OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
11 #include "base/base64.h" | 11 #include "base/base64.h" |
12 #include "base/files/file_path.h" | 12 #include "base/files/file_path.h" |
13 #include "base/json/json_reader.h" | |
13 #include "base/rand_util.h" | 14 #include "base/rand_util.h" |
14 #include "base/sha1.h" | 15 #include "base/sha1.h" |
15 #include "base/strings/string_piece.h" | 16 #include "base/strings/string_piece.h" |
17 #include "base/values.h" | |
16 #include "crypto/sha2.h" | 18 #include "crypto/sha2.h" |
19 #include "net/base/host_port_pair.h" | |
17 #include "net/base/net_errors.h" | 20 #include "net/base/net_errors.h" |
18 #include "net/base/test_completion_callback.h" | 21 #include "net/base/test_completion_callback.h" |
19 #include "net/base/test_data_directory.h" | 22 #include "net/base/test_data_directory.h" |
20 #include "net/cert/asn1_util.h" | 23 #include "net/cert/asn1_util.h" |
21 #include "net/cert/cert_verifier.h" | 24 #include "net/cert/cert_verifier.h" |
22 #include "net/cert/cert_verify_result.h" | 25 #include "net/cert/cert_verify_result.h" |
23 #include "net/cert/test_root_certs.h" | 26 #include "net/cert/test_root_certs.h" |
24 #include "net/cert/x509_cert_types.h" | 27 #include "net/cert/x509_cert_types.h" |
25 #include "net/cert/x509_certificate.h" | 28 #include "net/cert/x509_certificate.h" |
26 #include "net/http/http_util.h" | 29 #include "net/http/http_util.h" |
27 #include "net/log/net_log.h" | 30 #include "net/log/net_log.h" |
28 #include "net/ssl/ssl_info.h" | 31 #include "net/ssl/ssl_info.h" |
29 #include "net/test/cert_test_util.h" | 32 #include "net/test/cert_test_util.h" |
30 #include "testing/gtest/include/gtest/gtest.h" | 33 #include "testing/gtest/include/gtest/gtest.h" |
31 | 34 |
32 #if defined(USE_OPENSSL) | 35 #if defined(USE_OPENSSL) |
33 #include "crypto/openssl_util.h" | 36 #include "crypto/openssl_util.h" |
34 #else | 37 #else |
35 #include "crypto/nss_util.h" | 38 #include "crypto/nss_util.h" |
36 #endif | 39 #endif |
37 | 40 |
38 namespace { | 41 namespace net { |
39 | 42 |
40 const char kReportUri[] = "http://example.test/test"; | 43 const char kReportUri[] = "http://example.test/test"; |
estark
2015/07/23 08:53:29
Is everything supposed to be in the net namespace
davidben
2015/07/24 20:42:55
See my second comment here:
https://codereview.chr
estark
2015/07/25 00:10:31
Done. I left the existing test fixtures and tests
| |
41 | 44 |
42 } // namespace | 45 // A mock ReportSender that just remembers the latest report |
46 // URI and report to be sent. | |
47 class MockCertificateReportSender | |
48 : public TransportSecurityState::ReportSender { | |
49 public: | |
50 MockCertificateReportSender() {} | |
51 ~MockCertificateReportSender() override {} | |
43 | 52 |
44 namespace net { | 53 void Send(const GURL& report_uri, const std::string& report) override { |
54 latest_report_uri_ = report_uri; | |
55 latest_report_ = report; | |
56 } | |
57 | |
58 const GURL& latest_report_uri() { return latest_report_uri_; } | |
59 const std::string& latest_report() { return latest_report_; } | |
60 | |
61 private: | |
62 GURL latest_report_uri_; | |
63 std::string latest_report_; | |
64 }; | |
65 | |
66 void CompareCertificateChainWithList( | |
67 const scoped_refptr<X509Certificate>& cert_chain, | |
68 const base::ListValue* cert_list) { | |
69 ASSERT_TRUE(cert_chain); | |
70 std::vector<std::string> pem_encoded_chain; | |
71 cert_chain->GetPEMEncodedChain(&pem_encoded_chain); | |
72 EXPECT_EQ(pem_encoded_chain.size(), cert_list->GetSize()); | |
73 | |
74 for (size_t i = 0; i < pem_encoded_chain.size(); i++) { | |
75 std::string list_cert; | |
76 ASSERT_TRUE(cert_list->GetString(i, &list_cert)); | |
77 EXPECT_EQ(pem_encoded_chain[i], list_cert); | |
78 } | |
79 } | |
80 | |
81 void CheckHPKPReport( | |
82 const std::string& report, | |
83 const HostPortPair& host_port_pair, | |
84 const base::Time& expiry, | |
85 bool include_subdomains, | |
86 const std::string& noted_hostname, | |
87 const scoped_refptr<X509Certificate>& served_certificate_chain, | |
88 const scoped_refptr<X509Certificate>& validated_certificate_chain, | |
89 const net::HashValueVector& known_pins) { | |
90 // TODO(estark): check time in RFC3339 format. | |
91 | |
92 scoped_ptr<base::Value> value(base::JSONReader::Read(report)); | |
93 ASSERT_TRUE(value); | |
94 ASSERT_TRUE(value->IsType(base::Value::TYPE_DICTIONARY)); | |
95 | |
96 scoped_ptr<base::DictionaryValue> report_dict( | |
97 static_cast<base::DictionaryValue*>(value.release())); | |
davidben
2015/07/24 20:42:55
You can also do:
base::DictionaryValue* report_d
estark
2015/07/25 00:10:31
Done.
| |
98 | |
99 std::string report_hostname; | |
100 EXPECT_TRUE(report_dict->GetString("hostname", &report_hostname)); | |
101 EXPECT_EQ(host_port_pair.host(), report_hostname); | |
102 | |
103 int report_port; | |
104 EXPECT_TRUE(report_dict->GetInteger("port", &report_port)); | |
105 EXPECT_EQ(host_port_pair.port(), report_port); | |
106 | |
107 bool report_include_subdomains; | |
108 EXPECT_TRUE(report_dict->GetBoolean("include-subdomains", | |
109 &report_include_subdomains)); | |
110 EXPECT_EQ(include_subdomains, report_include_subdomains); | |
111 | |
112 std::string report_noted_hostname; | |
113 EXPECT_TRUE(report_dict->GetString("noted-hostname", &report_noted_hostname)); | |
114 EXPECT_EQ(noted_hostname, report_noted_hostname); | |
115 | |
116 base::ListValue* report_served_certificate_chain; | |
117 EXPECT_TRUE(report_dict->GetList("served-certificate-chain", | |
118 &report_served_certificate_chain)); | |
119 ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( | |
120 served_certificate_chain, report_served_certificate_chain)); | |
121 | |
122 base::ListValue* report_validated_certificate_chain; | |
123 EXPECT_TRUE(report_dict->GetList("validated-certificate-chain", | |
124 &report_validated_certificate_chain)); | |
125 ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( | |
126 validated_certificate_chain, report_validated_certificate_chain)); | |
127 } | |
45 | 128 |
46 class TransportSecurityStateTest : public testing::Test { | 129 class TransportSecurityStateTest : public testing::Test { |
47 public: | 130 public: |
48 void SetUp() override { | 131 void SetUp() override { |
49 #if defined(USE_OPENSSL) | 132 #if defined(USE_OPENSSL) |
50 crypto::EnsureOpenSSLInit(); | 133 crypto::EnsureOpenSSLInit(); |
51 #else | 134 #else |
52 crypto::EnsureNSSInit(); | 135 crypto::EnsureNSSInit(); |
53 #endif | 136 #endif |
54 } | 137 } |
1105 | 1188 |
1106 // These hosts used to only be HSTS when SNI was available. | 1189 // These hosts used to only be HSTS when SNI was available. |
1107 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1190 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1108 "gmail.com")); | 1191 "gmail.com")); |
1109 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1192 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1110 "googlegroups.com")); | 1193 "googlegroups.com")); |
1111 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1194 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1112 "www.googlegroups.com")); | 1195 "www.googlegroups.com")); |
1113 } | 1196 } |
1114 | 1197 |
1198 TEST_F(TransportSecurityStateTest, HPKPReporting) { | |
1199 const char kHost[] = "example.test"; | |
1200 const char kSubdomain[] = "foo.example.test"; | |
1201 const uint16_t kPort = 443; | |
davidben
2015/07/24 20:42:55
Nit: static const
estark
2015/07/25 00:10:31
Done.
| |
1202 HostPortPair host_port_pair(kHost, kPort); | |
1203 HostPortPair subdomain_host_port_pair(kSubdomain, kPort); | |
1204 GURL report_uri("http://www.example.test/report"); | |
1205 // Two dummy certs to use as the server-sent and validated chains. The | |
1206 // contents don't matter. | |
1207 scoped_refptr<X509Certificate> cert1 = | |
1208 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | |
1209 scoped_refptr<X509Certificate> cert2 = | |
1210 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | |
1211 ASSERT_TRUE(cert1); | |
1212 ASSERT_TRUE(cert2); | |
1213 | |
1214 // kGoodPath is blog.torproject.org. | |
1215 static const char* const kGoodPath[] = { | |
1216 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", | |
1217 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=", | |
1218 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", | |
1219 NULL, | |
1220 }; | |
1221 | |
1222 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for | |
1223 // torproject.org. | |
1224 static const char* const kBadPath[] = { | |
1225 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | |
1226 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", | |
1227 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | |
1228 NULL, | |
1229 }; | |
1230 | |
1231 HashValueVector good_hashes, bad_hashes; | |
1232 | |
1233 for (size_t i = 0; kGoodPath[i]; i++) | |
1234 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | |
1235 for (size_t i = 0; kBadPath[i]; i++) | |
1236 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | |
1237 | |
1238 TransportSecurityState state; | |
1239 MockCertificateReportSender mock_report_sender; | |
1240 state.SetReportSender(&mock_report_sender); | |
1241 | |
1242 const base::Time current_time(base::Time::Now()); | |
davidben
2015/07/24 20:42:55
Nit: I'd probably just use equals here.
estark
2015/07/25 00:10:31
Done.
| |
1243 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
1244 state.AddHPKP(kHost, expiry, true, good_hashes, report_uri); | |
1245 | |
1246 EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); | |
1247 EXPECT_EQ(std::string(), mock_report_sender.latest_report()); | |
1248 | |
1249 std::string failure_log; | |
1250 EXPECT_FALSE(state.CheckPublicKeyPins( | |
1251 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), | |
1252 TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); | |
1253 | |
1254 // No report should have been sent because of the DO_NOT_SEND_REPORT | |
davidben
2015/07/24 20:42:55
DO_NOT_SEND_REPORT -> DISABLE_PIN_REPORTS?
estark
2015/07/25 00:10:31
Done.
| |
1255 // argument. | |
1256 EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); | |
1257 EXPECT_EQ(std::string(), mock_report_sender.latest_report()); | |
1258 | |
1259 EXPECT_TRUE(state.CheckPublicKeyPins( | |
1260 host_port_pair, true, good_hashes, cert1.get(), cert2.get(), | |
1261 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); | |
1262 | |
1263 // No report should have been sent because there was no violation. | |
1264 EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); | |
1265 EXPECT_EQ(std::string(), mock_report_sender.latest_report()); | |
1266 | |
1267 EXPECT_FALSE(state.CheckPublicKeyPins( | |
1268 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), | |
1269 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); | |
1270 | |
1271 // Now a report should have been sent. Check that it contains the | |
1272 // right information. | |
1273 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); | |
1274 std::string report = mock_report_sender.latest_report(); | |
1275 ASSERT_FALSE(report.empty()); | |
1276 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, true, | |
1277 kHost, cert1.get(), cert2.get(), | |
1278 good_hashes)); | |
1279 | |
1280 EXPECT_FALSE(state.CheckPublicKeyPins( | |
1281 subdomain_host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), | |
1282 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); | |
1283 | |
1284 // Now a report should have been sent for the subdomain. Check that it | |
1285 // contains the right information. | |
1286 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); | |
1287 report = mock_report_sender.latest_report(); | |
1288 ASSERT_FALSE(report.empty()); | |
1289 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair, | |
1290 expiry, true, kHost, cert1.get(), | |
1291 cert2.get(), good_hashes)); | |
1292 } | |
1293 | |
1115 } // namespace net | 1294 } // namespace net |
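Review bot: In CheckHPKPReport the two `GetList` lookups (new lines 116-126) are guarded only by the non-fatal `EXPECT_TRUE`, so when a report lacks `served-certificate-chain` or `validated-certificate-chain` the uninitialized `base::ListValue*` (which GetList presumably leaves unset on failure) is still handed to CompareCertificateChainWithList and dereferenced at `cert_list->GetSize()`. Making both lookups fatal turns a malformed report into a clean test failure instead of undefined behaviour: `ASSERT_TRUE(report_dict->GetList("served-certificate-chain", &report_served_certificate_chain));`, and the same for the validated chain. `report_port` and `report_include_subdomains` are likewise compared uninitialized after a failed `EXPECT_TRUE`, so they should either be initialized at declaration or use `ASSERT_TRUE` as well. Separately, `known_pins` is accepted but never compared with anything in the report, so the test still passes if the reported pins are missing or wrong; that deserves a check, or at least a `// TODO` beside the existing one for the expiry time.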