| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <algorithm> | 5 #include <algorithm> |
| 6 | 6 |
| 7 #include "base/base64.h" | 7 #include "base/base64.h" |
| 8 #include "base/sha1.h" | 8 #include "base/sha1.h" |
| 9 #include "base/strings/string_piece.h" | 9 #include "base/strings/string_piece.h" |
| 10 #include "crypto/sha2.h" | 10 #include "crypto/sha2.h" |
| (...skipping 498 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 509 HashValuesEqual(good_hash)); | 509 HashValuesEqual(good_hash)); |
| 510 EXPECT_NE(domain_state.dynamic_spki_hashes.end(), hash); | 510 EXPECT_NE(domain_state.dynamic_spki_hashes.end(), hash); |
| 511 | 511 |
| 512 hash = std::find_if( | 512 hash = std::find_if( |
| 513 domain_state.dynamic_spki_hashes.begin(), | 513 domain_state.dynamic_spki_hashes.begin(), |
| 514 domain_state.dynamic_spki_hashes.end(), | 514 domain_state.dynamic_spki_hashes.end(), |
| 515 HashValuesEqual(backup_hash)); | 515 HashValuesEqual(backup_hash)); |
| 516 EXPECT_NE(domain_state.dynamic_spki_hashes.end(), hash); | 516 EXPECT_NE(domain_state.dynamic_spki_hashes.end(), hash); |
| 517 } | 517 } |
| 518 | 518 |
| 519 TEST_F(HttpSecurityHeadersTest, NoClobberPins) { |
| 520 TransportSecurityState state; |
| 521 TransportSecurityState::DomainState domain_state; |
| 522 |
| 523 std::string domain("accounts.google.com"); |
| 524 |
| 525 // Retrieve the DomainState as it is by default, including its known good |
| 526 // pins. Assert sanity. |
| 527 EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state)); |
| 528 HashValueVector saved_hashes = domain_state.static_spki_hashes; |
| 529 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); |
| 530 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 531 |
| 532 // Add a dynamic header. Due to bug crbug.com/29386, this will mask the |
| 533 // static pins. However, we temporarily work around that in |
| 534 // CheckPublicKeyPins (invoked below). CheckPublicKeyPins should still |
| 535 // pass when given the original |saved_hashes|. |
| 536 EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000")); |
| 537 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); |
| 538 EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state)); |
| 539 EXPECT_TRUE(domain_state.CheckPublicKeyPins(saved_hashes)); |
| 540 |
| 541 // Add a header, which should only update the dynamic state. |
| 542 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); |
| 543 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); |
| 544 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); |
| 545 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin; |
| 546 |
| 547 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. |
| 548 SSLInfo ssl_info; |
| 549 ssl_info.public_key_hashes.push_back(good_hash); |
| 550 ssl_info.public_key_hashes.push_back(saved_hashes[0]); |
| 551 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); |
| 552 |
| 553 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); |
| 554 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); |
| 555 EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state)); |
| 556 EXPECT_TRUE(domain_state.CheckPublicKeyPins(saved_hashes)); |
| 557 } |
| 558 |
| 519 }; // namespace net | 559 }; // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 103803012:
Make HSTS headers not clobber preloaded pins. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src