Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1008)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/http_security_headers_unittest.cc

Issue 103803012: Make HSTS headers not clobber preloaded pins. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Rebase and refactor. (Not done yet.) Created 6 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome/test/data/webui/net_internals/hsts_view.js ('k') | net/http/transport_security_persister.cc » ('j') | net/http/transport_security_state.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/http_security_headers_unittest.cc
diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc
index 42a5ee9896062504e21575f23519983d5caa9652..0278739aa7228a360d60c59320a41fdd1f3e35bc 100644
--- a/net/http/http_security_headers_unittest.cc
+++ b/net/http/http_security_headers_unittest.cc
@@ -454,9 +454,9 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
// docs.google.com has preloaded pins.
std::string domain = "docs.google.com";
- EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));
- EXPECT_GT(domain_state.static_spki_hashes.size(), 1UL);
- HashValueVector saved_hashes = domain_state.static_spki_hashes;
+ EXPECT_TRUE(state.GetStaticDomainState(domain, true, &domain_state));
+ EXPECT_GT(domain_state.pkp.spki_hashes.size(), 1UL);
+ HashValueVector saved_hashes = domain_state.pkp.spki_hashes;
// Add a header, which should only update the dynamic state.
HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
@@ -472,48 +472,96 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
// Expect the preloaded state to remain unchanged.
- std::string canonicalized_host = TransportSecurityState::CanonicalizeHost(
- domain);
TransportSecurityState::DomainState static_domain_state;
- EXPECT_TRUE(state.GetStaticDomainState(canonicalized_host,
- true,
- &static_domain_state));
+ EXPECT_TRUE(state.GetStaticDomainState(domain, true, &static_domain_state));
for (size_t i = 0; i < saved_hashes.size(); ++i) {
EXPECT_TRUE(HashValuesEqual(
- saved_hashes[i])(static_domain_state.static_spki_hashes[i]));
+ saved_hashes[i])(static_domain_state.pkp.spki_hashes[i]));
}
// Expect the dynamic state to reflect the header.
TransportSecurityState::DomainState dynamic_domain_state;
EXPECT_TRUE(state.GetDynamicDomainState(domain, &dynamic_domain_state));
- EXPECT_EQ(2UL, dynamic_domain_state.dynamic_spki_hashes.size());
+ EXPECT_EQ(2UL, dynamic_domain_state.pkp.spki_hashes.size());
HashValueVector::const_iterator hash = std::find_if(
- dynamic_domain_state.dynamic_spki_hashes.begin(),
- dynamic_domain_state.dynamic_spki_hashes.end(),
+ dynamic_domain_state.pkp.spki_hashes.begin(),
+ dynamic_domain_state.pkp.spki_hashes.end(),
HashValuesEqual(good_hash));
- EXPECT_NE(dynamic_domain_state.dynamic_spki_hashes.end(), hash);
+ EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash);
hash = std::find_if(
- dynamic_domain_state.dynamic_spki_hashes.begin(),
- dynamic_domain_state.dynamic_spki_hashes.end(),
+ dynamic_domain_state.pkp.spki_hashes.begin(),
+ dynamic_domain_state.pkp.spki_hashes.end(),
HashValuesEqual(backup_hash));
- EXPECT_NE(dynamic_domain_state.dynamic_spki_hashes.end(), hash);
+ EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash);
// Expect the overall state to reflect the header, too.
+ EXPECT_TRUE(state.HasPublicKeyPins(domain, true /* sni enabled */ ));
+ HashValueVector hashes;
+ hashes.push_back(good_hash);
+ EXPECT_TRUE(state.CheckPublicKeyPins(domain, true /* sni_enabled */, hashes));
+
+ /* TODO(palmer): check both dynamic and static state, or add
+ * TSS::GetPublicKeyPins?
Ryan Sleevi 2014/04/08 20:29:11 indent issue? Still trying to grok why this was d
EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));
- EXPECT_EQ(2UL, domain_state.dynamic_spki_hashes.size());
+ EXPECT_EQ(2UL, domain_state.dynamic_pkp.spki_hashes.size());
- hash = std::find_if(domain_state.dynamic_spki_hashes.begin(),
- domain_state.dynamic_spki_hashes.end(),
+ hash = std::find_if(domain_state.pkp.spki_hashes.begin(),
+ domain_state.pkp.spki_hashes.end(),
HashValuesEqual(good_hash));
- EXPECT_NE(domain_state.dynamic_spki_hashes.end(), hash);
+ EXPECT_NE(domain_state.pkp.spki_hashes.end(), hash);
hash = std::find_if(
- domain_state.dynamic_spki_hashes.begin(),
- domain_state.dynamic_spki_hashes.end(),
+ domain_state.pkp.spki_hashes.begin(),
+ domain_state.pkp.spki_hashes.end(),
HashValuesEqual(backup_hash));
- EXPECT_NE(domain_state.dynamic_spki_hashes.end(), hash);
+ EXPECT_NE(domain_state.pkp.spki_hashes.end(), hash);
+ */
+}
+
+TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
+ TransportSecurityState state;
+ TransportSecurityState::DomainState domain_state;
+
+ // accounts.google.com has preloaded pins.
+ std::string domain = "accounts.google.com";
+
+ // Retrieve the DomainState as it is by default, including its known good
+ // pins.
+ const bool sni_enabled = true;
+ EXPECT_TRUE(state.GetStaticDomainState(domain, sni_enabled, &domain_state));
+ HashValueVector saved_hashes = domain_state.pkp.spki_hashes;
+ EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
+ EXPECT_TRUE(domain_state.HasPublicKeyPins());
+ EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
+ EXPECT_TRUE(state.HasPublicKeyPins(domain, sni_enabled));
+
+ // Add a dynamic HSTS header. CheckPublicKeyPins should still pass when given
+ // the original |saved_hashes|, indicating that the static PKP data is still
+ // configured for the domain.
+ EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000"));
+ EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
+ EXPECT_TRUE(state.CheckPublicKeyPins(domain, sni_enabled, saved_hashes));
+
+ // Add an HPKP header, which should only update the dynamic state.
+ HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
+ std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
+ std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
+ std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin;
+
+ // Construct a fake SSLInfo that will pass AddHPKPHeader's checks.
+ SSLInfo ssl_info;
+ ssl_info.public_key_hashes.push_back(good_hash);
+ ssl_info.public_key_hashes.push_back(saved_hashes[0]);
+ EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
+
+ EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
+ // HSTS should still be configured for this domain.
+ EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
+ EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
+ // Check that a good pin is still valid.
+ EXPECT_TRUE(state.CheckPublicKeyPins(domain, sni_enabled, saved_hashes));
}
}; // namespace net
« no previous file with comments | « chrome/test/data/webui/net_internals/hsts_view.js ('k') | net/http/transport_security_persister.cc » ('j') | net/http/transport_security_state.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698