Index: net/base/transport_security_state_unittest.cc |
=================================================================== |
--- net/base/transport_security_state_unittest.cc (revision 80507) |
+++ net/base/transport_security_state_unittest.cc (working copy) |
@@ -1,8 +1,13 @@ |
-// Copyright (c) 2009 The Chromium Authors. All rights reserved. |
+// Copyright (c) 2011 The Chromium Authors. All rights reserved. |
// Use of this source code is governed by a BSD-style license that can be |
// found in the LICENSE file. |
+#include "base/file_path.h" |
+#include "base/string_util.h" |
+#include "base/time.h" |
+#include "net/base/cert_test_util.h" |
#include "net/base/transport_security_state.h" |
+#include "net/base/x509_certificate.h" |
#include "testing/gtest/include/gtest/gtest.h" |
namespace net { |
@@ -432,4 +437,47 @@ |
EXPECT_FALSE(state->IsEnabledForHost(&domain_state, kLongName)); |
} |
+TEST_F(TransportSecurityStateTest, CertLocks) { |
+ scoped_refptr<TransportSecurityState> state( |
+ new TransportSecurityState); |
+ FilePath certs_dir = GetTestCertsDirectory(); |
+ scoped_refptr<X509Certificate> google_cert( |
+ ImportCertFromFile(certs_dir, "google.chain.pem")); |
+ |
+ TransportSecurityState::DomainState domain_state; |
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "www.evil.com")); |
+ EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert)); |
+ const base::Time current_time(base::Time::Now()); |
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
+ domain_state.expiry = expiry; |
+ state->EnableHost("www.evil.com", domain_state); |
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com")); |
+ EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert)); |
+ |
+ domain_state.cert_locks.push_back("0000000000000000000000000000000000000001"); |
+ state->EnableHost("www.evil.com", domain_state); |
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com")); |
+ EXPECT_FALSE(state->IsAcceptableCertificate("www.evil.com", google_cert)); |
+ |
+ std::string ser; |
+ EXPECT_TRUE(state->Serialise(&ser)); |
+ bool dirty; |
+ EXPECT_TRUE(state->Deserialise(ser, &dirty)); |
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com")); |
+ EXPECT_FALSE(state->IsAcceptableCertificate("www.evil.com", google_cert)); |
+ |
+ const SHA1Fingerprint& fp = google_cert->fingerprint(); |
+ std::string hash; |
+ for (size_t i = 0; i < sizeof(fp.data); ++i) |
+ hash += StringPrintf("%02X", fp.data[i]); |
+ domain_state.cert_locks.push_back(hash); |
+ state->EnableHost("www.evil.com", domain_state); |
+ EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert)); |
+ |
+ EXPECT_TRUE(state->Serialise(&ser)); |
+ EXPECT_TRUE(state->Deserialise(ser, &dirty)); |
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com")); |
+ EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert)); |
+} |
+ |
} // namespace net |
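Review bot: Both Serialise/Deserialise round trips in CertLocks load the string back into the same `state` object that already holds the www.evil.com entry. If Deserialise does not clear existing entries first (not visible in this hunk), the checks after it would pass even when `cert_locks` is never written out. Pins lost on reload would silently leave a locked host unpinned, so deserialise into a fresh object: `scoped_refptr<TransportSecurityState> state2(new TransportSecurityState);` then `EXPECT_TRUE(state2->Deserialise(ser, &dirty));`, with the two following expectations run against `state2`. Separately, `google_cert` is dereferenced for `fingerprint()` with no check that ImportCertFromFile succeeded; `ASSERT_TRUE(google_cert.get());` right after the import would fail the test cleanly if google.chain.pem cannot be loaded. `bool dirty;` is also never inspected and starts uninitialised, so declare it as `bool dirty = false;`.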