| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 17 matching lines...) Expand all Loading... |
| 28 #include "net/ssl/ssl_info.h" | 28 #include "net/ssl/ssl_info.h" |
| 29 #include "net/test/cert_test_util.h" | 29 #include "net/test/cert_test_util.h" |
| 30 #include "testing/gtest/include/gtest/gtest.h" | 30 #include "testing/gtest/include/gtest/gtest.h" |
| 31 | 31 |
| 32 #if defined(USE_OPENSSL) | 32 #if defined(USE_OPENSSL) |
| 33 #include "crypto/openssl_util.h" | 33 #include "crypto/openssl_util.h" |
| 34 #else | 34 #else |
| 35 #include "crypto/nss_util.h" | 35 #include "crypto/nss_util.h" |
| 36 #endif | 36 #endif |
| 37 | 37 |
| 38 namespace { | |
| 39 | |
| 40 const char kReportUri[] = "http://example.test/test"; | |
| 41 | |
| 42 } // namespace | |
| 43 | |
| 44 namespace net { | 38 namespace net { |
| 45 | 39 |
| 46 class TransportSecurityStateTest : public testing::Test { | 40 class TransportSecurityStateTest : public testing::Test { |
| 47 public: | 41 public: |
| 48 void SetUp() override { | 42 void SetUp() override { |
| 49 #if defined(USE_OPENSSL) | 43 #if defined(USE_OPENSSL) |
| 50 crypto::EnsureOpenSSLInit(); | 44 crypto::EnsureOpenSSLInit(); |
| 51 #else | 45 #else |
| 52 crypto::EnsureNSSInit(); | 46 crypto::EnsureNSSInit(); |
| 53 #endif | 47 #endif |
| (...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 213 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); | 207 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); |
| 214 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); | 208 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); |
| 215 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); | 209 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); |
| 216 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); | 210 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); |
| 217 } | 211 } |
| 218 | 212 |
| 219 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule | 213 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule |
| 220 // with it, regardless of the includeSubDomains bit. This is a regression test | 214 // with it, regardless of the includeSubDomains bit. This is a regression test |
| 221 // for https://crbug.com/469957. | 215 // for https://crbug.com/469957. |
| 222 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { | 216 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
| 223 const GURL report_uri(kReportUri); | |
| 224 TransportSecurityState state; | 217 TransportSecurityState state; |
| 225 const base::Time current_time(base::Time::Now()); | 218 const base::Time current_time(base::Time::Now()); |
| 226 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 219 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 227 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 220 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 228 | 221 |
| 229 state.AddHSTS("example1.test", expiry, true); | 222 state.AddHSTS("example1.test", expiry, true); |
| 230 state.AddHSTS("foo.example1.test", expiry, false); | 223 state.AddHSTS("foo.example1.test", expiry, false); |
| 231 | 224 |
| 232 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), | 225 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); |
| 233 report_uri); | 226 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes()); |
| 234 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes(), | |
| 235 report_uri); | |
| 236 | 227 |
| 237 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 228 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 238 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 229 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 239 | 230 |
| 240 // The foo.example1.test rule overrides the example1.test rule, so | 231 // The foo.example1.test rule overrides the example1.test rule, so |
| 241 // bar.foo.example1.test has no HSTS state. | 232 // bar.foo.example1.test has no HSTS state. |
| 242 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 233 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
| 243 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 234 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
| 244 | 235 |
| 245 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 236 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
| 246 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 237 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| 247 | 238 |
| 248 // The foo.example2.test rule overrides the example1.test rule, so | 239 // The foo.example2.test rule overrides the example1.test rule, so |
| 249 // bar.foo.example2.test has no HPKP state. | 240 // bar.foo.example2.test has no HPKP state. |
| 250 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); | 241 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); |
| 251 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 242 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
| 252 | 243 |
| 253 // Expire the foo.example*.test rules. | 244 // Expire the foo.example*.test rules. |
| 254 state.AddHSTS("foo.example1.test", older, false); | 245 state.AddHSTS("foo.example1.test", older, false); |
| 255 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes(), | 246 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes()); |
| 256 report_uri); | |
| 257 | 247 |
| 258 // Now the base example*.test rules apply to bar.foo.example*.test. | 248 // Now the base example*.test rules apply to bar.foo.example*.test. |
| 259 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 249 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
| 260 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 250 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
| 261 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); | 251 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); |
| 262 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 252 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
| 263 } | 253 } |
| 264 | 254 |
| 265 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { | 255 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { |
| 266 const GURL report_uri(kReportUri); | |
| 267 TransportSecurityState state; | 256 TransportSecurityState state; |
| 268 const base::Time current_time(base::Time::Now()); | 257 const base::Time current_time(base::Time::Now()); |
| 269 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 258 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 270 | 259 |
| 271 state.AddHSTS("example1.test", expiry, false); | 260 state.AddHSTS("example1.test", expiry, false); |
| 272 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), | 261 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); |
| 273 report_uri); | |
| 274 | 262 |
| 275 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. | 263 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. |
| 276 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); | 264 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); |
| 277 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); | 265 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); |
| 278 } | 266 } |
| 279 | 267 |
| 280 // Tests that HPKP and HSTS state both expire. Also tests that expired entries | 268 // Tests that HPKP and HSTS state both expire. Also tests that expired entries |
| 281 // are pruned. | 269 // are pruned. |
| 282 TEST_F(TransportSecurityStateTest, Expiration) { | 270 TEST_F(TransportSecurityStateTest, Expiration) { |
| 283 const GURL report_uri(kReportUri); | |
| 284 TransportSecurityState state; | 271 TransportSecurityState state; |
| 285 const base::Time current_time(base::Time::Now()); | 272 const base::Time current_time(base::Time::Now()); |
| 286 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 273 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 287 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 274 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 288 | 275 |
| 289 // Note: this test assumes that inserting an entry with an expiration time in | 276 // Note: this test assumes that inserting an entry with an expiration time in |
| 290 // the past works and is pruned on query. | 277 // the past works and is pruned on query. |
| 291 state.AddHSTS("example1.test", older, false); | 278 state.AddHSTS("example1.test", older, false); |
| 292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 279 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 293 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 280 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
| 294 // Querying |state| for a domain should flush out expired entries. | 281 // Querying |state| for a domain should flush out expired entries. |
| 295 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 282 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 296 | 283 |
| 297 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), | 284 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); |
| 298 report_uri); | |
| 299 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 285 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 300 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 286 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 301 // Querying |state| for a domain should flush out expired entries. | 287 // Querying |state| for a domain should flush out expired entries. |
| 302 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 288 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 303 | 289 |
| 304 state.AddHSTS("example1.test", older, false); | 290 state.AddHSTS("example1.test", older, false); |
| 305 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), | 291 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); |
| 306 report_uri); | |
| 307 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 308 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 293 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 309 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); | 294 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); |
| 310 // Querying |state| for a domain should flush out expired entries. | 295 // Querying |state| for a domain should flush out expired entries. |
| 311 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 296 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 312 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 297 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 313 | 298 |
| 314 // Test that HSTS can outlive HPKP. | 299 // Test that HSTS can outlive HPKP. |
| 315 state.AddHSTS("example1.test", expiry, false); | 300 state.AddHSTS("example1.test", expiry, false); |
| 316 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), | 301 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); |
| 317 report_uri); | |
| 318 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 302 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 319 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 303 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 320 | 304 |
| 321 // Test that HPKP can outlive HSTS. | 305 // Test that HPKP can outlive HSTS. |
| 322 state.AddHSTS("example2.test", older, false); | 306 state.AddHSTS("example2.test", older, false); |
| 323 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), | 307 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); |
| 324 report_uri); | |
| 325 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 308 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
| 326 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 309 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
| 327 } | 310 } |
| 328 | 311 |
| 329 TEST_F(TransportSecurityStateTest, InvalidDomains) { | 312 TEST_F(TransportSecurityStateTest, InvalidDomains) { |
| 330 TransportSecurityState state; | 313 TransportSecurityState state; |
| 331 const base::Time current_time(base::Time::Now()); | 314 const base::Time current_time(base::Time::Now()); |
| 332 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 315 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 333 | 316 |
| 334 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); | 317 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); |
| 335 bool include_subdomains = true; | 318 bool include_subdomains = true; |
| 336 state.AddHSTS("example.test", expiry, include_subdomains); | 319 state.AddHSTS("example.test", expiry, include_subdomains); |
| 337 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); | 320 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); |
| 338 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); | 321 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); |
| 339 } | 322 } |
| 340 | 323 |
| 341 // Tests that HPKP and HSTS state are queried independently for subdomain | 324 // Tests that HPKP and HSTS state are queried independently for subdomain |
| 342 // matches. | 325 // matches. |
| 343 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { | 326 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { |
| 344 const GURL report_uri(kReportUri); | |
| 345 TransportSecurityState state; | 327 TransportSecurityState state; |
| 346 const base::Time current_time(base::Time::Now()); | 328 const base::Time current_time(base::Time::Now()); |
| 347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 329 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 348 | 330 |
| 349 state.AddHSTS("example1.test", expiry, true); | 331 state.AddHSTS("example1.test", expiry, true); |
| 350 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes(), | 332 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes()); |
| 351 report_uri); | |
| 352 | 333 |
| 353 state.AddHSTS("example2.test", expiry, false); | 334 state.AddHSTS("example2.test", expiry, false); |
| 354 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), | 335 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); |
| 355 report_uri); | |
| 356 | 336 |
| 357 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 337 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 358 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); | 338 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); |
| 359 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); | 339 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| 360 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 340 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| 361 } | 341 } |
| 362 | 342 |
| 363 // Tests that HPKP and HSTS state are inserted and overridden independently. | 343 // Tests that HPKP and HSTS state are inserted and overridden independently. |
| 364 TEST_F(TransportSecurityStateTest, IndependentInsertion) { | 344 TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
| 365 const GURL report_uri(kReportUri); | |
| 366 TransportSecurityState state; | 345 TransportSecurityState state; |
| 367 const base::Time current_time(base::Time::Now()); | 346 const base::Time current_time(base::Time::Now()); |
| 368 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 369 | 348 |
| 370 // Place an includeSubdomains HSTS entry below a normal HPKP entry. | 349 // Place an includeSubdomains HSTS entry below a normal HPKP entry. |
| 371 state.AddHSTS("example1.test", expiry, true); | 350 state.AddHSTS("example1.test", expiry, true); |
| 372 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes(), | 351 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes()); |
| 373 report_uri); | |
| 374 | 352 |
| 375 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 353 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 376 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 354 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
| 377 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 355 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 378 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 356 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 379 | 357 |
| 380 // Drop the includeSubdomains from the HSTS entry. | 358 // Drop the includeSubdomains from the HSTS entry. |
| 381 state.AddHSTS("example1.test", expiry, false); | 359 state.AddHSTS("example1.test", expiry, false); |
| 382 | 360 |
| 383 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); | 361 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| 384 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 362 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
| 385 | 363 |
| 386 // Place an includeSubdomains HPKP entry below a normal HSTS entry. | 364 // Place an includeSubdomains HPKP entry below a normal HSTS entry. |
| 387 state.AddHSTS("foo.example2.test", expiry, false); | 365 state.AddHSTS("foo.example2.test", expiry, false); |
| 388 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), | 366 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); |
| 389 report_uri); | |
| 390 | 367 |
| 391 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 368 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| 392 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 369 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| 393 | 370 |
| 394 // Drop the includeSubdomains from the HSTS entry. | 371 // Drop the includeSubdomains from the HSTS entry. |
| 395 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), | 372 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); |
| 396 report_uri); | |
| 397 | 373 |
| 398 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 374 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| 399 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); | 375 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); |
| 400 } | 376 } |
| 401 | 377 |
| 402 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the | 378 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the |
| 403 // states are not mixed together. | 379 // states are not mixed together. |
| 404 TEST_F(TransportSecurityStateTest, DynamicDomainState) { | 380 TEST_F(TransportSecurityStateTest, DynamicDomainState) { |
| 405 const GURL report_uri(kReportUri); | |
| 406 TransportSecurityState state; | 381 TransportSecurityState state; |
| 407 const base::Time current_time(base::Time::Now()); | 382 const base::Time current_time(base::Time::Now()); |
| 408 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); | 383 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); |
| 409 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); | 384 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); |
| 410 | 385 |
| 411 state.AddHSTS("example.com", expiry1, true); | 386 state.AddHSTS("example.com", expiry1, true); |
| 412 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes(), | 387 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes()); |
| 413 report_uri); | |
| 414 | 388 |
| 415 TransportSecurityState::STSState sts_state; | 389 TransportSecurityState::STSState sts_state; |
| 416 TransportSecurityState::PKPState pkp_state; | 390 TransportSecurityState::PKPState pkp_state; |
| 417 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); | 391 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); |
| 418 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 392 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 419 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); | 393 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); |
| 420 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); | 394 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); |
| 421 EXPECT_TRUE(sts_state.include_subdomains); | 395 EXPECT_TRUE(sts_state.include_subdomains); |
| 422 EXPECT_FALSE(pkp_state.include_subdomains); | 396 EXPECT_FALSE(pkp_state.include_subdomains); |
| 423 EXPECT_EQ(expiry1, sts_state.expiry); | 397 EXPECT_EQ(expiry1, sts_state.expiry); |
| 424 EXPECT_EQ(expiry2, pkp_state.expiry); | 398 EXPECT_EQ(expiry2, pkp_state.expiry); |
| 425 EXPECT_EQ("example.com", sts_state.domain); | 399 EXPECT_EQ("example.com", sts_state.domain); |
| 426 EXPECT_EQ("foo.example.com", pkp_state.domain); | 400 EXPECT_EQ("foo.example.com", pkp_state.domain); |
| 427 } | 401 } |
| 428 | 402 |
| 429 // Tests that new pins always override previous pins. This should be true for | 403 // Tests that new pins always override previous pins. This should be true for |
| 430 // both pins at the same domain or includeSubdomains pins at a parent domain. | 404 // both pins at the same domain or includeSubdomains pins at a parent domain. |
| 431 TEST_F(TransportSecurityStateTest, NewPinsOverride) { | 405 TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
| 432 const GURL report_uri(kReportUri); | |
| 433 TransportSecurityState state; | 406 TransportSecurityState state; |
| 434 TransportSecurityState::PKPState pkp_state; | 407 TransportSecurityState::PKPState pkp_state; |
| 435 const base::Time current_time(base::Time::Now()); | 408 const base::Time current_time(base::Time::Now()); |
| 436 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 409 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 437 HashValue hash1(HASH_VALUE_SHA1); | 410 HashValue hash1(HASH_VALUE_SHA1); |
| 438 memset(hash1.data(), 0x01, hash1.size()); | 411 memset(hash1.data(), 0x01, hash1.size()); |
| 439 HashValue hash2(HASH_VALUE_SHA1); | 412 HashValue hash2(HASH_VALUE_SHA1); |
| 440 memset(hash2.data(), 0x02, hash1.size()); | 413 memset(hash2.data(), 0x02, hash1.size()); |
| 441 HashValue hash3(HASH_VALUE_SHA1); | 414 HashValue hash3(HASH_VALUE_SHA1); |
| 442 memset(hash3.data(), 0x03, hash1.size()); | 415 memset(hash3.data(), 0x03, hash1.size()); |
| 443 | 416 |
| 444 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1), | 417 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1)); |
| 445 report_uri); | |
| 446 | 418 |
| 447 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 419 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 448 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 420 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 449 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); | 421 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); |
| 450 | 422 |
| 451 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2), | 423 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2)); |
| 452 report_uri); | |
| 453 | 424 |
| 454 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 425 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 455 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 426 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 456 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); | 427 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); |
| 457 | 428 |
| 458 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), | 429 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3)); |
| 459 report_uri); | |
| 460 | 430 |
| 461 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 431 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 462 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 432 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 463 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); | 433 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); |
| 464 } | 434 } |
| 465 | 435 |
| 466 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 436 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
| 467 TransportSecurityState state; | 437 TransportSecurityState state; |
| 468 const base::Time current_time(base::Time::Now()); | 438 const base::Time current_time(base::Time::Now()); |
| 469 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 439 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 470 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 440 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 471 | 441 |
| 472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 442 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
| 473 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 443 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 474 bool include_subdomains = false; | 444 bool include_subdomains = false; |
| 475 state.AddHSTS("example.com", expiry, include_subdomains); | 445 state.AddHSTS("example.com", expiry, include_subdomains); |
| 476 state.AddHPKP("example.com", expiry, include_subdomains, | 446 state.AddHPKP("example.com", expiry, include_subdomains, |
| 477 GetSampleSPKIHashes(), GURL()); | 447 GetSampleSPKIHashes()); |
| 478 | 448 |
| 479 state.DeleteAllDynamicDataSince(expiry); | 449 state.DeleteAllDynamicDataSince(expiry); |
| 480 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); | 450 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
| 481 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 451 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
| 482 state.DeleteAllDynamicDataSince(older); | 452 state.DeleteAllDynamicDataSince(older); |
| 483 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 453 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
| 484 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 454 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 485 | 455 |
| 486 // STS and PKP data in |state| should be empty now. | 456 // STS and PKP data in |state| should be empty now. |
| 487 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 457 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 488 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 458 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 489 } | 459 } |
| 490 | 460 |
| 491 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 461 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
| 492 TransportSecurityState state; | 462 TransportSecurityState state; |
| 493 const base::Time current_time(base::Time::Now()); | 463 const base::Time current_time(base::Time::Now()); |
| 494 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 464 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 495 bool include_subdomains = false; | 465 bool include_subdomains = false; |
| 496 | 466 |
| 497 state.AddHSTS("example1.test", expiry, include_subdomains); | 467 state.AddHSTS("example1.test", expiry, include_subdomains); |
| 498 state.AddHPKP("example1.test", expiry, include_subdomains, | 468 state.AddHPKP("example1.test", expiry, include_subdomains, |
| 499 GetSampleSPKIHashes(), GURL()); | 469 GetSampleSPKIHashes()); |
| 500 | 470 |
| 501 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 471 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 502 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
| 503 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); | 473 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); |
| 504 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); | 474 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); |
| 505 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); | 475 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); |
| 506 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 476 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
| 507 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 477 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 508 } | 478 } |
| 509 | 479 |
| (...skipping 596 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1106 // These hosts used to only be HSTS when SNI was available. | 1076 // These hosts used to only be HSTS when SNI was available. |
| 1107 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1077 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
| 1108 "gmail.com")); | 1078 "gmail.com")); |
| 1109 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1079 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
| 1110 "googlegroups.com")); | 1080 "googlegroups.com")); |
| 1111 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1081 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
| 1112 "www.googlegroups.com")); | 1082 "www.googlegroups.com")); |
| 1113 } | 1083 } |
| 1114 | 1084 |
| 1115 } // namespace net | 1085 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1249823002:
Revert of Parse HPKP report-uri and persist in TransportSecurityPersister (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master