| Index: net/http/http_security_headers_unittest.cc
|
| diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc
|
| index 3564245ccd62c88740293a8d23b9eb5d7327d08b..62c6b2fb6e277684494004dca9f8c41a0bf81ed6 100644
|
| --- a/net/http/http_security_headers_unittest.cc
|
| +++ b/net/http/http_security_headers_unittest.cc
|
| @@ -152,6 +152,7 @@ static void TestBogusPinsHeaders(HashValueTag tag) {
|
| bool include_subdomains;
|
| HashValueVector hashes;
|
| HashValueVector chain_hashes;
|
| + std::string report_uri;
|
|
|
| // Set some fake "chain" hashes
|
| chain_hashes.push_back(GetTestHashValue(1, tag));
|
| @@ -164,77 +165,91 @@ static void TestBogusPinsHeaders(HashValueTag tag) {
|
| std::string backup_pin = GetTestPin(4, tag);
|
|
|
| EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes,
|
| - &max_age, &include_subdomains, &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes,
|
| - &max_age, &include_subdomains, &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923",
|
| + &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, &max_age,
|
| + &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, &max_age,
|
| + &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", chain_hashes,
|
| + &max_age, &include_subdomains, &hashes,
|
| + &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age,
|
| + &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader(
|
| + "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes,
|
| + &max_age, &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;pins=" + good_pin + "," +
|
| + backup_pin + "report-uri=\"http://foo.com\"",
|
| chain_hashes, &max_age, &include_subdomains,
|
| - &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes,
|
| - &max_age, &include_subdomains, &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader("max-ag=3488923pins=" + good_pin + "," +
|
| - backup_pin,
|
| + &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes,
|
| + &max_age, &include_subdomains, &hashes,
|
| + &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes,
|
| + &max_age, &include_subdomains, &hashes,
|
| + &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader(
|
| + "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes,
|
| + &max_age, &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + good_pin,
|
| chain_hashes, &max_age, &include_subdomains,
|
| - &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin,
|
| - chain_hashes, &max_age, &include_subdomains,
|
| - &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin,
|
| - chain_hashes, &max_age, &include_subdomains,
|
| - &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin + ";" +
|
| - backup_pin,
|
| - chain_hashes, &max_age, &include_subdomains,
|
| - &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" +
|
| - good_pin,
|
| - chain_hashes, &max_age, &include_subdomains,
|
| - &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin,
|
| - chain_hashes, &max_age, &include_subdomains,
|
| - &hashes));
|
| + &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes,
|
| + &max_age, &include_subdomains, &hashes,
|
| + &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| - EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes,
|
| - &max_age, &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, &max_age,
|
| + &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain",
|
| chain_hashes, &max_age, &include_subdomains,
|
| - &hashes));
|
| + &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader(
|
| + "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes,
|
| + &max_age, &include_subdomains, &hashes, &report_uri));
|
| EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age,
|
| - &include_subdomains, &hashes));
|
| - EXPECT_FALSE(
|
| - ParseHPKPHeader("max-age=243; " + good_pin_unquoted + ";" + backup_pin,
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader(
|
| + "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes,
|
| + &max_age, &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader(
|
| + "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;",
|
| + chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin +
|
| + ";report-uri=http://foo.com;",
|
| + chain_hashes, &max_age, &include_subdomains,
|
| + &hashes, &report_uri));
|
| + EXPECT_FALSE(ParseHPKPHeader(
|
| + "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''",
|
| + chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
|
|
|
| // Check the out args were not updated by checking the default
|
| // values for its predictable fields.
|
| @@ -405,6 +420,8 @@ static void TestValidPKPHeaders(HashValueTag tag) {
|
| bool include_subdomains;
|
| HashValueVector hashes;
|
| HashValueVector chain_hashes;
|
| + std::string expect_report_uri;
|
| + std::string report_uri;
|
|
|
| // Set some fake "chain" hashes into chain_hashes
|
| chain_hashes.push_back(GetTestHashValue(1, tag));
|
| @@ -416,45 +433,58 @@ static void TestValidPKPHeaders(HashValueTag tag) {
|
| std::string good_pin2 = GetTestPin(3, tag);
|
| std::string backup_pin = GetTestPin(4, tag);
|
|
|
| - EXPECT_TRUE(ParseHPKPHeader(
|
| - "max-age=243; " + good_pin + ";" + backup_pin,
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin,
|
| + chain_hashes, &max_age, &include_subdomains,
|
| + &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(243);
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_FALSE(include_subdomains);
|
| + EXPECT_EQ(std::string(), report_uri);
|
|
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| - " " + good_pin + "; " + backup_pin + " ; Max-agE = 567",
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + "max-age=243; " + good_pin + ";" + backup_pin + "; report-uri= \"/foo\"",
|
| + chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
|
| + expect_max_age = base::TimeDelta::FromSeconds(243);
|
| + expect_report_uri = "/foo";
|
| + EXPECT_EQ(expect_max_age, max_age);
|
| + EXPECT_FALSE(include_subdomains);
|
| + EXPECT_EQ(expect_report_uri, report_uri);
|
| +
|
| + EXPECT_TRUE(ParseHPKPHeader(" " + good_pin + "; " + backup_pin +
|
| + " ; Max-agE = 567; repOrT-URi = \"/foo\"",
|
| + chain_hashes, &max_age, &include_subdomains,
|
| + &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(567);
|
| + expect_report_uri = "/foo";
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_FALSE(include_subdomains);
|
| + EXPECT_EQ(expect_report_uri, report_uri);
|
|
|
| - EXPECT_TRUE(ParseHPKPHeader(
|
| - "includeSubDOMAINS;" + good_pin + ";" + backup_pin +
|
| - " ; mAx-aGe = 890 ",
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + EXPECT_TRUE(ParseHPKPHeader("includeSubDOMAINS;" + good_pin + ";" +
|
| + backup_pin + " ; mAx-aGe = 890 ",
|
| + chain_hashes, &max_age, &include_subdomains,
|
| + &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(890);
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_TRUE(include_subdomains);
|
|
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| - good_pin + ";" + backup_pin + "; max-age=123;IGNORED;",
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes,
|
| + &max_age, &include_subdomains, &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(123);
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_FALSE(include_subdomains);
|
|
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| - "max-age=394082;" + backup_pin + ";" + good_pin + "; ",
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes,
|
| + &max_age, &include_subdomains, &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(394082);
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_FALSE(include_subdomains);
|
|
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| - "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ",
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes,
|
| + &max_age, &include_subdomains, &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(
|
| std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299))));
|
| EXPECT_EQ(expect_max_age, max_age);
|
| @@ -463,22 +493,22 @@ static void TestValidPKPHeaders(HashValueTag tag) {
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " +
|
| good_pin + ";" + backup_pin + "; ",
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(
|
| std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038))));
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_TRUE(include_subdomains);
|
|
|
| - EXPECT_TRUE(ParseHPKPHeader(
|
| - " max-age=0 ; " + good_pin + ";" + backup_pin,
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + EXPECT_TRUE(ParseHPKPHeader(" max-age=0 ; " + good_pin + ";" + backup_pin,
|
| + chain_hashes, &max_age, &include_subdomains,
|
| + &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(0);
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_FALSE(include_subdomains);
|
|
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin,
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(0);
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_TRUE(include_subdomains);
|
| @@ -486,21 +516,30 @@ static void TestValidPKPHeaders(HashValueTag tag) {
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| " max-age=999999999999999999999999999999999999999999999 ; " +
|
| backup_pin + ";" + good_pin + "; ",
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
|
| + expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);
|
| + EXPECT_EQ(expect_max_age, max_age);
|
| + EXPECT_FALSE(include_subdomains);
|
| +
|
| + EXPECT_TRUE(ParseHPKPHeader(
|
| + " max-age=999999999999999999999999999999999999999999999 ; " +
|
| + backup_pin + ";" + good_pin + "; report-uri=\"/foo\"",
|
| + chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
|
| expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);
|
| + expect_report_uri = "/foo";
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_FALSE(include_subdomains);
|
| + EXPECT_EQ(expect_report_uri, report_uri);
|
|
|
| // Test that parsing a different header resets the hashes.
|
| hashes.clear();
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| - " max-age=999; " +
|
| - backup_pin + ";" + good_pin + "; ",
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes,
|
| + &max_age, &include_subdomains, &hashes, &report_uri));
|
| EXPECT_EQ(2u, hashes.size());
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes,
|
| - &max_age, &include_subdomains, &hashes));
|
| + &max_age, &include_subdomains, &hashes, &report_uri));
|
| EXPECT_EQ(2u, hashes.size());
|
| }
|
|
|
| @@ -537,7 +576,9 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
|
| HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1);
|
| std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
|
| std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
|
| - std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin;
|
| + std::string report_uri = "http://google.com";
|
| + std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin +
|
| + ";report-uri=\"" + report_uri + "\"";
|
|
|
| // Construct a fake SSLInfo that will pass AddHPKPHeader's checks.
|
| SSLInfo ssl_info;
|
| @@ -558,6 +599,7 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
|
| TransportSecurityState::DomainState dynamic_domain_state;
|
| EXPECT_TRUE(state.GetDynamicDomainState(domain, &dynamic_domain_state));
|
| EXPECT_EQ(2UL, dynamic_domain_state.pkp.spki_hashes.size());
|
| + EXPECT_EQ(report_uri, dynamic_domain_state.pkp.report_uri);
|
|
|
| HashValueVector::const_iterator hash =
|
| std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(),
|
| @@ -577,11 +619,13 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
|
| std::string failure_log;
|
| const bool is_issued_by_known_root = true;
|
| EXPECT_TRUE(state.CheckPublicKeyPins(
|
| - domain, is_issued_by_known_root, hashes, &failure_log));
|
| + domain, is_issued_by_known_root, hashes, 0, nullptr, nullptr,
|
| + TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
|
|
|
| TransportSecurityState::DomainState new_dynamic_domain_state;
|
| EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state));
|
| EXPECT_EQ(2UL, new_dynamic_domain_state.pkp.spki_hashes.size());
|
| + EXPECT_EQ(report_uri, dynamic_domain_state.pkp.report_uri);
|
|
|
| hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(),
|
| new_dynamic_domain_state.pkp.spki_hashes.end(),
|
| @@ -666,11 +710,10 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0) {
|
| new_static_domain_state2.pkp.spki_hashes[1].data()[0] ^= 0x80;
|
| new_static_domain_state2.pkp.spki_hashes[2].data()[0] ^= 0x80;
|
| const bool is_issued_by_known_root = true;
|
| - EXPECT_FALSE(
|
| - state.CheckPublicKeyPins(domain,
|
| - is_issued_by_known_root,
|
| - new_static_domain_state2.pkp.spki_hashes,
|
| - &failure_log));
|
| + EXPECT_FALSE(state.CheckPublicKeyPins(
|
| + domain, is_issued_by_known_root, new_static_domain_state2.pkp.spki_hashes,
|
| + 0, nullptr, nullptr,
|
| + TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
|
| EXPECT_NE(0UL, failure_log.length());
|
| }
|
|
|
| @@ -701,10 +744,9 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
|
| EXPECT_TRUE(state.ShouldUpgradeToSSL(domain));
|
| std::string failure_log;
|
| const bool is_issued_by_known_root = true;
|
| - EXPECT_TRUE(state.CheckPublicKeyPins(domain,
|
| - is_issued_by_known_root,
|
| - saved_hashes,
|
| - &failure_log));
|
| + EXPECT_TRUE(state.CheckPublicKeyPins(
|
| + domain, is_issued_by_known_root, saved_hashes, 0, nullptr, nullptr,
|
| + TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
|
|
|
| // Add an HPKP header, which should only update the dynamic state.
|
| HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
|
| @@ -724,10 +766,9 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
|
| EXPECT_TRUE(state.ShouldUpgradeToSSL(domain));
|
| // The dynamic pins, which do not match |saved_hashes|, should take
|
| // precedence over the static pins and cause the check to fail.
|
| - EXPECT_FALSE(state.CheckPublicKeyPins(domain,
|
| - is_issued_by_known_root,
|
| - saved_hashes,
|
| - &failure_log));
|
| + EXPECT_FALSE(state.CheckPublicKeyPins(
|
| + domain, is_issued_by_known_root, saved_hashes, 0, nullptr, nullptr,
|
| + TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
|
| }
|
|
|
| // Tests that seeing an invalid HPKP header leaves the existing one alone.
|
| @@ -751,9 +792,10 @@ TEST_F(HttpSecurityHeadersTest, IgnoreInvalidHeaders) {
|
| EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
|
| std::string failure_log;
|
| bool is_issued_by_known_root = true;
|
| - EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root,
|
| - ssl_info.public_key_hashes,
|
| - &failure_log));
|
| + EXPECT_TRUE(state.CheckPublicKeyPins(
|
| + "example.com", is_issued_by_known_root, ssl_info.public_key_hashes, 0,
|
| + nullptr, nullptr,
|
| + TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
|
|
|
| // Now assert an invalid one. This should fail.
|
| EXPECT_FALSE(state.AddHPKPHeader(
|
| @@ -762,9 +804,10 @@ TEST_F(HttpSecurityHeadersTest, IgnoreInvalidHeaders) {
|
|
|
| // The old pins must still exist.
|
| EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
|
| - EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root,
|
| - ssl_info.public_key_hashes,
|
| - &failure_log));
|
| + EXPECT_TRUE(state.CheckPublicKeyPins(
|
| + "example.com", is_issued_by_known_root, ssl_info.public_key_hashes, 0,
|
| + nullptr, nullptr,
|
| + TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
|
| }
|
|
|
| }; // namespace net
|
|
|
Chromium Code Reviews
Issue 1211933005:
Initial (partial) implementation of HPKP violation reporting (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master