OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <stdint.h> | 5 #include <stdint.h> |
6 #include <algorithm> | 6 #include <algorithm> |
7 | 7 |
8 #include "base/base64.h" | 8 #include "base/base64.h" |
9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
10 #include "base/strings/string_piece.h" | 10 #include "base/strings/string_piece.h" |
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
145 // values for its predictable fields. | 145 // values for its predictable fields. |
146 EXPECT_EQ(0, max_age.InSeconds()); | 146 EXPECT_EQ(0, max_age.InSeconds()); |
147 EXPECT_FALSE(include_subdomains); | 147 EXPECT_FALSE(include_subdomains); |
148 } | 148 } |
149 | 149 |
150 static void TestBogusPinsHeaders(HashValueTag tag) { | 150 static void TestBogusPinsHeaders(HashValueTag tag) { |
151 base::TimeDelta max_age; | 151 base::TimeDelta max_age; |
152 bool include_subdomains; | 152 bool include_subdomains; |
153 HashValueVector hashes; | 153 HashValueVector hashes; |
154 HashValueVector chain_hashes; | 154 HashValueVector chain_hashes; |
155 GURL report_uri; | |
156 | 155 |
157 // Set some fake "chain" hashes | 156 // Set some fake "chain" hashes |
158 chain_hashes.push_back(GetTestHashValue(1, tag)); | 157 chain_hashes.push_back(GetTestHashValue(1, tag)); |
159 chain_hashes.push_back(GetTestHashValue(2, tag)); | 158 chain_hashes.push_back(GetTestHashValue(2, tag)); |
160 chain_hashes.push_back(GetTestHashValue(3, tag)); | 159 chain_hashes.push_back(GetTestHashValue(3, tag)); |
161 | 160 |
162 // The good pin must be in the chain, the backup pin must not be | 161 // The good pin must be in the chain, the backup pin must not be |
163 std::string good_pin = GetTestPin(2, tag); | 162 std::string good_pin = GetTestPin(2, tag); |
164 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); | 163 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); |
165 std::string backup_pin = GetTestPin(4, tag); | 164 std::string backup_pin = GetTestPin(4, tag); |
166 | 165 |
167 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, | 166 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, |
168 &include_subdomains, &hashes, &report_uri)); | 167 &include_subdomains, &hashes)); |
169 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, | 168 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, |
170 &include_subdomains, &hashes, &report_uri)); | 169 &include_subdomains, &hashes)); |
171 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, | 170 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, |
172 &include_subdomains, &hashes, &report_uri)); | 171 &include_subdomains, &hashes)); |
173 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, | 172 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, |
174 &include_subdomains, &hashes, &report_uri)); | 173 &include_subdomains, &hashes)); |
175 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, | 174 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, |
176 &include_subdomains, &hashes, &report_uri)); | 175 &include_subdomains, &hashes)); |
177 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, | 176 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, |
178 &include_subdomains, &hashes, &report_uri)); | 177 &include_subdomains, &hashes)); |
179 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, | 178 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, |
180 &include_subdomains, &hashes, &report_uri)); | 179 &include_subdomains, &hashes)); |
181 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, | 180 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, |
182 &include_subdomains, &hashes, &report_uri)); | 181 &include_subdomains, &hashes)); |
183 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, | 182 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, |
184 &include_subdomains, &hashes, &report_uri)); | 183 &include_subdomains, &hashes)); |
185 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, | 184 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, |
186 &include_subdomains, &hashes, &report_uri)); | 185 &include_subdomains, &hashes)); |
187 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, | 186 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, |
188 &include_subdomains, &hashes, &report_uri)); | 187 &include_subdomains, &hashes)); |
189 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, | 188 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, |
190 &include_subdomains, &hashes, &report_uri)); | 189 &include_subdomains, &hashes)); |
191 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, &max_age, | 190 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, |
192 &include_subdomains, &hashes, &report_uri)); | 191 &max_age, &include_subdomains, &hashes)); |
193 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, &max_age, | 192 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, |
194 &include_subdomains, &hashes, &report_uri)); | 193 &max_age, &include_subdomains, &hashes)); |
195 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", chain_hashes, | 194 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", |
196 &max_age, &include_subdomains, &hashes, | |
197 &report_uri)); | |
198 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age, | |
199 &include_subdomains, &hashes, &report_uri)); | |
200 EXPECT_FALSE(ParseHPKPHeader( | |
201 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes, | |
202 &max_age, &include_subdomains, &hashes, &report_uri)); | |
203 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;pins=" + good_pin + "," + | |
204 backup_pin + "report-uri=\"http://foo.com\"", | |
205 chain_hashes, &max_age, &include_subdomains, | 195 chain_hashes, &max_age, &include_subdomains, |
206 &hashes, &report_uri)); | 196 &hashes)); |
207 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes, | 197 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, |
208 &max_age, &include_subdomains, &hashes, | 198 &max_age, &include_subdomains, &hashes)); |
209 &report_uri)); | 199 EXPECT_FALSE(ParseHPKPHeader("max-ag=3488923pins=" + good_pin + "," + |
210 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes, | 200 backup_pin, |
211 &max_age, &include_subdomains, &hashes, | |
212 &report_uri)); | |
213 EXPECT_FALSE(ParseHPKPHeader( | |
214 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes, | |
215 &max_age, &include_subdomains, &hashes, &report_uri)); | |
216 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + good_pin, | |
217 chain_hashes, &max_age, &include_subdomains, | 201 chain_hashes, &max_age, &include_subdomains, |
218 &hashes, &report_uri)); | 202 &hashes)); |
219 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes, | 203 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, |
220 &max_age, &include_subdomains, &hashes, | 204 chain_hashes, &max_age, &include_subdomains, |
221 &report_uri)); | 205 &hashes)); |
| 206 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, |
| 207 chain_hashes, &max_age, &include_subdomains, |
| 208 &hashes)); |
| 209 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin + ";" + |
| 210 backup_pin, |
| 211 chain_hashes, &max_age, &include_subdomains, |
| 212 &hashes)); |
| 213 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + |
| 214 good_pin, |
| 215 chain_hashes, &max_age, &include_subdomains, |
| 216 &hashes)); |
| 217 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, |
| 218 chain_hashes, &max_age, &include_subdomains, |
| 219 &hashes)); |
222 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, | 220 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, |
223 &include_subdomains, &hashes, &report_uri)); | 221 &include_subdomains, &hashes)); |
224 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, | 222 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, |
225 &include_subdomains, &hashes, &report_uri)); | 223 &include_subdomains, &hashes)); |
226 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, | 224 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, |
227 &include_subdomains, &hashes, &report_uri)); | 225 &include_subdomains, &hashes)); |
228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, | 226 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, |
229 &include_subdomains, &hashes, &report_uri)); | 227 &include_subdomains, &hashes)); |
230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, &max_age, | 228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, |
231 &include_subdomains, &hashes, &report_uri)); | 229 &max_age, &include_subdomains, &hashes)); |
232 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", | 230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", |
233 chain_hashes, &max_age, &include_subdomains, | 231 chain_hashes, &max_age, &include_subdomains, |
234 &hashes, &report_uri)); | 232 &hashes)); |
235 EXPECT_FALSE(ParseHPKPHeader( | |
236 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes, | |
237 &max_age, &include_subdomains, &hashes, &report_uri)); | |
238 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, | 233 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, |
239 &include_subdomains, &hashes, &report_uri)); | 234 &include_subdomains, &hashes)); |
240 EXPECT_FALSE(ParseHPKPHeader( | 235 EXPECT_FALSE( |
241 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes, | 236 ParseHPKPHeader("max-age=243; " + good_pin_unquoted + ";" + backup_pin, |
242 &max_age, &include_subdomains, &hashes, &report_uri)); | 237 chain_hashes, &max_age, &include_subdomains, &hashes)); |
243 EXPECT_FALSE(ParseHPKPHeader( | |
244 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;", | |
245 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | |
246 EXPECT_FALSE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + | |
247 ";report-uri=http://foo.com;", | |
248 chain_hashes, &max_age, &include_subdomains, | |
249 &hashes, &report_uri)); | |
250 EXPECT_FALSE(ParseHPKPHeader( | |
251 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''", | |
252 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | |
253 | |
254 // Test that the parser rejects misquoted strings. | |
255 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | |
256 "; report-uri=\"http://foo;bar\'", | |
257 chain_hashes, &max_age, &include_subdomains, | |
258 &hashes, &report_uri)); | |
259 | |
260 // Test that the parser rejects invalid report-uris. | |
261 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | |
262 "; report-uri=\"foo;bar\'", | |
263 chain_hashes, &max_age, &include_subdomains, | |
264 &hashes, &report_uri)); | |
265 | 238 |
266 // Check the out args were not updated by checking the default | 239 // Check the out args were not updated by checking the default |
267 // values for its predictable fields. | 240 // values for its predictable fields. |
268 EXPECT_EQ(0, max_age.InSeconds()); | 241 EXPECT_EQ(0, max_age.InSeconds()); |
269 EXPECT_EQ(hashes.size(), (size_t)0); | 242 EXPECT_EQ(hashes.size(), (size_t)0); |
270 } | 243 } |
271 | 244 |
272 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { | 245 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { |
273 base::TimeDelta max_age; | 246 base::TimeDelta max_age; |
274 base::TimeDelta expect_max_age; | 247 base::TimeDelta expect_max_age; |
(...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
425 EXPECT_EQ(expect_max_age, max_age); | 398 EXPECT_EQ(expect_max_age, max_age); |
426 EXPECT_TRUE(include_subdomains); | 399 EXPECT_TRUE(include_subdomains); |
427 } | 400 } |
428 | 401 |
429 static void TestValidPKPHeaders(HashValueTag tag) { | 402 static void TestValidPKPHeaders(HashValueTag tag) { |
430 base::TimeDelta max_age; | 403 base::TimeDelta max_age; |
431 base::TimeDelta expect_max_age; | 404 base::TimeDelta expect_max_age; |
432 bool include_subdomains; | 405 bool include_subdomains; |
433 HashValueVector hashes; | 406 HashValueVector hashes; |
434 HashValueVector chain_hashes; | 407 HashValueVector chain_hashes; |
435 GURL expect_report_uri; | |
436 GURL report_uri; | |
437 | 408 |
438 // Set some fake "chain" hashes into chain_hashes | 409 // Set some fake "chain" hashes into chain_hashes |
439 chain_hashes.push_back(GetTestHashValue(1, tag)); | 410 chain_hashes.push_back(GetTestHashValue(1, tag)); |
440 chain_hashes.push_back(GetTestHashValue(2, tag)); | 411 chain_hashes.push_back(GetTestHashValue(2, tag)); |
441 chain_hashes.push_back(GetTestHashValue(3, tag)); | 412 chain_hashes.push_back(GetTestHashValue(3, tag)); |
442 | 413 |
443 // The good pin must be in the chain, the backup pin must not be | 414 // The good pin must be in the chain, the backup pin must not be |
444 std::string good_pin = GetTestPin(2, tag); | 415 std::string good_pin = GetTestPin(2, tag); |
445 std::string good_pin2 = GetTestPin(3, tag); | 416 std::string good_pin2 = GetTestPin(3, tag); |
446 std::string backup_pin = GetTestPin(4, tag); | 417 std::string backup_pin = GetTestPin(4, tag); |
447 | 418 |
448 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin, | 419 EXPECT_TRUE(ParseHPKPHeader( |
449 chain_hashes, &max_age, &include_subdomains, | 420 "max-age=243; " + good_pin + ";" + backup_pin, |
450 &hashes, &report_uri)); | 421 chain_hashes, &max_age, &include_subdomains, &hashes)); |
451 expect_max_age = base::TimeDelta::FromSeconds(243); | 422 expect_max_age = base::TimeDelta::FromSeconds(243); |
452 EXPECT_EQ(expect_max_age, max_age); | 423 EXPECT_EQ(expect_max_age, max_age); |
453 EXPECT_FALSE(include_subdomains); | 424 EXPECT_FALSE(include_subdomains); |
454 EXPECT_TRUE(report_uri.is_empty()); | |
455 | 425 |
456 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + | 426 EXPECT_TRUE(ParseHPKPHeader( |
457 "; report-uri= \"http://example.test/foo\"", | 427 " " + good_pin + "; " + backup_pin + " ; Max-agE = 567", |
458 chain_hashes, &max_age, &include_subdomains, | 428 chain_hashes, &max_age, &include_subdomains, &hashes)); |
459 &hashes, &report_uri)); | 429 expect_max_age = base::TimeDelta::FromSeconds(567); |
460 expect_max_age = base::TimeDelta::FromSeconds(243); | |
461 expect_report_uri = GURL("http://example.test/foo"); | |
462 EXPECT_EQ(expect_max_age, max_age); | 430 EXPECT_EQ(expect_max_age, max_age); |
463 EXPECT_FALSE(include_subdomains); | 431 EXPECT_FALSE(include_subdomains); |
464 EXPECT_EQ(expect_report_uri, report_uri); | |
465 | 432 |
466 EXPECT_TRUE(ParseHPKPHeader( | 433 EXPECT_TRUE(ParseHPKPHeader( |
467 " " + good_pin + "; " + backup_pin + | 434 "includeSubDOMAINS;" + good_pin + ";" + backup_pin + |
468 " ; Max-agE = 567; repOrT-URi = \"http://example.test/foo\"", | 435 " ; mAx-aGe = 890 ", |
469 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 436 chain_hashes, &max_age, &include_subdomains, &hashes)); |
470 expect_max_age = base::TimeDelta::FromSeconds(567); | |
471 expect_report_uri = GURL("http://example.test/foo"); | |
472 EXPECT_EQ(expect_max_age, max_age); | |
473 EXPECT_FALSE(include_subdomains); | |
474 EXPECT_EQ(expect_report_uri, report_uri); | |
475 | |
476 EXPECT_TRUE(ParseHPKPHeader("includeSubDOMAINS;" + good_pin + ";" + | |
477 backup_pin + " ; mAx-aGe = 890 ", | |
478 chain_hashes, &max_age, &include_subdomains, | |
479 &hashes, &report_uri)); | |
480 expect_max_age = base::TimeDelta::FromSeconds(890); | 437 expect_max_age = base::TimeDelta::FromSeconds(890); |
481 EXPECT_EQ(expect_max_age, max_age); | 438 EXPECT_EQ(expect_max_age, max_age); |
482 EXPECT_TRUE(include_subdomains); | 439 EXPECT_TRUE(include_subdomains); |
483 | 440 |
484 EXPECT_TRUE(ParseHPKPHeader( | 441 EXPECT_TRUE(ParseHPKPHeader( |
485 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes, | 442 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", |
486 &max_age, &include_subdomains, &hashes, &report_uri)); | 443 chain_hashes, &max_age, &include_subdomains, &hashes)); |
487 expect_max_age = base::TimeDelta::FromSeconds(123); | 444 expect_max_age = base::TimeDelta::FromSeconds(123); |
488 EXPECT_EQ(expect_max_age, max_age); | 445 EXPECT_EQ(expect_max_age, max_age); |
489 EXPECT_FALSE(include_subdomains); | 446 EXPECT_FALSE(include_subdomains); |
490 | 447 |
491 EXPECT_TRUE(ParseHPKPHeader( | 448 EXPECT_TRUE(ParseHPKPHeader( |
492 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes, | 449 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", |
493 &max_age, &include_subdomains, &hashes, &report_uri)); | 450 chain_hashes, &max_age, &include_subdomains, &hashes)); |
494 expect_max_age = base::TimeDelta::FromSeconds(394082); | 451 expect_max_age = base::TimeDelta::FromSeconds(394082); |
495 EXPECT_EQ(expect_max_age, max_age); | 452 EXPECT_EQ(expect_max_age, max_age); |
496 EXPECT_FALSE(include_subdomains); | 453 EXPECT_FALSE(include_subdomains); |
497 | 454 |
498 EXPECT_TRUE(ParseHPKPHeader( | 455 EXPECT_TRUE(ParseHPKPHeader( |
499 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes, | 456 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", |
500 &max_age, &include_subdomains, &hashes, &report_uri)); | 457 chain_hashes, &max_age, &include_subdomains, &hashes)); |
501 expect_max_age = base::TimeDelta::FromSeconds( | 458 expect_max_age = base::TimeDelta::FromSeconds( |
502 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); | 459 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); |
503 EXPECT_EQ(expect_max_age, max_age); | 460 EXPECT_EQ(expect_max_age, max_age); |
504 EXPECT_FALSE(include_subdomains); | 461 EXPECT_FALSE(include_subdomains); |
505 | 462 |
506 EXPECT_TRUE(ParseHPKPHeader( | 463 EXPECT_TRUE(ParseHPKPHeader( |
507 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + | 464 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + |
508 good_pin + ";" + backup_pin + "; ", | 465 good_pin + ";" + backup_pin + "; ", |
509 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 466 chain_hashes, &max_age, &include_subdomains, &hashes)); |
510 expect_max_age = base::TimeDelta::FromSeconds( | 467 expect_max_age = base::TimeDelta::FromSeconds( |
511 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); | 468 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); |
512 EXPECT_EQ(expect_max_age, max_age); | 469 EXPECT_EQ(expect_max_age, max_age); |
513 EXPECT_TRUE(include_subdomains); | 470 EXPECT_TRUE(include_subdomains); |
514 | 471 |
515 EXPECT_TRUE(ParseHPKPHeader(" max-age=0 ; " + good_pin + ";" + backup_pin, | 472 EXPECT_TRUE(ParseHPKPHeader( |
516 chain_hashes, &max_age, &include_subdomains, | 473 " max-age=0 ; " + good_pin + ";" + backup_pin, |
517 &hashes, &report_uri)); | 474 chain_hashes, &max_age, &include_subdomains, &hashes)); |
518 expect_max_age = base::TimeDelta::FromSeconds(0); | 475 expect_max_age = base::TimeDelta::FromSeconds(0); |
519 EXPECT_EQ(expect_max_age, max_age); | 476 EXPECT_EQ(expect_max_age, max_age); |
520 EXPECT_FALSE(include_subdomains); | 477 EXPECT_FALSE(include_subdomains); |
521 | 478 |
522 EXPECT_TRUE(ParseHPKPHeader( | 479 EXPECT_TRUE(ParseHPKPHeader( |
523 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, | 480 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, |
524 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 481 chain_hashes, &max_age, &include_subdomains, &hashes)); |
525 expect_max_age = base::TimeDelta::FromSeconds(0); | 482 expect_max_age = base::TimeDelta::FromSeconds(0); |
526 EXPECT_EQ(expect_max_age, max_age); | 483 EXPECT_EQ(expect_max_age, max_age); |
527 EXPECT_TRUE(include_subdomains); | 484 EXPECT_TRUE(include_subdomains); |
528 | 485 |
529 EXPECT_TRUE(ParseHPKPHeader( | 486 EXPECT_TRUE(ParseHPKPHeader( |
530 " max-age=999999999999999999999999999999999999999999999 ; " + | 487 " max-age=999999999999999999999999999999999999999999999 ; " + |
531 backup_pin + ";" + good_pin + "; ", | 488 backup_pin + ";" + good_pin + "; ", |
532 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 489 chain_hashes, &max_age, &include_subdomains, &hashes)); |
533 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | 490 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); |
534 EXPECT_EQ(expect_max_age, max_age); | 491 EXPECT_EQ(expect_max_age, max_age); |
535 EXPECT_FALSE(include_subdomains); | 492 EXPECT_FALSE(include_subdomains); |
536 | 493 |
537 EXPECT_TRUE(ParseHPKPHeader( | |
538 " max-age=999999999999999999999999999999999999999999999 ; " + | |
539 backup_pin + ";" + good_pin + | |
540 "; report-uri=\"http://example.test/foo\"", | |
541 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | |
542 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | |
543 expect_report_uri = GURL("http://example.test/foo"); | |
544 EXPECT_EQ(expect_max_age, max_age); | |
545 EXPECT_FALSE(include_subdomains); | |
546 EXPECT_EQ(expect_report_uri, report_uri); | |
547 | |
548 // Test that parsing a different header resets the hashes. | 494 // Test that parsing a different header resets the hashes. |
549 hashes.clear(); | 495 hashes.clear(); |
550 EXPECT_TRUE(ParseHPKPHeader( | 496 EXPECT_TRUE(ParseHPKPHeader( |
551 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes, | 497 " max-age=999; " + |
552 &max_age, &include_subdomains, &hashes, &report_uri)); | 498 backup_pin + ";" + good_pin + "; ", |
| 499 chain_hashes, &max_age, &include_subdomains, &hashes)); |
553 EXPECT_EQ(2u, hashes.size()); | 500 EXPECT_EQ(2u, hashes.size()); |
554 EXPECT_TRUE(ParseHPKPHeader( | 501 EXPECT_TRUE(ParseHPKPHeader( |
555 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, | 502 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, |
556 &max_age, &include_subdomains, &hashes, &report_uri)); | 503 &max_age, &include_subdomains, &hashes)); |
557 EXPECT_EQ(2u, hashes.size()); | 504 EXPECT_EQ(2u, hashes.size()); |
558 | |
559 // Test that the parser correctly parses an unencoded ';' inside a | |
560 // quoted report-uri. | |
561 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | |
562 "; report-uri=\"http://foo.com/?;bar\"", | |
563 chain_hashes, &max_age, &include_subdomains, | |
564 &hashes, &report_uri)); | |
565 expect_max_age = base::TimeDelta::FromSeconds(999); | |
566 expect_report_uri = GURL("http://foo.com/?;bar"); | |
567 EXPECT_EQ(expect_max_age, max_age); | |
568 EXPECT_FALSE(include_subdomains); | |
569 EXPECT_EQ(expect_report_uri, report_uri); | |
570 | |
571 // Test that the parser correctly parses a report-uri with a >0x7f | |
572 // character. | |
573 std::string uri = "http://foo.com/"; | |
574 uri += char(0x7f); | |
575 expect_report_uri = GURL(uri); | |
576 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | |
577 "; report-uri=\"" + uri + "\"", | |
578 chain_hashes, &max_age, &include_subdomains, | |
579 &hashes, &report_uri)); | |
580 expect_max_age = base::TimeDelta::FromSeconds(999); | |
581 EXPECT_EQ(expect_max_age, max_age); | |
582 EXPECT_FALSE(include_subdomains); | |
583 EXPECT_EQ(expect_report_uri, report_uri); | |
584 | |
585 // Test that the parser allows quoted max-age values. | |
586 EXPECT_TRUE(ParseHPKPHeader("max-age='999'; " + backup_pin + "; " + good_pin, | |
587 chain_hashes, &max_age, &include_subdomains, | |
588 &hashes, &report_uri)); | |
589 expect_max_age = base::TimeDelta::FromSeconds(999); | |
590 EXPECT_EQ(expect_max_age, max_age); | |
591 EXPECT_FALSE(include_subdomains); | |
592 | |
593 // Test that the parser handles escaped values. | |
594 expect_report_uri = GURL("http://foo.com'a"); | |
595 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | |
596 "; report-uri='http://foo.com\\'\\a'", | |
597 chain_hashes, &max_age, &include_subdomains, | |
598 &hashes, &report_uri)); | |
599 expect_max_age = base::TimeDelta::FromSeconds(999); | |
600 EXPECT_EQ(expect_max_age, max_age); | |
601 EXPECT_FALSE(include_subdomains); | |
602 EXPECT_EQ(expect_report_uri, report_uri); | |
603 } | 505 } |
604 | 506 |
605 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { | 507 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { |
606 TestBogusPinsHeaders(HASH_VALUE_SHA1); | 508 TestBogusPinsHeaders(HASH_VALUE_SHA1); |
607 } | 509 } |
608 | 510 |
609 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { | 511 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { |
610 TestBogusPinsHeaders(HASH_VALUE_SHA256); | 512 TestBogusPinsHeaders(HASH_VALUE_SHA256); |
611 } | 513 } |
612 | 514 |
(...skipping 16 matching lines...) Expand all Loading... |
629 EXPECT_TRUE( | 531 EXPECT_TRUE( |
630 state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state)); | 532 state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state)); |
631 EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL); | 533 EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL); |
632 HashValueVector saved_hashes = static_pkp_state.spki_hashes; | 534 HashValueVector saved_hashes = static_pkp_state.spki_hashes; |
633 | 535 |
634 // Add a header, which should only update the dynamic state. | 536 // Add a header, which should only update the dynamic state. |
635 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); | 537 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); |
636 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1); | 538 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1); |
637 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); | 539 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); |
638 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); | 540 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); |
639 GURL report_uri("http://google.com"); | 541 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin; |
640 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin + | |
641 ";report-uri=\"" + report_uri.spec() + "\""; | |
642 | 542 |
643 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. | 543 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. |
644 SSLInfo ssl_info; | 544 SSLInfo ssl_info; |
645 ssl_info.public_key_hashes.push_back(good_hash); | 545 ssl_info.public_key_hashes.push_back(good_hash); |
646 ssl_info.public_key_hashes.push_back(saved_hashes[0]); | 546 ssl_info.public_key_hashes.push_back(saved_hashes[0]); |
647 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); | 547 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); |
648 | 548 |
649 // Expect the static state to remain unchanged. | 549 // Expect the static state to remain unchanged. |
650 TransportSecurityState::STSState new_static_sts_state; | 550 TransportSecurityState::STSState new_static_sts_state; |
651 TransportSecurityState::PKPState new_static_pkp_state; | 551 TransportSecurityState::PKPState new_static_pkp_state; |
652 EXPECT_TRUE(state.GetStaticDomainState(domain, &new_static_sts_state, | 552 EXPECT_TRUE(state.GetStaticDomainState(domain, &new_static_sts_state, |
653 &new_static_pkp_state)); | 553 &new_static_pkp_state)); |
654 for (size_t i = 0; i < saved_hashes.size(); ++i) { | 554 for (size_t i = 0; i < saved_hashes.size(); ++i) { |
655 EXPECT_TRUE( | 555 EXPECT_TRUE( |
656 HashValuesEqual(saved_hashes[i])(new_static_pkp_state.spki_hashes[i])); | 556 HashValuesEqual(saved_hashes[i])(new_static_pkp_state.spki_hashes[i])); |
657 } | 557 } |
658 | 558 |
659 // Expect the dynamic state to reflect the header. | 559 // Expect the dynamic state to reflect the header. |
660 TransportSecurityState::PKPState dynamic_pkp_state; | 560 TransportSecurityState::PKPState dynamic_pkp_state; |
661 EXPECT_TRUE(state.GetDynamicPKPState(domain, &dynamic_pkp_state)); | 561 EXPECT_TRUE(state.GetDynamicPKPState(domain, &dynamic_pkp_state)); |
662 EXPECT_EQ(2UL, dynamic_pkp_state.spki_hashes.size()); | 562 EXPECT_EQ(2UL, dynamic_pkp_state.spki_hashes.size()); |
663 EXPECT_EQ(report_uri, dynamic_pkp_state.report_uri); | |
664 | 563 |
665 HashValueVector::const_iterator hash = std::find_if( | 564 HashValueVector::const_iterator hash = std::find_if( |
666 dynamic_pkp_state.spki_hashes.begin(), | 565 dynamic_pkp_state.spki_hashes.begin(), |
667 dynamic_pkp_state.spki_hashes.end(), HashValuesEqual(good_hash)); | 566 dynamic_pkp_state.spki_hashes.end(), HashValuesEqual(good_hash)); |
668 EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash); | 567 EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash); |
669 | 568 |
670 hash = std::find_if(dynamic_pkp_state.spki_hashes.begin(), | 569 hash = std::find_if(dynamic_pkp_state.spki_hashes.begin(), |
671 dynamic_pkp_state.spki_hashes.end(), | 570 dynamic_pkp_state.spki_hashes.end(), |
672 HashValuesEqual(backup_hash)); | 571 HashValuesEqual(backup_hash)); |
673 EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash); | 572 EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash); |
674 | 573 |
675 // Expect the overall state to reflect the header, too. | 574 // Expect the overall state to reflect the header, too. |
676 EXPECT_TRUE(state.HasPublicKeyPins(domain)); | 575 EXPECT_TRUE(state.HasPublicKeyPins(domain)); |
677 HashValueVector hashes; | 576 HashValueVector hashes; |
678 hashes.push_back(good_hash); | 577 hashes.push_back(good_hash); |
679 std::string failure_log; | 578 std::string failure_log; |
680 const bool is_issued_by_known_root = true; | 579 const bool is_issued_by_known_root = true; |
681 EXPECT_TRUE(state.CheckPublicKeyPins( | 580 EXPECT_TRUE(state.CheckPublicKeyPins( |
682 domain, is_issued_by_known_root, hashes, &failure_log)); | 581 domain, is_issued_by_known_root, hashes, &failure_log)); |
683 | 582 |
684 TransportSecurityState::PKPState new_dynamic_pkp_state; | 583 TransportSecurityState::PKPState new_dynamic_pkp_state; |
685 EXPECT_TRUE(state.GetDynamicPKPState(domain, &new_dynamic_pkp_state)); | 584 EXPECT_TRUE(state.GetDynamicPKPState(domain, &new_dynamic_pkp_state)); |
686 EXPECT_EQ(2UL, new_dynamic_pkp_state.spki_hashes.size()); | 585 EXPECT_EQ(2UL, new_dynamic_pkp_state.spki_hashes.size()); |
687 EXPECT_EQ(report_uri, new_dynamic_pkp_state.report_uri); | |
688 | 586 |
689 hash = std::find_if(new_dynamic_pkp_state.spki_hashes.begin(), | 587 hash = std::find_if(new_dynamic_pkp_state.spki_hashes.begin(), |
690 new_dynamic_pkp_state.spki_hashes.end(), | 588 new_dynamic_pkp_state.spki_hashes.end(), |
691 HashValuesEqual(good_hash)); | 589 HashValuesEqual(good_hash)); |
692 EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash); | 590 EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash); |
693 | 591 |
694 hash = std::find_if(new_dynamic_pkp_state.spki_hashes.begin(), | 592 hash = std::find_if(new_dynamic_pkp_state.spki_hashes.begin(), |
695 new_dynamic_pkp_state.spki_hashes.end(), | 593 new_dynamic_pkp_state.spki_hashes.end(), |
696 HashValuesEqual(backup_hash)); | 594 HashValuesEqual(backup_hash)); |
697 EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash); | 595 EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash); |
(...skipping 167 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
865 ssl_info)); | 763 ssl_info)); |
866 | 764 |
867 // The old pins must still exist. | 765 // The old pins must still exist. |
868 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 766 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
869 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root, | 767 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root, |
870 ssl_info.public_key_hashes, | 768 ssl_info.public_key_hashes, |
871 &failure_log)); | 769 &failure_log)); |
872 } | 770 } |
873 | 771 |
874 }; // namespace net | 772 }; // namespace net |
OLD | NEW |