| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stdint.h> | 5 #include <stdint.h> |
| 6 #include <algorithm> | 6 #include <algorithm> |
| 7 | 7 |
| 8 #include "base/base64.h" | 8 #include "base/base64.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/strings/string_piece.h" | 10 #include "base/strings/string_piece.h" |
| (...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 145 // values for its predictable fields. | 145 // values for its predictable fields. |
| 146 EXPECT_EQ(0, max_age.InSeconds()); | 146 EXPECT_EQ(0, max_age.InSeconds()); |
| 147 EXPECT_FALSE(include_subdomains); | 147 EXPECT_FALSE(include_subdomains); |
| 148 } | 148 } |
| 149 | 149 |
| 150 static void TestBogusPinsHeaders(HashValueTag tag) { | 150 static void TestBogusPinsHeaders(HashValueTag tag) { |
| 151 base::TimeDelta max_age; | 151 base::TimeDelta max_age; |
| 152 bool include_subdomains; | 152 bool include_subdomains; |
| 153 HashValueVector hashes; | 153 HashValueVector hashes; |
| 154 HashValueVector chain_hashes; | 154 HashValueVector chain_hashes; |
| 155 std::string report_uri; |
| 155 | 156 |
| 156 // Set some fake "chain" hashes | 157 // Set some fake "chain" hashes |
| 157 chain_hashes.push_back(GetTestHashValue(1, tag)); | 158 chain_hashes.push_back(GetTestHashValue(1, tag)); |
| 158 chain_hashes.push_back(GetTestHashValue(2, tag)); | 159 chain_hashes.push_back(GetTestHashValue(2, tag)); |
| 159 chain_hashes.push_back(GetTestHashValue(3, tag)); | 160 chain_hashes.push_back(GetTestHashValue(3, tag)); |
| 160 | 161 |
| 161 // The good pin must be in the chain, the backup pin must not be | 162 // The good pin must be in the chain, the backup pin must not be |
| 162 std::string good_pin = GetTestPin(2, tag); | 163 std::string good_pin = GetTestPin(2, tag); |
| 163 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); | 164 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); |
| 164 std::string backup_pin = GetTestPin(4, tag); | 165 std::string backup_pin = GetTestPin(4, tag); |
| 165 | 166 |
| 166 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, | 167 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, |
| 167 &include_subdomains, &hashes)); | 168 &include_subdomains, &hashes, &report_uri)); |
| 168 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, | 169 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, |
| 169 &include_subdomains, &hashes)); | 170 &include_subdomains, &hashes, &report_uri)); |
| 170 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, | 171 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, |
| 171 &include_subdomains, &hashes)); | 172 &include_subdomains, &hashes, &report_uri)); |
| 172 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, | 173 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, |
| 173 &include_subdomains, &hashes)); | 174 &include_subdomains, &hashes, &report_uri)); |
| 174 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, | 175 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, |
| 175 &include_subdomains, &hashes)); | 176 &include_subdomains, &hashes, &report_uri)); |
| 176 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, | 177 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, |
| 177 &include_subdomains, &hashes)); | 178 &include_subdomains, &hashes, &report_uri)); |
| 178 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, | 179 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, |
| 179 &include_subdomains, &hashes)); | 180 &include_subdomains, &hashes, &report_uri)); |
| 180 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, | 181 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, |
| 181 &include_subdomains, &hashes)); | 182 &include_subdomains, &hashes, &report_uri)); |
| 182 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, | 183 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, |
| 183 &include_subdomains, &hashes)); | 184 &include_subdomains, &hashes, &report_uri)); |
| 184 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, | 185 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, |
| 185 &include_subdomains, &hashes)); | 186 &include_subdomains, &hashes, &report_uri)); |
| 186 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, | 187 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, |
| 187 &include_subdomains, &hashes)); | 188 &include_subdomains, &hashes, &report_uri)); |
| 188 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, | 189 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, |
| 189 &include_subdomains, &hashes)); | 190 &include_subdomains, &hashes, &report_uri)); |
| 190 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, | 191 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, &max_age, |
| 191 &max_age, &include_subdomains, &hashes)); | 192 &include_subdomains, &hashes, &report_uri)); |
| 192 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, | 193 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, &max_age, |
| 193 &max_age, &include_subdomains, &hashes)); | 194 &include_subdomains, &hashes, &report_uri)); |
| 194 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", | 195 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", chain_hashes, |
| 196 &max_age, &include_subdomains, &hashes, |
| 197 &report_uri)); |
| 198 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age, |
| 199 &include_subdomains, &hashes, &report_uri)); |
| 200 EXPECT_FALSE(ParseHPKPHeader( |
| 201 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes, |
| 202 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 203 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;pins=" + good_pin + "," + |
| 204 backup_pin + "report-uri=\"http://foo.com\"", |
| 195 chain_hashes, &max_age, &include_subdomains, | 205 chain_hashes, &max_age, &include_subdomains, |
| 196 &hashes)); | 206 &hashes, &report_uri)); |
| 197 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, | 207 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes, |
| 198 &max_age, &include_subdomains, &hashes)); | 208 &max_age, &include_subdomains, &hashes, |
| 199 EXPECT_FALSE(ParseHPKPHeader("max-ag=3488923pins=" + good_pin + "," + | 209 &report_uri)); |
| 200 backup_pin, | 210 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes, |
| 211 &max_age, &include_subdomains, &hashes, |
| 212 &report_uri)); |
| 213 EXPECT_FALSE(ParseHPKPHeader( |
| 214 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes, |
| 215 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 216 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + good_pin, |
| 201 chain_hashes, &max_age, &include_subdomains, | 217 chain_hashes, &max_age, &include_subdomains, |
| 202 &hashes)); | 218 &hashes, &report_uri)); |
| 203 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, | 219 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes, |
| 204 chain_hashes, &max_age, &include_subdomains, | 220 &max_age, &include_subdomains, &hashes, |
| 205 &hashes)); | 221 &report_uri)); |
| 206 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, | |
| 207 chain_hashes, &max_age, &include_subdomains, | |
| 208 &hashes)); | |
| 209 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin + ";" + | |
| 210 backup_pin, | |
| 211 chain_hashes, &max_age, &include_subdomains, | |
| 212 &hashes)); | |
| 213 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + | |
| 214 good_pin, | |
| 215 chain_hashes, &max_age, &include_subdomains, | |
| 216 &hashes)); | |
| 217 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, | |
| 218 chain_hashes, &max_age, &include_subdomains, | |
| 219 &hashes)); | |
| 220 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, | 222 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, |
| 221 &include_subdomains, &hashes)); | 223 &include_subdomains, &hashes, &report_uri)); |
| 222 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, | 224 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, |
| 223 &include_subdomains, &hashes)); | 225 &include_subdomains, &hashes, &report_uri)); |
| 224 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, | 226 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, |
| 225 &include_subdomains, &hashes)); | 227 &include_subdomains, &hashes, &report_uri)); |
| 226 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, | 228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, |
| 227 &include_subdomains, &hashes)); | 229 &include_subdomains, &hashes, &report_uri)); |
| 228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, | 230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, &max_age, |
| 229 &max_age, &include_subdomains, &hashes)); | 231 &include_subdomains, &hashes, &report_uri)); |
| 230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", | 232 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", |
| 231 chain_hashes, &max_age, &include_subdomains, | 233 chain_hashes, &max_age, &include_subdomains, |
| 232 &hashes)); | 234 &hashes, &report_uri)); |
| 235 EXPECT_FALSE(ParseHPKPHeader( |
| 236 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes, |
| 237 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 233 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, | 238 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, |
| 234 &include_subdomains, &hashes)); | 239 &include_subdomains, &hashes, &report_uri)); |
| 235 EXPECT_FALSE( | 240 EXPECT_FALSE(ParseHPKPHeader( |
| 236 ParseHPKPHeader("max-age=243; " + good_pin_unquoted + ";" + backup_pin, | 241 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes, |
| 237 chain_hashes, &max_age, &include_subdomains, &hashes)); | 242 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 243 EXPECT_FALSE(ParseHPKPHeader( |
| 244 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;", |
| 245 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 246 EXPECT_FALSE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + |
| 247 ";report-uri=http://foo.com;", |
| 248 chain_hashes, &max_age, &include_subdomains, |
| 249 &hashes, &report_uri)); |
| 250 EXPECT_FALSE(ParseHPKPHeader( |
| 251 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''", |
| 252 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 238 | 253 |
| 239 // Check the out args were not updated by checking the default | 254 // Check the out args were not updated by checking the default |
| 240 // values for its predictable fields. | 255 // values for its predictable fields. |
| 241 EXPECT_EQ(0, max_age.InSeconds()); | 256 EXPECT_EQ(0, max_age.InSeconds()); |
| 242 EXPECT_EQ(hashes.size(), (size_t)0); | 257 EXPECT_EQ(hashes.size(), (size_t)0); |
| 243 } | 258 } |
| 244 | 259 |
| 245 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { | 260 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { |
| 246 base::TimeDelta max_age; | 261 base::TimeDelta max_age; |
| 247 base::TimeDelta expect_max_age; | 262 base::TimeDelta expect_max_age; |
| (...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 398 EXPECT_EQ(expect_max_age, max_age); | 413 EXPECT_EQ(expect_max_age, max_age); |
| 399 EXPECT_TRUE(include_subdomains); | 414 EXPECT_TRUE(include_subdomains); |
| 400 } | 415 } |
| 401 | 416 |
| 402 static void TestValidPKPHeaders(HashValueTag tag) { | 417 static void TestValidPKPHeaders(HashValueTag tag) { |
| 403 base::TimeDelta max_age; | 418 base::TimeDelta max_age; |
| 404 base::TimeDelta expect_max_age; | 419 base::TimeDelta expect_max_age; |
| 405 bool include_subdomains; | 420 bool include_subdomains; |
| 406 HashValueVector hashes; | 421 HashValueVector hashes; |
| 407 HashValueVector chain_hashes; | 422 HashValueVector chain_hashes; |
| 423 std::string expect_report_uri; |
| 424 std::string report_uri; |
| 408 | 425 |
| 409 // Set some fake "chain" hashes into chain_hashes | 426 // Set some fake "chain" hashes into chain_hashes |
| 410 chain_hashes.push_back(GetTestHashValue(1, tag)); | 427 chain_hashes.push_back(GetTestHashValue(1, tag)); |
| 411 chain_hashes.push_back(GetTestHashValue(2, tag)); | 428 chain_hashes.push_back(GetTestHashValue(2, tag)); |
| 412 chain_hashes.push_back(GetTestHashValue(3, tag)); | 429 chain_hashes.push_back(GetTestHashValue(3, tag)); |
| 413 | 430 |
| 414 // The good pin must be in the chain, the backup pin must not be | 431 // The good pin must be in the chain, the backup pin must not be |
| 415 std::string good_pin = GetTestPin(2, tag); | 432 std::string good_pin = GetTestPin(2, tag); |
| 416 std::string good_pin2 = GetTestPin(3, tag); | 433 std::string good_pin2 = GetTestPin(3, tag); |
| 417 std::string backup_pin = GetTestPin(4, tag); | 434 std::string backup_pin = GetTestPin(4, tag); |
| 418 | 435 |
| 419 EXPECT_TRUE(ParseHPKPHeader( | 436 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin, |
| 420 "max-age=243; " + good_pin + ";" + backup_pin, | 437 chain_hashes, &max_age, &include_subdomains, |
| 421 chain_hashes, &max_age, &include_subdomains, &hashes)); | 438 &hashes, &report_uri)); |
| 422 expect_max_age = base::TimeDelta::FromSeconds(243); | 439 expect_max_age = base::TimeDelta::FromSeconds(243); |
| 423 EXPECT_EQ(expect_max_age, max_age); | 440 EXPECT_EQ(expect_max_age, max_age); |
| 424 EXPECT_FALSE(include_subdomains); | 441 EXPECT_FALSE(include_subdomains); |
| 442 EXPECT_EQ(std::string(), report_uri); |
| 425 | 443 |
| 426 EXPECT_TRUE(ParseHPKPHeader( | 444 EXPECT_TRUE(ParseHPKPHeader( |
| 427 " " + good_pin + "; " + backup_pin + " ; Max-agE = 567", | 445 "max-age=243; " + good_pin + ";" + backup_pin + "; report-uri= \"/foo\"", |
| 428 chain_hashes, &max_age, &include_subdomains, &hashes)); | 446 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 429 expect_max_age = base::TimeDelta::FromSeconds(567); | 447 expect_max_age = base::TimeDelta::FromSeconds(243); |
| 448 expect_report_uri = "/foo"; |
| 430 EXPECT_EQ(expect_max_age, max_age); | 449 EXPECT_EQ(expect_max_age, max_age); |
| 431 EXPECT_FALSE(include_subdomains); | 450 EXPECT_FALSE(include_subdomains); |
| 451 EXPECT_EQ(expect_report_uri, report_uri); |
| 432 | 452 |
| 433 EXPECT_TRUE(ParseHPKPHeader( | 453 EXPECT_TRUE(ParseHPKPHeader(" " + good_pin + "; " + backup_pin + |
| 434 "includeSubDOMAINS;" + good_pin + ";" + backup_pin + | 454 " ; Max-agE = 567; repOrT-URi = \"/foo\"", |
| 435 " ; mAx-aGe = 890 ", | 455 chain_hashes, &max_age, &include_subdomains, |
| 436 chain_hashes, &max_age, &include_subdomains, &hashes)); | 456 &hashes, &report_uri)); |
| 457 expect_max_age = base::TimeDelta::FromSeconds(567); |
| 458 expect_report_uri = "/foo"; |
| 459 EXPECT_EQ(expect_max_age, max_age); |
| 460 EXPECT_FALSE(include_subdomains); |
| 461 EXPECT_EQ(expect_report_uri, report_uri); |
| 462 |
| 463 EXPECT_TRUE(ParseHPKPHeader("includeSubDOMAINS;" + good_pin + ";" + |
| 464 backup_pin + " ; mAx-aGe = 890 ", |
| 465 chain_hashes, &max_age, &include_subdomains, |
| 466 &hashes, &report_uri)); |
| 437 expect_max_age = base::TimeDelta::FromSeconds(890); | 467 expect_max_age = base::TimeDelta::FromSeconds(890); |
| 438 EXPECT_EQ(expect_max_age, max_age); | 468 EXPECT_EQ(expect_max_age, max_age); |
| 439 EXPECT_TRUE(include_subdomains); | 469 EXPECT_TRUE(include_subdomains); |
| 440 | 470 |
| 441 EXPECT_TRUE(ParseHPKPHeader( | 471 EXPECT_TRUE(ParseHPKPHeader( |
| 442 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", | 472 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes, |
| 443 chain_hashes, &max_age, &include_subdomains, &hashes)); | 473 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 444 expect_max_age = base::TimeDelta::FromSeconds(123); | 474 expect_max_age = base::TimeDelta::FromSeconds(123); |
| 445 EXPECT_EQ(expect_max_age, max_age); | 475 EXPECT_EQ(expect_max_age, max_age); |
| 446 EXPECT_FALSE(include_subdomains); | 476 EXPECT_FALSE(include_subdomains); |
| 447 | 477 |
| 448 EXPECT_TRUE(ParseHPKPHeader( | 478 EXPECT_TRUE(ParseHPKPHeader( |
| 449 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", | 479 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes, |
| 450 chain_hashes, &max_age, &include_subdomains, &hashes)); | 480 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 451 expect_max_age = base::TimeDelta::FromSeconds(394082); | 481 expect_max_age = base::TimeDelta::FromSeconds(394082); |
| 452 EXPECT_EQ(expect_max_age, max_age); | 482 EXPECT_EQ(expect_max_age, max_age); |
| 453 EXPECT_FALSE(include_subdomains); | 483 EXPECT_FALSE(include_subdomains); |
| 454 | 484 |
| 455 EXPECT_TRUE(ParseHPKPHeader( | 485 EXPECT_TRUE(ParseHPKPHeader( |
| 456 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", | 486 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes, |
| 457 chain_hashes, &max_age, &include_subdomains, &hashes)); | 487 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 458 expect_max_age = base::TimeDelta::FromSeconds( | 488 expect_max_age = base::TimeDelta::FromSeconds( |
| 459 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); | 489 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); |
| 460 EXPECT_EQ(expect_max_age, max_age); | 490 EXPECT_EQ(expect_max_age, max_age); |
| 461 EXPECT_FALSE(include_subdomains); | 491 EXPECT_FALSE(include_subdomains); |
| 462 | 492 |
| 463 EXPECT_TRUE(ParseHPKPHeader( | 493 EXPECT_TRUE(ParseHPKPHeader( |
| 464 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + | 494 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + |
| 465 good_pin + ";" + backup_pin + "; ", | 495 good_pin + ";" + backup_pin + "; ", |
| 466 chain_hashes, &max_age, &include_subdomains, &hashes)); | 496 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 467 expect_max_age = base::TimeDelta::FromSeconds( | 497 expect_max_age = base::TimeDelta::FromSeconds( |
| 468 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); | 498 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); |
| 469 EXPECT_EQ(expect_max_age, max_age); | 499 EXPECT_EQ(expect_max_age, max_age); |
| 470 EXPECT_TRUE(include_subdomains); | 500 EXPECT_TRUE(include_subdomains); |
| 471 | 501 |
| 472 EXPECT_TRUE(ParseHPKPHeader( | 502 EXPECT_TRUE(ParseHPKPHeader(" max-age=0 ; " + good_pin + ";" + backup_pin, |
| 473 " max-age=0 ; " + good_pin + ";" + backup_pin, | 503 chain_hashes, &max_age, &include_subdomains, |
| 474 chain_hashes, &max_age, &include_subdomains, &hashes)); | 504 &hashes, &report_uri)); |
| 475 expect_max_age = base::TimeDelta::FromSeconds(0); | 505 expect_max_age = base::TimeDelta::FromSeconds(0); |
| 476 EXPECT_EQ(expect_max_age, max_age); | 506 EXPECT_EQ(expect_max_age, max_age); |
| 477 EXPECT_FALSE(include_subdomains); | 507 EXPECT_FALSE(include_subdomains); |
| 478 | 508 |
| 479 EXPECT_TRUE(ParseHPKPHeader( | 509 EXPECT_TRUE(ParseHPKPHeader( |
| 480 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, | 510 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, |
| 481 chain_hashes, &max_age, &include_subdomains, &hashes)); | 511 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 482 expect_max_age = base::TimeDelta::FromSeconds(0); | 512 expect_max_age = base::TimeDelta::FromSeconds(0); |
| 483 EXPECT_EQ(expect_max_age, max_age); | 513 EXPECT_EQ(expect_max_age, max_age); |
| 484 EXPECT_TRUE(include_subdomains); | 514 EXPECT_TRUE(include_subdomains); |
| 485 | 515 |
| 486 EXPECT_TRUE(ParseHPKPHeader( | 516 EXPECT_TRUE(ParseHPKPHeader( |
| 487 " max-age=999999999999999999999999999999999999999999999 ; " + | 517 " max-age=999999999999999999999999999999999999999999999 ; " + |
| 488 backup_pin + ";" + good_pin + "; ", | 518 backup_pin + ";" + good_pin + "; ", |
| 489 chain_hashes, &max_age, &include_subdomains, &hashes)); | 519 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 490 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | 520 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); |
| 491 EXPECT_EQ(expect_max_age, max_age); | 521 EXPECT_EQ(expect_max_age, max_age); |
| 492 EXPECT_FALSE(include_subdomains); | 522 EXPECT_FALSE(include_subdomains); |
| 493 | 523 |
| 524 EXPECT_TRUE(ParseHPKPHeader( |
| 525 " max-age=999999999999999999999999999999999999999999999 ; " + |
| 526 backup_pin + ";" + good_pin + "; report-uri=\"/foo\"", |
| 527 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 528 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); |
| 529 expect_report_uri = "/foo"; |
| 530 EXPECT_EQ(expect_max_age, max_age); |
| 531 EXPECT_FALSE(include_subdomains); |
| 532 EXPECT_EQ(expect_report_uri, report_uri); |
| 533 |
| 494 // Test that parsing a different header resets the hashes. | 534 // Test that parsing a different header resets the hashes. |
| 495 hashes.clear(); | 535 hashes.clear(); |
| 496 EXPECT_TRUE(ParseHPKPHeader( | 536 EXPECT_TRUE(ParseHPKPHeader( |
| 497 " max-age=999; " + | 537 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes, |
| 498 backup_pin + ";" + good_pin + "; ", | 538 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 499 chain_hashes, &max_age, &include_subdomains, &hashes)); | |
| 500 EXPECT_EQ(2u, hashes.size()); | 539 EXPECT_EQ(2u, hashes.size()); |
| 501 EXPECT_TRUE(ParseHPKPHeader( | 540 EXPECT_TRUE(ParseHPKPHeader( |
| 502 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, | 541 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, |
| 503 &max_age, &include_subdomains, &hashes)); | 542 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 504 EXPECT_EQ(2u, hashes.size()); | 543 EXPECT_EQ(2u, hashes.size()); |
| 505 } | 544 } |
| 506 | 545 |
| 507 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { | 546 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { |
| 508 TestBogusPinsHeaders(HASH_VALUE_SHA1); | 547 TestBogusPinsHeaders(HASH_VALUE_SHA1); |
| 509 } | 548 } |
| 510 | 549 |
| 511 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { | 550 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { |
| 512 TestBogusPinsHeaders(HASH_VALUE_SHA256); | 551 TestBogusPinsHeaders(HASH_VALUE_SHA256); |
| 513 } | 552 } |
| (...skipping 16 matching lines...) Expand all Loading... |
| 530 EXPECT_TRUE( | 569 EXPECT_TRUE( |
| 531 state.GetStaticDomainState(domain, &static_domain_state)); | 570 state.GetStaticDomainState(domain, &static_domain_state)); |
| 532 EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL); | 571 EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL); |
| 533 HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes; | 572 HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes; |
| 534 | 573 |
| 535 // Add a header, which should only update the dynamic state. | 574 // Add a header, which should only update the dynamic state. |
| 536 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); | 575 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); |
| 537 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1); | 576 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1); |
| 538 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); | 577 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); |
| 539 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); | 578 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); |
| 540 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin; | 579 std::string report_uri = "http://google.com"; |
| 580 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin + |
| 581 ";report-uri=\"" + report_uri + "\""; |
| 541 | 582 |
| 542 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. | 583 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. |
| 543 SSLInfo ssl_info; | 584 SSLInfo ssl_info; |
| 544 ssl_info.public_key_hashes.push_back(good_hash); | 585 ssl_info.public_key_hashes.push_back(good_hash); |
| 545 ssl_info.public_key_hashes.push_back(saved_hashes[0]); | 586 ssl_info.public_key_hashes.push_back(saved_hashes[0]); |
| 546 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); | 587 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); |
| 547 | 588 |
| 548 // Expect the static state to remain unchanged. | 589 // Expect the static state to remain unchanged. |
| 549 TransportSecurityState::DomainState new_static_domain_state; | 590 TransportSecurityState::DomainState new_static_domain_state; |
| 550 EXPECT_TRUE(state.GetStaticDomainState( | 591 EXPECT_TRUE(state.GetStaticDomainState( |
| 551 domain, &new_static_domain_state)); | 592 domain, &new_static_domain_state)); |
| 552 for (size_t i = 0; i < saved_hashes.size(); ++i) { | 593 for (size_t i = 0; i < saved_hashes.size(); ++i) { |
| 553 EXPECT_TRUE(HashValuesEqual(saved_hashes[i])( | 594 EXPECT_TRUE(HashValuesEqual(saved_hashes[i])( |
| 554 new_static_domain_state.pkp.spki_hashes[i])); | 595 new_static_domain_state.pkp.spki_hashes[i])); |
| 555 } | 596 } |
| 556 | 597 |
| 557 // Expect the dynamic state to reflect the header. | 598 // Expect the dynamic state to reflect the header. |
| 558 TransportSecurityState::DomainState dynamic_domain_state; | 599 TransportSecurityState::DomainState dynamic_domain_state; |
| 559 EXPECT_TRUE(state.GetDynamicDomainState(domain, &dynamic_domain_state)); | 600 EXPECT_TRUE(state.GetDynamicDomainState(domain, &dynamic_domain_state)); |
| 560 EXPECT_EQ(2UL, dynamic_domain_state.pkp.spki_hashes.size()); | 601 EXPECT_EQ(2UL, dynamic_domain_state.pkp.spki_hashes.size()); |
| 602 EXPECT_EQ(report_uri, dynamic_domain_state.pkp.report_uri); |
| 561 | 603 |
| 562 HashValueVector::const_iterator hash = | 604 HashValueVector::const_iterator hash = |
| 563 std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), | 605 std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), |
| 564 dynamic_domain_state.pkp.spki_hashes.end(), | 606 dynamic_domain_state.pkp.spki_hashes.end(), |
| 565 HashValuesEqual(good_hash)); | 607 HashValuesEqual(good_hash)); |
| 566 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); | 608 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); |
| 567 | 609 |
| 568 hash = std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), | 610 hash = std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(), |
| 569 dynamic_domain_state.pkp.spki_hashes.end(), | 611 dynamic_domain_state.pkp.spki_hashes.end(), |
| 570 HashValuesEqual(backup_hash)); | 612 HashValuesEqual(backup_hash)); |
| 571 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); | 613 EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); |
| 572 | 614 |
| 573 // Expect the overall state to reflect the header, too. | 615 // Expect the overall state to reflect the header, too. |
| 574 EXPECT_TRUE(state.HasPublicKeyPins(domain)); | 616 EXPECT_TRUE(state.HasPublicKeyPins(domain)); |
| 575 HashValueVector hashes; | 617 HashValueVector hashes; |
| 576 hashes.push_back(good_hash); | 618 hashes.push_back(good_hash); |
| 577 std::string failure_log; | 619 std::string failure_log; |
| 578 const bool is_issued_by_known_root = true; | 620 const bool is_issued_by_known_root = true; |
| 579 EXPECT_TRUE(state.CheckPublicKeyPins( | 621 EXPECT_TRUE(state.CheckPublicKeyPins( |
| 580 domain, is_issued_by_known_root, hashes, &failure_log)); | 622 domain, is_issued_by_known_root, hashes, 0, nullptr, nullptr, |
| 623 TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log)); |
| 581 | 624 |
| 582 TransportSecurityState::DomainState new_dynamic_domain_state; | 625 TransportSecurityState::DomainState new_dynamic_domain_state; |
| 583 EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state)); | 626 EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state)); |
| 584 EXPECT_EQ(2UL, new_dynamic_domain_state.pkp.spki_hashes.size()); | 627 EXPECT_EQ(2UL, new_dynamic_domain_state.pkp.spki_hashes.size()); |
| 628 EXPECT_EQ(report_uri, dynamic_domain_state.pkp.report_uri); |
| 585 | 629 |
| 586 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), | 630 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), |
| 587 new_dynamic_domain_state.pkp.spki_hashes.end(), | 631 new_dynamic_domain_state.pkp.spki_hashes.end(), |
| 588 HashValuesEqual(good_hash)); | 632 HashValuesEqual(good_hash)); |
| 589 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); | 633 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); |
| 590 | 634 |
| 591 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), | 635 hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(), |
| 592 new_dynamic_domain_state.pkp.spki_hashes.end(), | 636 new_dynamic_domain_state.pkp.spki_hashes.end(), |
| 593 HashValuesEqual(backup_hash)); | 637 HashValuesEqual(backup_hash)); |
| 594 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); | 638 EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash); |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 659 // though dynamic policy has been removed. (This policy may change in the | 703 // though dynamic policy has been removed. (This policy may change in the |
| 660 // future, in which case this test must be updated.) | 704 // future, in which case this test must be updated.) |
| 661 EXPECT_TRUE(state.HasPublicKeyPins(domain)); | 705 EXPECT_TRUE(state.HasPublicKeyPins(domain)); |
| 662 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal(domain)); | 706 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal(domain)); |
| 663 std::string failure_log; | 707 std::string failure_log; |
| 664 // Damage the hashes to cause a pin validation failure. | 708 // Damage the hashes to cause a pin validation failure. |
| 665 new_static_domain_state2.pkp.spki_hashes[0].data()[0] ^= 0x80; | 709 new_static_domain_state2.pkp.spki_hashes[0].data()[0] ^= 0x80; |
| 666 new_static_domain_state2.pkp.spki_hashes[1].data()[0] ^= 0x80; | 710 new_static_domain_state2.pkp.spki_hashes[1].data()[0] ^= 0x80; |
| 667 new_static_domain_state2.pkp.spki_hashes[2].data()[0] ^= 0x80; | 711 new_static_domain_state2.pkp.spki_hashes[2].data()[0] ^= 0x80; |
| 668 const bool is_issued_by_known_root = true; | 712 const bool is_issued_by_known_root = true; |
| 669 EXPECT_FALSE( | 713 EXPECT_FALSE(state.CheckPublicKeyPins( |
| 670 state.CheckPublicKeyPins(domain, | 714 domain, is_issued_by_known_root, new_static_domain_state2.pkp.spki_hashes, |
| 671 is_issued_by_known_root, | 715 0, nullptr, nullptr, |
| 672 new_static_domain_state2.pkp.spki_hashes, | 716 TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log)); |
| 673 &failure_log)); | |
| 674 EXPECT_NE(0UL, failure_log.length()); | 717 EXPECT_NE(0UL, failure_log.length()); |
| 675 } | 718 } |
| 676 | 719 |
| 677 // Tests that when a static HSTS and a static HPKP entry are present, adding a | 720 // Tests that when a static HSTS and a static HPKP entry are present, adding a |
| 678 // dynamic HSTS header does not clobber the static HPKP entry. Further, adding a | 721 // dynamic HSTS header does not clobber the static HPKP entry. Further, adding a |
| 679 // dynamic HPKP entry could not affect the HSTS entry for the site. | 722 // dynamic HPKP entry could not affect the HSTS entry for the site. |
| 680 TEST_F(HttpSecurityHeadersTest, NoClobberPins) { | 723 TEST_F(HttpSecurityHeadersTest, NoClobberPins) { |
| 681 TransportSecurityState state; | 724 TransportSecurityState state; |
| 682 TransportSecurityState::DomainState domain_state; | 725 TransportSecurityState::DomainState domain_state; |
| 683 | 726 |
| (...skipping 10 matching lines...) Expand all Loading... |
| 694 EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); | 737 EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); |
| 695 EXPECT_TRUE(state.HasPublicKeyPins(domain)); | 738 EXPECT_TRUE(state.HasPublicKeyPins(domain)); |
| 696 | 739 |
| 697 // Add a dynamic HSTS header. CheckPublicKeyPins should still pass when given | 740 // Add a dynamic HSTS header. CheckPublicKeyPins should still pass when given |
| 698 // the original |saved_hashes|, indicating that the static PKP data is still | 741 // the original |saved_hashes|, indicating that the static PKP data is still |
| 699 // configured for the domain. | 742 // configured for the domain. |
| 700 EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000")); | 743 EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000")); |
| 701 EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); | 744 EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); |
| 702 std::string failure_log; | 745 std::string failure_log; |
| 703 const bool is_issued_by_known_root = true; | 746 const bool is_issued_by_known_root = true; |
| 704 EXPECT_TRUE(state.CheckPublicKeyPins(domain, | 747 EXPECT_TRUE(state.CheckPublicKeyPins( |
| 705 is_issued_by_known_root, | 748 domain, is_issued_by_known_root, saved_hashes, 0, nullptr, nullptr, |
| 706 saved_hashes, | 749 TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log)); |
| 707 &failure_log)); | |
| 708 | 750 |
| 709 // Add an HPKP header, which should only update the dynamic state. | 751 // Add an HPKP header, which should only update the dynamic state. |
| 710 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); | 752 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); |
| 711 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); | 753 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); |
| 712 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); | 754 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); |
| 713 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin; | 755 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin; |
| 714 | 756 |
| 715 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. | 757 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. |
| 716 SSLInfo ssl_info; | 758 SSLInfo ssl_info; |
| 717 ssl_info.public_key_hashes.push_back(good_hash); | 759 ssl_info.public_key_hashes.push_back(good_hash); |
| 718 ssl_info.public_key_hashes.push_back(saved_hashes[0]); | 760 ssl_info.public_key_hashes.push_back(saved_hashes[0]); |
| 719 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); | 761 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); |
| 720 | 762 |
| 721 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); | 763 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); |
| 722 // HSTS should still be configured for this domain. | 764 // HSTS should still be configured for this domain. |
| 723 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); | 765 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); |
| 724 EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); | 766 EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); |
| 725 // The dynamic pins, which do not match |saved_hashes|, should take | 767 // The dynamic pins, which do not match |saved_hashes|, should take |
| 726 // precedence over the static pins and cause the check to fail. | 768 // precedence over the static pins and cause the check to fail. |
| 727 EXPECT_FALSE(state.CheckPublicKeyPins(domain, | 769 EXPECT_FALSE(state.CheckPublicKeyPins( |
| 728 is_issued_by_known_root, | 770 domain, is_issued_by_known_root, saved_hashes, 0, nullptr, nullptr, |
| 729 saved_hashes, | 771 TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log)); |
| 730 &failure_log)); | |
| 731 } | 772 } |
| 732 | 773 |
| 733 // Tests that seeing an invalid HPKP header leaves the existing one alone. | 774 // Tests that seeing an invalid HPKP header leaves the existing one alone. |
| 734 TEST_F(HttpSecurityHeadersTest, IgnoreInvalidHeaders) { | 775 TEST_F(HttpSecurityHeadersTest, IgnoreInvalidHeaders) { |
| 735 TransportSecurityState state; | 776 TransportSecurityState state; |
| 736 | 777 |
| 737 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA256); | 778 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA256); |
| 738 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA256); | 779 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA256); |
| 739 std::string bad_pin = GetTestPin(2, HASH_VALUE_SHA256); | 780 std::string bad_pin = GetTestPin(2, HASH_VALUE_SHA256); |
| 740 std::string backup_pin = GetTestPin(3, HASH_VALUE_SHA256); | 781 std::string backup_pin = GetTestPin(3, HASH_VALUE_SHA256); |
| 741 | 782 |
| 742 SSLInfo ssl_info; | 783 SSLInfo ssl_info; |
| 743 ssl_info.public_key_hashes.push_back(good_hash); | 784 ssl_info.public_key_hashes.push_back(good_hash); |
| 744 | 785 |
| 745 // Add a valid HPKP header. | 786 // Add a valid HPKP header. |
| 746 EXPECT_TRUE(state.AddHPKPHeader( | 787 EXPECT_TRUE(state.AddHPKPHeader( |
| 747 "example.com", "max-age = 10000; " + good_pin + "; " + backup_pin, | 788 "example.com", "max-age = 10000; " + good_pin + "; " + backup_pin, |
| 748 ssl_info)); | 789 ssl_info)); |
| 749 | 790 |
| 750 // Check the insertion was valid. | 791 // Check the insertion was valid. |
| 751 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 792 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
| 752 std::string failure_log; | 793 std::string failure_log; |
| 753 bool is_issued_by_known_root = true; | 794 bool is_issued_by_known_root = true; |
| 754 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root, | 795 EXPECT_TRUE(state.CheckPublicKeyPins( |
| 755 ssl_info.public_key_hashes, | 796 "example.com", is_issued_by_known_root, ssl_info.public_key_hashes, 0, |
| 756 &failure_log)); | 797 nullptr, nullptr, |
| 798 TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log)); |
| 757 | 799 |
| 758 // Now assert an invalid one. This should fail. | 800 // Now assert an invalid one. This should fail. |
| 759 EXPECT_FALSE(state.AddHPKPHeader( | 801 EXPECT_FALSE(state.AddHPKPHeader( |
| 760 "example.com", "max-age = 10000; " + bad_pin + "; " + backup_pin, | 802 "example.com", "max-age = 10000; " + bad_pin + "; " + backup_pin, |
| 761 ssl_info)); | 803 ssl_info)); |
| 762 | 804 |
| 763 // The old pins must still exist. | 805 // The old pins must still exist. |
| 764 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 806 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
| 765 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root, | 807 EXPECT_TRUE(state.CheckPublicKeyPins( |
| 766 ssl_info.public_key_hashes, | 808 "example.com", is_issued_by_known_root, ssl_info.public_key_hashes, 0, |
| 767 &failure_log)); | 809 nullptr, nullptr, |
| 810 TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log)); |
| 768 } | 811 } |
| 769 | 812 |
| 770 }; // namespace net | 813 }; // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1211933005:
Initial (partial) implementation of HPKP violation reporting (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master