
Side by Side Diff: net/base/transport_security_state_unittest.cc

Issue 6793026: Initial support for HSTS certificate locking. This isn't a finished work, but (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years, 8 months ago
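--- a/net/base/transport_security_state_unittest.cc
+++ b/net/base/transport_security_state_unittest.cc
@@ -1,15 +1,20 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "base/file_path.h"
+#include "base/string_util.h"
+#include "base/time.h"
+#include "net/base/cert_test_util.h"
 #include "net/base/transport_security_state.h"
+#include "net/base/x509_certificate.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 class TransportSecurityStateTest : public testing::Test {
 };
 
 TEST_F(TransportSecurityStateTest, BogusHeaders) {
 int max_age = 42;
 bool include_subdomains = false;
@@ -425,11 +430,54 @@
 scoped_refptr<TransportSecurityState> state(
 new TransportSecurityState);
 const char kLongName[] =
 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
 "WaveletIdDomainAndBlipBlipid";
 TransportSecurityState::DomainState domain_state;
 // Just checks that we don't hit a NOTREACHED.
 EXPECT_FALSE(state->IsEnabledForHost(&domain_state, kLongName));
 }
 
+TEST_F(TransportSecurityStateTest, CertLocks) {
+scoped_refptr<TransportSecurityState> state(
+new TransportSecurityState);
+FilePath certs_dir = GetTestCertsDirectory();
+scoped_refptr<X509Certificate> google_cert(
+ImportCertFromFile(certs_dir, "google.chain.pem"));
+
+TransportSecurityState::DomainState domain_state;
+EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+const base::Time current_time(base::Time::Now());
+const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+domain_state.expiry = expiry;
+state->EnableHost("www.evil.com", domain_state);
+EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+domain_state.cert_locks.push_back("0000000000000000000000000000000000000001");
+state->EnableHost("www.evil.com", domain_state);
+EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+EXPECT_FALSE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+std::string ser;
+EXPECT_TRUE(state->Serialise(&ser));
+bool dirty;
+EXPECT_TRUE(state->Deserialise(ser, &dirty));
+EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+EXPECT_FALSE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+const SHA1Fingerprint& fp = google_cert->fingerprint();
+std::string hash;
+for (size_t i = 0; i < sizeof(fp.data); ++i)
+hash += StringPrintf("%02X", fp.data[i]);
+domain_state.cert_locks.push_back(hash);
+state->EnableHost("www.evil.com", domain_state);
+EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+EXPECT_TRUE(state->Serialise(&ser));
+EXPECT_TRUE(state->Deserialise(ser, &dirty));
+EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+}
+
 } // namespace net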
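Review bot: In CertLocks both Serialise/Deserialise round trips read the data back into the same `state` object that already holds the locked entry, so the assertions after `Deserialise` only show that `cert_locks` survives persistence if Deserialise discards the in-memory hosts first, which is not visible on this page. Deserialising into a fresh object, `scoped_refptr<TransportSecurityState> reloaded(new TransportSecurityState);` then `EXPECT_TRUE(reloaded->Deserialise(ser, &dirty));` with the following checks made against `reloaded`, would make a dropped or misparsed lock list fail the test instead of leaving the possibility that pinning is silently lost after a restart. Separately, `google_cert` is dereferenced at `google_cert->fingerprint()` without confirming that `ImportCertFromFile` succeeded; an `ASSERT_TRUE(google_cert.get() != NULL);` directly after the import would report a missing or unreadable `google.chain.pem` as a test failure rather than a crash.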
