Revert "net: reenable Twitter's public key pins with api.twitter.com using the CDN pins."

This reverts commit r113203. It failed on the ChromeOS valgrind and heapcheck bots.

BUG=113203

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@113229 0039d316-1c4b-4281-b951-d872f2087c98

net/base/public_key_hashes_check.go

@@ -53,12 +53,6 @@ func matchNames(name, v string) error {
 	if strings.HasSuffix(firstWord, ",") {
 		firstWord = firstWord[:len(firstWord)-1]
 	}
-	if pos := strings.Index(firstWord, "."); pos != -1 {
-		firstWord = firstWord[:pos]
-	}
-	if pos := strings.Index(firstWord, "-"); pos != -1 {
-		firstWord = firstWord[:pos]
-	}
 	if !strings.HasPrefix(v, firstWord) {
 		return errors.New("The first word of the certificate name isn't a prefix of the variable name")
 	}
@@ -141,7 +135,7 @@ func main() {
 			trimmed = trimmed[6 : len(trimmed)-2]
 			h := sha1.New()
 			h.Write(x509Cert.RawSubjectPublicKeyInfo)
-			shouldBe := base64.StdEncoding.EncodeToString(h.Sum(nil))
+			shouldBe := base64.StdEncoding.EncodeToString(h.Sum())
 			if shouldBe != string(trimmed) {
 				fmt.Fprintf(os.Stderr, "Line %d: hash should be %s, but found %s\n", lineNo, shouldBe, trimmed)
 				return

net/base/transport_security_state.cc

@@ -968,53 +968,6 @@ static const char* const kTwitterComAcceptableCerts[] = {
   kNoRejectedPublicKeys, \
 }
 
-// kTwitterCDNAcceptableCerts are the set of public keys valid for Twitter's
-// CDNs, which includes all the keys from kTwitterComAcceptableCerts.
-static const char* const kTwitterCDNAcceptableCerts[] = {
-  kSPKIHash_VeriSignClass1,
-  kSPKIHash_VeriSignClass3,
-  kSPKIHash_VeriSignClass3_G4,
-  kSPKIHash_VeriSignClass4_G3,
-  kSPKIHash_VeriSignClass3_G3,
-  kSPKIHash_VeriSignClass1_G3,
-  kSPKIHash_VeriSignClass2_G3,
-  kSPKIHash_VeriSignClass3_G2,
-  kSPKIHash_VeriSignClass2_G2,
-  kSPKIHash_VeriSignClass3_G5,
-  kSPKIHash_VeriSignUniversal,
-  kSPKIHash_GeoTrustGlobal,
-  kSPKIHash_GeoTrustGlobal2,
-  kSPKIHash_GeoTrustUniversal,
-  kSPKIHash_GeoTrustUniversal2,
-  kSPKIHash_GeoTrustPrimary,
-  kSPKIHash_GeoTrustPrimary_G2,
-  kSPKIHash_GeoTrustPrimary_G3,
-  kSPKIHash_Twitter1,
-
-  kSPKIHash_Entrust_2048,
-  kSPKIHash_Entrust_EV,
-  kSPKIHash_Entrust_G2,
-  kSPKIHash_Entrust_SSL,
-  kSPKIHash_AAACertificateServices,
-  kSPKIHash_AddTrustClass1CARoot,
-  kSPKIHash_AddTrustExternalCARoot,
-  kSPKIHash_AddTrustPublicCARoot,
-  kSPKIHash_AddTrustQualifiedCARoot,
-  kSPKIHash_COMODOCertificationAuthority,
-  kSPKIHash_SecureCertificateServices,
-  kSPKIHash_TrustedCertificateServices,
-  kSPKIHash_UTNDATACorpSGC,
-  kSPKIHash_UTNUSERFirstClientAuthenticationandEmail,
-  kSPKIHash_UTNUSERFirstHardware,
-  kSPKIHash_UTNUSERFirstObject,
-  kSPKIHash_GTECyberTrustGlobalRoot,
-  NULL,
-};
-#define kTwitterCDNPins { \
-  kTwitterCDNAcceptableCerts, \
-  kNoRejectedPublicKeys, \
-}
-
 // kTestAcceptableCerts doesn't actually match any public keys and is used
 // with "pinningtest.appspot.com", below, to test if pinning is active.
 static const char* const kTestAcceptableCerts[] = {
@@ -1179,13 +1132,14 @@ static const struct HSTSPreload kPreloadedSTS[] = {
       DOMAIN_NOT_PINNED },
   {12, true, "\006ubertt\003org", true, kNoPins, DOMAIN_NOT_PINNED },
 
+#if 0
   // Twitter pins disabled in order to track down pinning failures --agl
   {13, false, "\007twitter\003com", kTwitterHSTS,
       kTwitterComPins, DOMAIN_TWITTER_COM },
   {17, true, "\003www\007twitter\003com", kTwitterHSTS,
       kTwitterComPins, DOMAIN_TWITTER_COM },
   {17, true, "\003api\007twitter\003com", kTwitterHSTS,
-      kTwitterCDNPins, DOMAIN_TWITTER_COM },
+      kTwitterComPins, DOMAIN_TWITTER_COM },
   {19, true, "\005oauth\007twitter\003com", kTwitterHSTS,
       kTwitterComPins, DOMAIN_TWITTER_COM },
   {20, true, "\006mobile\007twitter\003com", kTwitterHSTS,
@@ -1200,6 +1154,7 @@ static const struct HSTSPreload kPreloadedSTS[] = {
       DOMAIN_TWIMG_COM },
   {23, true, "\010twimg0-a\010akamaihd\003net", false,
       kTwitterCDNPins, DOMAIN_AKAMAIHD_NET },
+#endif
 };
 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 

net/base/transport_security_state_unittest.cc

@@ -580,10 +580,18 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
   EXPECT_TRUE(ShouldRedirect("ubertt.org"));
   EXPECT_TRUE(ShouldRedirect("foo.ubertt.org"));
 
-
-  EXPECT_FALSE(ShouldRedirect("twitter.com"));
-  EXPECT_FALSE(ShouldRedirect("www.twitter.com"));
-  EXPECT_TRUE(HasPins("www.twitter.com"));
+#if 0
+  // Currently disabled to debug Twitter public key pins  --agl
+#if defined(OS_CHROMEOS)
+  EXPECT_TRUE(state.GetDomainState(&domain_state,
+                                   "twitter.com",
+                                   false));
+#else
+  EXPECT_FALSE(state.GetDomainState(&domain_state,
+                                      "twitter.com",
+                                      false));
+#endif
+#endif
 }
 
 TEST_F(TransportSecurityStateTest, LongNames) {
@@ -684,6 +692,7 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
                                    true));
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "www.googleplex.com", true));
 
+#if 0
   // Disabled in order to help track down pinning failures --agl
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "twitter.com", true));
   EXPECT_FALSE(state.HasPinsForHost(&domain_state, "foo.twitter.com", true));
@@ -696,6 +705,7 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "platform.twitter.com", true));
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "si0.twimg.com", true));
   EXPECT_TRUE(state.HasPinsForHost(&domain_state, "twimg0-a.akamaihd.net", true));
+#endif
 }
 
 static bool AddHash(const std::string& type_and_base64,