net/base/transport_security_state_unittest.cc - Issue 10826257: Implement SHA-256 fingerprint support

Unified Diff: net/base/transport_security_state_unittest.cc

Issue 10826257: Implement SHA-256 fingerprint support (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: Created 8 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: net/base/transport_security_state_unittest.cc

===================================================================

--- net/base/transport_security_state_unittest.cc (revision 152152)

+++ net/base/transport_security_state_unittest.cc (working copy)

@@ -6,11 +6,13 @@

#include <algorithm>

#include <string>

+#include <vector>

#include "base/base64.h"

#include "base/file_path.h"

#include "base/sha1.h"

#include "base/string_piece.h"

+#include "crypto/sha2.h"

#include "net/base/asn1_util.h"

#include "net/base/cert_test_util.h"

#include "net/base/cert_verifier.h"

@@ -20,6 +22,7 @@

#include "net/base/ssl_info.h"

#include "net/base/test_completion_callback.h"

#include "net/base/test_root_certs.h"

+#include "net/base/x509_cert_types.h"

#include "net/base/x509_certificate.h"

#include "net/http/http_util.h"

#include "testing/gtest/include/gtest/gtest.h"

@@ -91,7 +94,8 @@

}

static bool GetPublicKeyHash(const net::X509Certificate::OSCertHandle& cert,

- SHA1Fingerprint* fingerprint) {

+ HashValue* fingerprint,

+ HashValueTag tag) {

std::string der_bytes;

if (!net::X509Certificate::GetDEREncoded(cert, &der_bytes))

return false;

@@ -100,28 +104,52 @@

if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki))

return false;

- base::SHA1HashBytes(reinterpret_cast<const unsigned char*>(spki.data()),

- spki.size(), fingerprint->data);

+ fingerprint->tag = tag;

+ switch (tag) {

+ case HASH_VALUE_SHA1:

+ base::SHA1HashBytes(reinterpret_cast<const unsigned char*>(spki.data()),

Ryan Sleevi 2012/08/23 22:48:20 does a static_cast work here?

palmer 2012/08/29 00:01:24 error: invalid static_cast from type ‘const char*’

+ spki.size(), fingerprint->data());

+ break;

+ case HASH_VALUE_SHA256:

+ crypto::SHA256HashString(spki, fingerprint->data(),

+ crypto::kSHA256Length);

+ break;

+ default:

+ NOTREACHED() << "Unknown HashValueTag " << tag;

+ }

return true;

}

-static std::string GetPinFromCert(X509Certificate* cert) {

- SHA1Fingerprint spki_hash;

- EXPECT_TRUE(GetPublicKeyHash(cert->os_cert_handle(), &spki_hash));

+static std::string GetPinFromCert(X509Certificate* cert, HashValueTag tag) {

+ HashValue spki_hash;

+ EXPECT_TRUE(GetPublicKeyHash(cert->os_cert_handle(), &spki_hash, tag));

std::string base64;

- base::Base64Encode(base::StringPiece(reinterpret_cast<char*>(spki_hash.data),

- sizeof(spki_hash.data)),

- &base64);

- return "pin-sha1=" + HttpUtil::Quote(base64);

+ base::Base64Encode(base::StringPiece(

+ reinterpret_cast<char*>(spki_hash.data()), spki_hash.size()), &base64);

+ std::string label;

+ switch (tag) {

+ case HASH_VALUE_SHA1:

+ label = "pin-sha1=";

+ break;

+ case HASH_VALUE_SHA256:

+ label = "pin-sha256=";

+ break;

+ default:

+ NOTREACHED() << "Unknown HashValueTag " << tag;

+ }

+ return label + HttpUtil::Quote(base64);

}

-TEST_F(TransportSecurityStateTest, BogusPinsHeaders) {

+static void TestBogusPinsHeaders(HashValueTag tag) {

TransportSecurityState::DomainState state;

SSLInfo ssl_info;

ssl_info.cert =

ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");

- std::string good_pin = GetPinFromCert(ssl_info.cert);

+ std::string good_pin = GetPinFromCert(ssl_info.cert, tag);

base::Time now = base::Time::Now();

// The backup pin is fake --- it just has to not be in the chain.

@@ -180,6 +208,14 @@

EXPECT_FALSE(state.include_subdomains);

}

+TEST_F(TransportSecurityStateTest, BogusPinsHeadersSHA1) {

+ TestBogusPinsHeaders(HASH_VALUE_SHA1);

+TEST_F(TransportSecurityStateTest, BogusPinsHeadersSHA256) {

+ TestBogusPinsHeaders(HASH_VALUE_SHA256);

TEST_F(TransportSecurityStateTest, ValidSTSHeaders) {

TransportSecurityState::DomainState state;

base::Time expiry;

@@ -240,7 +276,7 @@

EXPECT_TRUE(state.include_subdomains);

}

-TEST_F(TransportSecurityStateTest, ValidPinsHeaders) {

+static void TestValidPinsHeaders(HashValueTag tag) {

TransportSecurityState::DomainState state;

base::Time expiry;

base::Time now = base::Time::Now();

@@ -280,7 +316,8 @@

// Normally, ssl_client_socket_nss would do this, but for a unit test we

// fake it.

ssl_info.public_key_hashes = result.public_key_hashes;

- std::string good_pin = GetPinFromCert(ssl_info.cert);

+ std::string good_pin = GetPinFromCert(ssl_info.cert, /*tag*/HASH_VALUE_SHA1);

+ DLOG(WARNING) << "good pin: " << good_pin;

// The backup pin is fake --- we just need an SPKI hash that does not match

// the hash of any SPKI in the certificate chain.

@@ -356,6 +393,14 @@

EXPECT_EQ(expiry, state.dynamic_spki_hashes_expiry);

}

+TEST_F(TransportSecurityStateTest, ValidPinsHeadersSHA1) {

+ TestValidPinsHeaders(HASH_VALUE_SHA1);

+TEST_F(TransportSecurityStateTest, ValidPinsHeadersSHA256) {

+ TestValidPinsHeaders(HASH_VALUE_SHA256);

TEST_F(TransportSecurityStateTest, SimpleMatches) {

TransportSecurityState state;

TransportSecurityState::DomainState domain_state;

@@ -783,7 +828,7 @@

EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state));

EXPECT_TRUE(HasPins("chrome.google.com"));

- FingerprintVector hashes;

+ HashValueVector hashes;

// Checks that a built-in list does exist.

EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));

EXPECT_FALSE(HasPins("www.paypal.com"));

@@ -829,18 +874,14 @@

}

static bool AddHash(const std::string& type_and_base64,

- FingerprintVector* out) {

- std::string hash_str;

- if (type_and_base64.find("sha1/") == 0 &&

- base::Base64Decode(type_and_base64.substr(5, type_and_base64.size() - 5),

- &hash_str) &&

- hash_str.size() == base::kSHA1Length) {

- SHA1Fingerprint hash;

- memcpy(hash.data, hash_str.data(), sizeof(hash.data));

- out->push_back(hash);

- return true;

- }

- return false;

+ HashValueVector* out) {

+ HashValue hash;

+ if (!TransportSecurityState::ParsePin(type_and_base64, &hash))

+ return false;

+ out->push_back(hash);

+ return true;

}

TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) {

@@ -862,7 +903,7 @@

NULL,

};

- std::vector<net::SHA1Fingerprint> good_hashes, bad_hashes;

+ HashValueVector good_hashes, bad_hashes;

for (size_t i = 0; kGoodPath[i]; i++) {

EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));

@@ -898,7 +939,7 @@

NULL,

};

- std::vector<net::SHA1Fingerprint> good_hashes, bad_hashes;

+ HashValueVector good_hashes, bad_hashes;

for (size_t i = 0; kGoodPath[i]; i++) {

EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));

@@ -916,6 +957,100 @@

EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(bad_hashes));

}

+TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) {

+ static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=";

+ static const char* ee_sha256 =

+ "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I=";

+ static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";

+ static const char* google_1024_sha256 =

+ "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU=";

+ static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";

+ static const char* equifax_sha256 =

+ "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY=";

+ static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=";

+ static const char* trustcenter_sha256 =

+ "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M=";

+ // Good chains for plus.google.com chain up through google_1024_sha{1,256}

+ // to equifax_sha{1,256}. Bad chains chain up to equifa through

Ryan Sleevi 2012/08/23 22:48:20 equifax

palmer 2012/08/29 00:01:24 Done.

+ // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax

+ // and Google1024 are known-good, the blacklistedness of Trustcenter

+ // should override and cause pin validation failure.

+ TransportSecurityState state;

+ TransportSecurityState::DomainState domain_state;

+ EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state));

+ EXPECT_TRUE(domain_state.HasPins());

+ // The statically-defined pins are all SHA-1, so we add some SHA-256 pins

+ // manually:

+ EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes));

+ EXPECT_TRUE(AddHash(trustcenter_sha256,

+ &domain_state.bad_static_spki_hashes));

+ // Try an all-good SHA1 chain.

+ HashValueVector validated_chain;

+ EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));

+ EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));

+ // Try an all-bad SHA1 chain.

+ validated_chain.clear();

+ EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));

+ EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));

+ // Try an all-good SHA-256 chain.

+ validated_chain.clear();

+ EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));

+ EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));

+ // Try an all-bad SHA-256 chain.

+ validated_chain.clear();

+ EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));

+ EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));

+ // Try a mixed-hash good chain.

+ validated_chain.clear();

+ EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));

+ EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));

+ // Try a mixed-hash bad chain.

+ validated_chain.clear();

+ EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));

+ EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));

+ // Try a chain with all good hashes.

+ validated_chain.clear();

+ EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));

+ EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));

+ // Try a chain with all bad hashes.

+ validated_chain.clear();

+ EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));

+ EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));

+ EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));

+ EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));

Ryan Sleevi 2012/08/23 22:48:20 Can you add a test that reflects how CertVerifier

palmer 2012/08/29 00:01:24 It's not clear to me that we should guarantee a pa

TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {

TransportSecurityState state;

TransportSecurityState::DomainState domain_state;

« net/base/transport_security_state.cc ('K') | « net/base/transport_security_state.cc ('k') | net/base/x509_cert_types.h » ('j') | net/base/x509_cert_types.h » ('J')