (size_t j = 0; j < num_entries; j++) {
-      const struct HSTSPreload& entry = entries[j];
-
-      if (i != 0 && !entry.include_subdomains)
-        continue;
-
-      if (entry.length == canonicalized_host.size() - i &&
-          memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) {
-        hit = entry.required_hashes == certs;
-        // Return immediately upon exact match:
-        if (i == 0)
-          return hit;
-      }
-    }
-  }
-
-  return hit;
-}
-
-// static
-bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
-                                                    bool sni_available) {
-  std::string canonicalized_host = CanonicalizeHost(host);
-
-  if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS,
-                          kGoogleAcceptableCerts)) {
-    return true;
-  }
-
-  if (sni_available) {
-    if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedSNISTS,
-                            kGoogleAcceptableCerts)) {
-      return true;
-    }
-  }
-
-  return false;
-}
-
-
-// IsPreloadedSTS returns true if the canonicalized hostname should always be
-// considered to have STS enabled.
-bool TransportSecurityState::IsPreloadedSTS(
-    const std::string& canonicalized_host,
-    bool sni_available,
-    DomainState* out) {
-  DCHECK(CalledOnValidThread());
-
-  out->preloaded = true;
-  out->mode = DomainState::MODE_STRICT;
-  out->include_subdomains = false;
+  };
+  static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
+
+  static const struct HSTSPreload kPreloadedSNISTS[] = {
+    // These SNI-only domains must always use HTTPS.
+    {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
+    {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
+    {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
+    {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
+    // These SNI-only domains must use an acceptable certificate iff using
+    // HTTPS.
+    {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
+    // www. requires SNI.
+    {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
+  };
+  static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
 
   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
     std::string host_sub_chunk(&canonicalized_host[i],
diff --git a/net/base/transport_security_state.h b/net/base/transport_security_state.h
index 6832daf..f65da62 100644
--- a/net/base/transport_security_state.h
+++ b/net/base/transport_security_state.h
@@ -113,21 +113,6 @@ class NET_EXPORT TransportSecurityState
                    const std::string& host,
                    bool sni_available);
 
-  // Returns true if we have a preloaded certificate pin for the |host| and if
-  // its set of required certificates is the set we expect for Google
-  // properties. If |sni_available| is true, searches the preloads defined for
-  // SNI-using hosts as well as the usual preload list.
-  //
-  // Note that like HasMetadata, if |host| matches both an exact entry and is a
-  // subdomain of another entry, the exact match determines the return value.
-  //
-  // This function is used by ChromeFraudulentCertificateReporter to determine
-  // whether or not we can automatically post fraudulent certificate reports to
-  // Google; we only do so automatically in cases when the user was trying to
-  // connect to Google in the first place.
-  static bool IsGooglePinnedProperty(const std::string& host,
-                                     bool sni_available);
-
   // Deletes all records created since a given time.
   void DeleteSince(const base::Time& time);
 
diff --git a/net/base/transport_security_state_unittest.cc b/net/base/transport_security_state_unittest.cc
index d9337a9..8bbf641 100644
--- a/net/base/transport_security_state_unittest.cc
+++ b/net/base/transport_security_state_unittest.cc
@@ -1032,67 +1032,4 @@ TEST_F(TransportSecurityStateTest, DISABLED_ParseSidePinsFuzz) {
   }
 }
 
-TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "www.example.com", true));
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "www.paypal.com", true));
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "mail.twitter.com", true));
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "www.google.com.int", true));
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "jottit.com", true));
-  // learn.doubleclick.net has a more specific match than
-  // *.doubleclick.com, and has 0 or NULL for its required certs.
-  // This test ensures that the exact-match-preferred behavior
-  // works.
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "learn.doubleclick.net", true));
-
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "encrypted.google.com", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "mail.google.com", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "accounts.google.com", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "doubleclick.net", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "ad.doubleclick.net", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "youtube.com", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "www.profiles.google.com", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "checkout.google.com", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "googleadservices.com", true));
-
-  // Test with sni_enabled false:
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "www.example.com", false));
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "www.paypal.com", false));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "checkout.google.com", false));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "googleadservices.com", false));
-
-  // Test some SNI hosts:
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "gmail.com", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "googlegroups.com", true));
-  EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-      "www.googlegroups.com", true));
-  // Expect to fail for SNI hosts when not searching the SNI list:
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "gmail.com", false));
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "googlegroups.com", false));
-  EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-      "www.googlegroups.com", false));
-}
-
 }  // namespace net
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README
index d782cdb4..8ca5c9c 100644
--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -51,8 +51,3 @@ unit tests.
 - google_diginotar.pem
 - diginotar_public_ca_2025.pem : A certificate chain for the regression test
       of http://crbug.com/94673
-
-- test_mail_google_com.pem : A certificate signed by the test CA for
-    "mail.google.com". Because it is signed by that CA instead of the true CA
-    for that host, it will fail the
-    TransportSecurityState::IsChainOfPublicKeysPermitted test.
diff --git a/net/data/ssl/certificates/test_mail_google_com.pem b/net/data/ssl/certificates/test_mail_google_com.pem
deleted file mode 100644
index d72d562..0000000
--- a/net/data/ssl/certificates/test_mail_google_com.pem
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEXDCCAkSgAwIBAgIBBjANBgkqhkiG9w0BAQUFADBgMRAwDgYDVQQDEwdUZXN0
-IENBMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN
-TW91bnRhaW4gVmlldzESMBAGA1UEChMJQ2VydCBUZXN0MB4XDTExMTAxMTE5MTYy
-MVoXDTEzMDcyNzAwMDAwMFowbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlm
-b3JuaWExEjAQBgNVBAoTCUNlcnQgVGVzdDEbMBkGA1UECxMSR29hdCBUZWxlcG9y
-dGF0aW9uMRgwFgYDVQQDEw9tYWlsLmdvb2dsZS5jb20wXDANBgkqhkiG9w0BAQEF
-AANLADBIAkEAvy9N7zZ2yuMamRGUDc7KiLHq+OwVkfmvDRsrj77+MMR1DkUx1Qez
-s+tKtm6dyi5mariRL5ChbgIBqNYhb/cecQIDAQABo4HbMIHYMBIGA1UdEwEB/wQI
-MAYBAf8CAQEwDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQQFF3/oZUdPuM69r0i
-Gl5tEK5e7TCBkgYDVR0jBIGKMIGHgBRdzn+Z49QZQTFPxs+xJfVar+OXMaFkpGIw
-YDEQMA4GA1UEAxMHVGVzdCBDQTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlm
-b3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxEjAQBgNVBAoTCUNlcnQgVGVz
-dIIJANRRk9Q/3tlOMA0GCSqGSIb3DQEBBQUAA4ICAQCPO6wgG6cFmu5ZgAN9q+dS
-BVrMiJhHj62Tlw7qNjD+VAfidTTtQPM8T0y2LtNe2epO6jDOyIpRwsKkFi5mozcs
-Dd3CfXAs7fkdY4ZnAxjXhhk1fvMkomR6CfTHEwcGkfwVm2MDozZmYbS83OP+E82B
-+yKA41ppbw75/meJzH4nSECBd/Whzi8AuuX6e3bSae6XEAdhBQoLHyNAvZ0IEeCb
-sI3DvXdpIP0LyYJH6+F/KG5Jugby44HuAK1MBn9/f5tYplucOj5cyw/fYWd8REGD
-Ob71lh9/eZVcYjvbF6LxlizZQ+DNHV2QkHvSQqAACDbpFCUcU9KO5xvN8RaVtFmJ
-sDuHtxDDXFcXHhLh6bcC2KFrsmwEV68jmek0++eMa/W99ADzNWUWCmGoyZQafP2e
-eqQ6Ry8wgH+ZVkhQaaGk4fCKZATpX7//qdj7IzO52Kpx0dwsW7mHxPjdRKQzThkn
-lwFSiKByJDMOm9JbjpGf52JsCX4OSFuHCRcc2TB867xKRfBoAXE06fMS2lTwAcQh
-3vdzO0gEv9WOvdvehvngcrWzGwIdGaP6BBXi+9b5wPBR8ravMPAgQBXg01vME+/+
-TkpEaCFACOttO0YkVqG6lFFT1wigsh3k4/+Eyh/RsLTsFObZBJsMLetbY/XzwhTf
-LyeXa2sT1sk6l+EfrzWS1Q==
------END CERTIFICATE-----
diff --git a/net/net.gyp b/net/net.gyp
index 370a585..6bc9340 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -635,7 +635,6 @@
         'udp/udp_socket_libevent.h',
         'udp/udp_socket_win.cc',
         'udp/udp_socket_win.h',
-        'url_request/fraudulent_certificate_reporter.h',
         'url_request/url_request.cc',
         'url_request/url_request.h',
         'url_request/url_request_about_job.cc',
diff --git a/net/url_request/fraudulent_certificate_reporter.h b/net/url_request/fraudulent_certificate_reporter.h
deleted file mode 100644
index 7522c13..0000000
--- a/net/url_request/fraudulent_certificate_reporter.h
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_URL_REQUEST_FRAUDULENT_CERTIFICATE_REPORTER_H_
-#define NET_URL_REQUEST_FRAUDULENT_CERTIFICATE_REPORTER_H_
-
-#include <string>
-
-#include "net/base/net_export.h"
-
-namespace net {
-
-class SSLInfo;
-
-// FraudulentCertificateReporter is an interface for asynchronously
-// reporting certificate chains that fail the certificate pinning
-// check.
-class NET_EXPORT FraudulentCertificateReporter {
- public:
-  virtual ~FraudulentCertificateReporter() {}
-
-  // Sends a report to the report collection server containing the |ssl_info|
-  // associated with a connection to |hostname|. If |sni_available| is true,
-  // searches the SNI transport security metadata as well as the usual
-  // transport security metadata when determining policy for sending the report.
-  virtual void SendReport(const std::string& hostname,
-                          const SSLInfo& ssl_info,
-                          bool sni_available) = 0;
-};
-
-}  // namespace net
-
-#endif  // NET_URL_REQUEST_FRAUDULENT_CERTIFICATE_REPORTER_H_
-
author	apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-10-14 23:50:35 +0000
committer	apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-10-14 23:50:35 +0000
commit	325806865b379f97c5ffe53e91bc4a6e1c802bb8 (patch)
tree	a1b82567202eeb5be8e8294e45a559a9c895221b /net
parent	a421e31604d2b9b3df626686b7729fb690e062a5 (diff)
download	chromium_src-325806865b379f97c5ffe53e91bc4a6e1c802bb8.zip chromium_src-325806865b379f97c5ffe53e91bc4a6e1c802bb8.tar.gz chromium_src-325806865b379f97c5ffe53e91bc4a6e1c802bb8.tar.bz2