Revert "Revert "net: reenable Twitter's public key pins with api.twitter.com using the CDN pins.""

This relands r113203, which was reverted in r113229. Hopefully the ChromeOS
bots will be happy this time.

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@113398 0039d316-1c4b-4281-b951-d872f2087c98

net/base/public_key_hashes_check.go

@@ -53,6 +53,12 @@ func matchNames(name, v string) error {
 	if strings.HasSuffix(firstWord, ",") {
 		firstWord = firstWord[:len(firstWord)-1]
 	}
+	if pos := strings.Index(firstWord, "."); pos != -1 {
+		firstWord = firstWord[:pos]
+	}
+	if pos := strings.Index(firstWord, "-"); pos != -1 {
+		firstWord = firstWord[:pos]
+	}
 	if !strings.HasPrefix(v, firstWord) {
 		return errors.New("The first word of the certificate name isn't a prefix of the variable name")
 	}
@@ -135,7 +141,7 @@ func main() {
 			trimmed = trimmed[6 : len(trimmed)-2]
 			h := sha1.New()
 			h.Write(x509Cert.RawSubjectPublicKeyInfo)
-			shouldBe := base64.StdEncoding.EncodeToString(h.Sum())
+			shouldBe := base64.StdEncoding.EncodeToString(h.Sum(nil))
 			if shouldBe != string(trimmed) {
 				fmt.Fprintf(os.Stderr, "Line %d: hash should be %s, but found %s\n", lineNo, shouldBe, trimmed)
 				return

net/base/transport_security_state.cc

@@ -968,6 +968,53 @@ static const char* const kTwitterComAcceptableCerts[] = {
   kNoRejectedPublicKeys, \
 }
 
+// kTwitterCDNAcceptableCerts are the set of public keys valid for Twitter's
+// CDNs, which includes all the keys from kTwitterComAcceptableCerts.
+static const char* const kTwitterCDNAcceptableCerts[] = {
+  kSPKIHash_VeriSignClass1,
+  kSPKIHash_VeriSignClass3,
+  kSPKIHash_VeriSignClass3_G4,
+  kSPKIHash_VeriSignClass4_G3,
+  kSPKIHash_VeriSignClass3_G3,
+  kSPKIHash_VeriSignClass1_G3,
+  kSPKIHash_VeriSignClass2_G3,
+  kSPKIHash_VeriSignClass3_G2,
+  kSPKIHash_VeriSignClass2_G2,
+  kSPKIHash_VeriSignClass3_G5,
+  kSPKIHash_VeriSignUniversal,
+  kSPKIHash_GeoTrustGlobal,
+  kSPKIHash_GeoTrustGlobal2,
+  kSPKIHash_GeoTrustUniversal,
+  kSPKIHash_GeoTrustUniversal2,
+  kSPKIHash_GeoTrustPrimary,
+  kSPKIHash_GeoTrustPrimary_G2,
+  kSPKIHash_GeoTrustPrimary_G3,
+  kSPKIHash_Twitter1,
+
+  kSPKIHash_Entrust_2048,
+  kSPKIHash_Entrust_EV,
+  kSPKIHash_Entrust_G2,
+  kSPKIHash_Entrust_SSL,
+  kSPKIHash_AAACertificateServices,
+  kSPKIHash_AddTrustClass1CARoot,
+  kSPKIHash_AddTrustExternalCARoot,
+  kSPKIHash_AddTrustPublicCARoot,
+  kSPKIHash_AddTrustQualifiedCARoot,
+  kSPKIHash_COMODOCertificationAuthority,
+  kSPKIHash_SecureCertificateServices,
+  kSPKIHash_TrustedCertificateServices,
+  kSPKIHash_UTNDATACorpSGC,
+  kSPKIHash_UTNUSERFirstClientAuthenticationandEmail,
+  kSPKIHash_UTNUSERFirstHardware,
+  kSPKIHash_UTNUSERFirstObject,
+  kSPKIHash_GTECyberTrustGlobalRoot,
+  NULL,
+};
+#define kTwitterCDNPins { \
+  kTwitterCDNAcceptableCerts, \
+  kNoRejectedPublicKeys, \
+}
+
 // kTestAcceptableCerts doesn't actually match any public keys and is used
 // with "pinningtest.appspot.com", below, to test if pinning is active.
 static const char* const kTestAcceptableCerts[] = {
@@ -1132,14 +1179,13 @@ static const struct HSTSPreload kPreloadedSTS[] = {
       DOMAIN_NOT_PINNED },
   {12, true, "\006ubertt\003org", true, kNoPins, DOMAIN_NOT_PINNED },
 
-#if 0
   // Twitter pins disabled in order to track down pinning failures --agl
   {13, false, "\007twitter\003com", kTwitterHSTS,
       kTwitterComPins, DOMAIN_TWITTER_COM },
   {17, true, "\003www\007twitter\003com", kTwitterHSTS,
       kTwitterComPins, DOMAIN_TWITTER_COM },
   {17, true, "\003api\007twitter\003com", kTwitterHSTS,
-      kTwitterComPins, DOMAIN_TWITTER_COM },
+      kTwitterCDNPins, DOMAIN_TWITTER_COM },
   {19, true, "\005oauth\007twitter\003com", kTwitterHSTS,
       kTwitterComPins, DOMAIN_TWITTER_COM },
   {20, true, "\006mobile\007twitter\003com", kTwitterHSTS,
@@ -1154,7 +1200,6 @@ static const struct HSTSPreload kPreloadedSTS[] = {
       DOMAIN_TWIMG_COM },
   {23, true, "\010twimg0-a\010akamaihd\003net", false,
       kTwitterCDNPins, DOMAIN_AKAMAIHD_NET },
-#endif
 };
 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 

net/base/transport_security_state_unittest.cc

@@ -580,18 +580,15 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
   EXPECT_TRUE(ShouldRedirect("ubertt.org"));
   EXPECT_TRUE(ShouldRedirect("foo.ubertt.org"));
 
-#if 0
-  // Currently disabled to debug Twitter public key pins  --agl
 #if defined(OS_CHROMEOS)
-  EXPECT_TRUE(state.GetDomainState(&domain_state,
-                                   "twitter.com",
-                                   false));
+  static const bool kTwitterHSTS = true;
 #else
-  EXPECT_FALSE(state.GetDomainState(&domain_state,
-                                      "twitter.com",
-                                      false));
-#endif
+  static const bool kTwitterHSTS = false;
 #endif
+
+  EXPECT_EQ(kTwitterHSTS, ShouldRedirect("twitter.com"));
+  EXPECT_EQ(kTwitterHSTS, ShouldRedirect("www.twitter.com"));
+  EXPECT_TRUE(HasPins("www.twitter.com"));
 }
 
 TEST_F(TransportSecurityStateTest, LongNames) {
@@ -692,7 +689,6 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
                                    true));
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "www.googleplex.com", true));
 
-#if 0
   // Disabled in order to help track down pinning failures --agl
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "twitter.com", true));
   EXPECT_FALSE(state.HasPinsForHost(&domain_state, "foo.twitter.com", true));
@@ -705,7 +701,6 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "platform.twitter.com", true));
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "si0.twimg.com", true));
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "twimg0-a.akamaihd.net", true));
-#endif
 }
 
 static bool AddHash(const std::string& type_and_base64,