Send HPKP violation reports when a pin check fails

net/http/transport_security_state_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
 #include "base/base64.h"
 #include "base/files/file_path.h"
+#include "base/json/json_reader.h"
 #include "base/rand_util.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
+#include "base/values.h"
 #include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
+#include "net/http/certificate_report_sender.h"
 #include "net/http/http_util.h"
+#include "net/http/transport_security_reporter.h"
 #include "net/log/net_log.h"
 #include "net/ssl/ssl_info.h"
 #include "net/test/cert_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 #if defined(USE_OPENSSL)
 #include "crypto/openssl_util.h"
 #else
 #include "crypto/nss_util.h"
 #endif
 
+namespace {
+
+// A mock CertificateReportSender that just remembers the latest report
+// URI and report to be sent.
+class MockCertificateReportSender : public net::CertificateReportSender {
+ public:
+  MockCertificateReportSender() {}
+  ~MockCertificateReportSender() override {}
+
+  void Send(const GURL& report_uri, const std::string& report) override {
+    latest_report_uri_ = report_uri;
+    latest_report_ = report;
+  }
+
+  const GURL& latest_report_uri() { return latest_report_uri_; }
+  const std::string& latest_report() { return latest_report_; }
+
+ private:
+  GURL latest_report_uri_;
+  std::string latest_report_;
+};
+
+void CompareCertificateChainWithList(
+    const scoped_refptr<net::X509Certificate>& cert_chain,
+    const base::ListValue* cert_list) {
+  ASSERT_TRUE(cert_chain);
+  std::vector<std::string> pem_encoded_chain;
+  cert_chain->GetPEMEncodedChain(&pem_encoded_chain);
+  EXPECT_EQ(pem_encoded_chain.size(), cert_list->GetSize());
+
+  for (size_t i = 0; i < pem_encoded_chain.size(); i++) {
+    std::string list_cert;
+    ASSERT_TRUE(cert_list->GetString(i, &list_cert));
+    EXPECT_EQ(pem_encoded_chain[i], list_cert);
+  }
+}
+
+void CheckHPKPReport(
+    const std::string& report,
+    const std::string& hostname,
+    uint16_t port,
+    const base::Time& expiry,
+    bool include_subdomains,
+    const std::string& noted_hostname,
+    const scoped_refptr<net::X509Certificate>& served_certificate_chain,
+    const scoped_refptr<net::X509Certificate>& validated_certificate_chain,
+    const net::HashValueVector& known_pins) {
+  // TODO(estark): check time in RFC3339 format.
+
+  scoped_ptr<base::Value> value(base::JSONReader::Read(report));
+  ASSERT_TRUE(value);
+  ASSERT_TRUE(value->IsType(base::Value::TYPE_DICTIONARY));
+
+  scoped_ptr<base::DictionaryValue> report_dict(
+      static_cast<base::DictionaryValue*>(value.release()));
+
+  std::string report_hostname;
+  EXPECT_TRUE(report_dict->GetString("hostname", &report_hostname));
+  EXPECT_EQ(hostname, report_hostname);
+
+  int report_port;
+  EXPECT_TRUE(report_dict->GetInteger("port", &report_port));
+  EXPECT_EQ(port, report_port);
+
+  bool report_include_subdomains;
+  EXPECT_TRUE(report_dict->GetBoolean("include-subdomains",
+                                      &report_include_subdomains));
+  EXPECT_EQ(include_subdomains, report_include_subdomains);
+
+  std::string report_noted_hostname;
+  EXPECT_TRUE(report_dict->GetString("hostname", &report_noted_hostname));
+  EXPECT_EQ(hostname, report_noted_hostname);
+
+  base::ListValue* report_served_certificate_chain;
+  EXPECT_TRUE(report_dict->GetList("served-certificate-chain",
+                                   &report_served_certificate_chain));
+  CompareCertificateChainWithList(served_certificate_chain,

[Ryan Sleevi, 2015/06/26 20:22:19]

BUG: You ASSERT_TRUE() in CompareCertificateChainWithList , which will abort
that, but it won't stop processing this code.

I believe you want ASSERT_NO_FATAL_FAILURE() [see
https://code.google.com/p/googletest/wiki/AdvancedGuide#Propagating_Fatal_Fai...
]

[estark, 2015/07/09 22:18:41]

Done.

+                                  report_served_certificate_chain);
+
+  base::ListValue* report_validated_certificate_chain;
+  EXPECT_TRUE(report_dict->GetList("validated-certificate-chain",
+                                   &report_validated_certificate_chain));
+  CompareCertificateChainWithList(validated_certificate_chain,
+                                  report_validated_certificate_chain);
+}
+
+}  // namespace
+
 namespace net {
 
 class TransportSecurityStateTest : public testing::Test {
  public:
   void SetUp() override {
 #if defined(USE_OPENSSL)
     crypto::EnsureOpenSSLInit();
 #else
     crypto::EnsureNSSInit();
 #endif
@@ skipping 1024 matching lines @@
 
   // These hosts used to only be HSTS when SNI was available.
   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
       "gmail.com"));
   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
       "googlegroups.com"));
   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
       "www.googlegroups.com"));
 }
 
+TEST_F(TransportSecurityStateTest, HPKPReporting) {
+  const char kHost[] = "example.com";
+  const char kSubdomain[] = "foo.example.com";
+  const uint16_t kPort = 443;
+  GURL report_uri("http://www.example.com/report");
+  // Two dummy certs to use as the server-sent and validated chains. The
+  // contents don't matter.
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert1);
+  ASSERT_TRUE(cert2);
+
+  // kGoodPath is blog.torproject.org.
+  static const char* const kGoodPath[] = {
+      "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
+      "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
+      "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
+      NULL,
+  };
+
+  // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
+  // torproject.org.
+  static const char* const kBadPath[] = {
+      "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
+      "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
+      "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
+      NULL,
+  };
+
+  HashValueVector good_hashes, bad_hashes;
+
+  for (size_t i = 0; kGoodPath[i]; i++) {
+    EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
+  }

[Ryan Sleevi, 2015/06/26 20:22:19]

no braces

[estark, 2015/07/09 22:18:41]

Done.

+  for (size_t i = 0; kBadPath[i]; i++) {
+    EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
+  }
+
+  TransportSecurityState state;
+  MockCertificateReportSender* mock_report_sender =
+      new MockCertificateReportSender();
+  TransportSecurityReporter reporter(
+      &state, scoped_ptr<CertificateReportSender>(mock_report_sender));
+
+  const base::Time current_time(base::Time::Now());
+  const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+  state.AddHPKP(kHost, expiry, true, good_hashes, report_uri.spec());
+
+  EXPECT_EQ(GURL(), mock_report_sender->latest_report_uri());
+  EXPECT_EQ(std::string(), mock_report_sender->latest_report());
+
+  std::string failure_log;
+  EXPECT_FALSE(state.CheckPublicKeyPins(
+      kHost, true, bad_hashes, kPort, cert1, cert2,
+      TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
+
+  // No report should have been sent because of the DO_NOT_SEND_REPORT
+  // argument.
+  EXPECT_EQ(GURL(), mock_report_sender->latest_report_uri());
+  EXPECT_EQ(std::string(), mock_report_sender->latest_report());
+
+  EXPECT_TRUE(state.CheckPublicKeyPins(
+      kHost, true, good_hashes, kPort, cert1, cert2,
+      TransportSecurityState::SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
+
+  // No report should have been sent because there was no violation.
+  EXPECT_EQ(GURL(), mock_report_sender->latest_report_uri());
+  EXPECT_EQ(std::string(), mock_report_sender->latest_report());
+
+  EXPECT_FALSE(state.CheckPublicKeyPins(
+      kHost, true, bad_hashes, kPort, cert1, cert2,
+      TransportSecurityState::SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
+
+  // Now a report should have been sent. Check that it contains the
+  // right information.
+  EXPECT_EQ(report_uri, mock_report_sender->latest_report_uri());
+  std::string report = mock_report_sender->latest_report();
+  ASSERT_FALSE(report.empty());
+  CheckHPKPReport(report, kHost, kPort, expiry, true, kHost, cert1, cert2,

[Ryan Sleevi, 2015/06/26 20:22:20]

You don't propogate failures here either - re: ASSERT_NO_FATAL

[estark, 2015/07/09 22:18:41]

Done.

+                  good_hashes);
+
+  EXPECT_FALSE(state.CheckPublicKeyPins(
+      kSubdomain, true, bad_hashes, kPort, cert1, cert2,
+      TransportSecurityState::SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));
+
+  // Now a report should have been sent for the subdomain. Check that it
+  // contains the
+  // right information.
+  EXPECT_EQ(report_uri, mock_report_sender->latest_report_uri());
+  report = mock_report_sender->latest_report();
+  ASSERT_FALSE(report.empty());
+  CheckHPKPReport(report, kSubdomain, kPort, expiry, true, kHost, cert1, cert2,
+                  good_hashes);
+}
+
 }  // namespace net