Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(214)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/http_security_headers_unittest.cc

Issue 1249823002: Revert of Parse HPKP report-uri and persist in TransportSecurityPersister (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/http/http_security_headers.cc ('k') | net/http/http_util.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <stdint.h> 5 #include <stdint.h>
6 #include <algorithm> 6 #include <algorithm>
7 7
8 #include "base/base64.h" 8 #include "base/base64.h"
9 #include "base/sha1.h" 9 #include "base/sha1.h"
10 #include "base/strings/string_piece.h" 10 #include "base/strings/string_piece.h"
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after
145 // values for its predictable fields. 145 // values for its predictable fields.
146 EXPECT_EQ(0, max_age.InSeconds()); 146 EXPECT_EQ(0, max_age.InSeconds());
147 EXPECT_FALSE(include_subdomains); 147 EXPECT_FALSE(include_subdomains);
148 } 148 }
149 149
150 static void TestBogusPinsHeaders(HashValueTag tag) { 150 static void TestBogusPinsHeaders(HashValueTag tag) {
151 base::TimeDelta max_age; 151 base::TimeDelta max_age;
152 bool include_subdomains; 152 bool include_subdomains;
153 HashValueVector hashes; 153 HashValueVector hashes;
154 HashValueVector chain_hashes; 154 HashValueVector chain_hashes;
155 GURL report_uri;
156 155
157 // Set some fake "chain" hashes 156 // Set some fake "chain" hashes
158 chain_hashes.push_back(GetTestHashValue(1, tag)); 157 chain_hashes.push_back(GetTestHashValue(1, tag));
159 chain_hashes.push_back(GetTestHashValue(2, tag)); 158 chain_hashes.push_back(GetTestHashValue(2, tag));
160 chain_hashes.push_back(GetTestHashValue(3, tag)); 159 chain_hashes.push_back(GetTestHashValue(3, tag));
161 160
162 // The good pin must be in the chain, the backup pin must not be 161 // The good pin must be in the chain, the backup pin must not be
163 std::string good_pin = GetTestPin(2, tag); 162 std::string good_pin = GetTestPin(2, tag);
164 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); 163 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag);
165 std::string backup_pin = GetTestPin(4, tag); 164 std::string backup_pin = GetTestPin(4, tag);
166 165
167 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, 166 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age,
168 &include_subdomains, &hashes, &report_uri)); 167 &include_subdomains, &hashes));
169 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, 168 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age,
170 &include_subdomains, &hashes, &report_uri)); 169 &include_subdomains, &hashes));
171 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, 170 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age,
172 &include_subdomains, &hashes, &report_uri)); 171 &include_subdomains, &hashes));
173 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, 172 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age,
174 &include_subdomains, &hashes, &report_uri)); 173 &include_subdomains, &hashes));
175 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, 174 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age,
176 &include_subdomains, &hashes, &report_uri)); 175 &include_subdomains, &hashes));
177 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, 176 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age,
178 &include_subdomains, &hashes, &report_uri)); 177 &include_subdomains, &hashes));
179 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, 178 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age,
180 &include_subdomains, &hashes, &report_uri)); 179 &include_subdomains, &hashes));
181 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, 180 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age,
182 &include_subdomains, &hashes, &report_uri)); 181 &include_subdomains, &hashes));
183 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, 182 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age,
184 &include_subdomains, &hashes, &report_uri)); 183 &include_subdomains, &hashes));
185 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, 184 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age,
186 &include_subdomains, &hashes, &report_uri)); 185 &include_subdomains, &hashes));
187 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, 186 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age,
188 &include_subdomains, &hashes, &report_uri)); 187 &include_subdomains, &hashes));
189 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, 188 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age,
190 &include_subdomains, &hashes, &report_uri)); 189 &include_subdomains, &hashes));
191 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, &max_age, 190 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes,
192 &include_subdomains, &hashes, &report_uri)); 191 &max_age, &include_subdomains, &hashes));
193 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, &max_age, 192 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes,
194 &include_subdomains, &hashes, &report_uri)); 193 &max_age, &include_subdomains, &hashes));
195 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", chain_hashes, 194 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923",
196 &max_age, &include_subdomains, &hashes,
197 &report_uri));
198 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age,
199 &include_subdomains, &hashes, &report_uri));
200 EXPECT_FALSE(ParseHPKPHeader(
201 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes,
202 &max_age, &include_subdomains, &hashes, &report_uri));
203 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;pins=" + good_pin + "," +
204 backup_pin + "report-uri=\"http://foo.com\"",
205 chain_hashes, &max_age, &include_subdomains, 195 chain_hashes, &max_age, &include_subdomains,
206 &hashes, &report_uri)); 196 &hashes));
207 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes, 197 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes,
208 &max_age, &include_subdomains, &hashes, 198 &max_age, &include_subdomains, &hashes));
209 &report_uri)); 199 EXPECT_FALSE(ParseHPKPHeader("max-ag=3488923pins=" + good_pin + "," +
210 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes, 200 backup_pin,
211 &max_age, &include_subdomains, &hashes,
212 &report_uri));
213 EXPECT_FALSE(ParseHPKPHeader(
214 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes,
215 &max_age, &include_subdomains, &hashes, &report_uri));
216 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + good_pin,
217 chain_hashes, &max_age, &include_subdomains, 201 chain_hashes, &max_age, &include_subdomains,
218 &hashes, &report_uri)); 202 &hashes));
219 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes, 203 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin,
220 &max_age, &include_subdomains, &hashes, 204 chain_hashes, &max_age, &include_subdomains,
221 &report_uri)); 205 &hashes));
206 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin,
207 chain_hashes, &max_age, &include_subdomains,
208 &hashes));
209 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin + ";" +
210 backup_pin,
211 chain_hashes, &max_age, &include_subdomains,
212 &hashes));
213 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" +
214 good_pin,
215 chain_hashes, &max_age, &include_subdomains,
216 &hashes));
217 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin,
218 chain_hashes, &max_age, &include_subdomains,
219 &hashes));
222 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, 220 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age,
223 &include_subdomains, &hashes, &report_uri)); 221 &include_subdomains, &hashes));
224 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, 222 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age,
225 &include_subdomains, &hashes, &report_uri)); 223 &include_subdomains, &hashes));
226 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, 224 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age,
227 &include_subdomains, &hashes, &report_uri)); 225 &include_subdomains, &hashes));
228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, 226 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age,
229 &include_subdomains, &hashes, &report_uri)); 227 &include_subdomains, &hashes));
230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, &max_age, 228 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes,
231 &include_subdomains, &hashes, &report_uri)); 229 &max_age, &include_subdomains, &hashes));
232 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", 230 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain",
233 chain_hashes, &max_age, &include_subdomains, 231 chain_hashes, &max_age, &include_subdomains,
234 &hashes, &report_uri)); 232 &hashes));
235 EXPECT_FALSE(ParseHPKPHeader(
236 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes,
237 &max_age, &include_subdomains, &hashes, &report_uri));
238 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, 233 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age,
239 &include_subdomains, &hashes, &report_uri)); 234 &include_subdomains, &hashes));
240 EXPECT_FALSE(ParseHPKPHeader( 235 EXPECT_FALSE(
241 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes, 236 ParseHPKPHeader("max-age=243; " + good_pin_unquoted + ";" + backup_pin,
242 &max_age, &include_subdomains, &hashes, &report_uri)); 237 chain_hashes, &max_age, &include_subdomains, &hashes));
243 EXPECT_FALSE(ParseHPKPHeader(
244 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;",
245 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
246 EXPECT_FALSE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin +
247 ";report-uri=http://foo.com;",
248 chain_hashes, &max_age, &include_subdomains,
249 &hashes, &report_uri));
250 EXPECT_FALSE(ParseHPKPHeader(
251 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''",
252 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
253
254 // Test that the parser rejects misquoted strings.
255 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +
256 "; report-uri=\"http://foo;bar\'",
257 chain_hashes, &max_age, &include_subdomains,
258 &hashes, &report_uri));
259
260 // Test that the parser rejects invalid report-uris.
261 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +
262 "; report-uri=\"foo;bar\'",
263 chain_hashes, &max_age, &include_subdomains,
264 &hashes, &report_uri));
265 238
266 // Check the out args were not updated by checking the default 239 // Check the out args were not updated by checking the default
267 // values for its predictable fields. 240 // values for its predictable fields.
268 EXPECT_EQ(0, max_age.InSeconds()); 241 EXPECT_EQ(0, max_age.InSeconds());
269 EXPECT_EQ(hashes.size(), (size_t)0); 242 EXPECT_EQ(hashes.size(), (size_t)0);
270 } 243 }
271 244
272 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { 245 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) {
273 base::TimeDelta max_age; 246 base::TimeDelta max_age;
274 base::TimeDelta expect_max_age; 247 base::TimeDelta expect_max_age;
(...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after
425 EXPECT_EQ(expect_max_age, max_age); 398 EXPECT_EQ(expect_max_age, max_age);
426 EXPECT_TRUE(include_subdomains); 399 EXPECT_TRUE(include_subdomains);
427 } 400 }
428 401
429 static void TestValidPKPHeaders(HashValueTag tag) { 402 static void TestValidPKPHeaders(HashValueTag tag) {
430 base::TimeDelta max_age; 403 base::TimeDelta max_age;
431 base::TimeDelta expect_max_age; 404 base::TimeDelta expect_max_age;
432 bool include_subdomains; 405 bool include_subdomains;
433 HashValueVector hashes; 406 HashValueVector hashes;
434 HashValueVector chain_hashes; 407 HashValueVector chain_hashes;
435 GURL expect_report_uri;
436 GURL report_uri;
437 408
438 // Set some fake "chain" hashes into chain_hashes 409 // Set some fake "chain" hashes into chain_hashes
439 chain_hashes.push_back(GetTestHashValue(1, tag)); 410 chain_hashes.push_back(GetTestHashValue(1, tag));
440 chain_hashes.push_back(GetTestHashValue(2, tag)); 411 chain_hashes.push_back(GetTestHashValue(2, tag));
441 chain_hashes.push_back(GetTestHashValue(3, tag)); 412 chain_hashes.push_back(GetTestHashValue(3, tag));
442 413
443 // The good pin must be in the chain, the backup pin must not be 414 // The good pin must be in the chain, the backup pin must not be
444 std::string good_pin = GetTestPin(2, tag); 415 std::string good_pin = GetTestPin(2, tag);
445 std::string good_pin2 = GetTestPin(3, tag); 416 std::string good_pin2 = GetTestPin(3, tag);
446 std::string backup_pin = GetTestPin(4, tag); 417 std::string backup_pin = GetTestPin(4, tag);
447 418
448 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin, 419 EXPECT_TRUE(ParseHPKPHeader(
449 chain_hashes, &max_age, &include_subdomains, 420 "max-age=243; " + good_pin + ";" + backup_pin,
450 &hashes, &report_uri)); 421 chain_hashes, &max_age, &include_subdomains, &hashes));
451 expect_max_age = base::TimeDelta::FromSeconds(243); 422 expect_max_age = base::TimeDelta::FromSeconds(243);
452 EXPECT_EQ(expect_max_age, max_age); 423 EXPECT_EQ(expect_max_age, max_age);
453 EXPECT_FALSE(include_subdomains); 424 EXPECT_FALSE(include_subdomains);
454 EXPECT_TRUE(report_uri.is_empty());
455 425
456 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + 426 EXPECT_TRUE(ParseHPKPHeader(
457 "; report-uri= \"http://example.test/foo\"", 427 " " + good_pin + "; " + backup_pin + " ; Max-agE = 567",
458 chain_hashes, &max_age, &include_subdomains, 428 chain_hashes, &max_age, &include_subdomains, &hashes));
459 &hashes, &report_uri)); 429 expect_max_age = base::TimeDelta::FromSeconds(567);
460 expect_max_age = base::TimeDelta::FromSeconds(243);
461 expect_report_uri = GURL("http://example.test/foo");
462 EXPECT_EQ(expect_max_age, max_age); 430 EXPECT_EQ(expect_max_age, max_age);
463 EXPECT_FALSE(include_subdomains); 431 EXPECT_FALSE(include_subdomains);
464 EXPECT_EQ(expect_report_uri, report_uri);
465 432
466 EXPECT_TRUE(ParseHPKPHeader( 433 EXPECT_TRUE(ParseHPKPHeader(
467 " " + good_pin + "; " + backup_pin + 434 "includeSubDOMAINS;" + good_pin + ";" + backup_pin +
468 " ; Max-agE = 567; repOrT-URi = \"http://example.test/foo\"", 435 " ; mAx-aGe = 890 ",
469 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); 436 chain_hashes, &max_age, &include_subdomains, &hashes));
470 expect_max_age = base::TimeDelta::FromSeconds(567);
471 expect_report_uri = GURL("http://example.test/foo");
472 EXPECT_EQ(expect_max_age, max_age);
473 EXPECT_FALSE(include_subdomains);
474 EXPECT_EQ(expect_report_uri, report_uri);
475
476 EXPECT_TRUE(ParseHPKPHeader("includeSubDOMAINS;" + good_pin + ";" +
477 backup_pin + " ; mAx-aGe = 890 ",
478 chain_hashes, &max_age, &include_subdomains,
479 &hashes, &report_uri));
480 expect_max_age = base::TimeDelta::FromSeconds(890); 437 expect_max_age = base::TimeDelta::FromSeconds(890);
481 EXPECT_EQ(expect_max_age, max_age); 438 EXPECT_EQ(expect_max_age, max_age);
482 EXPECT_TRUE(include_subdomains); 439 EXPECT_TRUE(include_subdomains);
483 440
484 EXPECT_TRUE(ParseHPKPHeader( 441 EXPECT_TRUE(ParseHPKPHeader(
485 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes, 442 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;",
486 &max_age, &include_subdomains, &hashes, &report_uri)); 443 chain_hashes, &max_age, &include_subdomains, &hashes));
487 expect_max_age = base::TimeDelta::FromSeconds(123); 444 expect_max_age = base::TimeDelta::FromSeconds(123);
488 EXPECT_EQ(expect_max_age, max_age); 445 EXPECT_EQ(expect_max_age, max_age);
489 EXPECT_FALSE(include_subdomains); 446 EXPECT_FALSE(include_subdomains);
490 447
491 EXPECT_TRUE(ParseHPKPHeader( 448 EXPECT_TRUE(ParseHPKPHeader(
492 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes, 449 "max-age=394082;" + backup_pin + ";" + good_pin + "; ",
493 &max_age, &include_subdomains, &hashes, &report_uri)); 450 chain_hashes, &max_age, &include_subdomains, &hashes));
494 expect_max_age = base::TimeDelta::FromSeconds(394082); 451 expect_max_age = base::TimeDelta::FromSeconds(394082);
495 EXPECT_EQ(expect_max_age, max_age); 452 EXPECT_EQ(expect_max_age, max_age);
496 EXPECT_FALSE(include_subdomains); 453 EXPECT_FALSE(include_subdomains);
497 454
498 EXPECT_TRUE(ParseHPKPHeader( 455 EXPECT_TRUE(ParseHPKPHeader(
499 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes, 456 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ",
500 &max_age, &include_subdomains, &hashes, &report_uri)); 457 chain_hashes, &max_age, &include_subdomains, &hashes));
501 expect_max_age = base::TimeDelta::FromSeconds( 458 expect_max_age = base::TimeDelta::FromSeconds(
502 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); 459 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299))));
503 EXPECT_EQ(expect_max_age, max_age); 460 EXPECT_EQ(expect_max_age, max_age);
504 EXPECT_FALSE(include_subdomains); 461 EXPECT_FALSE(include_subdomains);
505 462
506 EXPECT_TRUE(ParseHPKPHeader( 463 EXPECT_TRUE(ParseHPKPHeader(
507 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + 464 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " +
508 good_pin + ";" + backup_pin + "; ", 465 good_pin + ";" + backup_pin + "; ",
509 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); 466 chain_hashes, &max_age, &include_subdomains, &hashes));
510 expect_max_age = base::TimeDelta::FromSeconds( 467 expect_max_age = base::TimeDelta::FromSeconds(
511 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); 468 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038))));
512 EXPECT_EQ(expect_max_age, max_age); 469 EXPECT_EQ(expect_max_age, max_age);
513 EXPECT_TRUE(include_subdomains); 470 EXPECT_TRUE(include_subdomains);
514 471
515 EXPECT_TRUE(ParseHPKPHeader(" max-age=0 ; " + good_pin + ";" + backup_pin, 472 EXPECT_TRUE(ParseHPKPHeader(
516 chain_hashes, &max_age, &include_subdomains, 473 " max-age=0 ; " + good_pin + ";" + backup_pin,
517 &hashes, &report_uri)); 474 chain_hashes, &max_age, &include_subdomains, &hashes));
518 expect_max_age = base::TimeDelta::FromSeconds(0); 475 expect_max_age = base::TimeDelta::FromSeconds(0);
519 EXPECT_EQ(expect_max_age, max_age); 476 EXPECT_EQ(expect_max_age, max_age);
520 EXPECT_FALSE(include_subdomains); 477 EXPECT_FALSE(include_subdomains);
521 478
522 EXPECT_TRUE(ParseHPKPHeader( 479 EXPECT_TRUE(ParseHPKPHeader(
523 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, 480 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin,
524 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); 481 chain_hashes, &max_age, &include_subdomains, &hashes));
525 expect_max_age = base::TimeDelta::FromSeconds(0); 482 expect_max_age = base::TimeDelta::FromSeconds(0);
526 EXPECT_EQ(expect_max_age, max_age); 483 EXPECT_EQ(expect_max_age, max_age);
527 EXPECT_TRUE(include_subdomains); 484 EXPECT_TRUE(include_subdomains);
528 485
529 EXPECT_TRUE(ParseHPKPHeader( 486 EXPECT_TRUE(ParseHPKPHeader(
530 " max-age=999999999999999999999999999999999999999999999 ; " + 487 " max-age=999999999999999999999999999999999999999999999 ; " +
531 backup_pin + ";" + good_pin + "; ", 488 backup_pin + ";" + good_pin + "; ",
532 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); 489 chain_hashes, &max_age, &include_subdomains, &hashes));
533 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); 490 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);
534 EXPECT_EQ(expect_max_age, max_age); 491 EXPECT_EQ(expect_max_age, max_age);
535 EXPECT_FALSE(include_subdomains); 492 EXPECT_FALSE(include_subdomains);
536 493
537 EXPECT_TRUE(ParseHPKPHeader(
538 " max-age=999999999999999999999999999999999999999999999 ; " +
539 backup_pin + ";" + good_pin +
540 "; report-uri=\"http://example.test/foo\"",
541 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));
542 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);
543 expect_report_uri = GURL("http://example.test/foo");
544 EXPECT_EQ(expect_max_age, max_age);
545 EXPECT_FALSE(include_subdomains);
546 EXPECT_EQ(expect_report_uri, report_uri);
547
548 // Test that parsing a different header resets the hashes. 494 // Test that parsing a different header resets the hashes.
549 hashes.clear(); 495 hashes.clear();
550 EXPECT_TRUE(ParseHPKPHeader( 496 EXPECT_TRUE(ParseHPKPHeader(
551 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes, 497 " max-age=999; " +
552 &max_age, &include_subdomains, &hashes, &report_uri)); 498 backup_pin + ";" + good_pin + "; ",
499 chain_hashes, &max_age, &include_subdomains, &hashes));
553 EXPECT_EQ(2u, hashes.size()); 500 EXPECT_EQ(2u, hashes.size());
554 EXPECT_TRUE(ParseHPKPHeader( 501 EXPECT_TRUE(ParseHPKPHeader(
555 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, 502 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes,
556 &max_age, &include_subdomains, &hashes, &report_uri)); 503 &max_age, &include_subdomains, &hashes));
557 EXPECT_EQ(2u, hashes.size()); 504 EXPECT_EQ(2u, hashes.size());
558
559 // Test that the parser correctly parses an unencoded ';' inside a
560 // quoted report-uri.
561 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +
562 "; report-uri=\"http://foo.com/?;bar\"",
563 chain_hashes, &max_age, &include_subdomains,
564 &hashes, &report_uri));
565 expect_max_age = base::TimeDelta::FromSeconds(999);
566 expect_report_uri = GURL("http://foo.com/?;bar");
567 EXPECT_EQ(expect_max_age, max_age);
568 EXPECT_FALSE(include_subdomains);
569 EXPECT_EQ(expect_report_uri, report_uri);
570
571 // Test that the parser correctly parses a report-uri with a >0x7f
572 // character.
573 std::string uri = "http://foo.com/";
574 uri += char(0x7f);
575 expect_report_uri = GURL(uri);
576 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +
577 "; report-uri=\"" + uri + "\"",
578 chain_hashes, &max_age, &include_subdomains,
579 &hashes, &report_uri));
580 expect_max_age = base::TimeDelta::FromSeconds(999);
581 EXPECT_EQ(expect_max_age, max_age);
582 EXPECT_FALSE(include_subdomains);
583 EXPECT_EQ(expect_report_uri, report_uri);
584
585 // Test that the parser allows quoted max-age values.
586 EXPECT_TRUE(ParseHPKPHeader("max-age='999'; " + backup_pin + "; " + good_pin,
587 chain_hashes, &max_age, &include_subdomains,
588 &hashes, &report_uri));
589 expect_max_age = base::TimeDelta::FromSeconds(999);
590 EXPECT_EQ(expect_max_age, max_age);
591 EXPECT_FALSE(include_subdomains);
592
593 // Test that the parser handles escaped values.
594 expect_report_uri = GURL("http://foo.com'a");
595 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +
596 "; report-uri='http://foo.com\\'\\a'",
597 chain_hashes, &max_age, &include_subdomains,
598 &hashes, &report_uri));
599 expect_max_age = base::TimeDelta::FromSeconds(999);
600 EXPECT_EQ(expect_max_age, max_age);
601 EXPECT_FALSE(include_subdomains);
602 EXPECT_EQ(expect_report_uri, report_uri);
603 } 505 }
604 506
605 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { 507 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) {
606 TestBogusPinsHeaders(HASH_VALUE_SHA1); 508 TestBogusPinsHeaders(HASH_VALUE_SHA1);
607 } 509 }
608 510
609 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { 511 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) {
610 TestBogusPinsHeaders(HASH_VALUE_SHA256); 512 TestBogusPinsHeaders(HASH_VALUE_SHA256);
611 } 513 }
612 514
(...skipping 16 matching lines...) Expand all
629 EXPECT_TRUE( 531 EXPECT_TRUE(
630 state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state)); 532 state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state));
631 EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL); 533 EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL);
632 HashValueVector saved_hashes = static_pkp_state.spki_hashes; 534 HashValueVector saved_hashes = static_pkp_state.spki_hashes;
633 535
634 // Add a header, which should only update the dynamic state. 536 // Add a header, which should only update the dynamic state.
635 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); 537 HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
636 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1); 538 HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1);
637 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1); 539 std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
638 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1); 540 std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
639 GURL report_uri("http://google.com"); 541 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin;
640 std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin +
641 ";report-uri=\"" + report_uri.spec() + "\"";
642 542
643 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. 543 // Construct a fake SSLInfo that will pass AddHPKPHeader's checks.
644 SSLInfo ssl_info; 544 SSLInfo ssl_info;
645 ssl_info.public_key_hashes.push_back(good_hash); 545 ssl_info.public_key_hashes.push_back(good_hash);
646 ssl_info.public_key_hashes.push_back(saved_hashes[0]); 546 ssl_info.public_key_hashes.push_back(saved_hashes[0]);
647 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); 547 EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
648 548
649 // Expect the static state to remain unchanged. 549 // Expect the static state to remain unchanged.
650 TransportSecurityState::STSState new_static_sts_state; 550 TransportSecurityState::STSState new_static_sts_state;
651 TransportSecurityState::PKPState new_static_pkp_state; 551 TransportSecurityState::PKPState new_static_pkp_state;
652 EXPECT_TRUE(state.GetStaticDomainState(domain, &new_static_sts_state, 552 EXPECT_TRUE(state.GetStaticDomainState(domain, &new_static_sts_state,
653 &new_static_pkp_state)); 553 &new_static_pkp_state));
654 for (size_t i = 0; i < saved_hashes.size(); ++i) { 554 for (size_t i = 0; i < saved_hashes.size(); ++i) {
655 EXPECT_TRUE( 555 EXPECT_TRUE(
656 HashValuesEqual(saved_hashes[i])(new_static_pkp_state.spki_hashes[i])); 556 HashValuesEqual(saved_hashes[i])(new_static_pkp_state.spki_hashes[i]));
657 } 557 }
658 558
659 // Expect the dynamic state to reflect the header. 559 // Expect the dynamic state to reflect the header.
660 TransportSecurityState::PKPState dynamic_pkp_state; 560 TransportSecurityState::PKPState dynamic_pkp_state;
661 EXPECT_TRUE(state.GetDynamicPKPState(domain, &dynamic_pkp_state)); 561 EXPECT_TRUE(state.GetDynamicPKPState(domain, &dynamic_pkp_state));
662 EXPECT_EQ(2UL, dynamic_pkp_state.spki_hashes.size()); 562 EXPECT_EQ(2UL, dynamic_pkp_state.spki_hashes.size());
663 EXPECT_EQ(report_uri, dynamic_pkp_state.report_uri);
664 563
665 HashValueVector::const_iterator hash = std::find_if( 564 HashValueVector::const_iterator hash = std::find_if(
666 dynamic_pkp_state.spki_hashes.begin(), 565 dynamic_pkp_state.spki_hashes.begin(),
667 dynamic_pkp_state.spki_hashes.end(), HashValuesEqual(good_hash)); 566 dynamic_pkp_state.spki_hashes.end(), HashValuesEqual(good_hash));
668 EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash); 567 EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash);
669 568
670 hash = std::find_if(dynamic_pkp_state.spki_hashes.begin(), 569 hash = std::find_if(dynamic_pkp_state.spki_hashes.begin(),
671 dynamic_pkp_state.spki_hashes.end(), 570 dynamic_pkp_state.spki_hashes.end(),
672 HashValuesEqual(backup_hash)); 571 HashValuesEqual(backup_hash));
673 EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash); 572 EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash);
674 573
675 // Expect the overall state to reflect the header, too. 574 // Expect the overall state to reflect the header, too.
676 EXPECT_TRUE(state.HasPublicKeyPins(domain)); 575 EXPECT_TRUE(state.HasPublicKeyPins(domain));
677 HashValueVector hashes; 576 HashValueVector hashes;
678 hashes.push_back(good_hash); 577 hashes.push_back(good_hash);
679 std::string failure_log; 578 std::string failure_log;
680 const bool is_issued_by_known_root = true; 579 const bool is_issued_by_known_root = true;
681 EXPECT_TRUE(state.CheckPublicKeyPins( 580 EXPECT_TRUE(state.CheckPublicKeyPins(
682 domain, is_issued_by_known_root, hashes, &failure_log)); 581 domain, is_issued_by_known_root, hashes, &failure_log));
683 582
684 TransportSecurityState::PKPState new_dynamic_pkp_state; 583 TransportSecurityState::PKPState new_dynamic_pkp_state;
685 EXPECT_TRUE(state.GetDynamicPKPState(domain, &new_dynamic_pkp_state)); 584 EXPECT_TRUE(state.GetDynamicPKPState(domain, &new_dynamic_pkp_state));
686 EXPECT_EQ(2UL, new_dynamic_pkp_state.spki_hashes.size()); 585 EXPECT_EQ(2UL, new_dynamic_pkp_state.spki_hashes.size());
687 EXPECT_EQ(report_uri, new_dynamic_pkp_state.report_uri);
688 586
689 hash = std::find_if(new_dynamic_pkp_state.spki_hashes.begin(), 587 hash = std::find_if(new_dynamic_pkp_state.spki_hashes.begin(),
690 new_dynamic_pkp_state.spki_hashes.end(), 588 new_dynamic_pkp_state.spki_hashes.end(),
691 HashValuesEqual(good_hash)); 589 HashValuesEqual(good_hash));
692 EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash); 590 EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash);
693 591
694 hash = std::find_if(new_dynamic_pkp_state.spki_hashes.begin(), 592 hash = std::find_if(new_dynamic_pkp_state.spki_hashes.begin(),
695 new_dynamic_pkp_state.spki_hashes.end(), 593 new_dynamic_pkp_state.spki_hashes.end(),
696 HashValuesEqual(backup_hash)); 594 HashValuesEqual(backup_hash));
697 EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash); 595 EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash);
(...skipping 167 matching lines...) Expand 10 before | Expand all | Expand 10 after
865 ssl_info)); 763 ssl_info));
866 764
867 // The old pins must still exist. 765 // The old pins must still exist.
868 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); 766 EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
869 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root, 767 EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root,
870 ssl_info.public_key_hashes, 768 ssl_info.public_key_hashes,
871 &failure_log)); 769 &failure_log));
872 } 770 }
873 771
874 }; // namespace net 772 }; // namespace net
OLDNEW
« no previous file with comments | « net/http/http_security_headers.cc ('k') | net/http/http_util.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698