OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "base/base64.h" | |
6 #include "base/sha1.h" | |
7 #include "base/string_piece.h" | |
8 #include "crypto/sha2.h" | |
9 #include "net/base/asn1_util.h" | |
10 #include "net/base/cert_test_util.h" | |
11 #include "net/base/cert_verifier.h" | |
12 #include "net/base/cert_verify_result.h" | |
13 #include "net/base/net_log.h" | |
14 #include "net/base/ssl_info.h" | |
15 #include "net/base/test_completion_callback.h" | |
16 #include "net/base/test_root_certs.h" | |
17 #include "net/http/http_security_headers.h" | |
18 #include "net/http/http_util.h" | |
19 #include "testing/gtest/include/gtest/gtest.h" | |
20 | |
21 | |
22 namespace net { | |
23 | |
24 class HttpSecurityHeadersTest : public testing::Test { | |
25 }; | |
26 | |
27 static bool GetPublicKeyHash(const net::X509Certificate::OSCertHandle& cert, | |
Ryan Sleevi
2012/10/29 09:01:24
style nit: see previous comments re: unnamed names
unsafe
2012/10/29 22:30:55
Fixed (this was pre-existing code, fwiw).
| |
28 HashValue* hash) { | |
29 std::string der_bytes; | |
30 if (!net::X509Certificate::GetDEREncoded(cert, &der_bytes)) | |
31 return false; | |
32 base::StringPiece spki; | |
33 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) | |
34 return false; | |
35 | |
36 switch (hash->tag) { | |
37 case HASH_VALUE_SHA1: | |
38 base::SHA1HashBytes(reinterpret_cast<const unsigned char*>(spki.data()), | |
39 spki.size(), hash->data()); | |
40 break; | |
41 case HASH_VALUE_SHA256: | |
42 crypto::SHA256HashString(spki, hash->data(), crypto::kSHA256Length); | |
43 break; | |
44 default: | |
45 NOTREACHED() << "Unknown HashValueTag " << hash->tag; | |
46 return false; | |
47 } | |
48 | |
49 return true; | |
50 } | |
51 | |
52 static std::string GetPinFromCert(X509Certificate* cert, HashValueTag tag) { | |
53 HashValue spki_hash(tag); | |
54 EXPECT_TRUE(GetPublicKeyHash(cert->os_cert_handle(), &spki_hash)); | |
55 | |
56 std::string base64; | |
57 base::Base64Encode(base::StringPiece( | |
58 reinterpret_cast<char*>(spki_hash.data()), spki_hash.size()), &base64); | |
59 | |
60 std::string label; | |
61 switch (tag) { | |
62 case HASH_VALUE_SHA1: | |
63 label = "pin-sha1="; | |
64 break; | |
65 case HASH_VALUE_SHA256: | |
66 label = "pin-sha256="; | |
67 break; | |
68 default: | |
69 NOTREACHED() << "Unknown HashValueTag " << tag; | |
70 } | |
71 | |
72 return label + HttpUtil::Quote(base64); | |
73 } | |
74 | |
75 TEST_F(HttpSecurityHeadersTest, BogusHeaders) { | |
76 base::Time now = base::Time::Now(); | |
77 base::Time expiry = now; | |
78 bool include_subdomains = false; | |
79 | |
80 EXPECT_FALSE(ParseHSTSHeader(now, "", &expiry, &include_subdomains)); | |
81 EXPECT_FALSE(ParseHSTSHeader(now, " ", &expiry, &include_subdomains)); | |
82 EXPECT_FALSE(ParseHSTSHeader(now, "abc", &expiry, &include_subdomains)); | |
83 EXPECT_FALSE(ParseHSTSHeader(now, " abc", &expiry, &include_subdomains)); | |
84 EXPECT_FALSE(ParseHSTSHeader(now, " abc ", &expiry, &include_subdomains)); | |
85 EXPECT_FALSE(ParseHSTSHeader(now, "max-age", &expiry, &include_subdomains)); | |
86 EXPECT_FALSE(ParseHSTSHeader(now, " max-age", &expiry, | |
87 &include_subdomains)); | |
88 EXPECT_FALSE(ParseHSTSHeader(now, " max-age ", &expiry, | |
89 &include_subdomains)); | |
90 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=", &expiry, &include_subdomains)); | |
91 EXPECT_FALSE(ParseHSTSHeader(now, " max-age=", &expiry, | |
92 &include_subdomains)); | |
93 EXPECT_FALSE(ParseHSTSHeader(now, " max-age =", &expiry, | |
94 &include_subdomains)); | |
95 EXPECT_FALSE(ParseHSTSHeader(now, " max-age= ", &expiry, | |
96 &include_subdomains)); | |
97 EXPECT_FALSE(ParseHSTSHeader(now, " max-age = ", &expiry, | |
98 &include_subdomains)); | |
99 EXPECT_FALSE(ParseHSTSHeader(now, " max-age = xy", &expiry, | |
100 &include_subdomains)); | |
101 EXPECT_FALSE(ParseHSTSHeader(now, " max-age = 3488a923", &expiry, | |
102 &include_subdomains)); | |
103 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488a923 ", &expiry, | |
104 &include_subdomains)); | |
105 EXPECT_FALSE(ParseHSTSHeader(now, "max-ag=3488923", &expiry, | |
106 &include_subdomains)); | |
107 EXPECT_FALSE(ParseHSTSHeader(now, "max-aged=3488923", &expiry, | |
108 &include_subdomains)); | |
109 EXPECT_FALSE(ParseHSTSHeader(now, "max-age==3488923", &expiry, | |
110 &include_subdomains)); | |
111 EXPECT_FALSE(ParseHSTSHeader(now, "amax-age=3488923", &expiry, | |
112 &include_subdomains)); | |
113 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=-3488923", &expiry, | |
114 &include_subdomains)); | |
115 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923;", &expiry, | |
116 &include_subdomains)); | |
117 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 e", &expiry, | |
118 &include_subdomains)); | |
119 EXPECT_FALSE(ParseHSTSHeader(now, | |
120 "max-age=3488923 includesubdomain", | |
121 &expiry, &include_subdomains)); | |
122 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923includesubdomains", | |
123 &expiry, &include_subdomains)); | |
124 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923=includesubdomains", | |
125 &expiry, &include_subdomains)); | |
126 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 includesubdomainx", | |
127 &expiry, &include_subdomains)); | |
128 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 includesubdomain=", | |
129 &expiry, &include_subdomains)); | |
130 EXPECT_FALSE(ParseHSTSHeader(now, | |
131 "max-age=3488923 includesubdomain=true", | |
132 &expiry, &include_subdomains)); | |
133 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 includesubdomainsx", | |
134 &expiry, &include_subdomains)); | |
135 EXPECT_FALSE(ParseHSTSHeader(now, | |
136 "max-age=3488923 includesubdomains x", | |
137 &expiry, &include_subdomains)); | |
138 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=34889.23 includesubdomains", | |
139 &expiry, &include_subdomains)); | |
140 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=34889 includesubdomains", | |
141 &expiry, &include_subdomains)); | |
142 | |
143 // Check the out args were not updated by checking the default | |
144 // values for its predictable fields. | |
145 EXPECT_EQ(now, expiry); | |
146 EXPECT_FALSE(include_subdomains); | |
147 } | |
148 | |
149 static void TestBogusPinsHeaders(HashValueTag tag) { | |
150 base::Time now = base::Time::Now(); | |
151 base::Time expiry = now; | |
152 HashValueVector hashes; | |
153 | |
154 SSLInfo ssl_info; | |
155 ssl_info.cert = | |
156 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | |
157 std::string good_pin = GetPinFromCert(ssl_info.cert, tag); | |
158 | |
159 // The backup pin is fake --- it just has to not be in the chain. | |
160 std::string backup_pin = "pin-sha1=" + | |
161 HttpUtil::Quote("6dcfXufJLW3J6S/9rRe4vUlBj5g="); | |
162 | |
163 EXPECT_FALSE(ParseHPKPHeader(now, "", ssl_info, &expiry, &hashes)); | |
164 EXPECT_FALSE(ParseHPKPHeader(now, " ", ssl_info, &expiry, &hashes)); | |
165 EXPECT_FALSE(ParseHPKPHeader(now, "abc", ssl_info, &expiry, &hashes)); | |
166 EXPECT_FALSE(ParseHPKPHeader(now, " abc", ssl_info, &expiry, &hashes)); | |
167 EXPECT_FALSE(ParseHPKPHeader(now, " abc ", ssl_info, &expiry, &hashes)); | |
168 EXPECT_FALSE(ParseHPKPHeader(now, "max-age", ssl_info, &expiry, &hashes)); | |
169 EXPECT_FALSE(ParseHPKPHeader(now, " max-age", ssl_info, &expiry, &hashes)); | |
170 EXPECT_FALSE(ParseHPKPHeader(now, " max-age ", ssl_info, &expiry, | |
171 &hashes)); | |
172 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=", ssl_info, &expiry, &hashes)); | |
173 EXPECT_FALSE(ParseHPKPHeader(now, " max-age=", ssl_info, &expiry, | |
174 &hashes)); | |
175 EXPECT_FALSE(ParseHPKPHeader(now, " max-age =", ssl_info, &expiry, | |
176 &hashes)); | |
177 EXPECT_FALSE(ParseHPKPHeader(now, " max-age= ", ssl_info, &expiry, | |
178 &hashes)); | |
179 EXPECT_FALSE(ParseHPKPHeader(now, " max-age = ", ssl_info, &expiry, | |
180 &hashes)); | |
181 EXPECT_FALSE(ParseHPKPHeader(now, " max-age = xy", ssl_info, | |
182 &expiry, &hashes)); | |
183 EXPECT_FALSE(ParseHPKPHeader(now, | |
184 " max-age = 3488a923", | |
185 ssl_info, &expiry, &hashes)); | |
186 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=3488a923 ", ssl_info, &expiry, | |
187 &hashes)); | |
188 EXPECT_FALSE(ParseHPKPHeader(now, | |
189 "max-ag=3488923pins=" + good_pin + "," + | |
190 backup_pin, | |
191 ssl_info, &expiry, &hashes)); | |
192 EXPECT_FALSE(ParseHPKPHeader(now, "max-aged=3488923" + backup_pin, | |
193 ssl_info, &expiry, &hashes)); | |
194 EXPECT_FALSE(ParseHPKPHeader(now, "max-aged=3488923; " + backup_pin, | |
195 ssl_info, &expiry, &hashes)); | |
196 EXPECT_FALSE(ParseHPKPHeader(now, | |
197 "max-aged=3488923; " + backup_pin + ";" + | |
198 backup_pin, | |
199 ssl_info, &expiry, &hashes)); | |
200 EXPECT_FALSE(ParseHPKPHeader(now, | |
201 "max-aged=3488923; " + good_pin + ";" + | |
202 good_pin, | |
203 ssl_info, &expiry, &hashes)); | |
204 EXPECT_FALSE(ParseHPKPHeader(now, "max-aged=3488923; " + good_pin, | |
205 ssl_info, &expiry, &hashes)); | |
206 EXPECT_FALSE(ParseHPKPHeader(now, "max-age==3488923", ssl_info, &expiry, | |
207 &hashes)); | |
208 EXPECT_FALSE(ParseHPKPHeader(now, "amax-age=3488923", ssl_info, &expiry, | |
209 &hashes)); | |
210 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=-3488923", ssl_info, &expiry, | |
211 &hashes)); | |
212 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=3488923;", ssl_info, &expiry, | |
213 &hashes)); | |
214 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=3488923 e", ssl_info, | |
215 &expiry, &hashes)); | |
216 EXPECT_FALSE(ParseHPKPHeader(now, | |
217 "max-age=3488923 includesubdomain", | |
218 ssl_info, &expiry, &hashes)); | |
219 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=34889.23", ssl_info, &expiry, | |
220 &hashes)); | |
221 | |
222 // Check the out args were not updated by checking the default | |
223 // values for its predictable fields. | |
224 EXPECT_EQ(now, expiry); | |
225 EXPECT_EQ(hashes.size(), (size_t)0); | |
226 } | |
227 | |
228 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { | |
229 base::Time now = base::Time::Now(); | |
230 base::Time expiry = now; | |
231 base::Time expect_expiry = now; | |
232 bool include_subdomains = false; | |
233 | |
234 EXPECT_TRUE(ParseHSTSHeader(now, "max-age=243", &expiry, | |
235 &include_subdomains)); | |
236 expect_expiry = now + base::TimeDelta::FromSeconds(243); | |
237 EXPECT_EQ(expect_expiry, expiry); | |
238 EXPECT_FALSE(include_subdomains); | |
239 | |
240 EXPECT_TRUE(ParseHSTSHeader(now, " Max-agE = 567", &expiry, | |
241 &include_subdomains)); | |
242 expect_expiry = now + base::TimeDelta::FromSeconds(567); | |
243 EXPECT_EQ(expect_expiry, expiry); | |
244 EXPECT_FALSE(include_subdomains); | |
245 | |
246 EXPECT_TRUE(ParseHSTSHeader(now, " mAx-aGe = 890 ", &expiry, | |
247 &include_subdomains)); | |
248 expect_expiry = now + base::TimeDelta::FromSeconds(890); | |
249 EXPECT_EQ(expect_expiry, expiry); | |
250 EXPECT_FALSE(include_subdomains); | |
251 | |
252 EXPECT_TRUE(ParseHSTSHeader(now, "max-age=123;incLudesUbdOmains", &expiry, | |
253 &include_subdomains)); | |
254 expect_expiry = now + base::TimeDelta::FromSeconds(123); | |
255 EXPECT_EQ(expect_expiry, expiry); | |
256 EXPECT_TRUE(include_subdomains); | |
257 | |
258 EXPECT_TRUE(ParseHSTSHeader(now, "incLudesUbdOmains; max-age=123", &expiry, | |
259 &include_subdomains)); | |
260 expect_expiry = now + base::TimeDelta::FromSeconds(123); | |
261 EXPECT_EQ(expect_expiry, expiry); | |
262 EXPECT_TRUE(include_subdomains); | |
263 | |
264 EXPECT_TRUE(ParseHSTSHeader(now, " incLudesUbdOmains; max-age=123", | |
265 &expiry, &include_subdomains)); | |
266 expect_expiry = now + base::TimeDelta::FromSeconds(123); | |
267 EXPECT_EQ(expect_expiry, expiry); | |
268 EXPECT_TRUE(include_subdomains); | |
269 | |
270 EXPECT_TRUE(ParseHSTSHeader(now, | |
271 " incLudesUbdOmains; max-age=123; pumpkin=kitten", &expiry, | |
272 &include_subdomains)); | |
273 expect_expiry = now + base::TimeDelta::FromSeconds(123); | |
274 EXPECT_EQ(expect_expiry, expiry); | |
275 EXPECT_TRUE(include_subdomains); | |
276 | |
277 EXPECT_TRUE(ParseHSTSHeader(now, | |
278 " pumpkin=894; incLudesUbdOmains; max-age=123 ", &expiry, | |
279 &include_subdomains)); | |
280 expect_expiry = now + base::TimeDelta::FromSeconds(123); | |
281 EXPECT_EQ(expect_expiry, expiry); | |
282 EXPECT_TRUE(include_subdomains); | |
283 | |
284 EXPECT_TRUE(ParseHSTSHeader(now, | |
285 " pumpkin; incLudesUbdOmains; max-age=123 ", &expiry, | |
286 &include_subdomains)); | |
287 expect_expiry = now + base::TimeDelta::FromSeconds(123); | |
288 EXPECT_EQ(expect_expiry, expiry); | |
289 EXPECT_TRUE(include_subdomains); | |
290 | |
291 EXPECT_TRUE(ParseHSTSHeader(now, | |
292 " pumpkin; incLudesUbdOmains; max-age=\"123\" ", &expiry, | |
293 &include_subdomains)); | |
294 expect_expiry = now + base::TimeDelta::FromSeconds(123); | |
295 EXPECT_EQ(expect_expiry, expiry); | |
296 EXPECT_TRUE(include_subdomains); | |
297 | |
298 EXPECT_TRUE(ParseHSTSHeader(now, | |
299 "animal=\"squirrel; distinguished\"; incLudesUbdOmains; max-age=123", | |
300 &expiry, &include_subdomains)); | |
301 expect_expiry = now + base::TimeDelta::FromSeconds(123); | |
302 EXPECT_EQ(expect_expiry, expiry); | |
303 EXPECT_TRUE(include_subdomains); | |
304 | |
305 EXPECT_TRUE(ParseHSTSHeader(now, "max-age=394082; incLudesUbdOmains", | |
306 &expiry, &include_subdomains)); | |
307 expect_expiry = now + base::TimeDelta::FromSeconds(394082); | |
308 EXPECT_EQ(expect_expiry, expiry); | |
309 EXPECT_TRUE(include_subdomains); | |
310 | |
311 EXPECT_TRUE(ParseHSTSHeader( | |
312 now, "max-age=39408299 ;incLudesUbdOmains", &expiry, | |
313 &include_subdomains)); | |
314 expect_expiry = now + base::TimeDelta::FromSeconds( | |
315 std::min(kMaxHSTSAgeSecs, (int64)39408299l)); | |
316 EXPECT_EQ(expect_expiry, expiry); | |
317 EXPECT_TRUE(include_subdomains); | |
318 | |
319 EXPECT_TRUE(ParseHSTSHeader( | |
320 now, "max-age=394082038 ; incLudesUbdOmains", &expiry, | |
321 &include_subdomains)); | |
322 expect_expiry = now + base::TimeDelta::FromSeconds( | |
323 std::min(kMaxHSTSAgeSecs, (int64)394082038l)); | |
324 EXPECT_EQ(expect_expiry, expiry); | |
325 EXPECT_TRUE(include_subdomains); | |
326 | |
327 EXPECT_TRUE(ParseHSTSHeader( | |
328 now, " max-age=0 ; incLudesUbdOmains ", &expiry, | |
329 &include_subdomains)); | |
330 expect_expiry = now + base::TimeDelta::FromSeconds(0); | |
331 EXPECT_EQ(expect_expiry, expiry); | |
332 EXPECT_TRUE(include_subdomains); | |
333 | |
334 EXPECT_TRUE(ParseHSTSHeader( | |
335 now, | |
336 " max-age=999999999999999999999999999999999999999999999 ;" | |
337 " incLudesUbdOmains ", &expiry, &include_subdomains)); | |
338 expect_expiry = now + base::TimeDelta::FromSeconds( | |
339 kMaxHSTSAgeSecs); | |
340 EXPECT_EQ(expect_expiry, expiry); | |
341 EXPECT_TRUE(include_subdomains); | |
342 } | |
343 | |
344 static void TestValidPinsHeaders(HashValueTag tag) { | |
345 base::Time now = base::Time::Now(); | |
346 base::Time expiry = now; | |
347 base::Time expect_expiry = now; | |
348 HashValueVector hashes; | |
349 | |
350 // Set up a realistic SSLInfo with a realistic cert chain. | |
351 FilePath certs_dir = GetTestCertsDirectory(); | |
352 scoped_refptr<X509Certificate> ee_cert = | |
353 ImportCertFromFile(certs_dir, | |
354 "2048-rsa-ee-by-2048-rsa-intermediate.pem"); | |
355 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); | |
356 scoped_refptr<X509Certificate> intermediate = | |
357 ImportCertFromFile(certs_dir, "2048-rsa-intermediate.pem"); | |
358 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate); | |
359 X509Certificate::OSCertHandles intermediates; | |
360 intermediates.push_back(intermediate->os_cert_handle()); | |
361 SSLInfo ssl_info; | |
362 ssl_info.cert = X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | |
363 intermediates); | |
364 | |
365 // Add the root that signed the intermediate for this test. | |
366 scoped_refptr<X509Certificate> root_cert = | |
367 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); | |
368 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | |
369 ScopedTestRoot scoped_root(root_cert); | |
370 | |
371 // Verify has the side-effect of populating public_key_hashes, which | |
372 // ParsePinsHeader needs. (It wants to check pins against the validated | |
373 // chain, not just the presented chain.) | |
374 int rv = ERR_FAILED; | |
375 CertVerifyResult result; | |
376 scoped_ptr<CertVerifier> verifier(CertVerifier::CreateDefault()); | |
Ryan Sleevi
2012/10/29 09:01:24
There's no need to use a real CertVerifier - ergo,
unsafe
2012/10/29 22:30:55
This code is needed to setup the ssl_info, isn't i
Ryan Sleevi
2012/10/29 23:46:25
I believe TSS_unittest is excluded from compilatio
| |
377 TestCompletionCallback callback; | |
378 CertVerifier::RequestHandle handle = NULL; | |
379 rv = verifier->Verify(ssl_info.cert, "127.0.0.1", 0, NULL, &result, | |
380 callback.callback(), &handle, BoundNetLog()); | |
381 rv = callback.GetResult(rv); | |
382 ASSERT_EQ(OK, rv); | |
383 // Normally, ssl_client_socket_nss would do this, but for a unit test we | |
384 // fake it. | |
385 ssl_info.public_key_hashes = result.public_key_hashes; | |
386 std::string good_pin = GetPinFromCert(ssl_info.cert, /*tag*/HASH_VALUE_SHA1); | |
Ryan Sleevi
2012/10/29 09:01:24
style nit: Don't do this (/*tag*/)
BUG? You don't
unsafe
2012/10/29 22:30:55
Fixed (pre-existing).
Ryan Sleevi
2012/10/29 23:46:25
Dang. On the upside, spotting all these pre-existi
| |
387 DLOG(WARNING) << "good pin: " << good_pin; | |
388 | |
389 // The backup pin is fake --- we just need an SPKI hash that does not match | |
390 // the hash of any SPKI in the certificate chain. | |
391 std::string backup_pin = "pin-sha1=" + | |
392 HttpUtil::Quote("6dcfXufJLW3J6S/9rRe4vUlBj5g="); | |
Ryan Sleevi
2012/10/29 09:01:24
There is no need to construct this as a string wit
unsafe
2012/10/29 22:30:55
Fixed - changed to string literals (preexisting)..
| |
393 | |
394 EXPECT_TRUE(ParseHPKPHeader( | |
395 now, | |
396 "max-age=243; " + good_pin + ";" + backup_pin, | |
397 ssl_info, &expiry, &hashes)); | |
398 expect_expiry = now + base::TimeDelta::FromSeconds(243); | |
399 EXPECT_EQ(expect_expiry, expiry); | |
400 | |
401 EXPECT_TRUE(ParseHPKPHeader( | |
402 now, | |
403 " " + good_pin + "; " + backup_pin + " ; Max-agE = 567", | |
404 ssl_info, &expiry, &hashes)); | |
405 expect_expiry = now + base::TimeDelta::FromSeconds(567); | |
406 EXPECT_EQ(expect_expiry, expiry); | |
407 | |
408 EXPECT_TRUE(ParseHPKPHeader( | |
409 now, | |
410 good_pin + ";" + backup_pin + " ; mAx-aGe = 890 ", | |
411 ssl_info, &expiry, &hashes)); | |
412 expect_expiry = now + base::TimeDelta::FromSeconds(890); | |
413 EXPECT_EQ(expect_expiry, expiry); | |
414 | |
415 EXPECT_TRUE(ParseHPKPHeader( | |
416 now, | |
417 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", | |
418 ssl_info, &expiry, &hashes)); | |
419 expect_expiry = now + base::TimeDelta::FromSeconds(123); | |
420 EXPECT_EQ(expect_expiry, expiry); | |
421 | |
422 EXPECT_TRUE(ParseHPKPHeader( | |
423 now, | |
424 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", | |
425 ssl_info, &expiry, &hashes)); | |
426 expect_expiry = now + base::TimeDelta::FromSeconds(394082); | |
427 EXPECT_EQ(expect_expiry, expiry); | |
428 | |
429 EXPECT_TRUE(ParseHPKPHeader( | |
430 now, | |
431 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", | |
432 ssl_info, &expiry, &hashes)); | |
433 expect_expiry = now + base::TimeDelta::FromSeconds( | |
434 std::min(kMaxHSTSAgeSecs, (int64)39408299l)); | |
Ryan Sleevi
2012/10/29 09:01:24
BUG: Do not create int64 constants like this. They
unsafe
2012/10/29 22:30:55
Fixed.
| |
435 EXPECT_EQ(expect_expiry, expiry); | |
436 | |
437 EXPECT_TRUE(ParseHPKPHeader( | |
438 now, | |
439 "max-age=39408038 ; cybers=39408038 ; " + | |
440 good_pin + ";" + backup_pin + "; ", | |
441 ssl_info, &expiry, &hashes)); | |
442 expect_expiry = now + base::TimeDelta::FromSeconds( | |
443 std::min(kMaxHSTSAgeSecs, (int64)394082038l)); | |
444 EXPECT_EQ(expect_expiry, expiry); | |
445 | |
446 EXPECT_TRUE(ParseHPKPHeader( | |
447 now, | |
448 " max-age=0 ; " + good_pin + ";" + backup_pin, | |
449 ssl_info, &expiry, &hashes)); | |
450 expect_expiry = now + base::TimeDelta::FromSeconds(0); | |
451 EXPECT_EQ(expect_expiry, expiry); | |
452 | |
453 EXPECT_TRUE(ParseHPKPHeader( | |
454 now, | |
455 " max-age=999999999999999999999999999999999999999999999 ; " + | |
456 backup_pin + ";" + good_pin + "; ", | |
457 ssl_info, &expiry, &hashes)); | |
458 expect_expiry = now + | |
459 base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | |
460 EXPECT_EQ(expect_expiry, expiry); | |
461 } | |
462 | |
463 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { | |
464 TestBogusPinsHeaders(HASH_VALUE_SHA1); | |
465 } | |
466 | |
467 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { | |
468 TestBogusPinsHeaders(HASH_VALUE_SHA256); | |
469 } | |
470 | |
471 TEST_F(HttpSecurityHeadersTest, ValidPinsHeadersSHA1) { | |
472 TestValidPinsHeaders(HASH_VALUE_SHA1); | |
473 } | |
474 | |
475 TEST_F(HttpSecurityHeadersTest, ValidPinsHeadersSHA256) { | |
476 TestValidPinsHeaders(HASH_VALUE_SHA256); | |
477 } | |
478 }; | |
OLD | NEW |