| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 17 matching lines...) Expand all Loading... |
| 28 #include "net/ssl/ssl_info.h" | 28 #include "net/ssl/ssl_info.h" |
| 29 #include "net/test/cert_test_util.h" | 29 #include "net/test/cert_test_util.h" |
| 30 #include "testing/gtest/include/gtest/gtest.h" | 30 #include "testing/gtest/include/gtest/gtest.h" |
| 31 | 31 |
| 32 #if defined(USE_OPENSSL) | 32 #if defined(USE_OPENSSL) |
| 33 #include "crypto/openssl_util.h" | 33 #include "crypto/openssl_util.h" |
| 34 #else | 34 #else |
| 35 #include "crypto/nss_util.h" | 35 #include "crypto/nss_util.h" |
| 36 #endif | 36 #endif |
| 37 | 37 |
| 38 namespace { |
| 39 |
| 40 const char kReportUri[] = "http://example.test/test"; |
| 41 |
| 42 } // namespace |
| 43 |
| 38 namespace net { | 44 namespace net { |
| 39 | 45 |
| 40 class TransportSecurityStateTest : public testing::Test { | 46 class TransportSecurityStateTest : public testing::Test { |
| 41 public: | 47 public: |
| 42 void SetUp() override { | 48 void SetUp() override { |
| 43 #if defined(USE_OPENSSL) | 49 #if defined(USE_OPENSSL) |
| 44 crypto::EnsureOpenSSLInit(); | 50 crypto::EnsureOpenSSLInit(); |
| 45 #else | 51 #else |
| 46 crypto::EnsureNSSInit(); | 52 crypto::EnsureNSSInit(); |
| 47 #endif | 53 #endif |
| (...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 207 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); | 213 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); |
| 208 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); | 214 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); |
| 209 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); | 215 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); |
| 210 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); | 216 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); |
| 211 } | 217 } |
| 212 | 218 |
| 213 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule | 219 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule |
| 214 // with it, regardless of the includeSubDomains bit. This is a regression test | 220 // with it, regardless of the includeSubDomains bit. This is a regression test |
| 215 // for https://crbug.com/469957. | 221 // for https://crbug.com/469957. |
| 216 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { | 222 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
| 223 const GURL report_uri(kReportUri); |
| 217 TransportSecurityState state; | 224 TransportSecurityState state; |
| 218 const base::Time current_time(base::Time::Now()); | 225 const base::Time current_time(base::Time::Now()); |
| 219 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 226 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 220 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 227 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 221 | 228 |
| 222 state.AddHSTS("example1.test", expiry, true); | 229 state.AddHSTS("example1.test", expiry, true); |
| 223 state.AddHSTS("foo.example1.test", expiry, false); | 230 state.AddHSTS("foo.example1.test", expiry, false); |
| 224 | 231 |
| 225 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 232 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| 226 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes()); | 233 report_uri); |
| 234 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes(), |
| 235 report_uri); |
| 227 | 236 |
| 228 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 237 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 229 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 238 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 230 | 239 |
| 231 // The foo.example1.test rule overrides the example1.test rule, so | 240 // The foo.example1.test rule overrides the example1.test rule, so |
| 232 // bar.foo.example1.test has no HSTS state. | 241 // bar.foo.example1.test has no HSTS state. |
| 233 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 242 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
| 234 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 243 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
| 235 | 244 |
| 236 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 245 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
| 237 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 246 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| 238 | 247 |
| 239 // The foo.example2.test rule overrides the example1.test rule, so | 248 // The foo.example2.test rule overrides the example1.test rule, so |
| 240 // bar.foo.example2.test has no HPKP state. | 249 // bar.foo.example2.test has no HPKP state. |
| 241 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); | 250 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); |
| 242 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 251 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
| 243 | 252 |
| 244 // Expire the foo.example*.test rules. | 253 // Expire the foo.example*.test rules. |
| 245 state.AddHSTS("foo.example1.test", older, false); | 254 state.AddHSTS("foo.example1.test", older, false); |
| 246 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes()); | 255 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes(), |
| 256 report_uri); |
| 247 | 257 |
| 248 // Now the base example*.test rules apply to bar.foo.example*.test. | 258 // Now the base example*.test rules apply to bar.foo.example*.test. |
| 249 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 259 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
| 250 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 260 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
| 251 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); | 261 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); |
| 252 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 262 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
| 253 } | 263 } |
| 254 | 264 |
| 255 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { | 265 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { |
| 266 const GURL report_uri(kReportUri); |
| 256 TransportSecurityState state; | 267 TransportSecurityState state; |
| 257 const base::Time current_time(base::Time::Now()); | 268 const base::Time current_time(base::Time::Now()); |
| 258 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 269 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 259 | 270 |
| 260 state.AddHSTS("example1.test", expiry, false); | 271 state.AddHSTS("example1.test", expiry, false); |
| 261 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 272 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| 273 report_uri); |
| 262 | 274 |
| 263 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. | 275 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. |
| 264 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); | 276 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); |
| 265 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); | 277 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); |
| 266 } | 278 } |
| 267 | 279 |
| 268 // Tests that HPKP and HSTS state both expire. Also tests that expired entries | 280 // Tests that HPKP and HSTS state both expire. Also tests that expired entries |
| 269 // are pruned. | 281 // are pruned. |
| 270 TEST_F(TransportSecurityStateTest, Expiration) { | 282 TEST_F(TransportSecurityStateTest, Expiration) { |
| 283 const GURL report_uri(kReportUri); |
| 271 TransportSecurityState state; | 284 TransportSecurityState state; |
| 272 const base::Time current_time(base::Time::Now()); | 285 const base::Time current_time(base::Time::Now()); |
| 273 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 286 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 274 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 287 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 275 | 288 |
| 276 // Note: this test assumes that inserting an entry with an expiration time in | 289 // Note: this test assumes that inserting an entry with an expiration time in |
| 277 // the past works and is pruned on query. | 290 // the past works and is pruned on query. |
| 278 state.AddHSTS("example1.test", older, false); | 291 state.AddHSTS("example1.test", older, false); |
| 279 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 280 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 293 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
| 281 // Querying |state| for a domain should flush out expired entries. | 294 // Querying |state| for a domain should flush out expired entries. |
| 282 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 295 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 283 | 296 |
| 284 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 297 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| 298 report_uri); |
| 285 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 299 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 286 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 300 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 287 // Querying |state| for a domain should flush out expired entries. | 301 // Querying |state| for a domain should flush out expired entries. |
| 288 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 302 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 289 | 303 |
| 290 state.AddHSTS("example1.test", older, false); | 304 state.AddHSTS("example1.test", older, false); |
| 291 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 305 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| 306 report_uri); |
| 292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 307 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 293 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 308 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 294 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); | 309 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); |
| 295 // Querying |state| for a domain should flush out expired entries. | 310 // Querying |state| for a domain should flush out expired entries. |
| 296 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 311 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 297 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 312 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 298 | 313 |
| 299 // Test that HSTS can outlive HPKP. | 314 // Test that HSTS can outlive HPKP. |
| 300 state.AddHSTS("example1.test", expiry, false); | 315 state.AddHSTS("example1.test", expiry, false); |
| 301 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); | 316 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| 317 report_uri); |
| 302 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 318 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 303 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 319 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 304 | 320 |
| 305 // Test that HPKP can outlive HSTS. | 321 // Test that HPKP can outlive HSTS. |
| 306 state.AddHSTS("example2.test", older, false); | 322 state.AddHSTS("example2.test", older, false); |
| 307 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 323 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| 324 report_uri); |
| 308 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 325 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
| 309 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 326 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
| 310 } | 327 } |
| 311 | 328 |
| 312 TEST_F(TransportSecurityStateTest, InvalidDomains) { | 329 TEST_F(TransportSecurityStateTest, InvalidDomains) { |
| 313 TransportSecurityState state; | 330 TransportSecurityState state; |
| 314 const base::Time current_time(base::Time::Now()); | 331 const base::Time current_time(base::Time::Now()); |
| 315 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 332 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 316 | 333 |
| 317 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); | 334 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); |
| 318 bool include_subdomains = true; | 335 bool include_subdomains = true; |
| 319 state.AddHSTS("example.test", expiry, include_subdomains); | 336 state.AddHSTS("example.test", expiry, include_subdomains); |
| 320 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); | 337 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); |
| 321 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); | 338 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); |
| 322 } | 339 } |
| 323 | 340 |
| 324 // Tests that HPKP and HSTS state are queried independently for subdomain | 341 // Tests that HPKP and HSTS state are queried independently for subdomain |
| 325 // matches. | 342 // matches. |
| 326 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { | 343 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { |
| 344 const GURL report_uri(kReportUri); |
| 327 TransportSecurityState state; | 345 TransportSecurityState state; |
| 328 const base::Time current_time(base::Time::Now()); | 346 const base::Time current_time(base::Time::Now()); |
| 329 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 330 | 348 |
| 331 state.AddHSTS("example1.test", expiry, true); | 349 state.AddHSTS("example1.test", expiry, true); |
| 332 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes()); | 350 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes(), |
| 351 report_uri); |
| 333 | 352 |
| 334 state.AddHSTS("example2.test", expiry, false); | 353 state.AddHSTS("example2.test", expiry, false); |
| 335 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 354 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| 355 report_uri); |
| 336 | 356 |
| 337 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 357 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 338 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); | 358 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); |
| 339 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); | 359 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| 340 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 360 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| 341 } | 361 } |
| 342 | 362 |
| 343 // Tests that HPKP and HSTS state are inserted and overridden independently. | 363 // Tests that HPKP and HSTS state are inserted and overridden independently. |
| 344 TEST_F(TransportSecurityStateTest, IndependentInsertion) { | 364 TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
| 365 const GURL report_uri(kReportUri); |
| 345 TransportSecurityState state; | 366 TransportSecurityState state; |
| 346 const base::Time current_time(base::Time::Now()); | 367 const base::Time current_time(base::Time::Now()); |
| 347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 368 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 348 | 369 |
| 349 // Place an includeSubdomains HSTS entry below a normal HPKP entry. | 370 // Place an includeSubdomains HSTS entry below a normal HPKP entry. |
| 350 state.AddHSTS("example1.test", expiry, true); | 371 state.AddHSTS("example1.test", expiry, true); |
| 351 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes()); | 372 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes(), |
| 373 report_uri); |
| 352 | 374 |
| 353 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 375 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 354 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 376 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
| 355 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 377 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 356 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 378 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 357 | 379 |
| 358 // Drop the includeSubdomains from the HSTS entry. | 380 // Drop the includeSubdomains from the HSTS entry. |
| 359 state.AddHSTS("example1.test", expiry, false); | 381 state.AddHSTS("example1.test", expiry, false); |
| 360 | 382 |
| 361 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); | 383 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 362 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 384 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
| 363 | 385 |
| 364 // Place an includeSubdomains HPKP entry below a normal HSTS entry. | 386 // Place an includeSubdomains HPKP entry below a normal HSTS entry. |
| 365 state.AddHSTS("foo.example2.test", expiry, false); | 387 state.AddHSTS("foo.example2.test", expiry, false); |
| 366 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); | 388 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| 389 report_uri); |
| 367 | 390 |
| 368 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 391 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| 369 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 392 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| 370 | 393 |
| 371 // Drop the includeSubdomains from the HSTS entry. | 394 // Drop the includeSubdomains from the HSTS entry. |
| 372 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); | 395 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| 396 report_uri); |
| 373 | 397 |
| 374 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 398 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| 375 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); | 399 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); |
| 376 } | 400 } |
| 377 | 401 |
| 378 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the | 402 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the |
| 379 // states are not mixed together. | 403 // states are not mixed together. |
| 380 TEST_F(TransportSecurityStateTest, DynamicDomainState) { | 404 TEST_F(TransportSecurityStateTest, DynamicDomainState) { |
| 405 const GURL report_uri(kReportUri); |
| 381 TransportSecurityState state; | 406 TransportSecurityState state; |
| 382 const base::Time current_time(base::Time::Now()); | 407 const base::Time current_time(base::Time::Now()); |
| 383 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); | 408 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); |
| 384 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); | 409 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); |
| 385 | 410 |
| 386 state.AddHSTS("example.com", expiry1, true); | 411 state.AddHSTS("example.com", expiry1, true); |
| 387 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes()); | 412 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes(), |
| 413 report_uri); |
| 388 | 414 |
| 389 TransportSecurityState::STSState sts_state; | 415 TransportSecurityState::STSState sts_state; |
| 390 TransportSecurityState::PKPState pkp_state; | 416 TransportSecurityState::PKPState pkp_state; |
| 391 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); | 417 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); |
| 392 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 418 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 393 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); | 419 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); |
| 394 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); | 420 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); |
| 395 EXPECT_TRUE(sts_state.include_subdomains); | 421 EXPECT_TRUE(sts_state.include_subdomains); |
| 396 EXPECT_FALSE(pkp_state.include_subdomains); | 422 EXPECT_FALSE(pkp_state.include_subdomains); |
| 397 EXPECT_EQ(expiry1, sts_state.expiry); | 423 EXPECT_EQ(expiry1, sts_state.expiry); |
| 398 EXPECT_EQ(expiry2, pkp_state.expiry); | 424 EXPECT_EQ(expiry2, pkp_state.expiry); |
| 399 EXPECT_EQ("example.com", sts_state.domain); | 425 EXPECT_EQ("example.com", sts_state.domain); |
| 400 EXPECT_EQ("foo.example.com", pkp_state.domain); | 426 EXPECT_EQ("foo.example.com", pkp_state.domain); |
| 401 } | 427 } |
| 402 | 428 |
| 403 // Tests that new pins always override previous pins. This should be true for | 429 // Tests that new pins always override previous pins. This should be true for |
| 404 // both pins at the same domain or includeSubdomains pins at a parent domain. | 430 // both pins at the same domain or includeSubdomains pins at a parent domain. |
| 405 TEST_F(TransportSecurityStateTest, NewPinsOverride) { | 431 TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
| 432 const GURL report_uri(kReportUri); |
| 406 TransportSecurityState state; | 433 TransportSecurityState state; |
| 407 TransportSecurityState::PKPState pkp_state; | 434 TransportSecurityState::PKPState pkp_state; |
| 408 const base::Time current_time(base::Time::Now()); | 435 const base::Time current_time(base::Time::Now()); |
| 409 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 436 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 410 HashValue hash1(HASH_VALUE_SHA1); | 437 HashValue hash1(HASH_VALUE_SHA1); |
| 411 memset(hash1.data(), 0x01, hash1.size()); | 438 memset(hash1.data(), 0x01, hash1.size()); |
| 412 HashValue hash2(HASH_VALUE_SHA1); | 439 HashValue hash2(HASH_VALUE_SHA1); |
| 413 memset(hash2.data(), 0x02, hash1.size()); | 440 memset(hash2.data(), 0x02, hash1.size()); |
| 414 HashValue hash3(HASH_VALUE_SHA1); | 441 HashValue hash3(HASH_VALUE_SHA1); |
| 415 memset(hash3.data(), 0x03, hash1.size()); | 442 memset(hash3.data(), 0x03, hash1.size()); |
| 416 | 443 |
| 417 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1)); | 444 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1), |
| 445 report_uri); |
| 418 | 446 |
| 419 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 447 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 420 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 448 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 421 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); | 449 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); |
| 422 | 450 |
| 423 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2)); | 451 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2), |
| 452 report_uri); |
| 424 | 453 |
| 425 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 454 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 426 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 455 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 427 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); | 456 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); |
| 428 | 457 |
| 429 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3)); | 458 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), |
| 459 report_uri); |
| 430 | 460 |
| 431 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 461 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 432 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 462 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 433 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); | 463 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); |
| 434 } | 464 } |
| 435 | 465 |
| 436 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 466 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
| 437 TransportSecurityState state; | 467 TransportSecurityState state; |
| 438 const base::Time current_time(base::Time::Now()); | 468 const base::Time current_time(base::Time::Now()); |
| 439 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 469 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 440 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 470 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 441 | 471 |
| 442 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
| 443 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 473 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 444 bool include_subdomains = false; | 474 bool include_subdomains = false; |
| 445 state.AddHSTS("example.com", expiry, include_subdomains); | 475 state.AddHSTS("example.com", expiry, include_subdomains); |
| 446 state.AddHPKP("example.com", expiry, include_subdomains, | 476 state.AddHPKP("example.com", expiry, include_subdomains, |
| 447 GetSampleSPKIHashes()); | 477 GetSampleSPKIHashes(), GURL()); |
| 448 | 478 |
| 449 state.DeleteAllDynamicDataSince(expiry); | 479 state.DeleteAllDynamicDataSince(expiry); |
| 450 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); | 480 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
| 451 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 481 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
| 452 state.DeleteAllDynamicDataSince(older); | 482 state.DeleteAllDynamicDataSince(older); |
| 453 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 483 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
| 454 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 484 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 455 | 485 |
| 456 // STS and PKP data in |state| should be empty now. | 486 // STS and PKP data in |state| should be empty now. |
| 457 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 487 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 458 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 488 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 459 } | 489 } |
| 460 | 490 |
| 461 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 491 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
| 462 TransportSecurityState state; | 492 TransportSecurityState state; |
| 463 const base::Time current_time(base::Time::Now()); | 493 const base::Time current_time(base::Time::Now()); |
| 464 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 494 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 465 bool include_subdomains = false; | 495 bool include_subdomains = false; |
| 466 | 496 |
| 467 state.AddHSTS("example1.test", expiry, include_subdomains); | 497 state.AddHSTS("example1.test", expiry, include_subdomains); |
| 468 state.AddHPKP("example1.test", expiry, include_subdomains, | 498 state.AddHPKP("example1.test", expiry, include_subdomains, |
| 469 GetSampleSPKIHashes()); | 499 GetSampleSPKIHashes(), GURL()); |
| 470 | 500 |
| 471 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 501 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 502 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
| 473 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); | 503 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); |
| 474 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); | 504 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); |
| 475 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); | 505 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); |
| 476 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 506 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
| 477 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 507 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 478 } | 508 } |
| 479 | 509 |
| (...skipping 596 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1076 // These hosts used to only be HSTS when SNI was available. | 1106 // These hosts used to only be HSTS when SNI was available. |
| 1077 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1107 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
| 1078 "gmail.com")); | 1108 "gmail.com")); |
| 1079 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1109 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
| 1080 "googlegroups.com")); | 1110 "googlegroups.com")); |
| 1081 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1111 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
| 1082 "www.googlegroups.com")); | 1112 "www.googlegroups.com")); |
| 1083 } | 1113 } |
| 1084 | 1114 |
| 1085 } // namespace net | 1115 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1211363005:
Parse HPKP report-uri and persist in TransportSecurityPersister (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master