OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 196 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
207 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); | 207 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); |
208 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); | 208 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); |
209 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); | 209 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); |
210 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); | 210 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); |
211 } | 211 } |
212 | 212 |
213 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule | 213 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule |
214 // with it, regardless of the includeSubDomains bit. This is a regression test | 214 // with it, regardless of the includeSubDomains bit. This is a regression test |
215 // for https://crbug.com/469957. | 215 // for https://crbug.com/469957. |
216 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { | 216 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
217 static const char kReportUri[] = "http://example.com/test"; | |
218 std::string report_uri(kReportUri); | |
219 | |
217 TransportSecurityState state; | 220 TransportSecurityState state; |
218 const base::Time current_time(base::Time::Now()); | 221 const base::Time current_time(base::Time::Now()); |
219 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 222 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
220 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 223 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
221 | 224 |
222 state.AddHSTS("example1.test", expiry, true); | 225 state.AddHSTS("example1.test", expiry, true); |
223 state.AddHSTS("foo.example1.test", expiry, false); | 226 state.AddHSTS("foo.example1.test", expiry, false); |
224 | 227 |
225 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 228 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
226 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes()); | 229 report_uri); |
davidben
2015/07/15 22:21:07
Does passing kReportUri in here not work? I would
estark
2015/07/16 00:07:01
Done.
| |
230 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes(), | |
231 report_uri); | |
227 | 232 |
228 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 233 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
229 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 234 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
230 | 235 |
231 // The foo.example1.test rule overrides the example1.test rule, so | 236 // The foo.example1.test rule overrides the example1.test rule, so |
232 // bar.foo.example1.test has no HSTS state. | 237 // bar.foo.example1.test has no HSTS state. |
233 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 238 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
234 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 239 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
235 | 240 |
236 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 241 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
237 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 242 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
238 | 243 |
239 // The foo.example2.test rule overrides the example1.test rule, so | 244 // The foo.example2.test rule overrides the example1.test rule, so |
240 // bar.foo.example2.test has no HPKP state. | 245 // bar.foo.example2.test has no HPKP state. |
241 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); | 246 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); |
242 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 247 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
243 | 248 |
244 // Expire the foo.example*.test rules. | 249 // Expire the foo.example*.test rules. |
245 state.AddHSTS("foo.example1.test", older, false); | 250 state.AddHSTS("foo.example1.test", older, false); |
246 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes()); | 251 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes(), |
252 report_uri); | |
247 | 253 |
248 // Now the base example*.test rules apply to bar.foo.example*.test. | 254 // Now the base example*.test rules apply to bar.foo.example*.test. |
249 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 255 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
250 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 256 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
251 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); | 257 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); |
252 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 258 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
253 } | 259 } |
254 | 260 |
255 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { | 261 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { |
262 static const char kReportUri[] = "http://example.com/test"; | |
263 std::string report_uri(kReportUri); | |
264 | |
256 TransportSecurityState state; | 265 TransportSecurityState state; |
257 const base::Time current_time(base::Time::Now()); | 266 const base::Time current_time(base::Time::Now()); |
258 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 267 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
259 | 268 |
260 state.AddHSTS("example1.test", expiry, false); | 269 state.AddHSTS("example1.test", expiry, false); |
261 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 270 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
271 report_uri); | |
262 | 272 |
263 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. | 273 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. |
264 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); | 274 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); |
265 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); | 275 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); |
266 } | 276 } |
267 | 277 |
268 // Tests that HPKP and HSTS state both expire. Also tests that expired entries | 278 // Tests that HPKP and HSTS state both expire. Also tests that expired entries |
269 // are pruned. | 279 // are pruned. |
270 TEST_F(TransportSecurityStateTest, Expiration) { | 280 TEST_F(TransportSecurityStateTest, Expiration) { |
281 static const char kReportUri[] = "http://example.com/test"; | |
282 std::string report_uri(kReportUri); | |
283 | |
271 TransportSecurityState state; | 284 TransportSecurityState state; |
272 const base::Time current_time(base::Time::Now()); | 285 const base::Time current_time(base::Time::Now()); |
273 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 286 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
274 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 287 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
275 | 288 |
276 // Note: this test assumes that inserting an entry with an expiration time in | 289 // Note: this test assumes that inserting an entry with an expiration time in |
277 // the past works and is pruned on query. | 290 // the past works and is pruned on query. |
278 state.AddHSTS("example1.test", older, false); | 291 state.AddHSTS("example1.test", older, false); |
279 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
280 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 293 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
281 // Querying |state| for a domain should flush out expired entries. | 294 // Querying |state| for a domain should flush out expired entries. |
282 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 295 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
283 | 296 |
284 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 297 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
298 report_uri); | |
285 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 299 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
286 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 300 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
287 // Querying |state| for a domain should flush out expired entries. | 301 // Querying |state| for a domain should flush out expired entries. |
288 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 302 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
289 | 303 |
290 state.AddHSTS("example1.test", older, false); | 304 state.AddHSTS("example1.test", older, false); |
291 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 305 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
306 report_uri); | |
292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 307 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
293 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 308 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
294 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); | 309 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); |
295 // Querying |state| for a domain should flush out expired entries. | 310 // Querying |state| for a domain should flush out expired entries. |
296 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 311 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
297 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 312 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
298 | 313 |
299 // Test that HSTS can outlive HPKP. | 314 // Test that HSTS can outlive HPKP. |
300 state.AddHSTS("example1.test", expiry, false); | 315 state.AddHSTS("example1.test", expiry, false); |
301 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 316 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
317 report_uri); | |
302 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 318 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
303 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 319 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
304 | 320 |
305 // Test that HPKP can outlive HSTS. | 321 // Test that HPKP can outlive HSTS. |
306 state.AddHSTS("example2.test", older, false); | 322 state.AddHSTS("example2.test", older, false); |
307 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 323 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
324 report_uri); | |
308 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 325 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
309 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 326 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
310 } | 327 } |
311 | 328 |
312 TEST_F(TransportSecurityStateTest, InvalidDomains) { | 329 TEST_F(TransportSecurityStateTest, InvalidDomains) { |
313 TransportSecurityState state; | 330 TransportSecurityState state; |
314 const base::Time current_time(base::Time::Now()); | 331 const base::Time current_time(base::Time::Now()); |
315 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 332 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
316 | 333 |
317 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); | 334 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); |
318 bool include_subdomains = true; | 335 bool include_subdomains = true; |
319 state.AddHSTS("example.test", expiry, include_subdomains); | 336 state.AddHSTS("example.test", expiry, include_subdomains); |
320 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); | 337 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); |
321 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); | 338 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); |
322 } | 339 } |
323 | 340 |
324 // Tests that HPKP and HSTS state are queried independently for subdomain | 341 // Tests that HPKP and HSTS state are queried independently for subdomain |
325 // matches. | 342 // matches. |
326 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { | 343 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { |
344 static const char kReportUri[] = "http://example.com/test"; | |
345 std::string report_uri(kReportUri); | |
346 | |
327 TransportSecurityState state; | 347 TransportSecurityState state; |
328 const base::Time current_time(base::Time::Now()); | 348 const base::Time current_time(base::Time::Now()); |
329 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 349 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
330 | 350 |
331 state.AddHSTS("example1.test", expiry, true); | 351 state.AddHSTS("example1.test", expiry, true); |
332 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes()); | 352 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes(), |
353 report_uri); | |
333 | 354 |
334 state.AddHSTS("example2.test", expiry, false); | 355 state.AddHSTS("example2.test", expiry, false); |
335 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 356 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
357 report_uri); | |
336 | 358 |
337 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 359 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
338 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); | 360 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); |
339 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); | 361 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); |
340 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 362 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
341 } | 363 } |
342 | 364 |
343 // Tests that HPKP and HSTS state are inserted and overridden independently. | 365 // Tests that HPKP and HSTS state are inserted and overridden independently. |
344 TEST_F(TransportSecurityStateTest, IndependentInsertion) { | 366 TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
367 static const char kReportUri[] = "http://example.com/test"; | |
368 std::string report_uri(kReportUri); | |
369 | |
345 TransportSecurityState state; | 370 TransportSecurityState state; |
346 const base::Time current_time(base::Time::Now()); | 371 const base::Time current_time(base::Time::Now()); |
347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 372 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
348 | 373 |
349 // Place an includeSubdomains HSTS entry below a normal HPKP entry. | 374 // Place an includeSubdomains HSTS entry below a normal HPKP entry. |
350 state.AddHSTS("example1.test", expiry, true); | 375 state.AddHSTS("example1.test", expiry, true); |
351 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes()); | 376 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes(), |
377 report_uri); | |
352 | 378 |
353 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 379 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
354 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 380 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
355 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 381 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
356 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 382 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
357 | 383 |
358 // Drop the includeSubdomains from the HSTS entry. | 384 // Drop the includeSubdomains from the HSTS entry. |
359 state.AddHSTS("example1.test", expiry, false); | 385 state.AddHSTS("example1.test", expiry, false); |
360 | 386 |
361 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); | 387 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); |
362 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 388 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
363 | 389 |
364 // Place an includeSubdomains HPKP entry below a normal HSTS entry. | 390 // Place an includeSubdomains HPKP entry below a normal HSTS entry. |
365 state.AddHSTS("foo.example2.test", expiry, false); | 391 state.AddHSTS("foo.example2.test", expiry, false); |
366 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 392 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
393 report_uri); | |
367 | 394 |
368 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 395 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
369 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 396 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
370 | 397 |
371 // Drop the includeSubdomains from the HSTS entry. | 398 // Drop the includeSubdomains from the HSTS entry. |
372 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 399 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
400 report_uri); | |
373 | 401 |
374 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 402 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
375 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); | 403 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); |
376 } | 404 } |
377 | 405 |
378 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the | 406 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the |
379 // states are not mixed together. | 407 // states are not mixed together. |
380 TEST_F(TransportSecurityStateTest, DynamicDomainState) { | 408 TEST_F(TransportSecurityStateTest, DynamicDomainState) { |
409 static const char kReportUri[] = "http://example.com/test"; | |
410 std::string report_uri(kReportUri); | |
411 | |
381 TransportSecurityState state; | 412 TransportSecurityState state; |
382 const base::Time current_time(base::Time::Now()); | 413 const base::Time current_time(base::Time::Now()); |
383 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); | 414 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); |
384 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); | 415 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); |
385 | 416 |
386 state.AddHSTS("example.com", expiry1, true); | 417 state.AddHSTS("example.com", expiry1, true); |
387 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes()); | 418 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes(), |
419 report_uri); | |
388 | 420 |
389 TransportSecurityState::STSState sts_state; | 421 TransportSecurityState::STSState sts_state; |
390 TransportSecurityState::PKPState pkp_state; | 422 TransportSecurityState::PKPState pkp_state; |
391 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); | 423 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); |
392 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 424 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
393 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); | 425 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); |
394 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); | 426 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); |
395 EXPECT_TRUE(sts_state.include_subdomains); | 427 EXPECT_TRUE(sts_state.include_subdomains); |
396 EXPECT_FALSE(pkp_state.include_subdomains); | 428 EXPECT_FALSE(pkp_state.include_subdomains); |
397 EXPECT_EQ(expiry1, sts_state.expiry); | 429 EXPECT_EQ(expiry1, sts_state.expiry); |
398 EXPECT_EQ(expiry2, pkp_state.expiry); | 430 EXPECT_EQ(expiry2, pkp_state.expiry); |
399 EXPECT_EQ("example.com", sts_state.domain); | 431 EXPECT_EQ("example.com", sts_state.domain); |
400 EXPECT_EQ("foo.example.com", pkp_state.domain); | 432 EXPECT_EQ("foo.example.com", pkp_state.domain); |
401 } | 433 } |
402 | 434 |
403 // Tests that new pins always override previous pins. This should be true for | 435 // Tests that new pins always override previous pins. This should be true for |
404 // both pins at the same domain or includeSubdomains pins at a parent domain. | 436 // both pins at the same domain or includeSubdomains pins at a parent domain. |
405 TEST_F(TransportSecurityStateTest, NewPinsOverride) { | 437 TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
438 static const char kReportUri[] = "http://example.com/test"; | |
439 std::string report_uri(kReportUri); | |
440 | |
406 TransportSecurityState state; | 441 TransportSecurityState state; |
407 TransportSecurityState::PKPState pkp_state; | 442 TransportSecurityState::PKPState pkp_state; |
408 const base::Time current_time(base::Time::Now()); | 443 const base::Time current_time(base::Time::Now()); |
409 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 444 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
410 HashValue hash1(HASH_VALUE_SHA1); | 445 HashValue hash1(HASH_VALUE_SHA1); |
411 memset(hash1.data(), 0x01, hash1.size()); | 446 memset(hash1.data(), 0x01, hash1.size()); |
412 HashValue hash2(HASH_VALUE_SHA1); | 447 HashValue hash2(HASH_VALUE_SHA1); |
413 memset(hash2.data(), 0x02, hash1.size()); | 448 memset(hash2.data(), 0x02, hash1.size()); |
414 HashValue hash3(HASH_VALUE_SHA1); | 449 HashValue hash3(HASH_VALUE_SHA1); |
415 memset(hash3.data(), 0x03, hash1.size()); | 450 memset(hash3.data(), 0x03, hash1.size()); |
416 | 451 |
417 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1)); | 452 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1), |
453 report_uri); | |
418 | 454 |
419 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 455 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
420 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 456 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
421 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); | 457 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); |
422 | 458 |
423 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2)); | 459 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2), |
460 report_uri); | |
424 | 461 |
425 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 462 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
426 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 463 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
427 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); | 464 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); |
428 | 465 |
429 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3)); | 466 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), |
467 report_uri); | |
430 | 468 |
431 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 469 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
432 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 470 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
433 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); | 471 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); |
434 } | 472 } |
435 | 473 |
436 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 474 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
437 TransportSecurityState state; | 475 TransportSecurityState state; |
438 const base::Time current_time(base::Time::Now()); | 476 const base::Time current_time(base::Time::Now()); |
439 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 477 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
440 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 478 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
441 | 479 |
442 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 480 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
443 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 481 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
444 bool include_subdomains = false; | 482 bool include_subdomains = false; |
445 state.AddHSTS("example.com", expiry, include_subdomains); | 483 state.AddHSTS("example.com", expiry, include_subdomains); |
446 state.AddHPKP("example.com", expiry, include_subdomains, | 484 state.AddHPKP("example.com", expiry, include_subdomains, |
447 GetSampleSPKIHashes()); | 485 GetSampleSPKIHashes(), std::string()); |
448 | 486 |
449 state.DeleteAllDynamicDataSince(expiry); | 487 state.DeleteAllDynamicDataSince(expiry); |
450 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); | 488 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
451 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 489 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
452 state.DeleteAllDynamicDataSince(older); | 490 state.DeleteAllDynamicDataSince(older); |
453 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 491 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
454 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 492 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
455 | 493 |
456 // STS and PKP data in |state| should be empty now. | 494 // STS and PKP data in |state| should be empty now. |
457 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 495 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
458 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 496 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
459 } | 497 } |
460 | 498 |
461 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 499 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
462 TransportSecurityState state; | 500 TransportSecurityState state; |
463 const base::Time current_time(base::Time::Now()); | 501 const base::Time current_time(base::Time::Now()); |
464 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 502 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
465 bool include_subdomains = false; | 503 bool include_subdomains = false; |
466 | 504 |
467 state.AddHSTS("example1.test", expiry, include_subdomains); | 505 state.AddHSTS("example1.test", expiry, include_subdomains); |
468 state.AddHPKP("example1.test", expiry, include_subdomains, | 506 state.AddHPKP("example1.test", expiry, include_subdomains, |
469 GetSampleSPKIHashes()); | 507 GetSampleSPKIHashes(), std::string()); |
470 | 508 |
471 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 509 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 510 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
473 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); | 511 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); |
474 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); | 512 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); |
475 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); | 513 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); |
476 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 514 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
477 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 515 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
478 } | 516 } |
479 | 517 |
(...skipping 596 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1076 // These hosts used to only be HSTS when SNI was available. | 1114 // These hosts used to only be HSTS when SNI was available. |
1077 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1115 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1078 "gmail.com")); | 1116 "gmail.com")); |
1079 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1117 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1080 "googlegroups.com")); | 1118 "googlegroups.com")); |
1081 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1119 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1082 "www.googlegroups.com")); | 1120 "www.googlegroups.com")); |
1083 } | 1121 } |
1084 | 1122 |
1085 } // namespace net | 1123 } // namespace net |
OLD | NEW |