Initial support for HSTS certificate locking. This isn't a finished work, but

net/base/transport_security_state_unittest.cc

-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "base/file_path.h"
+#include "base/string_util.h"
+#include "base/time.h"
+#include "net/base/cert_test_util.h"
 #include "net/base/transport_security_state.h"
+#include "net/base/x509_certificate.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 class TransportSecurityStateTest : public testing::Test {
 };
 
 TEST_F(TransportSecurityStateTest, BogusHeaders) {
   int max_age = 42;
   bool include_subdomains = false;
@@ skipping 409 matching lines @@
   scoped_refptr<TransportSecurityState> state(
       new TransportSecurityState);
   const char kLongName[] =
       "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
       "WaveletIdDomainAndBlipBlipid";
   TransportSecurityState::DomainState domain_state;
   // Just checks that we don't hit a NOTREACHED.
   EXPECT_FALSE(state->IsEnabledForHost(&domain_state, kLongName));
 }
 
+TEST_F(TransportSecurityStateTest, CertLocks) {
+  scoped_refptr<TransportSecurityState> state(
+      new TransportSecurityState);
+  FilePath certs_dir = GetTestCertsDirectory();
+  scoped_refptr<X509Certificate> google_cert(
+      ImportCertFromFile(certs_dir, "google.chain.pem"));
+
+  TransportSecurityState::DomainState domain_state;
+  EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+  EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+  const base::Time current_time(base::Time::Now());
+  const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+  domain_state.expiry = expiry;
+  state->EnableHost("www.evil.com", domain_state);
+  EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+  EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+  domain_state.cert_locks.push_back("0000000000000000000000000000000000000001");
+  state->EnableHost("www.evil.com", domain_state);
+  EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+  EXPECT_FALSE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+  std::string ser;
+  EXPECT_TRUE(state->Serialise(&ser));
+  bool dirty;
+  EXPECT_TRUE(state->Deserialise(ser, &dirty));
+  EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+  EXPECT_FALSE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+  const SHA1Fingerprint& fp = google_cert->fingerprint();
+  std::string hash;
+  for (size_t i = 0; i < sizeof(fp.data); ++i)
+    hash += StringPrintf("%02X", fp.data[i]);
+  domain_state.cert_locks.push_back(hash);
+  state->EnableHost("www.evil.com", domain_state);
+  EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+  EXPECT_TRUE(state->Serialise(&ser));
+  EXPECT_TRUE(state->Deserialise(ser, &dirty));
+  EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+  EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+}
+
 }  // namespace net