Revert 149261 - Support SHA-256 in public key pins for HTTPS.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 113 matching lines @@
 // set on Windows XP without error. There is some overhead from the server
 // sending the OCSP response if it supports the extension, for the subset of
 // XP clients who will request it but be unable to use it, but this is an
 // acceptable trade-off for simplicity of implementation.
 static bool IsOCSPStaplingSupported() {
   return true;
 }
 #elif defined(USE_NSS)
 typedef SECStatus
 (*CacheOCSPResponseFromSideChannelFunction)(
-    CERTCertDBHandle* handle, CERTCertificate* cert, PRTime time,
-    SECItem* encodedResponse, void* pwArg);
+    CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
+    SECItem *encodedResponse, void *pwArg);
 
 // On Linux, we dynamically link against the system version of libnss3.so. In
 // order to continue working on systems without up-to-date versions of NSS we
 // lookup CERT_CacheOCSPResponseFromSideChannel with dlsym.
 
 // RuntimeLibNSSFunctionPointers is a singleton which caches the results of any
 // runtime symbol resolution that we need.
 class RuntimeLibNSSFunctionPointers {
  public:
   CacheOCSPResponseFromSideChannelFunction
@@ skipping 2610 matching lines @@
   if (core_->state().server_cert_chain.empty() ||
       !core_->state().server_cert_chain[0]) {
     return false;
   }
 
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   ssl_info->cert = server_cert_verify_result_.verified_cert;
   ssl_info->connection_status =
       core_->state().ssl_connection_status;
   ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
-  // TODO(palmer) TODO(agl): Do side pins need to be in both SHA1 and SHA256
-  // forms? If consumers of side pins only care about SHA1, it is OK to put
-  // them only in the HASH_VALUE_SHA1 vector.
-  HashValueVector& sha1_hashes =
-      ssl_info->public_key_hashes[HASH_VALUE_SHA1];
-  for (HashValueVector::const_iterator i = side_pinned_public_keys_.begin();
-       i != side_pinned_public_keys_.end(); ++i) {
-    sha1_hashes.push_back(*i);
+  for (std::vector<SHA1Fingerprint>::const_iterator
+       i = side_pinned_public_keys_.begin();
+       i != side_pinned_public_keys_.end(); i++) {
+    ssl_info->public_key_hashes.push_back(*i);
   }
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_.is_issued_by_known_root;
   ssl_info->client_cert_sent =
       ssl_config_.send_client_cert && ssl_config_.client_cert;
   ssl_info->channel_id_sent = WasChannelIDSent();
 
   PRUint16 cipher_suite = SSLConnectionStatusToCipherSuite(
       core_->state().ssl_connection_status);
   SSLCipherSuiteInfo cipher_info;
@@ skipping 664 matching lines @@
     bool sni_available =
         ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
         ssl_config_.version_fallback;
     const std::string& host = host_and_port_.host();
 
     TransportSecurityState::DomainState domain_state;
     if (transport_security_state_->GetDomainState(host, sni_available,
                                                   &domain_state) &&
         domain_state.HasPins()) {
       if (!domain_state.IsChainOfPublicKeysPermitted(
                server_cert_verify_result_.public_key_hashes)) {

[wtc, 2012/08/01 22:06:33]

server_cert_verify_result_.public_key_hashes is a vector of
vectors (std::vector<HashValueVector>), so we'll need to
take an element of the outer vector here.

         const base::Time build_time = base::GetBuildTime();
         // Pins are not enforced if the build is sufficiently old. Chrome
         // users should get updates every six weeks or so, but it's possible
         // that some users will stop getting updates for some reason. We
         // don't want those users building up as a pool of people with bad
         // pins.
         if ((base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */) {
           result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
           UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
           TransportSecurityState::ReportUMAOnPinFailure(host);
@@ skipping 54 matching lines @@
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net