Chrome's SSLErrorHandler matches certificates against the captive portal certificate list by SPKI hash. But ssl_info.public_key_hashes is not necessarily populated if there was a certificate error [1]. We should make sure this field is populated in the cases we care about in SSLErrorHandler; otherwise we might need to calculate SPKIs separately in SSLErrorHandler.

[1] https://cs.chromium.org/chromium/src/net/cert/cert_verify_result.h?l=63