OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
11 #include "base/base64.h" | 11 #include "base/base64.h" |
12 #include "base/files/file_path.h" | 12 #include "base/files/file_path.h" |
| 13 #include "base/json/json_reader.h" |
13 #include "base/rand_util.h" | 14 #include "base/rand_util.h" |
14 #include "base/sha1.h" | 15 #include "base/sha1.h" |
15 #include "base/strings/string_piece.h" | 16 #include "base/strings/string_piece.h" |
| 17 #include "base/values.h" |
16 #include "crypto/sha2.h" | 18 #include "crypto/sha2.h" |
17 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
18 #include "net/base/test_completion_callback.h" | 20 #include "net/base/test_completion_callback.h" |
19 #include "net/base/test_data_directory.h" | 21 #include "net/base/test_data_directory.h" |
20 #include "net/cert/asn1_util.h" | 22 #include "net/cert/asn1_util.h" |
21 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
22 #include "net/cert/cert_verify_result.h" | 24 #include "net/cert/cert_verify_result.h" |
23 #include "net/cert/test_root_certs.h" | 25 #include "net/cert/test_root_certs.h" |
24 #include "net/cert/x509_cert_types.h" | 26 #include "net/cert/x509_cert_types.h" |
25 #include "net/cert/x509_certificate.h" | 27 #include "net/cert/x509_certificate.h" |
| 28 #include "net/http/certificate_report_sender.h" |
26 #include "net/http/http_util.h" | 29 #include "net/http/http_util.h" |
| 30 #include "net/http/transport_security_reporter.h" |
27 #include "net/log/net_log.h" | 31 #include "net/log/net_log.h" |
28 #include "net/ssl/ssl_info.h" | 32 #include "net/ssl/ssl_info.h" |
29 #include "net/test/cert_test_util.h" | 33 #include "net/test/cert_test_util.h" |
30 #include "testing/gtest/include/gtest/gtest.h" | 34 #include "testing/gtest/include/gtest/gtest.h" |
31 | 35 |
32 #if defined(USE_OPENSSL) | 36 #if defined(USE_OPENSSL) |
33 #include "crypto/openssl_util.h" | 37 #include "crypto/openssl_util.h" |
34 #else | 38 #else |
35 #include "crypto/nss_util.h" | 39 #include "crypto/nss_util.h" |
36 #endif | 40 #endif |
37 | 41 |
38 namespace { | 42 namespace { |
39 | 43 |
40 const char kReportUri[] = "http://example.test/test"; | 44 const char kReportUri[] = "http://example.test/test"; |
41 | 45 |
| 46 // A mock CertificateReportSender that just remembers the latest report |
| 47 // URI and report to be sent. |
| 48 class MockCertificateReportSender : public net::CertificateReportSender { |
| 49 public: |
| 50 MockCertificateReportSender() {} |
| 51 ~MockCertificateReportSender() override {} |
| 52 |
| 53 void Send(const GURL& report_uri, const std::string& report) override { |
| 54 latest_report_uri_ = report_uri; |
| 55 latest_report_ = report; |
| 56 } |
| 57 |
| 58 const GURL& latest_report_uri() { return latest_report_uri_; } |
| 59 const std::string& latest_report() { return latest_report_; } |
| 60 |
| 61 private: |
| 62 GURL latest_report_uri_; |
| 63 std::string latest_report_; |
| 64 }; |
| 65 |
| 66 void CompareCertificateChainWithList( |
| 67 const scoped_refptr<net::X509Certificate>& cert_chain, |
| 68 const base::ListValue* cert_list) { |
| 69 ASSERT_TRUE(cert_chain); |
| 70 std::vector<std::string> pem_encoded_chain; |
| 71 cert_chain->GetPEMEncodedChain(&pem_encoded_chain); |
| 72 EXPECT_EQ(pem_encoded_chain.size(), cert_list->GetSize()); |
| 73 |
| 74 for (size_t i = 0; i < pem_encoded_chain.size(); i++) { |
| 75 std::string list_cert; |
| 76 ASSERT_TRUE(cert_list->GetString(i, &list_cert)); |
| 77 EXPECT_EQ(pem_encoded_chain[i], list_cert); |
| 78 } |
| 79 } |
| 80 |
| 81 void CheckHPKPReport( |
| 82 const std::string& report, |
| 83 const std::string& hostname, |
| 84 uint16_t port, |
| 85 const base::Time& expiry, |
| 86 bool include_subdomains, |
| 87 const std::string& noted_hostname, |
| 88 const scoped_refptr<net::X509Certificate>& served_certificate_chain, |
| 89 const scoped_refptr<net::X509Certificate>& validated_certificate_chain, |
| 90 const net::HashValueVector& known_pins) { |
| 91 // TODO(estark): check time in RFC3339 format. |
| 92 |
| 93 scoped_ptr<base::Value> value(base::JSONReader::Read(report)); |
| 94 ASSERT_TRUE(value); |
| 95 ASSERT_TRUE(value->IsType(base::Value::TYPE_DICTIONARY)); |
| 96 |
| 97 scoped_ptr<base::DictionaryValue> report_dict( |
| 98 static_cast<base::DictionaryValue*>(value.release())); |
| 99 |
| 100 std::string report_hostname; |
| 101 EXPECT_TRUE(report_dict->GetString("hostname", &report_hostname)); |
| 102 EXPECT_EQ(hostname, report_hostname); |
| 103 |
| 104 int report_port; |
| 105 EXPECT_TRUE(report_dict->GetInteger("port", &report_port)); |
| 106 EXPECT_EQ(port, report_port); |
| 107 |
| 108 bool report_include_subdomains; |
| 109 EXPECT_TRUE(report_dict->GetBoolean("include-subdomains", |
| 110 &report_include_subdomains)); |
| 111 EXPECT_EQ(include_subdomains, report_include_subdomains); |
| 112 |
| 113 std::string report_noted_hostname; |
| 114 EXPECT_TRUE(report_dict->GetString("hostname", &report_noted_hostname)); |
| 115 EXPECT_EQ(hostname, report_noted_hostname); |
| 116 |
| 117 base::ListValue* report_served_certificate_chain; |
| 118 EXPECT_TRUE(report_dict->GetList("served-certificate-chain", |
| 119 &report_served_certificate_chain)); |
| 120 ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( |
| 121 served_certificate_chain, report_served_certificate_chain)); |
| 122 |
| 123 base::ListValue* report_validated_certificate_chain; |
| 124 EXPECT_TRUE(report_dict->GetList("validated-certificate-chain", |
| 125 &report_validated_certificate_chain)); |
| 126 ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( |
| 127 validated_certificate_chain, report_validated_certificate_chain)); |
| 128 } |
| 129 |
42 } // namespace | 130 } // namespace |
43 | 131 |
44 namespace net { | 132 namespace net { |
45 | 133 |
46 class TransportSecurityStateTest : public testing::Test { | 134 class TransportSecurityStateTest : public testing::Test { |
47 public: | 135 public: |
48 void SetUp() override { | 136 void SetUp() override { |
49 #if defined(USE_OPENSSL) | 137 #if defined(USE_OPENSSL) |
50 crypto::EnsureOpenSSLInit(); | 138 crypto::EnsureOpenSSLInit(); |
51 #else | 139 #else |
1105 | 1193 |
1106 // These hosts used to only be HSTS when SNI was available. | 1194 // These hosts used to only be HSTS when SNI was available. |
1107 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1195 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1108 "gmail.com")); | 1196 "gmail.com")); |
1109 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1197 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1110 "googlegroups.com")); | 1198 "googlegroups.com")); |
1111 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1199 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1112 "www.googlegroups.com")); | 1200 "www.googlegroups.com")); |
1113 } | 1201 } |
1114 | 1202 |
| 1203 TEST_F(TransportSecurityStateTest, HPKPReporting) { |
| 1204 const char kHost[] = "example.test"; |
| 1205 const char kSubdomain[] = "foo.example.test"; |
| 1206 const uint16_t kPort = 443; |
| 1207 GURL report_uri("http://www.example.test/report"); |
| 1208 // Two dummy certs to use as the server-sent and validated chains. The |
| 1209 // contents don't matter. |
| 1210 scoped_refptr<X509Certificate> cert1 = |
| 1211 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 1212 scoped_refptr<X509Certificate> cert2 = |
| 1213 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 1214 ASSERT_TRUE(cert1); |
| 1215 ASSERT_TRUE(cert2); |
| 1216 |
| 1217 // kGoodPath is blog.torproject.org. |
| 1218 static const char* const kGoodPath[] = { |
| 1219 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", |
| 1220 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=", |
| 1221 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", |
| 1222 NULL, |
| 1223 }; |
| 1224 |
| 1225 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for |
| 1226 // torproject.org. |
| 1227 static const char* const kBadPath[] = { |
| 1228 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", |
| 1229 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", |
| 1230 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", |
| 1231 NULL, |
| 1232 }; |
| 1233 |
| 1234 HashValueVector good_hashes, bad_hashes; |
| 1235 |
| 1236 for (size_t i = 0; kGoodPath[i]; i++) |
| 1237 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
| 1238 for (size_t i = 0; kBadPath[i]; i++) |
| 1239 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 1240 |
| 1241 TransportSecurityState state; |
| 1242 MockCertificateReportSender* mock_report_sender = |
| 1243 new MockCertificateReportSender(); |
| 1244 TransportSecurityReporter reporter( |
| 1245 &state, scoped_ptr<CertificateReportSender>(mock_report_sender)); |
| 1246 |
| 1247 const base::Time current_time(base::Time::Now()); |
| 1248 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 1249 state.AddHPKP(kHost, expiry, true, good_hashes, report_uri); |
| 1250 |
| 1251 EXPECT_EQ(GURL(), mock_report_sender->latest_report_uri()); |
| 1252 EXPECT_EQ(std::string(), mock_report_sender->latest_report()); |
| 1253 |
| 1254 std::string failure_log; |
| 1255 EXPECT_FALSE(state.CheckPublicKeyPins( |
| 1256 kHost, true, bad_hashes, kPort, cert1.get(), cert2.get(), |
| 1257 TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); |
| 1258 |
| 1259 // No report should have been sent because of the DO_NOT_SEND_REPORT |
| 1260 // argument. |
| 1261 EXPECT_EQ(GURL(), mock_report_sender->latest_report_uri()); |
| 1262 EXPECT_EQ(std::string(), mock_report_sender->latest_report()); |
| 1263 |
| 1264 EXPECT_TRUE(state.CheckPublicKeyPins( |
| 1265 kHost, true, good_hashes, kPort, cert1.get(), cert2.get(), |
| 1266 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
| 1267 |
| 1268 // No report should have been sent because there was no violation. |
| 1269 EXPECT_EQ(GURL(), mock_report_sender->latest_report_uri()); |
| 1270 EXPECT_EQ(std::string(), mock_report_sender->latest_report()); |
| 1271 |
| 1272 EXPECT_FALSE(state.CheckPublicKeyPins( |
| 1273 kHost, true, bad_hashes, kPort, cert1.get(), cert2.get(), |
| 1274 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
| 1275 |
| 1276 // Now a report should have been sent. Check that it contains the |
| 1277 // right information. |
| 1278 EXPECT_EQ(report_uri, mock_report_sender->latest_report_uri()); |
| 1279 std::string report = mock_report_sender->latest_report(); |
| 1280 ASSERT_FALSE(report.empty()); |
| 1281 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, kHost, kPort, expiry, true, |
| 1282 kHost, cert1.get(), cert2.get(), |
| 1283 good_hashes)); |
| 1284 |
| 1285 EXPECT_FALSE(state.CheckPublicKeyPins( |
| 1286 kSubdomain, true, bad_hashes, kPort, cert1.get(), cert2.get(), |
| 1287 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
| 1288 |
| 1289 // Now a report should have been sent for the subdomain. Check that it |
| 1290 // contains the |
| 1291 // right information. |
| 1292 EXPECT_EQ(report_uri, mock_report_sender->latest_report_uri()); |
| 1293 report = mock_report_sender->latest_report(); |
| 1294 ASSERT_FALSE(report.empty()); |
| 1295 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, kSubdomain, kPort, expiry, |
| 1296 true, kHost, cert1.get(), cert2.get(), |
| 1297 good_hashes)); |
| 1298 } |
| 1299 |
1115 } // namespace net | 1300 } // namespace net |
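Review bot: The noted-hostname check in CheckHPKPReport (new lines 113-115) reads the "hostname" key a second time and compares it with `hostname`, so the `noted_hostname` parameter is never used and the subdomain case at the end of HPKPReporting cannot catch a report that names the wrong pinned host. Assuming the report uses the RFC 7469 field names like the other keys checked here, it should read `EXPECT_TRUE(report_dict->GetString("noted-hostname", &report_noted_hostname));` followed by `EXPECT_EQ(noted_hostname, report_noted_hostname);`. `known_pins` is likewise accepted but never compared and `expiry` only has a TODO, so the pin list and expiry carried in a violation report are not verified by this test. The two `GetList` calls are wrapped in EXPECT_TRUE while `report_served_certificate_chain` and `report_validated_certificate_chain` are declared uninitialized, so a missing key would let CompareCertificateChainWithList dereference an indeterminate pointer; `ASSERT_TRUE(report_dict->GetList(...))` would stop the test cleanly instead. The comment above the first no-report check also says DO_NOT_SEND_REPORT, while the call passes `TransportSecurityState::DISABLE_PIN_REPORTS`.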