Revert 132012 - net: move HSTS preloaded and pinning info out of code.

net/base/transport_security_state_static.h

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// This file is automatically generated by transport_security_state_static_generate.go
-
-#ifndef NET_BASE_TRANSPORT_SECURITY_STATE_STATIC_H_
-#define NET_BASE_TRANSPORT_SECURITY_STATE_STATIC_H_
+#ifndef NET_BASE_PUBLIC_KEY_HASHES_
+#define NET_BASE_PUBLIC_KEY_HASHES_
 #pragma once
 
-// These are SubjectPublicKeyInfo hashes for public key pinning. The
+// This file contains SubjectPublicKeyInfo hashes for public key pinning. The
 // hashes are base64 encoded, SHA1 digests.
 
-static const char kSPKIHash_TestSPKI[] =
-    "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=";
-
 #if 0
 -----BEGIN CERTIFICATE-----
 MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkG
 A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
 cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
 MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
 BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
 YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
 ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
 BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
@@ skipping 50 matching lines @@
 Af8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
 Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAuIojxkiWsRF8YHde
 BZqrocb6ghwYB8TrgbCoZutJqOkM0ymt9e8kTP3kS8p/XmOrmSfLnzYhLLkQYGfN
 0rTw8Ktx5YtaiScRhKqOv5nwnQkhClIZmloJ0pC3+gz4fniisIWvXEyZ2VxVKfml
 UUIuOss4jHg7y/j7lYe8vJD5UDI=
 -----END CERTIFICATE-----
 #endif
 static const char kSPKIHash_Google1024[] =
     "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
 
+// Not yet used publicly.
 static const char kSPKIHash_Google2048[] =
     "sha1/AbkhxY0L343gKf+cki7NVWp+ozk=";
 
 #if 0
 -----BEGIN CERTIFICATE-----
 MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
 UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
 dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
 MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
 dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
@@ skipping 223 matching lines @@
 eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
 hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
 Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
 vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
 +OkuE6N36B9K
 -----END CERTIFICATE-----
 #endif
 static const char kSPKIHash_DigiCertEVRoot[] =
     "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
 
+// Not public
 static const char kSPKIHash_Tor1[] =
     "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
-
 static const char kSPKIHash_Tor2[] =
     "sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
-
 static const char kSPKIHash_Tor3[] =
     "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
 
 #if 0
 -----BEGIN CERTIFICATE-----
 MIICPTCCAaYCEQDNun9W8N/kvFT+IqyzcqpVMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
 BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
 c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
 NjAxMjkwMDAwMDBaFw0yODA4MDEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
 VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJp
@@ skipping 230 matching lines @@
 seQxIcaBlVZaDrHC1LGmWazxY8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz
 4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTxP/jgdFcrGJ2BtMQo2pSXpXDrrB2+
 BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR
 lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3
 7M2CYfE45k+XmCpajQ==
 -----END CERTIFICATE-----
 #endif
 static const char kSPKIHash_VeriSignUniversal[] =
     "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
 
+// Not public
 static const char kSPKIHash_Twitter1[] =
     "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
 
 #if 0
 -----BEGIN CERTIFICATE-----
 MIIDZjCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEW
 MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMUR2VvVHJ1c3QgR2xvYmFs
 IENBIDIwHhcNMDQwMzA0MDUwMDAwWhcNMTkwMzA0MDUwMDAwWjBEMQswCQYDVQQG
 EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMUR2VvVHJ1c3Qg
 R2xvYmFsIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvPE1A
@@ skipping 134 matching lines @@
 AWh9jUGhlBjBJVz88P6DAod8DQ3PLghcSkANPuyBYeYk28rgDi0Hsj5W3I31QYUH
 SJsMC8tJP33st/3LjWeJGqvtux6jAAgIFyqCXDFdRootD4abdNlF+9RAsXqqaC2G
 spki4cErx5z481+oghLrGREt
 -----END CERTIFICATE-----
 #endif
 static const char kSPKIHash_GeoTrustPrimary_G3[] =
     "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
 
 #if 0
 -----BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
-bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
-IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
-ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3
-MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
-LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
-YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
-A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
-K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe
-sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX
-MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT
-XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/
-HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH
-4QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
-HQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADub
-j1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPyT/4xmf3IDExo
-U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
-zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b
-u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
-bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
-fF6adulZkMV8gzURZVE=
+MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChMLRW50cnVzdC5u
+ZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBpbmNvcnAuIGJ5IHJlZi4gKGxp
+bWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNV
+BAMTKkVudHJ1c3QubmV0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQx
+NzUwNTFaFw0yOTA3MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3
+d3d3LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTEl
+MCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5u
+ZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEArU1LqRKGsuqjIAcVFmQqK0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOL
+Gp18EzoOH1u3Hs/lJBQesYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSr
+hRSGlVuXMlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVTXTzW
+nLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/HoZdenoVve8AjhUi
+VBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH4QIDAQABo0IwQDAOBgNVHQ8BAf8E
+BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJ
+KoZIhvcNAQEFBQADggEBADubj1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPy
+T/4xmf3IDExoU8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
+zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5bu/8j72gZyxKT
+J1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+bYQLCIt+jerXmCHG8+c8eS9e
+nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE=
 -----END CERTIFICATE-----
 #endif
 static const char kSPKIHash_Entrust_2048[] =
     "sha1/VeSB0RGAvtiJuQijMfmhJAkWuXA=";
 
 #if 0
 -----BEGIN CERTIFICATE-----
 MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
 VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
 Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
@@ skipping 463 matching lines @@
 r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
 04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
 GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
 3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
 lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
 -----END CERTIFICATE-----
 #endif
 static const char kSPKIHash_GTECyberTrustGlobalRoot[] =
     "sha1/WXkS3mF11m/EI7d3E3THlt5viHI=";
 
-// The following is static data describing the hosts that are hardcoded with
-// certificate pins or HSTS information.
+#endif // NET_BASE_PUBLIC_KEY_HASHES_
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/transport_security_state.h"
+
+#if defined(USE_OPENSSL)
+#include <openssl/ecdsa.h>
+#include <openssl/ssl.h>
+#else  // !defined(USE_OPENSSL)
+#include <cryptohi.h>
+#include <hasht.h>
+#include <keyhi.h>
+#include <pk11pub.h>
+#include <nspr.h>
+#endif
+
+#include <algorithm>
+#include <utility>
+
+#include "base/base64.h"
+#include "base/json/json_reader.h"
+#include "base/json/json_writer.h"
+#include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/metrics/histogram.h"
+#include "base/sha1.h"
+#include "base/string_number_conversions.h"
+#include "base/string_tokenizer.h"
+#include "base/string_util.h"
+#include "base/time.h"
+#include "base/utf_string_conversions.h"
+#include "base/values.h"
+#include "crypto/sha2.h"
+#include "googleurl/src/gurl.h"
+#include "net/base/asn1_util.h"
+#include "net/base/dns_util.h"
+#include "net/base/public_key_hashes.h"
+#include "net/base/ssl_info.h"
+#include "net/base/x509_certificate.h"
+#include "net/http/http_util.h"
+
+#if defined(USE_OPENSSL)
+#include "crypto/openssl_util.h"
+#endif
+
+namespace net {
+
+const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365;  // 1 year
+
+TransportSecurityState::TransportSecurityState(const std::string& hsts_hosts)
+    : delegate_(NULL) {
+  if (!hsts_hosts.empty()) {
+    bool dirty;
+    Deserialise(hsts_hosts, &dirty, &forced_hosts_);
+  }
+}
+
+static std::string HashHost(const std::string& canonicalized_host) {
+  char hashed[crypto::kSHA256Length];
+  crypto::SHA256HashString(canonicalized_host, hashed, sizeof(hashed));
+  return std::string(hashed, sizeof(hashed));
+}
+
+void TransportSecurityState::SetDelegate(
+    TransportSecurityState::Delegate* delegate) {
+  delegate_ = delegate;
+}
+
+void TransportSecurityState::EnableHost(const std::string& host,
+                                        const DomainState& state) {
+  DCHECK(CalledOnValidThread());
+
+  const std::string canonicalized_host = CanonicalizeHost(host);
+  if (canonicalized_host.empty())
+    return;
+
+  // Only override a preloaded state if the new state describes a more strict
+  // policy. TODO(palmer): Reconsider this?
+  DomainState existing_state;
+  if (IsPreloadedSTS(canonicalized_host, true, &existing_state) &&
+      canonicalized_host == CanonicalizeHost(existing_state.domain) &&
+      existing_state.IsMoreStrict(state)) {
+    return;
+  }
+
+  // Use the original creation date if we already have this host.
+  DomainState state_copy(state);
+  if (GetDomainState(&existing_state, host, true) &&
+      !existing_state.created.is_null()) {
+    state_copy.created = existing_state.created;
+  }
+
+  // We don't store these values.
+  state_copy.preloaded = false;
+  state_copy.domain.clear();
+
+  enabled_hosts_[HashHost(canonicalized_host)] = state_copy;
+  DirtyNotify();
+}
+
+bool TransportSecurityState::DeleteHost(const std::string& host) {
+  DCHECK(CalledOnValidThread());
+
+  const std::string canonicalized_host = CanonicalizeHost(host);
+  if (canonicalized_host.empty())
+    return false;
+
+  std::map<std::string, DomainState>::iterator i = enabled_hosts_.find(
+      HashHost(canonicalized_host));
+  if (i != enabled_hosts_.end()) {
+    enabled_hosts_.erase(i);
+    DirtyNotify();
+    return true;
+  }
+  return false;
+}
+
+bool TransportSecurityState::HasPinsForHost(DomainState* result,
+                                            const std::string& host,
+                                            bool sni_available) {
+  DCHECK(CalledOnValidThread());
+
+  return HasMetadata(result, host, sni_available) &&
+      (!result->dynamic_spki_hashes.empty() ||
+       !result->preloaded_spki_hashes.empty());
+}
+
+bool TransportSecurityState::GetDomainState(DomainState* result,
+                                            const std::string& host,
+                                            bool sni_available) {
+  DCHECK(CalledOnValidThread());
+
+  return HasMetadata(result, host, sni_available);
+}
+
+bool TransportSecurityState::HasMetadata(DomainState* result,
+                                         const std::string& host,
+                                         bool sni_available) {
+  DCHECK(CalledOnValidThread());
+
+  DomainState state;
+  const std::string canonicalized_host = CanonicalizeHost(host);
+  if (canonicalized_host.empty())
+    return false;
+
+  bool has_preload = IsPreloadedSTS(canonicalized_host, sni_available, &state);
+  std::string canonicalized_preload = CanonicalizeHost(state.domain);
+
+  base::Time current_time(base::Time::Now());
+
+  for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
+    std::string host_sub_chunk(&canonicalized_host[i],
+                               canonicalized_host.size() - i);
+    // Exact match of a preload always wins.
+    if (has_preload && host_sub_chunk == canonicalized_preload) {
+      *result = state;
+      return true;
+    }
+
+    std::map<std::string, DomainState>::iterator j =
+        enabled_hosts_.find(HashHost(host_sub_chunk));
+    if (j == enabled_hosts_.end())
+      continue;
+
+    if (current_time > j->second.expiry &&
+        current_time > j->second.dynamic_spki_hashes_expiry) {
+      enabled_hosts_.erase(j);
+      DirtyNotify();
+      continue;
+    }
+
+    state = j->second;
+    state.domain = DNSDomainToString(host_sub_chunk);
+
+    // Succeed if we matched the domain exactly or if subdomain matches are
+    // allowed.
+    if (i == 0 || j->second.include_subdomains) {
+      *result = state;
+      return true;
+    }
+
+    return false;
+  }
+
+  return false;
+}
+
+void TransportSecurityState::DeleteSince(const base::Time& time) {
+  DCHECK(CalledOnValidThread());
+
+  bool dirtied = false;
+
+  std::map<std::string, DomainState>::iterator i = enabled_hosts_.begin();
+  while (i != enabled_hosts_.end()) {
+    if (i->second.created >= time) {
+      dirtied = true;
+      enabled_hosts_.erase(i++);
+    } else {
+      i++;
+    }
+  }
+
+  if (dirtied)
+    DirtyNotify();
+}
+
+// MaxAgeToInt converts a string representation of a number of seconds into a
+// int. We use strtol in order to handle overflow correctly. The string may
+// contain an arbitary number which we should truncate correctly rather than
+// throwing a parse failure.
+static bool MaxAgeToInt(std::string::const_iterator begin,
+                        std::string::const_iterator end,
+                        int* result) {
+  const std::string s(begin, end);
+  char* endptr;
+  long int i = strtol(s.data(), &endptr, 10 /* base */);
+  if (*endptr || i < 0)
+    return false;
+  if (i > TransportSecurityState::kMaxHSTSAgeSecs)
+    i = TransportSecurityState::kMaxHSTSAgeSecs;
+  *result = i;
+  return true;
+}
+
+// Strip, Split, StringPair, and ParsePins are private implementation details
+// of ParsePinsHeader(std::string&, DomainState&).
+static std::string Strip(const std::string& source) {
+  if (source.empty())
+    return source;
+
+  std::string::const_iterator start = source.begin();
+  std::string::const_iterator end = source.end();
+  HttpUtil::TrimLWS(&start, &end);
+  return std::string(start, end);
+}
+
+typedef std::pair<std::string, std::string> StringPair;
+
+static StringPair Split(const std::string& source, char delimiter) {
+  StringPair pair;
+  size_t point = source.find(delimiter);
+
+  pair.first = source.substr(0, point);
+  if (std::string::npos != point)
+    pair.second = source.substr(point + 1);
+
+  return pair;
+}
+
+// TODO(palmer): Support both sha256 and sha1. This will require additional
+// infrastructure code changes and can come in a later patch.
+//
+// static
+bool TransportSecurityState::ParsePin(const std::string& value,
+                                      SHA1Fingerprint* out) {
+  StringPair slash = Split(Strip(value), '/');
+  if (slash.first != "sha1")
+    return false;
+
+  std::string decoded;
+  if (!base::Base64Decode(slash.second, &decoded) ||
+      decoded.size() != arraysize(out->data)) {
+    return false;
+  }
+
+  memcpy(out->data, decoded.data(), arraysize(out->data));
+  return true;
+}
+
+static bool ParseAndAppendPin(const std::string& value,
+                      FingerprintVector* fingerprints) {
+  // The base64'd fingerprint MUST be a quoted-string. 20 bytes base64'd is 28
+  // characters; 32 bytes base64'd is 44 characters. TODO(palmer): Support
+  // SHA256.
+  size_t size = value.size();
+  if (size != 30 || value[0] != '"' || value[size - 1] != '"')
+    return false;
+
+  std::string unquoted = HttpUtil::Unquote(value);
+  std::string decoded;
+  SHA1Fingerprint fp;
+
+  if (!base::Base64Decode(unquoted, &decoded) ||
+      decoded.size() != arraysize(fp.data)) {
+    return false;
+  }
+
+  memcpy(fp.data, decoded.data(), arraysize(fp.data));
+  fingerprints->push_back(fp);
+  return true;
+}
+
+// static
+bool TransportSecurityState::GetPublicKeyHash(
+    const X509Certificate& cert, SHA1Fingerprint* spki_hash) {
+  std::string der_bytes;
+  if (!X509Certificate::GetDEREncoded(cert.os_cert_handle(), &der_bytes))
+    return false;
+
+  base::StringPiece spki;
+  if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki))
+    return false;
+
+  base::SHA1HashBytes(reinterpret_cast<const unsigned char*>(spki.data()),
+                      spki.size(), spki_hash->data);
+
+  return true;
+}
+
+struct FingerprintsEqualPredicate {
+  explicit FingerprintsEqualPredicate(const SHA1Fingerprint& fingerprint) :
+      fingerprint_(fingerprint) {}
+
+  bool operator()(const SHA1Fingerprint& other) const {
+    return fingerprint_.Equals(other);
+  }
+
+  const SHA1Fingerprint& fingerprint_;
+};
+
+// Returns true iff there is an item in |pins| which is not present in
+// |from_cert_chain|. Such an SPKI hash is called a "backup pin".
+static bool IsBackupPinPresent(const FingerprintVector& pins,
+                               const FingerprintVector& from_cert_chain) {
+  for (FingerprintVector::const_iterator
+       i = pins.begin(); i != pins.end(); ++i) {
+    FingerprintVector::const_iterator j =
+        std::find_if(from_cert_chain.begin(), from_cert_chain.end(),
+                     FingerprintsEqualPredicate(*i));
+      if (j == from_cert_chain.end())
+        return true;
+  }
+
+  return false;
+}
+
+static bool HashesIntersect(const FingerprintVector& a,
+                            const FingerprintVector& b) {
+  for (FingerprintVector::const_iterator
+       i = a.begin(); i != a.end(); ++i) {
+    FingerprintVector::const_iterator j =
+        std::find_if(b.begin(), b.end(), FingerprintsEqualPredicate(*i));
+      if (j != b.end())
+        return true;
+  }
+
+  return false;
+}
+
+// Returns true iff |pins| contains both a live and a backup pin. A live pin
+// is a pin whose SPKI is present in the certificate chain in |ssl_info|. A
+// backup pin is a pin intended for disaster recovery, not day-to-day use, and
+// thus must be absent from the certificate chain. The Public-Key-Pins header
+// specification requires both.
+static bool IsPinListValid(const FingerprintVector& pins,
+                           const SSLInfo& ssl_info) {
+  if (pins.size() < 2)
+    return false;
+
+  const FingerprintVector& from_cert_chain = ssl_info.public_key_hashes;
+  if (from_cert_chain.empty())
+    return false;
+
+  return IsBackupPinPresent(pins, from_cert_chain) &&
+      HashesIntersect(pins, from_cert_chain);
+}
+
+// "Public-Key-Pins" ":"
+//     "max-age" "=" delta-seconds ";"
+//     "pin-" algo "=" base64 [ ";" ... ]
+//
+// static
+bool TransportSecurityState::ParsePinsHeader(const std::string& value,
+                                             const SSLInfo& ssl_info,
+                                             DomainState* state) {
+  bool parsed_max_age = false;
+  int max_age = 0;
+  FingerprintVector pins;
+
+  std::string source = value;
+
+  while (!source.empty()) {
+    StringPair semicolon = Split(source, ';');
+    semicolon.first = Strip(semicolon.first);
+    semicolon.second = Strip(semicolon.second);
+    StringPair equals = Split(semicolon.first, '=');
+    equals.first = Strip(equals.first);
+    equals.second = Strip(equals.second);
+
+    if (LowerCaseEqualsASCII(equals.first, "max-age")) {
+      if (equals.second.empty() ||
+          !MaxAgeToInt(equals.second.begin(), equals.second.end(), &max_age)) {
+        return false;
+      }
+      if (max_age > kMaxHSTSAgeSecs)
+        max_age = kMaxHSTSAgeSecs;
+      parsed_max_age = true;
+    } else if (LowerCaseEqualsASCII(equals.first, "pin-sha1")) {
+      if (!ParseAndAppendPin(equals.second, &pins))
+        return false;
+    } else if (LowerCaseEqualsASCII(equals.first, "pin-sha256")) {
+      // TODO(palmer)
+    } else {
+      // Silently ignore unknown directives for forward compatibility.
+    }
+
+    source = semicolon.second;
+  }
+
+  if (!parsed_max_age || !IsPinListValid(pins, ssl_info))
+    return false;
+
+  state->max_age = max_age;
+  state->dynamic_spki_hashes_expiry =
+      base::Time::Now() + base::TimeDelta::FromSeconds(max_age);
+
+  state->dynamic_spki_hashes.clear();
+  if (max_age > 0) {
+    for (FingerprintVector::const_iterator i = pins.begin();
+         i != pins.end(); i++) {
+      state->dynamic_spki_hashes.push_back(*i);
+    }
+  }
+
+  return true;
+}
+
+// "Strict-Transport-Security" ":"
+//     "max-age" "=" delta-seconds [ ";" "includeSubDomains" ]
+//
+// static
+bool TransportSecurityState::ParseHeader(const std::string& value,
+                                         int* max_age,
+                                         bool* include_subdomains) {
+  DCHECK(max_age);
+  DCHECK(include_subdomains);
+
+  int max_age_candidate = 0;
+
+  enum ParserState {
+    START,
+    AFTER_MAX_AGE_LABEL,
+    AFTER_MAX_AGE_EQUALS,
+    AFTER_MAX_AGE,
+    AFTER_MAX_AGE_INCLUDE_SUB_DOMAINS_DELIMITER,
+    AFTER_INCLUDE_SUBDOMAINS,
+  } state = START;
+
+  StringTokenizer tokenizer(value, " \t=;");
+  tokenizer.set_options(StringTokenizer::RETURN_DELIMS);
+  while (tokenizer.GetNext()) {
+    DCHECK(!tokenizer.token_is_delim() || tokenizer.token().length() == 1);
+    switch (state) {
+      case START:
+        if (IsAsciiWhitespace(*tokenizer.token_begin()))
+          continue;
+        if (!LowerCaseEqualsASCII(tokenizer.token(), "max-age"))
+          return false;
+        state = AFTER_MAX_AGE_LABEL;
+        break;
+
+      case AFTER_MAX_AGE_LABEL:
+        if (IsAsciiWhitespace(*tokenizer.token_begin()))
+          continue;
+        if (*tokenizer.token_begin() != '=')
+          return false;
+        DCHECK_EQ(tokenizer.token().length(), 1U);
+        state = AFTER_MAX_AGE_EQUALS;
+        break;
+
+      case AFTER_MAX_AGE_EQUALS:
+        if (IsAsciiWhitespace(*tokenizer.token_begin()))
+          continue;
+        if (!MaxAgeToInt(tokenizer.token_begin(),
+                         tokenizer.token_end(),
+                         &max_age_candidate))
+          return false;
+        state = AFTER_MAX_AGE;
+        break;
+
+      case AFTER_MAX_AGE:
+        if (IsAsciiWhitespace(*tokenizer.token_begin()))
+          continue;
+        if (*tokenizer.token_begin() != ';')
+          return false;
+        state = AFTER_MAX_AGE_INCLUDE_SUB_DOMAINS_DELIMITER;
+        break;
+
+      case AFTER_MAX_AGE_INCLUDE_SUB_DOMAINS_DELIMITER:
+        if (IsAsciiWhitespace(*tokenizer.token_begin()))
+          continue;
+        if (!LowerCaseEqualsASCII(tokenizer.token(), "includesubdomains"))
+          return false;
+        state = AFTER_INCLUDE_SUBDOMAINS;
+        break;
+
+      case AFTER_INCLUDE_SUBDOMAINS:
+        if (!IsAsciiWhitespace(*tokenizer.token_begin()))
+          return false;
+        break;
+
+      default:
+        NOTREACHED();
+    }
+  }
+
+  // We've consumed all the input.  Let's see what state we ended up in.
+  switch (state) {
+    case START:
+    case AFTER_MAX_AGE_LABEL:
+    case AFTER_MAX_AGE_EQUALS:
+      return false;
+    case AFTER_MAX_AGE:
+      *max_age = max_age_candidate;
+      *include_subdomains = false;
+      return true;
+    case AFTER_MAX_AGE_INCLUDE_SUB_DOMAINS_DELIMITER:
+      return false;
+    case AFTER_INCLUDE_SUBDOMAINS:
+      *max_age = max_age_candidate;
+      *include_subdomains = true;
+      return true;
+    default:
+      NOTREACHED();
+      return false;
+  }
+}
+
+// Side pinning and superfluous certificates:
+//
+// In SSLClientSocketNSS::DoVerifyCertComplete we look for certificates with a
+// Subject of CN=meta. When we find one we'll currently try and parse side
+// pinned key from it.
+//
+// A side pin is a key which can be pinned to, but also can be kept offline and
+// still held by the site owner. The CN=meta certificate is just a backwards
+// compatiable method of carrying a lump of bytes to the client. (We could use
+// a TLS extension just as well, but it's a lot easier for admins to add extra
+// certificates to the chain.)
+
+// A TagMap represents the simple key-value structure that we use. Keys are
+// 32-bit ints. Values are byte strings.
+typedef std::map<uint32, base::StringPiece> TagMap;
+
+// ParseTags parses a list of key-value pairs from |in| to |out| and advances
+// |in| past the data. The key-value pair data is:
+//   u16le num_tags
+//   u32le tag[num_tags]
+//   u16le lengths[num_tags]
+//   ...data...
+static bool ParseTags(base::StringPiece* in, TagMap *out) {
+  // Many part of Chrome already assume little-endian. This is just to help
+  // anyone who should try to port it in the future.
+#if defined(__BYTE_ORDER)
+  // Linux check
+  COMPILE_ASSERT(__BYTE_ORDER == __LITTLE_ENDIAN, assumes_little_endian);
+#elif defined(__BIG_ENDIAN__)
+  // Mac check
+  #error assumes little endian
+#endif
+
+  uint16 num_tags_16;
+  if (in->size() < sizeof(num_tags_16))
+    return false;
+
+  memcpy(&num_tags_16, in->data(), sizeof(num_tags_16));
+  in->remove_prefix(sizeof(num_tags_16));
+  unsigned num_tags = num_tags_16;
+
+  if (in->size() < 6 * num_tags)
+    return false;
+
+  const uint32* tags = reinterpret_cast<const uint32*>(in->data());
+  const uint16* lens = reinterpret_cast<const uint16*>(
+      in->data() + 4*num_tags);
+  in->remove_prefix(6*num_tags);
+
+  uint32 prev_tag = 0;
+  for (unsigned i = 0; i < num_tags; i++) {
+    size_t len = lens[i];
+    uint32 tag = tags[i];
+
+    if (in->size() < len)
+      return false;
+    // tags must be in ascending order.
+    if (i > 0 && prev_tag >= tag)
+      return false;
+    (*out)[tag] = base::StringPiece(in->data(), len);
+    in->remove_prefix(len);
+    prev_tag = tag;
+  }
+
+  return true;
+}
+
+// GetTag extracts the data associated with |tag| in |tags|.
+static bool GetTag(uint32 tag, const TagMap& tags, base::StringPiece* out) {
+  TagMap::const_iterator i = tags.find(tag);
+  if (i == tags.end())
+    return false;
+
+  *out = i->second;
+  return true;
+}
+
+// kP256SubjectPublicKeyInfoPrefix can be prepended onto a P256 elliptic curve
+// point in X9.62 format in order to make a valid SubjectPublicKeyInfo. The
+// ASN.1 interpretation of these bytes is:
+//
+//     0:d=0  hl=2 l=  89 cons: SEQUENCE
+//     2:d=1  hl=2 l=  19 cons: SEQUENCE
+//     4:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
+//    13:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
+//    23:d=1  hl=2 l=  66 prim: BIT STRING
+static const uint8 kP256SubjectPublicKeyInfoPrefix[] = {
+  0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+  0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
+  0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+  0x42, 0x00,
+};
+
+// VerifySignature returns true iff |sig| is a valid signature of
+// |hash| by |pubkey|. The actual implementation is crypto library
+// specific.
+static bool VerifySignature(const base::StringPiece& pubkey,
+                            const base::StringPiece& sig,
+                            const base::StringPiece& hash);
+
+#if defined(USE_OPENSSL)
+
+static EVP_PKEY* DecodeX962P256PublicKey(
+    const base::StringPiece& pubkey_bytes) {
+  // The public key is an X9.62 encoded P256 point.
+  if (pubkey_bytes.size() != 1 + 2*32)
+    return NULL;
+
+  std::string pubkey_spki(
+      reinterpret_cast<const char*>(kP256SubjectPublicKeyInfoPrefix),
+      sizeof(kP256SubjectPublicKeyInfoPrefix));
+  pubkey_spki += pubkey_bytes.as_string();
+
+  EVP_PKEY* ret = NULL;
+  const unsigned char* der_pubkey =
+      reinterpret_cast<const unsigned char*>(pubkey_spki.data());
+  d2i_PUBKEY(&ret, &der_pubkey, pubkey_spki.size());
+  return ret;
+}
+
+static bool VerifySignature(const base::StringPiece& pubkey,
+                            const base::StringPiece& sig,
+                            const base::StringPiece& hash) {
+  crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> secpubkey(
+      DecodeX962P256PublicKey(pubkey));
+  if (!secpubkey.get())
+    return false;
+
+
+  crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ec_key(
+      EVP_PKEY_get1_EC_KEY(secpubkey.get()));
+  if (!ec_key.get())
+    return false;
+
+  return ECDSA_verify(0, reinterpret_cast<const unsigned char*>(hash.data()),
+                      hash.size(),
+                      reinterpret_cast<const unsigned char*>(sig.data()),
+                      sig.size(), ec_key.get()) == 1;
+}
+
+#else
+
+// DecodeX962P256PublicKey parses an uncompressed, X9.62 format, P256 elliptic
+// curve point from |pubkey_bytes| and returns it as a SECKEYPublicKey.
+static SECKEYPublicKey* DecodeX962P256PublicKey(
+    const base::StringPiece& pubkey_bytes) {
+  // The public key is an X9.62 encoded P256 point.
+  if (pubkey_bytes.size() != 1 + 2*32)
+    return NULL;
+
+  std::string pubkey_spki(
+      reinterpret_cast<const char*>(kP256SubjectPublicKeyInfoPrefix),
+      sizeof(kP256SubjectPublicKeyInfoPrefix));
+  pubkey_spki += pubkey_bytes.as_string();
+
+  SECItem der;
+  memset(&der, 0, sizeof(der));
+  der.data = reinterpret_cast<uint8*>(const_cast<char*>(pubkey_spki.data()));
+  der.len = pubkey_spki.size();
+
+  CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
+  if (!spki)
+    return NULL;
+  SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki);
+  SECKEY_DestroySubjectPublicKeyInfo(spki);
+
+  return public_key;
+}
+
+static bool VerifySignature(const base::StringPiece& pubkey,
+                            const base::StringPiece& sig,
+                            const base::StringPiece& hash) {
+  SECKEYPublicKey* secpubkey = DecodeX962P256PublicKey(pubkey);
+  if (!secpubkey)
+    return false;
+
+  SECItem sigitem;
+  memset(&sigitem, 0, sizeof(sigitem));
+  sigitem.data = reinterpret_cast<uint8*>(const_cast<char*>(sig.data()));
+  sigitem.len = sig.size();
+
+  // |decoded_sigitem| is newly allocated, as is the data that it points to.
+  SECItem* decoded_sigitem = DSAU_DecodeDerSigToLen(
+      &sigitem, SECKEY_SignatureLen(secpubkey));
+
+  if (!decoded_sigitem) {
+    SECKEY_DestroyPublicKey(secpubkey);
+    return false;
+  }
+
+  SECItem hashitem;
+  memset(&hashitem, 0, sizeof(hashitem));
+  hashitem.data = reinterpret_cast<unsigned char*>(
+      const_cast<char*>(hash.data()));
+  hashitem.len = hash.size();
+
+  SECStatus rv = PK11_Verify(secpubkey, decoded_sigitem, &hashitem, NULL);
+  SECKEY_DestroyPublicKey(secpubkey);
+  SECITEM_FreeItem(decoded_sigitem, PR_TRUE);
+  return rv == SECSuccess;
+}
+
+#endif  // !defined(USE_OPENSSL)
+
+// These are the tag values that we use. Tags are little-endian on the wire and
+// these values correspond to the ASCII of the name.
+static const uint32 kTagALGO = 0x4f474c41;
+static const uint32 kTagP256 = 0x36353250;
+static const uint32 kTagPUBK = 0x4b425550;
+static const uint32 kTagSIG = 0x474953;
+static const uint32 kTagSPIN = 0x4e495053;
+
+// static
+bool TransportSecurityState::ParseSidePin(
+    const base::StringPiece& leaf_spki,
+    const base::StringPiece& in_side_info,
+    FingerprintVector* out_pub_key_hash) {
+  base::StringPiece side_info(in_side_info);
+
+  TagMap outer;
+  if (!ParseTags(&side_info, &outer))
+    return false;
+  // trailing data is not allowed
+  if (side_info.size())
+    return false;
+
+  base::StringPiece side_pin_bytes;
+  if (!GetTag(kTagSPIN, outer, &side_pin_bytes))
+    return false;
+
+  bool have_parsed_a_key = false;
+  uint8 leaf_spki_hash[crypto::kSHA256Length];
+  bool have_leaf_spki_hash = false;
+
+  while (side_pin_bytes.size() > 0) {
+    TagMap side_pin;
+    if (!ParseTags(&side_pin_bytes, &side_pin))
+      return false;
+
+    base::StringPiece algo, pubkey, sig;
+    if (!GetTag(kTagALGO, side_pin, &algo) ||
+        !GetTag(kTagPUBK, side_pin, &pubkey) ||
+        !GetTag(kTagSIG, side_pin, &sig)) {
+      return false;
+    }
+
+    if (algo.size() != sizeof(kTagP256) ||
+        0 != memcmp(algo.data(), &kTagP256, sizeof(kTagP256))) {
+      // We don't support anything but P256 at the moment.
+      continue;
+    }
+
+    if (!have_leaf_spki_hash) {
+      crypto::SHA256HashString(
+          leaf_spki.as_string(), leaf_spki_hash, sizeof(leaf_spki_hash));
+      have_leaf_spki_hash = true;
+    }
+
+    if (VerifySignature(pubkey, sig, base::StringPiece(
+        reinterpret_cast<const char*>(leaf_spki_hash),
+        sizeof(leaf_spki_hash)))) {
+      SHA1Fingerprint fpr;
+      base::SHA1HashBytes(
+          reinterpret_cast<const uint8*>(pubkey.data()),
+          pubkey.size(),
+          fpr.data);
+      out_pub_key_hash->push_back(fpr);
+      have_parsed_a_key = true;
+    }
+  }
+
+  return have_parsed_a_key;
+}
+
+// This function converts the binary hashes, which we store in
+// |enabled_hosts_|, to a base64 string which we can include in a JSON file.
+static std::string HashedDomainToExternalString(const std::string& hashed) {
+  std::string out;
+  CHECK(base::Base64Encode(hashed, &out));
+  return out;
+}
+
+// This inverts |HashedDomainToExternalString|, above. It turns an external
+// string (from a JSON file) into an internal (binary) string.
+static std::string ExternalStringToHashedDomain(const std::string& external) {
+  std::string out;
+  if (!base::Base64Decode(external, &out) ||
+      out.size() != crypto::kSHA256Length) {
+    return std::string();
+  }
+
+  return out;
+}
+
+static ListValue* SPKIHashesToListValue(const FingerprintVector& hashes) {
+  ListValue* pins = new ListValue;
+
+  for (FingerprintVector::const_iterator i = hashes.begin();
+       i != hashes.end(); ++i) {
+    std::string hash_str(reinterpret_cast<const char*>(i->data),
+                         sizeof(i->data));
+    std::string b64;
+    base::Base64Encode(hash_str, &b64);
+    pins->Append(new StringValue("sha1/" + b64));
+  }
+
+  return pins;
+}
+
+bool TransportSecurityState::Serialise(std::string* output) {
+  DCHECK(CalledOnValidThread());
+
+  DictionaryValue toplevel;
+  base::Time now = base::Time::Now();
+  for (std::map<std::string, DomainState>::const_iterator
+       i = enabled_hosts_.begin(); i != enabled_hosts_.end(); ++i) {
+    DictionaryValue* state = new DictionaryValue;
+    state->SetBoolean("include_subdomains", i->second.include_subdomains);
+    state->SetDouble("created", i->second.created.ToDoubleT());
+    state->SetDouble("expiry", i->second.expiry.ToDoubleT());
+    state->SetDouble("dynamic_spki_hashes_expiry",
+                     i->second.dynamic_spki_hashes_expiry.ToDoubleT());
+
+    switch (i->second.mode) {
+      case DomainState::MODE_STRICT:
+        state->SetString("mode", "strict");
+        break;
+      case DomainState::MODE_SPDY_ONLY:
+        state->SetString("mode", "spdy-only");
+        break;
+      case DomainState::MODE_PINNING_ONLY:
+        state->SetString("mode", "pinning-only");
+        break;
+      default:
+        NOTREACHED() << "DomainState with unknown mode";
+        delete state;
+        continue;
+    }
+
+    state->Set("preloaded_spki_hashes",
+               SPKIHashesToListValue(i->second.preloaded_spki_hashes));
+
+    if (now < i->second.dynamic_spki_hashes_expiry) {
+      state->Set("dynamic_spki_hashes",
+                 SPKIHashesToListValue(i->second.dynamic_spki_hashes));
+    }
+
+    toplevel.Set(HashedDomainToExternalString(i->first), state);
+  }
+
+  base::JSONWriter::WriteWithOptions(&toplevel,
+                                     base::JSONWriter::OPTIONS_PRETTY_PRINT,
+                                     output);
+  return true;
+}
+
+bool TransportSecurityState::LoadEntries(const std::string& input,
+                                         bool* dirty) {
+  DCHECK(CalledOnValidThread());
+
+  enabled_hosts_.clear();
+  return Deserialise(input, dirty, &enabled_hosts_);
+}
+
+static bool AddHash(const std::string& type_and_base64,
+                    FingerprintVector* out) {
+  SHA1Fingerprint hash;
+
+  if (!TransportSecurityState::ParsePin(type_and_base64, &hash))
+    return false;
+
+  out->push_back(hash);
+  return true;
+}
+
+static void SPKIHashesFromListValue(FingerprintVector* hashes,
+                                    const ListValue& pins) {
+  size_t num_pins = pins.GetSize();
+  for (size_t i = 0; i < num_pins; ++i) {
+    std::string type_and_base64;
+    if (pins.GetString(i, &type_and_base64))
+      AddHash(type_and_base64, hashes);
+  }
+}
+
+// static
+bool TransportSecurityState::Deserialise(
+    const std::string& input,
+    bool* dirty,
+    std::map<std::string, DomainState>* out) {
+  scoped_ptr<Value> value(
+      base::JSONReader::Read(input, false /* do not allow trailing commas */));
+  if (!value.get() || !value->IsType(Value::TYPE_DICTIONARY))
+    return false;
+
+  DictionaryValue* dict_value = reinterpret_cast<DictionaryValue*>(value.get());
+  const base::Time current_time(base::Time::Now());
+  bool dirtied = false;
+
+  for (DictionaryValue::key_iterator i = dict_value->begin_keys();
+       i != dict_value->end_keys(); ++i) {
+    DictionaryValue* state;
+    if (!dict_value->GetDictionaryWithoutPathExpansion(*i, &state))
+      continue;
+
+    bool include_subdomains;
+    std::string mode_string;
+    double created;
+    double expiry;
+    double dynamic_spki_hashes_expiry = 0.0;
+
+    if (!state->GetBoolean("include_subdomains", &include_subdomains) ||
+        !state->GetString("mode", &mode_string) ||
+        !state->GetDouble("expiry", &expiry)) {
+      continue;
+    }
+
+    // Don't fail if this key is not present.
+    (void) state->GetDouble("dynamic_spki_hashes_expiry",
+                            &dynamic_spki_hashes_expiry);
+
+    ListValue* pins_list = NULL;
+    FingerprintVector preloaded_spki_hashes;
+    if (state->GetList("preloaded_spki_hashes", &pins_list))
+      SPKIHashesFromListValue(&preloaded_spki_hashes, *pins_list);
+
+    FingerprintVector dynamic_spki_hashes;
+    if (state->GetList("dynamic_spki_hashes", &pins_list))
+      SPKIHashesFromListValue(&dynamic_spki_hashes, *pins_list);
+
+    DomainState::Mode mode;
+    if (mode_string == "strict") {
+      mode = DomainState::MODE_STRICT;
+    } else if (mode_string == "spdy-only") {
+      mode = DomainState::MODE_SPDY_ONLY;
+    } else if (mode_string == "pinning-only") {
+      mode = DomainState::MODE_PINNING_ONLY;
+    } else {
+      LOG(WARNING) << "Unknown TransportSecurityState mode string found: "
+                   << mode_string;
+      continue;
+    }
+
+    base::Time expiry_time = base::Time::FromDoubleT(expiry);
+    base::Time dynamic_spki_hashes_expiry_time =
+        base::Time::FromDoubleT(dynamic_spki_hashes_expiry);
+    base::Time created_time;
+    if (state->GetDouble("created", &created)) {
+      created_time = base::Time::FromDoubleT(created);
+    } else {
+      // We're migrating an old entry with no creation date. Make sure we
+      // write the new date back in a reasonable time frame.
+      dirtied = true;
+      created_time = base::Time::Now();
+    }
+
+    if (expiry_time <= current_time &&
+        dynamic_spki_hashes_expiry_time <= current_time) {
+      // Make sure we dirty the state if we drop an entry.
+      dirtied = true;
+      continue;
+    }
+
+    std::string hashed = ExternalStringToHashedDomain(*i);
+    if (hashed.empty()) {
+      dirtied = true;
+      continue;
+    }
+
+    DomainState new_state;
+    new_state.mode = mode;
+    new_state.created = created_time;
+    new_state.expiry = expiry_time;
+    new_state.include_subdomains = include_subdomains;
+    new_state.preloaded_spki_hashes = preloaded_spki_hashes;
+    new_state.dynamic_spki_hashes = dynamic_spki_hashes;
+    new_state.dynamic_spki_hashes_expiry = dynamic_spki_hashes_expiry_time;
+    (*out)[hashed] = new_state;
+  }
+
+  *dirty = dirtied;
+  return true;
+}
+
+TransportSecurityState::~TransportSecurityState() {
+}
+
+void TransportSecurityState::DirtyNotify() {
+  DCHECK(CalledOnValidThread());
+
+  if (delegate_)
+    delegate_->StateIsDirty(this);
+}
+
+// static
+std::string TransportSecurityState::CanonicalizeHost(const std::string& host) {
+  // We cannot perform the operations as detailed in the spec here as |host|
+  // has already undergone IDN processing before it reached us. Thus, we check
+  // that there are no invalid characters in the host and lowercase the result.
+
+  std::string new_host;
+  if (!DNSDomainFromDot(host, &new_host)) {
+    // DNSDomainFromDot can fail if any label is > 63 bytes or if the whole
+    // name is >255 bytes. However, search terms can have those properties.
+    return std::string();
+  }
+
+  for (size_t i = 0; new_host[i]; i += new_host[i] + 1) {
+    const unsigned label_length = static_cast<unsigned>(new_host[i]);
+    if (!label_length)
+      break;
+
+    for (size_t j = 0; j < label_length; ++j) {
+      // RFC 3490, 4.1, step 3
+      if (!IsSTD3ASCIIValidCharacter(new_host[i + 1 + j]))
+        return std::string();
+
+      new_host[i + 1 + j] = tolower(new_host[i + 1 + j]);
+    }
+
+    // step 3(b)
+    if (new_host[i + 1] == '-' ||
+        new_host[i + label_length] == '-') {
+      return std::string();
+    }
+  }
+
+  return new_host;
+}
+
+// |ReportUMAOnPinFailure| uses these to report which domain was associated
+// with the public key pinning failure.
+//
+// DO NOT CHANGE THE ORDERING OF THESE NAMES OR REMOVE ANY OF THEM. Add new
+// domains at the END of the listing (but before DOMAIN_NUM_EVENTS).
+enum SecondLevelDomainName {
+  DOMAIN_NOT_PINNED,
+
+  DOMAIN_GOOGLE_COM,
+  DOMAIN_ANDROID_COM,
+  DOMAIN_GOOGLE_ANALYTICS_COM,
+  DOMAIN_GOOGLEPLEX_COM,
+  DOMAIN_YTIMG_COM,
+  DOMAIN_GOOGLEUSERCONTENT_COM,
+  DOMAIN_YOUTUBE_COM,
+  DOMAIN_GOOGLEAPIS_COM,
+  DOMAIN_GOOGLEADSERVICES_COM,
+  DOMAIN_GOOGLECODE_COM,
+  DOMAIN_APPSPOT_COM,
+  DOMAIN_GOOGLESYNDICATION_COM,
+  DOMAIN_DOUBLECLICK_NET,
+  DOMAIN_GSTATIC_COM,
+  DOMAIN_GMAIL_COM,
+  DOMAIN_GOOGLEMAIL_COM,
+  DOMAIN_GOOGLEGROUPS_COM,
+
+  DOMAIN_TORPROJECT_ORG,
+
+  DOMAIN_TWITTER_COM,
+  DOMAIN_TWIMG_COM,
+
+  DOMAIN_AKAMAIHD_NET,
+
+  // Boundary value for UMA_HISTOGRAM_ENUMERATION:
+  DOMAIN_NUM_EVENTS
+};
+
+// PublicKeyPins contains a number of SubjectPublicKeyInfo hashes for a site.
+// The validated certificate chain for the site must not include any of
+// |excluded_hashes| and must include one or more of |required_hashes|.
+struct PublicKeyPins {
+  const char* const* required_hashes;
+  const char* const* excluded_hashes;
+};
+
+struct HSTSPreload {
+  uint8 length;
+  bool include_subdomains;
+  char dns_name[30];
+  bool https_required;
+  PublicKeyPins pins;
+  SecondLevelDomainName second_level_domain_name;
+};
+
+static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
+                       const std::string& canonicalized_host, size_t i,
+                       TransportSecurityState::DomainState* out, bool* ret) {
+  for (size_t j = 0; j < num_entries; j++) {
+    if (entries[j].length == canonicalized_host.size() - i &&
+        memcmp(entries[j].dns_name, &canonicalized_host[i],
+               entries[j].length) == 0) {
+      if (!entries[j].include_subdomains && i != 0) {
+        *ret = false;
+      } else {
+        out->include_subdomains = entries[j].include_subdomains;
+        *ret = true;
+        if (!entries[j].https_required)
+          out->mode = TransportSecurityState::DomainState::MODE_PINNING_ONLY;
+        if (entries[j].pins.required_hashes) {
+          const char* const* hash = entries[j].pins.required_hashes;
+          while (*hash) {
+            bool ok = AddHash(*hash, &out->preloaded_spki_hashes);
+            DCHECK(ok) << " failed to parse " << *hash;
+            hash++;
+          }
+        }
+        if (entries[j].pins.excluded_hashes) {
+          const char* const* hash = entries[j].pins.excluded_hashes;
+          while (*hash) {
+            bool ok = AddHash(*hash, &out->bad_preloaded_spki_hashes);
+            DCHECK(ok) << " failed to parse " << *hash;
+            hash++;
+          }
+        }
+      }
+      return true;
+    }
+  }
+  return false;
+}
 
 // kNoRejectedPublicKeys is a placeholder for when no public keys are rejected.
 static const char* const kNoRejectedPublicKeys[] = {
   NULL,
 };
 
-static const char* const kTestAcceptableCerts[] = {
-  kSPKIHash_TestSPKI,
-  NULL,
-};
-#define kTestPins { \
-  kTestAcceptableCerts, \
-  kNoRejectedPublicKeys, \
-}
-
 static const char* const kGoogleAcceptableCerts[] = {
   kSPKIHash_VeriSignClass3,
   kSPKIHash_VeriSignClass3_G3,
   kSPKIHash_Google1024,
   kSPKIHash_Google2048,
   kSPKIHash_EquifaxSecureCA,
   NULL,
 };
 static const char* const kGoogleRejectedCerts[] = {
   kSPKIHash_Aetna,
@@ skipping 40 matching lines @@
   kSPKIHash_GeoTrustPrimary_G2,
   kSPKIHash_GeoTrustPrimary_G3,
   kSPKIHash_Twitter1,
   NULL,
 };
 #define kTwitterComPins { \
   kTwitterComAcceptableCerts, \
   kNoRejectedPublicKeys, \
 }
 
+// kTwitterCDNAcceptableCerts are the set of public keys valid for Twitter's
+// CDNs, which includes all the keys from kTwitterComAcceptableCerts.
 static const char* const kTwitterCDNAcceptableCerts[] = {
   kSPKIHash_VeriSignClass1,
   kSPKIHash_VeriSignClass3,
   kSPKIHash_VeriSignClass3_G4,
   kSPKIHash_VeriSignClass4_G3,
   kSPKIHash_VeriSignClass3_G3,
   kSPKIHash_VeriSignClass1_G3,
   kSPKIHash_VeriSignClass2_G3,
   kSPKIHash_VeriSignClass3_G2,
   kSPKIHash_VeriSignClass2_G2,
   kSPKIHash_VeriSignClass3_G5,
   kSPKIHash_VeriSignUniversal,
   kSPKIHash_GeoTrustGlobal,
   kSPKIHash_GeoTrustGlobal2,
   kSPKIHash_GeoTrustUniversal,
   kSPKIHash_GeoTrustUniversal2,
   kSPKIHash_GeoTrustPrimary,
   kSPKIHash_GeoTrustPrimary_G2,
   kSPKIHash_GeoTrustPrimary_G3,
   kSPKIHash_Twitter1,
+
   kSPKIHash_Entrust_2048,
   kSPKIHash_Entrust_EV,
   kSPKIHash_Entrust_G2,
   kSPKIHash_Entrust_SSL,
   kSPKIHash_AAACertificateServices,
   kSPKIHash_AddTrustClass1CARoot,
   kSPKIHash_AddTrustExternalCARoot,
   kSPKIHash_AddTrustPublicCARoot,
   kSPKIHash_AddTrustQualifiedCARoot,
   kSPKIHash_COMODOCertificationAuthority,
   kSPKIHash_SecureCertificateServices,
   kSPKIHash_TrustedCertificateServices,
   kSPKIHash_UTNDATACorpSGC,
   kSPKIHash_UTNUSERFirstClientAuthenticationandEmail,
   kSPKIHash_UTNUSERFirstHardware,
   kSPKIHash_UTNUSERFirstObject,
   kSPKIHash_GTECyberTrustGlobalRoot,
   NULL,
 };
 #define kTwitterCDNPins { \
   kTwitterCDNAcceptableCerts, \
   kNoRejectedPublicKeys, \
 }
 
-#define kNoPins {\
+// kTestAcceptableCerts doesn't actually match any public keys and is used
+// with "pinningtest.appspot.com", below, to test if pinning is active.
+static const char* const kTestAcceptableCerts[] = {
+  "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+  NULL,
+};
+#define kTestPins { \
+  kTestAcceptableCerts, \
+  kNoRejectedPublicKeys, \
+}
+
+#define kNoPins { \
   NULL, NULL, \
 }
 
+#if defined(OS_CHROMEOS)
+  static const bool kTwitterHSTS = true;
+#else
+  static const bool kTwitterHSTS = false;
+#endif
+
+// In the medium term this list is likely to just be hardcoded here. This
+// slightly odd form removes the need for additional relocations records.
 static const struct HSTSPreload kPreloadedSTS[] = {
+  // (*.)google.com, iff using SSL must use an acceptable certificate.
+  {12, true, "\006google\003com", false, kGooglePins, DOMAIN_GOOGLE_COM },
   {25, true, "\013pinningtest\007appspot\003com", false, kTestPins, DOMAIN_APPSPOT_COM },
-  {12, true, "\006google\003com", false, kGooglePins, DOMAIN_GOOGLE_COM },
-  {19, true, "\006health\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
+  // Now we force HTTPS for subtrees of google.com.
+  {19, true, "\006health\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM  },
   {21, true, "\010checkout\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {19, true, "\006chrome\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {17, true, "\004docs\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {18, true, "\005sites\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {25, true, "\014spreadsheets\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {22, false, "\011appengine\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {22, true, "\011encrypted\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {21, true, "\010accounts\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {21, true, "\010profiles\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {17, true, "\004mail\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {23, true, "\012talkgadget\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {17, true, "\004talk\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {29, true, "\020hostedtalkgadget\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {17, true, "\004plus\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
+  // Other Google-related domains that must use HTTPS.
   {20, true, "\006market\007android\003com", true, kGooglePins, DOMAIN_ANDROID_COM },
   {26, true, "\003ssl\020google-analytics\003com", true, kGooglePins, DOMAIN_GOOGLE_ANALYTICS_COM },
   {18, true, "\005drive\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {16, true, "\012googleplex\003com", true, kGooglePins, DOMAIN_GOOGLEPLEX_COM },
   {19, true, "\006groups\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {17, true, "\004apis\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
-  {23, true, "\005chart\004apis\006google\003com", false, kGooglePins, DOMAIN_GOOGLE_COM },
+  // chart.apis.google.com is *not* HSTS because the certificate doesn't match
+  // and there are lots of links out there that still use the name. The correct
+  // hostname for this is chart.googleapis.com.
+  {23, true, "\005chart\004apis\006google\003com", false, kGooglePins, DOMAIN_GOOGLE_COM},
+
+  // Other Google-related domains that must use an acceptable certificate
+  // iff using SSL.
   {11, true, "\005ytimg\003com", false, kGooglePins, DOMAIN_YTIMG_COM },
   {23, true, "\021googleusercontent\003com", false, kGooglePins, DOMAIN_GOOGLEUSERCONTENT_COM },
   {13, true, "\007youtube\003com", false, kGooglePins, DOMAIN_YOUTUBE_COM },
   {16, true, "\012googleapis\003com", false, kGooglePins, DOMAIN_GOOGLEAPIS_COM },
   {22, true, "\020googleadservices\003com", false, kGooglePins, DOMAIN_GOOGLEADSERVICES_COM },
   {16, true, "\012googlecode\003com", false, kGooglePins, DOMAIN_GOOGLECODE_COM },
   {13, true, "\007appspot\003com", false, kGooglePins, DOMAIN_APPSPOT_COM },
   {23, true, "\021googlesyndication\003com", false, kGooglePins, DOMAIN_GOOGLESYNDICATION_COM },
   {17, true, "\013doubleclick\003net", false, kGooglePins, DOMAIN_DOUBLECLICK_NET },
   {17, true, "\003ssl\007gstatic\003com", false, kGooglePins, DOMAIN_GSTATIC_COM },
+  // Exclude the learn.doubleclick.net subdomain because it uses a different
+  // CA.
   {23, true, "\005learn\013doubleclick\003net", false, kNoPins, DOMAIN_NOT_PINNED },
+  // Now we force HTTPS for other sites that have requested it.
   {16, false, "\003www\006paypal\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {16, false, "\003www\006elanex\003biz", true, kNoPins, DOMAIN_NOT_PINNED },
-  {12, true, "\006jottit\003com", true, kNoPins, DOMAIN_NOT_PINNED },
-  {19, true, "\015sunshinepress\003org", true, kNoPins, DOMAIN_NOT_PINNED },
+  {12, true,  "\006jottit\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {19, true,  "\015sunshinepress\003org", true, kNoPins, DOMAIN_NOT_PINNED },
   {21, false, "\003www\013noisebridge\003net", true, kNoPins, DOMAIN_NOT_PINNED },
   {10, false, "\004neg9\003org", true, kNoPins, DOMAIN_NOT_PINNED },
   {12, true, "\006riseup\003net", true, kNoPins, DOMAIN_NOT_PINNED },
   {11, false, "\006factor\002cc", true, kNoPins, DOMAIN_NOT_PINNED },
   {22, false, "\007members\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED },
   {22, false, "\007support\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED },
   {17, false, "\002id\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED },
   {20, false, "\005lists\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED },
   {19, true, "\015splendidbacon\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {28, false, "\016aladdinschools\007appspot\003com", true, kNoPins, DOMAIN_NOT_PINNED },
@@ skipping 32 matching lines @@
   {10, false, "\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED },
   {14, false, "\003www\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED },
   {17, true, "\003app\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {17, true, "\003api\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {13, false, "\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {17, false, "\003www\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {27, true, "\006luneta\016nearbuysystems\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {12, true, "\006ubertt\003org", true, kNoPins, DOMAIN_NOT_PINNED },
   {9, true, "\004pixi\002me", true, kNoPins, DOMAIN_NOT_PINNED },
   {14, true, "\010grepular\003com", true, kNoPins, DOMAIN_NOT_PINNED },
-  {16, false, "\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
-  {20, false, "\003www\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
-  {26, false, "\011developer\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
-  {30, false, "\003www\011developer\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
-  {24, false, "\007sandbox\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
-  {28, false, "\003www\007sandbox\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {16, false , "\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {20, false , "\003www\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {26, false , "\011developer\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {30, false , "\003www\011developer\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {24, false , "\007sandbox\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {28, false , "\003www\007sandbox\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {12, true, "\006crypto\003cat", true, kNoPins, DOMAIN_NOT_PINNED },
   {25, true, "\014bigshinylock\006minazo\003net", true, kNoPins, DOMAIN_NOT_PINNED },
   {10, true, "\005crate\002io", true, kNoPins, DOMAIN_NOT_PINNED },
-  {13, false, "\007twitter\003com", false, kTwitterComPins, DOMAIN_TWITTER_COM },
-  {17, true, "\003www\007twitter\003com", false, kTwitterComPins, DOMAIN_TWITTER_COM },
-  {17, true, "\003api\007twitter\003com", false, kTwitterCDNPins, DOMAIN_TWITTER_COM },
-  {19, true, "\005oauth\007twitter\003com", false, kTwitterComPins, DOMAIN_TWITTER_COM },
-  {20, true, "\006mobile\007twitter\003com", false, kTwitterComPins, DOMAIN_TWITTER_COM },
-  {17, true, "\003dev\007twitter\003com", false, kTwitterComPins, DOMAIN_TWITTER_COM },
-  {22, true, "\010business\007twitter\003com", false, kTwitterComPins, DOMAIN_TWITTER_COM },
+
+  {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComPins, DOMAIN_TWITTER_COM },
+  {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComPins, DOMAIN_TWITTER_COM },
+  {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterCDNPins, DOMAIN_TWITTER_COM },
+  {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComPins, DOMAIN_TWITTER_COM },
+  {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComPins, DOMAIN_TWITTER_COM },
+  {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComPins, DOMAIN_TWITTER_COM },
+  {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComPins, DOMAIN_TWITTER_COM },
   {22, true, "\010platform\007twitter\003com", false, kTwitterCDNPins, DOMAIN_TWITTER_COM },
   {15, true, "\003si0\005twimg\003com", false, kTwitterCDNPins, DOMAIN_TWIMG_COM },
   {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNPins, DOMAIN_AKAMAIHD_NET },
 };
 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 
 static const struct HSTSPreload kPreloadedSNISTS[] = {
+  // These SNI-only domains must always use HTTPS.
   {11, false, "\005gmail\003com", true, kGooglePins, DOMAIN_GMAIL_COM },
   {16, false, "\012googlemail\003com", true, kGooglePins, DOMAIN_GOOGLEMAIL_COM },
   {15, false, "\003www\005gmail\003com", true, kGooglePins, DOMAIN_GMAIL_COM },
   {20, false, "\003www\012googlemail\003com", true, kGooglePins, DOMAIN_GOOGLEMAIL_COM },
+  // These SNI-only domains must use an acceptable certificate iff using
+  // HTTPS.
   {22, true, "\020google-analytics\003com", false, kGooglePins, DOMAIN_GOOGLE_ANALYTICS_COM },
+  // www. requires SNI.
   {18, true, "\014googlegroups\003com", false, kGooglePins, DOMAIN_GOOGLEGROUPS_COM },
 };
 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
 
-#endif // NET_BASE_TRANSPORT_SECURITY_STATE_STATIC_H_
+// Returns the HSTSPreload entry for the |canonicalized_host| in |entries|,
+// or NULL if there is none. Prefers exact hostname matches to those that
+// match only because HSTSPreload.include_subdomains is true.
+//
+// |canonicalized_host| should be the hostname as canonicalized by
+// CanonicalizeHost.
+static const struct HSTSPreload* GetHSTSPreload(
+    const std::string& canonicalized_host,
+    const struct HSTSPreload* entries,
+    size_t num_entries) {
+  for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
+    for (size_t j = 0; j < num_entries; j++) {
+      const struct HSTSPreload* entry = entries + j;
+
+      if (i != 0 && !entry->include_subdomains)
+        continue;
+
+      if (entry->length == canonicalized_host.size() - i &&
+          memcmp(entry->dns_name, &canonicalized_host[i], entry->length) == 0) {
+        return entry;
+      }
+    }
+  }
+
+  return NULL;
+}
+
+// static
+bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
+                                                    bool sni_available) {
+  std::string canonicalized_host = CanonicalizeHost(host);
+  const struct HSTSPreload* entry =
+      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
+
+  if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
+    return true;
+
+  if (sni_available) {
+    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
+                           kNumPreloadedSNISTS);
+    if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
+      return true;
+  }
+
+  return false;
+}
+
+// static
+void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
+  std::string canonicalized_host = CanonicalizeHost(host);
+
+  const struct HSTSPreload* entry =
+      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
+
+  if (!entry) {
+    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
+                           kNumPreloadedSNISTS);
+  }
+
+  DCHECK(entry);
+  DCHECK(entry->pins.required_hashes);
+  DCHECK(entry->second_level_domain_name != DOMAIN_NOT_PINNED);
+
+  UMA_HISTOGRAM_ENUMERATION("Net.PublicKeyPinFailureDomain",
+                            entry->second_level_domain_name, DOMAIN_NUM_EVENTS);
+}
+
+// IsPreloadedSTS returns true if the canonicalized hostname should always be
+// considered to have STS enabled.
+bool TransportSecurityState::IsPreloadedSTS(
+    const std::string& canonicalized_host,
+    bool sni_available,
+    DomainState* out) {
+  DCHECK(CalledOnValidThread());
+
+  out->preloaded = true;
+  out->mode = DomainState::MODE_STRICT;
+  out->include_subdomains = false;
+
+  for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
+    std::string host_sub_chunk(&canonicalized_host[i],
+                               canonicalized_host.size() - i);
+    out->domain = DNSDomainToString(host_sub_chunk);
+    std::string hashed_host(HashHost(host_sub_chunk));
+    if (forced_hosts_.find(hashed_host) != forced_hosts_.end()) {
+      *out = forced_hosts_[hashed_host];
+      out->domain = DNSDomainToString(host_sub_chunk);
+      out->preloaded = true;
+      return true;
+    }
+    bool ret;
+    if (HasPreload(kPreloadedSTS, kNumPreloadedSTS, canonicalized_host, i, out,
+                   &ret)) {
+      return ret;
+    }
+    if (sni_available &&
+        HasPreload(kPreloadedSNISTS, kNumPreloadedSNISTS, canonicalized_host, i,
+                   out, &ret)) {
+      return ret;
+    }
+  }
+
+  return false;
+}
+
+static std::string HashesToBase64String(
+    const FingerprintVector& hashes) {
+  std::vector<std::string> hashes_strs;
+  for (FingerprintVector::const_iterator
+       i = hashes.begin(); i != hashes.end(); i++) {
+    std::string s;
+    const std::string hash_str(reinterpret_cast<const char*>(i->data),
+                               sizeof(i->data));
+    base::Base64Encode(hash_str, &s);
+    hashes_strs.push_back(s);
+  }
+
+  return JoinString(hashes_strs, ',');
+}
+
+TransportSecurityState::DomainState::DomainState()
+    : mode(MODE_STRICT),
+      created(base::Time::Now()),
+      include_subdomains(false),
+      preloaded(false) {
+}
+
+TransportSecurityState::DomainState::~DomainState() {
+}
+
+bool TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted(
+    const FingerprintVector& hashes) {
+
+  if (HashesIntersect(bad_preloaded_spki_hashes, hashes)) {
+    LOG(ERROR) << "Rejecting public key chain for domain " << domain
+               << ". Validated chain: " << HashesToBase64String(hashes)
+               << ", matches one or more bad hashes: "
+               << HashesToBase64String(bad_preloaded_spki_hashes);
+    return false;
+  }
+
+  if (!(dynamic_spki_hashes.empty() && preloaded_spki_hashes.empty()) &&
+      !HashesIntersect(dynamic_spki_hashes, hashes) &&
+      !HashesIntersect(preloaded_spki_hashes, hashes)) {
+    LOG(ERROR) << "Rejecting public key chain for domain " << domain
+               << ". Validated chain: " << HashesToBase64String(hashes)
+               << ", expected: " << HashesToBase64String(dynamic_spki_hashes)
+               << " or: " << HashesToBase64String(preloaded_spki_hashes);
+
+    return false;
+  }
+
+  return true;
+}
+
+bool TransportSecurityState::DomainState::IsMoreStrict(
+    const TransportSecurityState::DomainState& other) {
+  if (this->dynamic_spki_hashes.empty() && !other.dynamic_spki_hashes.empty())
+    return false;
+
+  if (!this->include_subdomains && other.include_subdomains)
+    return false;
+
+  return true;
+}
+
+bool TransportSecurityState::DomainState::ShouldRedirectHTTPToHTTPS()
+    const {
+  return mode == MODE_STRICT;
+}
+
+}  // namespace