| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 17 matching lines...) Expand all Loading... |
| 28 #include "net/ssl/ssl_info.h" | 28 #include "net/ssl/ssl_info.h" |
| 29 #include "net/test/cert_test_util.h" | 29 #include "net/test/cert_test_util.h" |
| 30 #include "testing/gtest/include/gtest/gtest.h" | 30 #include "testing/gtest/include/gtest/gtest.h" |
| 31 | 31 |
| 32 #if defined(USE_OPENSSL) | 32 #if defined(USE_OPENSSL) |
| 33 #include "crypto/openssl_util.h" | 33 #include "crypto/openssl_util.h" |
| 34 #else | 34 #else |
| 35 #include "crypto/nss_util.h" | 35 #include "crypto/nss_util.h" |
| 36 #endif | 36 #endif |
| 37 | 37 |
| 38 namespace { |
| 39 |
| 40 const char kReportUri[] = "http://example.test/test"; |
| 41 |
| 42 } // namespace |
| 43 |
| 38 namespace net { | 44 namespace net { |
| 39 | 45 |
| 40 class TransportSecurityStateTest : public testing::Test { | 46 class TransportSecurityStateTest : public testing::Test { |
| 41 public: | 47 public: |
| 42 void SetUp() override { | 48 void SetUp() override { |
| 43 #if defined(USE_OPENSSL) | 49 #if defined(USE_OPENSSL) |
| 44 crypto::EnsureOpenSSLInit(); | 50 crypto::EnsureOpenSSLInit(); |
| 45 #else | 51 #else |
| 46 crypto::EnsureNSSInit(); | 52 crypto::EnsureNSSInit(); |
| 47 #endif | 53 #endif |
| (...skipping 167 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 215 // for https://crbug.com/469957. | 221 // for https://crbug.com/469957. |
| 216 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { | 222 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
| 217 TransportSecurityState state; | 223 TransportSecurityState state; |
| 218 const base::Time current_time(base::Time::Now()); | 224 const base::Time current_time(base::Time::Now()); |
| 219 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 225 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 220 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 226 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 221 | 227 |
| 222 state.AddHSTS("example1.test", expiry, true); | 228 state.AddHSTS("example1.test", expiry, true); |
| 223 state.AddHSTS("foo.example1.test", expiry, false); | 229 state.AddHSTS("foo.example1.test", expiry, false); |
| 224 | 230 |
| 225 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 231 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| 226 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes()); | 232 kReportUri); |
| 233 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes(), |
| 234 kReportUri); |
| 227 | 235 |
| 228 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 236 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 229 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 237 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 230 | 238 |
| 231 // The foo.example1.test rule overrides the example1.test rule, so | 239 // The foo.example1.test rule overrides the example1.test rule, so |
| 232 // bar.foo.example1.test has no HSTS state. | 240 // bar.foo.example1.test has no HSTS state. |
| 233 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 241 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
| 234 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 242 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
| 235 | 243 |
| 236 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 244 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
| 237 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 245 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| 238 | 246 |
| 239 // The foo.example2.test rule overrides the example1.test rule, so | 247 // The foo.example2.test rule overrides the example1.test rule, so |
| 240 // bar.foo.example2.test has no HPKP state. | 248 // bar.foo.example2.test has no HPKP state. |
| 241 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); | 249 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); |
| 242 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 250 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
| 243 | 251 |
| 244 // Expire the foo.example*.test rules. | 252 // Expire the foo.example*.test rules. |
| 245 state.AddHSTS("foo.example1.test", older, false); | 253 state.AddHSTS("foo.example1.test", older, false); |
| 246 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes()); | 254 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes(), |
| 255 kReportUri); |
| 247 | 256 |
| 248 // Now the base example*.test rules apply to bar.foo.example*.test. | 257 // Now the base example*.test rules apply to bar.foo.example*.test. |
| 249 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 258 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
| 250 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 259 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
| 251 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); | 260 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); |
| 252 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 261 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
| 253 } | 262 } |
| 254 | 263 |
| 255 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { | 264 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { |
| 256 TransportSecurityState state; | 265 TransportSecurityState state; |
| 257 const base::Time current_time(base::Time::Now()); | 266 const base::Time current_time(base::Time::Now()); |
| 258 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 267 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 259 | 268 |
| 260 state.AddHSTS("example1.test", expiry, false); | 269 state.AddHSTS("example1.test", expiry, false); |
| 261 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 270 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| 271 kReportUri); |
| 262 | 272 |
| 263 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. | 273 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. |
| 264 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); | 274 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); |
| 265 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); | 275 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); |
| 266 } | 276 } |
| 267 | 277 |
| 268 // Tests that HPKP and HSTS state both expire. Also tests that expired entries | 278 // Tests that HPKP and HSTS state both expire. Also tests that expired entries |
| 269 // are pruned. | 279 // are pruned. |
| 270 TEST_F(TransportSecurityStateTest, Expiration) { | 280 TEST_F(TransportSecurityStateTest, Expiration) { |
| 271 TransportSecurityState state; | 281 TransportSecurityState state; |
| 272 const base::Time current_time(base::Time::Now()); | 282 const base::Time current_time(base::Time::Now()); |
| 273 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 283 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 274 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 284 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 275 | 285 |
| 276 // Note: this test assumes that inserting an entry with an expiration time in | 286 // Note: this test assumes that inserting an entry with an expiration time in |
| 277 // the past works and is pruned on query. | 287 // the past works and is pruned on query. |
| 278 state.AddHSTS("example1.test", older, false); | 288 state.AddHSTS("example1.test", older, false); |
| 279 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 289 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 280 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 290 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
| 281 // Querying |state| for a domain should flush out expired entries. | 291 // Querying |state| for a domain should flush out expired entries. |
| 282 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 292 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 283 | 293 |
| 284 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 294 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| 295 kReportUri); |
| 285 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 296 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 286 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 297 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 287 // Querying |state| for a domain should flush out expired entries. | 298 // Querying |state| for a domain should flush out expired entries. |
| 288 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 299 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 289 | 300 |
| 290 state.AddHSTS("example1.test", older, false); | 301 state.AddHSTS("example1.test", older, false); |
| 291 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 302 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| 303 kReportUri); |
| 292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 304 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 293 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 305 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 294 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); | 306 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); |
| 295 // Querying |state| for a domain should flush out expired entries. | 307 // Querying |state| for a domain should flush out expired entries. |
| 296 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 308 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 297 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 309 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 298 | 310 |
| 299 // Test that HSTS can outlive HPKP. | 311 // Test that HSTS can outlive HPKP. |
| 300 state.AddHSTS("example1.test", expiry, false); | 312 state.AddHSTS("example1.test", expiry, false); |
| 301 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 313 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| 314 kReportUri); |
| 302 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 315 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 303 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 316 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 304 | 317 |
| 305 // Test that HPKP can outlive HSTS. | 318 // Test that HPKP can outlive HSTS. |
| 306 state.AddHSTS("example2.test", older, false); | 319 state.AddHSTS("example2.test", older, false); |
| 307 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 320 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| 321 kReportUri); |
| 308 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 322 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
| 309 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 323 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
| 310 } | 324 } |
| 311 | 325 |
| 312 TEST_F(TransportSecurityStateTest, InvalidDomains) { | 326 TEST_F(TransportSecurityStateTest, InvalidDomains) { |
| 313 TransportSecurityState state; | 327 TransportSecurityState state; |
| 314 const base::Time current_time(base::Time::Now()); | 328 const base::Time current_time(base::Time::Now()); |
| 315 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 329 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 316 | 330 |
| 317 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); | 331 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); |
| 318 bool include_subdomains = true; | 332 bool include_subdomains = true; |
| 319 state.AddHSTS("example.test", expiry, include_subdomains); | 333 state.AddHSTS("example.test", expiry, include_subdomains); |
| 320 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); | 334 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); |
| 321 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); | 335 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); |
| 322 } | 336 } |
| 323 | 337 |
| 324 // Tests that HPKP and HSTS state are queried independently for subdomain | 338 // Tests that HPKP and HSTS state are queried independently for subdomain |
| 325 // matches. | 339 // matches. |
| 326 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { | 340 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { |
| 327 TransportSecurityState state; | 341 TransportSecurityState state; |
| 328 const base::Time current_time(base::Time::Now()); | 342 const base::Time current_time(base::Time::Now()); |
| 329 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 343 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 330 | 344 |
| 331 state.AddHSTS("example1.test", expiry, true); | 345 state.AddHSTS("example1.test", expiry, true); |
| 332 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes()); | 346 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes(), |
| 347 kReportUri); |
| 333 | 348 |
| 334 state.AddHSTS("example2.test", expiry, false); | 349 state.AddHSTS("example2.test", expiry, false); |
| 335 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 350 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| 351 kReportUri); |
| 336 | 352 |
| 337 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 353 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 338 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); | 354 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); |
| 339 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); | 355 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| 340 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 356 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| 341 } | 357 } |
| 342 | 358 |
| 343 // Tests that HPKP and HSTS state are inserted and overridden independently. | 359 // Tests that HPKP and HSTS state are inserted and overridden independently. |
| 344 TEST_F(TransportSecurityStateTest, IndependentInsertion) { | 360 TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
| 345 TransportSecurityState state; | 361 TransportSecurityState state; |
| 346 const base::Time current_time(base::Time::Now()); | 362 const base::Time current_time(base::Time::Now()); |
| 347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 363 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 348 | 364 |
| 349 // Place an includeSubdomains HSTS entry below a normal HPKP entry. | 365 // Place an includeSubdomains HSTS entry below a normal HPKP entry. |
| 350 state.AddHSTS("example1.test", expiry, true); | 366 state.AddHSTS("example1.test", expiry, true); |
| 351 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes()); | 367 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes(), |
| 368 kReportUri); |
| 352 | 369 |
| 353 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 370 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 354 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 371 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
| 355 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 372 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 356 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 373 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 357 | 374 |
| 358 // Drop the includeSubdomains from the HSTS entry. | 375 // Drop the includeSubdomains from the HSTS entry. |
| 359 state.AddHSTS("example1.test", expiry, false); | 376 state.AddHSTS("example1.test", expiry, false); |
| 360 | 377 |
| 361 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); | 378 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 362 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 379 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
| 363 | 380 |
| 364 // Place an includeSubdomains HPKP entry below a normal HSTS entry. | 381 // Place an includeSubdomains HPKP entry below a normal HSTS entry. |
| 365 state.AddHSTS("foo.example2.test", expiry, false); | 382 state.AddHSTS("foo.example2.test", expiry, false); |
| 366 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 383 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| 384 kReportUri); |
| 367 | 385 |
| 368 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 386 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| 369 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 387 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| 370 | 388 |
| 371 // Drop the includeSubdomains from the HSTS entry. | 389 // Drop the includeSubdomains from the HSTS entry. |
| 372 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 390 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| 391 kReportUri); |
| 373 | 392 |
| 374 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 393 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| 375 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); | 394 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); |
| 376 } | 395 } |
| 377 | 396 |
| 378 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the | 397 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the |
| 379 // states are not mixed together. | 398 // states are not mixed together. |
| 380 TEST_F(TransportSecurityStateTest, DynamicDomainState) { | 399 TEST_F(TransportSecurityStateTest, DynamicDomainState) { |
| 381 TransportSecurityState state; | 400 TransportSecurityState state; |
| 382 const base::Time current_time(base::Time::Now()); | 401 const base::Time current_time(base::Time::Now()); |
| 383 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); | 402 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); |
| 384 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); | 403 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); |
| 385 | 404 |
| 386 state.AddHSTS("example.com", expiry1, true); | 405 state.AddHSTS("example.com", expiry1, true); |
| 387 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes()); | 406 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes(), |
| 407 kReportUri); |
| 388 | 408 |
| 389 TransportSecurityState::STSState sts_state; | 409 TransportSecurityState::STSState sts_state; |
| 390 TransportSecurityState::PKPState pkp_state; | 410 TransportSecurityState::PKPState pkp_state; |
| 391 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); | 411 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); |
| 392 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 412 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 393 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); | 413 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); |
| 394 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); | 414 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); |
| 395 EXPECT_TRUE(sts_state.include_subdomains); | 415 EXPECT_TRUE(sts_state.include_subdomains); |
| 396 EXPECT_FALSE(pkp_state.include_subdomains); | 416 EXPECT_FALSE(pkp_state.include_subdomains); |
| 397 EXPECT_EQ(expiry1, sts_state.expiry); | 417 EXPECT_EQ(expiry1, sts_state.expiry); |
| 398 EXPECT_EQ(expiry2, pkp_state.expiry); | 418 EXPECT_EQ(expiry2, pkp_state.expiry); |
| 399 EXPECT_EQ("example.com", sts_state.domain); | 419 EXPECT_EQ("example.com", sts_state.domain); |
| 400 EXPECT_EQ("foo.example.com", pkp_state.domain); | 420 EXPECT_EQ("foo.example.com", pkp_state.domain); |
| 401 } | 421 } |
| 402 | 422 |
| 403 // Tests that new pins always override previous pins. This should be true for | 423 // Tests that new pins always override previous pins. This should be true for |
| 404 // both pins at the same domain or includeSubdomains pins at a parent domain. | 424 // both pins at the same domain or includeSubdomains pins at a parent domain. |
| 405 TEST_F(TransportSecurityStateTest, NewPinsOverride) { | 425 TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
| 406 TransportSecurityState state; | 426 TransportSecurityState state; |
| 407 TransportSecurityState::PKPState pkp_state; | 427 TransportSecurityState::PKPState pkp_state; |
| 408 const base::Time current_time(base::Time::Now()); | 428 const base::Time current_time(base::Time::Now()); |
| 409 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 429 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 410 HashValue hash1(HASH_VALUE_SHA1); | 430 HashValue hash1(HASH_VALUE_SHA1); |
| 411 memset(hash1.data(), 0x01, hash1.size()); | 431 memset(hash1.data(), 0x01, hash1.size()); |
| 412 HashValue hash2(HASH_VALUE_SHA1); | 432 HashValue hash2(HASH_VALUE_SHA1); |
| 413 memset(hash2.data(), 0x02, hash1.size()); | 433 memset(hash2.data(), 0x02, hash1.size()); |
| 414 HashValue hash3(HASH_VALUE_SHA1); | 434 HashValue hash3(HASH_VALUE_SHA1); |
| 415 memset(hash3.data(), 0x03, hash1.size()); | 435 memset(hash3.data(), 0x03, hash1.size()); |
| 416 | 436 |
| 417 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1)); | 437 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1), |
| 438 kReportUri); |
| 418 | 439 |
| 419 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 440 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 420 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 441 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 421 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); | 442 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); |
| 422 | 443 |
| 423 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2)); | 444 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2), |
| 445 kReportUri); |
| 424 | 446 |
| 425 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 447 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 426 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 448 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 427 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); | 449 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); |
| 428 | 450 |
| 429 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3)); | 451 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), |
| 452 kReportUri); |
| 430 | 453 |
| 431 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 454 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 432 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 455 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 433 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); | 456 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); |
| 434 } | 457 } |
| 435 | 458 |
| 436 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 459 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
| 437 TransportSecurityState state; | 460 TransportSecurityState state; |
| 438 const base::Time current_time(base::Time::Now()); | 461 const base::Time current_time(base::Time::Now()); |
| 439 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 462 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 440 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 463 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 441 | 464 |
| 442 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 465 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
| 443 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 466 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 444 bool include_subdomains = false; | 467 bool include_subdomains = false; |
| 445 state.AddHSTS("example.com", expiry, include_subdomains); | 468 state.AddHSTS("example.com", expiry, include_subdomains); |
| 446 state.AddHPKP("example.com", expiry, include_subdomains, | 469 state.AddHPKP("example.com", expiry, include_subdomains, |
| 447 GetSampleSPKIHashes()); | 470 GetSampleSPKIHashes(), std::string()); |
| 448 | 471 |
| 449 state.DeleteAllDynamicDataSince(expiry); | 472 state.DeleteAllDynamicDataSince(expiry); |
| 450 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); | 473 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
| 451 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 474 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
| 452 state.DeleteAllDynamicDataSince(older); | 475 state.DeleteAllDynamicDataSince(older); |
| 453 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 476 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
| 454 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 477 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 455 | 478 |
| 456 // STS and PKP data in |state| should be empty now. | 479 // STS and PKP data in |state| should be empty now. |
| 457 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 480 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 458 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 481 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 459 } | 482 } |
| 460 | 483 |
| 461 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 484 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
| 462 TransportSecurityState state; | 485 TransportSecurityState state; |
| 463 const base::Time current_time(base::Time::Now()); | 486 const base::Time current_time(base::Time::Now()); |
| 464 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 487 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 465 bool include_subdomains = false; | 488 bool include_subdomains = false; |
| 466 | 489 |
| 467 state.AddHSTS("example1.test", expiry, include_subdomains); | 490 state.AddHSTS("example1.test", expiry, include_subdomains); |
| 468 state.AddHPKP("example1.test", expiry, include_subdomains, | 491 state.AddHPKP("example1.test", expiry, include_subdomains, |
| 469 GetSampleSPKIHashes()); | 492 GetSampleSPKIHashes(), std::string()); |
| 470 | 493 |
| 471 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 494 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 495 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
| 473 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); | 496 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); |
| 474 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); | 497 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); |
| 475 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); | 498 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); |
| 476 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 499 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
| 477 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 500 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 478 } | 501 } |
| 479 | 502 |
| (...skipping 596 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1076 // These hosts used to only be HSTS when SNI was available. | 1099 // These hosts used to only be HSTS when SNI was available. |
| 1077 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1100 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
| 1078 "gmail.com")); | 1101 "gmail.com")); |
| 1079 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1102 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
| 1080 "googlegroups.com")); | 1103 "googlegroups.com")); |
| 1081 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1104 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
| 1082 "www.googlegroups.com")); | 1105 "www.googlegroups.com")); |
| 1083 } | 1106 } |
| 1084 | 1107 |
| 1085 } // namespace net | 1108 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1211363005:
Parse HPKP report-uri and persist in TransportSecurityPersister (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master