
Unified Diff: net/base/transport_security_state_unittest.cc

Issue 6793026: Initial support for HSTS certificate locking. This isn't a finished work, but (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years, 9 months ago
Index: net/base/transport_security_state_unittest.cc
===================================================================
--- net/base/transport_security_state_unittest.cc (revision 80507)
+++ net/base/transport_security_state_unittest.cc (working copy)
@@ -1,8 +1,13 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#include "base/file_path.h"
+#include "base/string_util.h"
+#include "base/time.h"
+#include "net/base/cert_test_util.h"
#include "net/base/transport_security_state.h"
+#include "net/base/x509_certificate.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace net {
@@ -432,4 +437,47 @@
EXPECT_FALSE(state->IsEnabledForHost(&domain_state, kLongName));
}
+TEST_F(TransportSecurityStateTest, CertLocks) {
+ scoped_refptr<TransportSecurityState> state(
+ new TransportSecurityState);
+ FilePath certs_dir = GetTestCertsDirectory();
+ scoped_refptr<X509Certificate> google_cert(
+ ImportCertFromFile(certs_dir, "google.chain.pem"));
+
+ TransportSecurityState::DomainState domain_state;
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+ EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+ const base::Time current_time(base::Time::Now());
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+ domain_state.expiry = expiry;
+ state->EnableHost("www.evil.com", domain_state);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+ EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+ domain_state.cert_locks.push_back("0000000000000000000000000000000000000001");
+ state->EnableHost("www.evil.com", domain_state);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+ EXPECT_FALSE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+ std::string ser;
+ EXPECT_TRUE(state->Serialise(&ser));
+ bool dirty;
+ EXPECT_TRUE(state->Deserialise(ser, &dirty));
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+ EXPECT_FALSE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+ const SHA1Fingerprint& fp = google_cert->fingerprint();
+ std::string hash;
+ for (size_t i = 0; i < sizeof(fp.data); ++i)
+ hash += StringPrintf("%02X", fp.data[i]);
+ domain_state.cert_locks.push_back(hash);
+ state->EnableHost("www.evil.com", domain_state);
+ EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+
+ EXPECT_TRUE(state->Serialise(&ser));
+ EXPECT_TRUE(state->Deserialise(ser, &dirty));
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.evil.com"));
+ EXPECT_TRUE(state->IsAcceptableCertificate("www.evil.com", google_cert));
+}
+
} // namespace net
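Review bot: Both Serialise/Deserialise round-trips in CertLocks read the data back into the same `state` object that already holds the lock, so the assertions after them do not show that `cert_locks` survives persistence. Whether Deserialise clears existing entries is not visible in this hunk; if it does not, or if the locks are never written out, these checks would still pass, and a pin that is lost on reload fails open. Deserialising into a fresh instance would pin this down: `scoped_refptr<TransportSecurityState> state2(new TransportSecurityState);` then `EXPECT_TRUE(state2->Deserialise(ser, &dirty));`, with the following `IsEnabledForHost` / `IsAcceptableCertificate` expectations run against `state2`. Separately, `google_cert` is dereferenced at `google_cert->fingerprint()` without the import result ever being checked, so an `ASSERT_TRUE(google_cert.get());` right after `ImportCertFromFile` would turn a missing test file into a clean failure instead of a crash.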
