OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 17 matching lines...) Expand all Loading... |
28 #include "net/ssl/ssl_info.h" | 28 #include "net/ssl/ssl_info.h" |
29 #include "net/test/cert_test_util.h" | 29 #include "net/test/cert_test_util.h" |
30 #include "testing/gtest/include/gtest/gtest.h" | 30 #include "testing/gtest/include/gtest/gtest.h" |
31 | 31 |
32 #if defined(USE_OPENSSL) | 32 #if defined(USE_OPENSSL) |
33 #include "crypto/openssl_util.h" | 33 #include "crypto/openssl_util.h" |
34 #else | 34 #else |
35 #include "crypto/nss_util.h" | 35 #include "crypto/nss_util.h" |
36 #endif | 36 #endif |
37 | 37 |
| 38 namespace { |
| 39 |
| 40 const char kReportUri[] = "http://example.test/test"; |
| 41 |
| 42 } // namespace |
| 43 |
38 namespace net { | 44 namespace net { |
39 | 45 |
40 class TransportSecurityStateTest : public testing::Test { | 46 class TransportSecurityStateTest : public testing::Test { |
41 public: | 47 public: |
42 void SetUp() override { | 48 void SetUp() override { |
43 #if defined(USE_OPENSSL) | 49 #if defined(USE_OPENSSL) |
44 crypto::EnsureOpenSSLInit(); | 50 crypto::EnsureOpenSSLInit(); |
45 #else | 51 #else |
46 crypto::EnsureNSSInit(); | 52 crypto::EnsureNSSInit(); |
47 #endif | 53 #endif |
(...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
207 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); | 213 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); |
208 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); | 214 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); |
209 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); | 215 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); |
210 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); | 216 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); |
211 } | 217 } |
212 | 218 |
213 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule | 219 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule |
214 // with it, regardless of the includeSubDomains bit. This is a regression test | 220 // with it, regardless of the includeSubDomains bit. This is a regression test |
215 // for https://crbug.com/469957. | 221 // for https://crbug.com/469957. |
216 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { | 222 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
| 223 const GURL report_uri(kReportUri); |
217 TransportSecurityState state; | 224 TransportSecurityState state; |
218 const base::Time current_time(base::Time::Now()); | 225 const base::Time current_time(base::Time::Now()); |
219 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 226 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
220 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 227 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
221 | 228 |
222 state.AddHSTS("example1.test", expiry, true); | 229 state.AddHSTS("example1.test", expiry, true); |
223 state.AddHSTS("foo.example1.test", expiry, false); | 230 state.AddHSTS("foo.example1.test", expiry, false); |
224 | 231 |
225 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 232 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
226 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes()); | 233 report_uri); |
| 234 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes(), |
| 235 report_uri); |
227 | 236 |
228 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 237 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
229 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 238 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
230 | 239 |
231 // The foo.example1.test rule overrides the example1.test rule, so | 240 // The foo.example1.test rule overrides the example1.test rule, so |
232 // bar.foo.example1.test has no HSTS state. | 241 // bar.foo.example1.test has no HSTS state. |
233 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 242 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
234 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 243 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
235 | 244 |
236 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 245 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
237 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 246 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
238 | 247 |
239 // The foo.example2.test rule overrides the example1.test rule, so | 248 // The foo.example2.test rule overrides the example1.test rule, so |
240 // bar.foo.example2.test has no HPKP state. | 249 // bar.foo.example2.test has no HPKP state. |
241 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); | 250 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); |
242 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 251 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
243 | 252 |
244 // Expire the foo.example*.test rules. | 253 // Expire the foo.example*.test rules. |
245 state.AddHSTS("foo.example1.test", older, false); | 254 state.AddHSTS("foo.example1.test", older, false); |
246 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes()); | 255 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes(), |
| 256 report_uri); |
247 | 257 |
248 // Now the base example*.test rules apply to bar.foo.example*.test. | 258 // Now the base example*.test rules apply to bar.foo.example*.test. |
249 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 259 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
250 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 260 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
251 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); | 261 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); |
252 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 262 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
253 } | 263 } |
254 | 264 |
255 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { | 265 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { |
| 266 const GURL report_uri(kReportUri); |
256 TransportSecurityState state; | 267 TransportSecurityState state; |
257 const base::Time current_time(base::Time::Now()); | 268 const base::Time current_time(base::Time::Now()); |
258 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 269 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
259 | 270 |
260 state.AddHSTS("example1.test", expiry, false); | 271 state.AddHSTS("example1.test", expiry, false); |
261 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 272 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| 273 report_uri); |
262 | 274 |
263 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. | 275 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. |
264 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); | 276 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); |
265 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); | 277 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); |
266 } | 278 } |
267 | 279 |
268 // Tests that HPKP and HSTS state both expire. Also tests that expired entries | 280 // Tests that HPKP and HSTS state both expire. Also tests that expired entries |
269 // are pruned. | 281 // are pruned. |
270 TEST_F(TransportSecurityStateTest, Expiration) { | 282 TEST_F(TransportSecurityStateTest, Expiration) { |
| 283 const GURL report_uri(kReportUri); |
271 TransportSecurityState state; | 284 TransportSecurityState state; |
272 const base::Time current_time(base::Time::Now()); | 285 const base::Time current_time(base::Time::Now()); |
273 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 286 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
274 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 287 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
275 | 288 |
276 // Note: this test assumes that inserting an entry with an expiration time in | 289 // Note: this test assumes that inserting an entry with an expiration time in |
277 // the past works and is pruned on query. | 290 // the past works and is pruned on query. |
278 state.AddHSTS("example1.test", older, false); | 291 state.AddHSTS("example1.test", older, false); |
279 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
280 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 293 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
281 // Querying |state| for a domain should flush out expired entries. | 294 // Querying |state| for a domain should flush out expired entries. |
282 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 295 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
283 | 296 |
284 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 297 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| 298 report_uri); |
285 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 299 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
286 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 300 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
287 // Querying |state| for a domain should flush out expired entries. | 301 // Querying |state| for a domain should flush out expired entries. |
288 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 302 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
289 | 303 |
290 state.AddHSTS("example1.test", older, false); | 304 state.AddHSTS("example1.test", older, false); |
291 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 305 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| 306 report_uri); |
292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 307 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
293 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 308 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
294 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); | 309 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); |
295 // Querying |state| for a domain should flush out expired entries. | 310 // Querying |state| for a domain should flush out expired entries. |
296 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 311 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
297 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 312 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
298 | 313 |
299 // Test that HSTS can outlive HPKP. | 314 // Test that HSTS can outlive HPKP. |
300 state.AddHSTS("example1.test", expiry, false); | 315 state.AddHSTS("example1.test", expiry, false); |
301 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 316 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| 317 report_uri); |
302 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 318 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
303 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 319 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
304 | 320 |
305 // Test that HPKP can outlive HSTS. | 321 // Test that HPKP can outlive HSTS. |
306 state.AddHSTS("example2.test", older, false); | 322 state.AddHSTS("example2.test", older, false); |
307 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 323 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| 324 report_uri); |
308 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 325 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
309 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 326 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
310 } | 327 } |
311 | 328 |
312 TEST_F(TransportSecurityStateTest, InvalidDomains) { | 329 TEST_F(TransportSecurityStateTest, InvalidDomains) { |
313 TransportSecurityState state; | 330 TransportSecurityState state; |
314 const base::Time current_time(base::Time::Now()); | 331 const base::Time current_time(base::Time::Now()); |
315 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 332 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
316 | 333 |
317 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); | 334 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); |
318 bool include_subdomains = true; | 335 bool include_subdomains = true; |
319 state.AddHSTS("example.test", expiry, include_subdomains); | 336 state.AddHSTS("example.test", expiry, include_subdomains); |
320 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); | 337 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); |
321 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); | 338 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); |
322 } | 339 } |
323 | 340 |
324 // Tests that HPKP and HSTS state are queried independently for subdomain | 341 // Tests that HPKP and HSTS state are queried independently for subdomain |
325 // matches. | 342 // matches. |
326 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { | 343 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { |
| 344 const GURL report_uri(kReportUri); |
327 TransportSecurityState state; | 345 TransportSecurityState state; |
328 const base::Time current_time(base::Time::Now()); | 346 const base::Time current_time(base::Time::Now()); |
329 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
330 | 348 |
331 state.AddHSTS("example1.test", expiry, true); | 349 state.AddHSTS("example1.test", expiry, true); |
332 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes()); | 350 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes(), |
| 351 report_uri); |
333 | 352 |
334 state.AddHSTS("example2.test", expiry, false); | 353 state.AddHSTS("example2.test", expiry, false); |
335 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 354 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| 355 report_uri); |
336 | 356 |
337 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 357 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
338 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); | 358 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); |
339 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); | 359 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); |
340 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 360 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
341 } | 361 } |
342 | 362 |
343 // Tests that HPKP and HSTS state are inserted and overridden independently. | 363 // Tests that HPKP and HSTS state are inserted and overridden independently. |
344 TEST_F(TransportSecurityStateTest, IndependentInsertion) { | 364 TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
| 365 const GURL report_uri(kReportUri); |
345 TransportSecurityState state; | 366 TransportSecurityState state; |
346 const base::Time current_time(base::Time::Now()); | 367 const base::Time current_time(base::Time::Now()); |
347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 368 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
348 | 369 |
349 // Place an includeSubdomains HSTS entry below a normal HPKP entry. | 370 // Place an includeSubdomains HSTS entry below a normal HPKP entry. |
350 state.AddHSTS("example1.test", expiry, true); | 371 state.AddHSTS("example1.test", expiry, true); |
351 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes()); | 372 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes(), |
| 373 report_uri); |
352 | 374 |
353 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 375 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
354 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 376 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
355 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 377 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
356 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 378 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
357 | 379 |
358 // Drop the includeSubdomains from the HSTS entry. | 380 // Drop the includeSubdomains from the HSTS entry. |
359 state.AddHSTS("example1.test", expiry, false); | 381 state.AddHSTS("example1.test", expiry, false); |
360 | 382 |
361 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); | 383 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); |
362 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 384 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
363 | 385 |
364 // Place an includeSubdomains HPKP entry below a normal HSTS entry. | 386 // Place an includeSubdomains HPKP entry below a normal HSTS entry. |
365 state.AddHSTS("foo.example2.test", expiry, false); | 387 state.AddHSTS("foo.example2.test", expiry, false); |
366 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 388 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| 389 report_uri); |
367 | 390 |
368 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 391 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
369 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 392 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
370 | 393 |
371 // Drop the includeSubdomains from the HSTS entry. | 394 // Drop the includeSubdomains from the HSTS entry. |
372 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 395 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| 396 report_uri); |
373 | 397 |
374 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 398 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
375 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); | 399 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); |
376 } | 400 } |
377 | 401 |
378 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the | 402 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the |
379 // states are not mixed together. | 403 // states are not mixed together. |
380 TEST_F(TransportSecurityStateTest, DynamicDomainState) { | 404 TEST_F(TransportSecurityStateTest, DynamicDomainState) { |
| 405 const GURL report_uri(kReportUri); |
381 TransportSecurityState state; | 406 TransportSecurityState state; |
382 const base::Time current_time(base::Time::Now()); | 407 const base::Time current_time(base::Time::Now()); |
383 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); | 408 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); |
384 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); | 409 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); |
385 | 410 |
386 state.AddHSTS("example.com", expiry1, true); | 411 state.AddHSTS("example.com", expiry1, true); |
387 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes()); | 412 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes(), |
| 413 report_uri); |
388 | 414 |
389 TransportSecurityState::STSState sts_state; | 415 TransportSecurityState::STSState sts_state; |
390 TransportSecurityState::PKPState pkp_state; | 416 TransportSecurityState::PKPState pkp_state; |
391 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); | 417 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); |
392 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 418 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
393 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); | 419 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); |
394 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); | 420 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); |
395 EXPECT_TRUE(sts_state.include_subdomains); | 421 EXPECT_TRUE(sts_state.include_subdomains); |
396 EXPECT_FALSE(pkp_state.include_subdomains); | 422 EXPECT_FALSE(pkp_state.include_subdomains); |
397 EXPECT_EQ(expiry1, sts_state.expiry); | 423 EXPECT_EQ(expiry1, sts_state.expiry); |
398 EXPECT_EQ(expiry2, pkp_state.expiry); | 424 EXPECT_EQ(expiry2, pkp_state.expiry); |
399 EXPECT_EQ("example.com", sts_state.domain); | 425 EXPECT_EQ("example.com", sts_state.domain); |
400 EXPECT_EQ("foo.example.com", pkp_state.domain); | 426 EXPECT_EQ("foo.example.com", pkp_state.domain); |
401 } | 427 } |
402 | 428 |
403 // Tests that new pins always override previous pins. This should be true for | 429 // Tests that new pins always override previous pins. This should be true for |
404 // both pins at the same domain or includeSubdomains pins at a parent domain. | 430 // both pins at the same domain or includeSubdomains pins at a parent domain. |
405 TEST_F(TransportSecurityStateTest, NewPinsOverride) { | 431 TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
| 432 const GURL report_uri(kReportUri); |
406 TransportSecurityState state; | 433 TransportSecurityState state; |
407 TransportSecurityState::PKPState pkp_state; | 434 TransportSecurityState::PKPState pkp_state; |
408 const base::Time current_time(base::Time::Now()); | 435 const base::Time current_time(base::Time::Now()); |
409 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 436 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
410 HashValue hash1(HASH_VALUE_SHA1); | 437 HashValue hash1(HASH_VALUE_SHA1); |
411 memset(hash1.data(), 0x01, hash1.size()); | 438 memset(hash1.data(), 0x01, hash1.size()); |
412 HashValue hash2(HASH_VALUE_SHA1); | 439 HashValue hash2(HASH_VALUE_SHA1); |
413 memset(hash2.data(), 0x02, hash1.size()); | 440 memset(hash2.data(), 0x02, hash1.size()); |
414 HashValue hash3(HASH_VALUE_SHA1); | 441 HashValue hash3(HASH_VALUE_SHA1); |
415 memset(hash3.data(), 0x03, hash1.size()); | 442 memset(hash3.data(), 0x03, hash1.size()); |
416 | 443 |
417 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1)); | 444 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1), |
| 445 report_uri); |
418 | 446 |
419 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 447 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
420 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 448 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
421 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); | 449 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); |
422 | 450 |
423 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2)); | 451 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2), |
| 452 report_uri); |
424 | 453 |
425 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 454 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
426 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 455 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
427 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); | 456 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); |
428 | 457 |
429 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3)); | 458 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), |
| 459 report_uri); |
430 | 460 |
431 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 461 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
432 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 462 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
433 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); | 463 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); |
434 } | 464 } |
435 | 465 |
436 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 466 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
437 TransportSecurityState state; | 467 TransportSecurityState state; |
438 const base::Time current_time(base::Time::Now()); | 468 const base::Time current_time(base::Time::Now()); |
439 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 469 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
440 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 470 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
441 | 471 |
442 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
443 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 473 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
444 bool include_subdomains = false; | 474 bool include_subdomains = false; |
445 state.AddHSTS("example.com", expiry, include_subdomains); | 475 state.AddHSTS("example.com", expiry, include_subdomains); |
446 state.AddHPKP("example.com", expiry, include_subdomains, | 476 state.AddHPKP("example.com", expiry, include_subdomains, |
447 GetSampleSPKIHashes()); | 477 GetSampleSPKIHashes(), GURL()); |
448 | 478 |
449 state.DeleteAllDynamicDataSince(expiry); | 479 state.DeleteAllDynamicDataSince(expiry); |
450 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); | 480 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
451 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 481 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
452 state.DeleteAllDynamicDataSince(older); | 482 state.DeleteAllDynamicDataSince(older); |
453 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 483 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
454 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 484 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
455 | 485 |
456 // STS and PKP data in |state| should be empty now. | 486 // STS and PKP data in |state| should be empty now. |
457 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 487 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
458 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 488 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
459 } | 489 } |
460 | 490 |
461 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 491 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
462 TransportSecurityState state; | 492 TransportSecurityState state; |
463 const base::Time current_time(base::Time::Now()); | 493 const base::Time current_time(base::Time::Now()); |
464 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 494 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
465 bool include_subdomains = false; | 495 bool include_subdomains = false; |
466 | 496 |
467 state.AddHSTS("example1.test", expiry, include_subdomains); | 497 state.AddHSTS("example1.test", expiry, include_subdomains); |
468 state.AddHPKP("example1.test", expiry, include_subdomains, | 498 state.AddHPKP("example1.test", expiry, include_subdomains, |
469 GetSampleSPKIHashes()); | 499 GetSampleSPKIHashes(), GURL()); |
470 | 500 |
471 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 501 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 502 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
473 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); | 503 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); |
474 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); | 504 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); |
475 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); | 505 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); |
476 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 506 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
477 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 507 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
478 } | 508 } |
479 | 509 |
(...skipping 596 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1076 // These hosts used to only be HSTS when SNI was available. | 1106 // These hosts used to only be HSTS when SNI was available. |
1077 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1107 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1078 "gmail.com")); | 1108 "gmail.com")); |
1079 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1109 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1080 "googlegroups.com")); | 1110 "googlegroups.com")); |
1081 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1111 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1082 "www.googlegroups.com")); | 1112 "www.googlegroups.com")); |
1083 } | 1113 } |
1084 | 1114 |
1085 } // namespace net | 1115 } // namespace net |
OLD | NEW |