OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 17 matching lines...) Expand all Loading... |
28 #include "net/ssl/ssl_info.h" | 28 #include "net/ssl/ssl_info.h" |
29 #include "net/test/cert_test_util.h" | 29 #include "net/test/cert_test_util.h" |
30 #include "testing/gtest/include/gtest/gtest.h" | 30 #include "testing/gtest/include/gtest/gtest.h" |
31 | 31 |
32 #if defined(USE_OPENSSL) | 32 #if defined(USE_OPENSSL) |
33 #include "crypto/openssl_util.h" | 33 #include "crypto/openssl_util.h" |
34 #else | 34 #else |
35 #include "crypto/nss_util.h" | 35 #include "crypto/nss_util.h" |
36 #endif | 36 #endif |
37 | 37 |
38 namespace { | |
39 | |
40 const char kReportUri[] = "http://example.test/test"; | |
41 | |
42 } // namespace | |
43 | |
44 namespace net { | 38 namespace net { |
45 | 39 |
46 class TransportSecurityStateTest : public testing::Test { | 40 class TransportSecurityStateTest : public testing::Test { |
47 public: | 41 public: |
48 void SetUp() override { | 42 void SetUp() override { |
49 #if defined(USE_OPENSSL) | 43 #if defined(USE_OPENSSL) |
50 crypto::EnsureOpenSSLInit(); | 44 crypto::EnsureOpenSSLInit(); |
51 #else | 45 #else |
52 crypto::EnsureNSSInit(); | 46 crypto::EnsureNSSInit(); |
53 #endif | 47 #endif |
(...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
213 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); | 207 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); |
214 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); | 208 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); |
215 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); | 209 EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); |
216 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); | 210 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); |
217 } | 211 } |
218 | 212 |
219 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule | 213 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule |
220 // with it, regardless of the includeSubDomains bit. This is a regression test | 214 // with it, regardless of the includeSubDomains bit. This is a regression test |
221 // for https://crbug.com/469957. | 215 // for https://crbug.com/469957. |
222 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { | 216 TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
223 const GURL report_uri(kReportUri); | |
224 TransportSecurityState state; | 217 TransportSecurityState state; |
225 const base::Time current_time(base::Time::Now()); | 218 const base::Time current_time(base::Time::Now()); |
226 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 219 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
227 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 220 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
228 | 221 |
229 state.AddHSTS("example1.test", expiry, true); | 222 state.AddHSTS("example1.test", expiry, true); |
230 state.AddHSTS("foo.example1.test", expiry, false); | 223 state.AddHSTS("foo.example1.test", expiry, false); |
231 | 224 |
232 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), | 225 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); |
233 report_uri); | 226 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes()); |
234 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes(), | |
235 report_uri); | |
236 | 227 |
237 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 228 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
238 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 229 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
239 | 230 |
240 // The foo.example1.test rule overrides the example1.test rule, so | 231 // The foo.example1.test rule overrides the example1.test rule, so |
241 // bar.foo.example1.test has no HSTS state. | 232 // bar.foo.example1.test has no HSTS state. |
242 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 233 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
243 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 234 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
244 | 235 |
245 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 236 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
246 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 237 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
247 | 238 |
248 // The foo.example2.test rule overrides the example1.test rule, so | 239 // The foo.example2.test rule overrides the example1.test rule, so |
249 // bar.foo.example2.test has no HPKP state. | 240 // bar.foo.example2.test has no HPKP state. |
250 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); | 241 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test")); |
251 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 242 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
252 | 243 |
253 // Expire the foo.example*.test rules. | 244 // Expire the foo.example*.test rules. |
254 state.AddHSTS("foo.example1.test", older, false); | 245 state.AddHSTS("foo.example1.test", older, false); |
255 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes(), | 246 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes()); |
256 report_uri); | |
257 | 247 |
258 // Now the base example*.test rules apply to bar.foo.example*.test. | 248 // Now the base example*.test rules apply to bar.foo.example*.test. |
259 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); | 249 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
260 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); | 250 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test")); |
261 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); | 251 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test")); |
262 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); | 252 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test")); |
263 } | 253 } |
264 | 254 |
265 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { | 255 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { |
266 const GURL report_uri(kReportUri); | |
267 TransportSecurityState state; | 256 TransportSecurityState state; |
268 const base::Time current_time(base::Time::Now()); | 257 const base::Time current_time(base::Time::Now()); |
269 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 258 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
270 | 259 |
271 state.AddHSTS("example1.test", expiry, false); | 260 state.AddHSTS("example1.test", expiry, false); |
272 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), | 261 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); |
273 report_uri); | |
274 | 262 |
275 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. | 263 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. |
276 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); | 264 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); |
277 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); | 265 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); |
278 } | 266 } |
279 | 267 |
280 // Tests that HPKP and HSTS state both expire. Also tests that expired entries | 268 // Tests that HPKP and HSTS state both expire. Also tests that expired entries |
281 // are pruned. | 269 // are pruned. |
282 TEST_F(TransportSecurityStateTest, Expiration) { | 270 TEST_F(TransportSecurityStateTest, Expiration) { |
283 const GURL report_uri(kReportUri); | |
284 TransportSecurityState state; | 271 TransportSecurityState state; |
285 const base::Time current_time(base::Time::Now()); | 272 const base::Time current_time(base::Time::Now()); |
286 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 273 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
287 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 274 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
288 | 275 |
289 // Note: this test assumes that inserting an entry with an expiration time in | 276 // Note: this test assumes that inserting an entry with an expiration time in |
290 // the past works and is pruned on query. | 277 // the past works and is pruned on query. |
291 state.AddHSTS("example1.test", older, false); | 278 state.AddHSTS("example1.test", older, false); |
292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 279 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
293 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 280 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
294 // Querying |state| for a domain should flush out expired entries. | 281 // Querying |state| for a domain should flush out expired entries. |
295 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 282 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
296 | 283 |
297 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), | 284 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); |
298 report_uri); | |
299 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 285 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
300 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 286 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
301 // Querying |state| for a domain should flush out expired entries. | 287 // Querying |state| for a domain should flush out expired entries. |
302 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 288 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
303 | 289 |
304 state.AddHSTS("example1.test", older, false); | 290 state.AddHSTS("example1.test", older, false); |
305 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), | 291 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); |
306 report_uri); | |
307 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); | 292 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
308 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 293 EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
309 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); | 294 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); |
310 // Querying |state| for a domain should flush out expired entries. | 295 // Querying |state| for a domain should flush out expired entries. |
311 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 296 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
312 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 297 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
313 | 298 |
314 // Test that HSTS can outlive HPKP. | 299 // Test that HSTS can outlive HPKP. |
315 state.AddHSTS("example1.test", expiry, false); | 300 state.AddHSTS("example1.test", expiry, false); |
316 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), | 301 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); |
317 report_uri); | |
318 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 302 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
319 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 303 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
320 | 304 |
321 // Test that HPKP can outlive HSTS. | 305 // Test that HPKP can outlive HSTS. |
322 state.AddHSTS("example2.test", older, false); | 306 state.AddHSTS("example2.test", older, false); |
323 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), | 307 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); |
324 report_uri); | |
325 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 308 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
326 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); | 309 EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
327 } | 310 } |
328 | 311 |
329 TEST_F(TransportSecurityStateTest, InvalidDomains) { | 312 TEST_F(TransportSecurityStateTest, InvalidDomains) { |
330 TransportSecurityState state; | 313 TransportSecurityState state; |
331 const base::Time current_time(base::Time::Now()); | 314 const base::Time current_time(base::Time::Now()); |
332 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 315 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
333 | 316 |
334 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); | 317 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); |
335 bool include_subdomains = true; | 318 bool include_subdomains = true; |
336 state.AddHSTS("example.test", expiry, include_subdomains); | 319 state.AddHSTS("example.test", expiry, include_subdomains); |
337 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); | 320 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test")); |
338 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); | 321 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test")); |
339 } | 322 } |
340 | 323 |
341 // Tests that HPKP and HSTS state are queried independently for subdomain | 324 // Tests that HPKP and HSTS state are queried independently for subdomain |
342 // matches. | 325 // matches. |
343 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { | 326 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { |
344 const GURL report_uri(kReportUri); | |
345 TransportSecurityState state; | 327 TransportSecurityState state; |
346 const base::Time current_time(base::Time::Now()); | 328 const base::Time current_time(base::Time::Now()); |
347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 329 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
348 | 330 |
349 state.AddHSTS("example1.test", expiry, true); | 331 state.AddHSTS("example1.test", expiry, true); |
350 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes(), | 332 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes()); |
351 report_uri); | |
352 | 333 |
353 state.AddHSTS("example2.test", expiry, false); | 334 state.AddHSTS("example2.test", expiry, false); |
354 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), | 335 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); |
355 report_uri); | |
356 | 336 |
357 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 337 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
358 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); | 338 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); |
359 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); | 339 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); |
360 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 340 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
361 } | 341 } |
362 | 342 |
363 // Tests that HPKP and HSTS state are inserted and overridden independently. | 343 // Tests that HPKP and HSTS state are inserted and overridden independently. |
364 TEST_F(TransportSecurityStateTest, IndependentInsertion) { | 344 TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
365 const GURL report_uri(kReportUri); | |
366 TransportSecurityState state; | 345 TransportSecurityState state; |
367 const base::Time current_time(base::Time::Now()); | 346 const base::Time current_time(base::Time::Now()); |
368 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 347 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
369 | 348 |
370 // Place an includeSubdomains HSTS entry below a normal HPKP entry. | 349 // Place an includeSubdomains HSTS entry below a normal HPKP entry. |
371 state.AddHSTS("example1.test", expiry, true); | 350 state.AddHSTS("example1.test", expiry, true); |
372 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes(), | 351 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes()); |
373 report_uri); | |
374 | 352 |
375 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); | 353 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
376 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 354 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
377 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 355 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
378 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 356 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
379 | 357 |
380 // Drop the includeSubdomains from the HSTS entry. | 358 // Drop the includeSubdomains from the HSTS entry. |
381 state.AddHSTS("example1.test", expiry, false); | 359 state.AddHSTS("example1.test", expiry, false); |
382 | 360 |
383 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); | 361 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); |
384 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); | 362 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
385 | 363 |
386 // Place an includeSubdomains HPKP entry below a normal HSTS entry. | 364 // Place an includeSubdomains HPKP entry below a normal HSTS entry. |
387 state.AddHSTS("foo.example2.test", expiry, false); | 365 state.AddHSTS("foo.example2.test", expiry, false); |
388 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), | 366 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); |
389 report_uri); | |
390 | 367 |
391 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 368 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
392 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); | 369 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
393 | 370 |
394 // Drop the includeSubdomains from the HSTS entry. | 371 // Drop the includeSubdomains from the HSTS entry. |
395 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), | 372 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); |
396 report_uri); | |
397 | 373 |
398 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); | 374 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
399 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); | 375 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); |
400 } | 376 } |
401 | 377 |
402 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the | 378 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the |
403 // states are not mixed together. | 379 // states are not mixed together. |
404 TEST_F(TransportSecurityStateTest, DynamicDomainState) { | 380 TEST_F(TransportSecurityStateTest, DynamicDomainState) { |
405 const GURL report_uri(kReportUri); | |
406 TransportSecurityState state; | 381 TransportSecurityState state; |
407 const base::Time current_time(base::Time::Now()); | 382 const base::Time current_time(base::Time::Now()); |
408 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); | 383 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); |
409 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); | 384 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); |
410 | 385 |
411 state.AddHSTS("example.com", expiry1, true); | 386 state.AddHSTS("example.com", expiry1, true); |
412 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes(), | 387 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes()); |
413 report_uri); | |
414 | 388 |
415 TransportSecurityState::STSState sts_state; | 389 TransportSecurityState::STSState sts_state; |
416 TransportSecurityState::PKPState pkp_state; | 390 TransportSecurityState::PKPState pkp_state; |
417 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); | 391 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); |
418 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 392 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
419 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); | 393 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); |
420 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); | 394 EXPECT_TRUE(pkp_state.HasPublicKeyPins()); |
421 EXPECT_TRUE(sts_state.include_subdomains); | 395 EXPECT_TRUE(sts_state.include_subdomains); |
422 EXPECT_FALSE(pkp_state.include_subdomains); | 396 EXPECT_FALSE(pkp_state.include_subdomains); |
423 EXPECT_EQ(expiry1, sts_state.expiry); | 397 EXPECT_EQ(expiry1, sts_state.expiry); |
424 EXPECT_EQ(expiry2, pkp_state.expiry); | 398 EXPECT_EQ(expiry2, pkp_state.expiry); |
425 EXPECT_EQ("example.com", sts_state.domain); | 399 EXPECT_EQ("example.com", sts_state.domain); |
426 EXPECT_EQ("foo.example.com", pkp_state.domain); | 400 EXPECT_EQ("foo.example.com", pkp_state.domain); |
427 } | 401 } |
428 | 402 |
429 // Tests that new pins always override previous pins. This should be true for | 403 // Tests that new pins always override previous pins. This should be true for |
430 // both pins at the same domain or includeSubdomains pins at a parent domain. | 404 // both pins at the same domain or includeSubdomains pins at a parent domain. |
431 TEST_F(TransportSecurityStateTest, NewPinsOverride) { | 405 TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
432 const GURL report_uri(kReportUri); | |
433 TransportSecurityState state; | 406 TransportSecurityState state; |
434 TransportSecurityState::PKPState pkp_state; | 407 TransportSecurityState::PKPState pkp_state; |
435 const base::Time current_time(base::Time::Now()); | 408 const base::Time current_time(base::Time::Now()); |
436 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 409 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
437 HashValue hash1(HASH_VALUE_SHA1); | 410 HashValue hash1(HASH_VALUE_SHA1); |
438 memset(hash1.data(), 0x01, hash1.size()); | 411 memset(hash1.data(), 0x01, hash1.size()); |
439 HashValue hash2(HASH_VALUE_SHA1); | 412 HashValue hash2(HASH_VALUE_SHA1); |
440 memset(hash2.data(), 0x02, hash1.size()); | 413 memset(hash2.data(), 0x02, hash1.size()); |
441 HashValue hash3(HASH_VALUE_SHA1); | 414 HashValue hash3(HASH_VALUE_SHA1); |
442 memset(hash3.data(), 0x03, hash1.size()); | 415 memset(hash3.data(), 0x03, hash1.size()); |
443 | 416 |
444 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1), | 417 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1)); |
445 report_uri); | |
446 | 418 |
447 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 419 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
448 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 420 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
449 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); | 421 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); |
450 | 422 |
451 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2), | 423 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2)); |
452 report_uri); | |
453 | 424 |
454 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 425 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
455 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 426 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
456 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); | 427 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); |
457 | 428 |
458 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), | 429 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3)); |
459 report_uri); | |
460 | 430 |
461 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 431 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
462 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 432 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
463 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); | 433 EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3)); |
464 } | 434 } |
465 | 435 |
466 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 436 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
467 TransportSecurityState state; | 437 TransportSecurityState state; |
468 const base::Time current_time(base::Time::Now()); | 438 const base::Time current_time(base::Time::Now()); |
469 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 439 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
470 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 440 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
471 | 441 |
472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 442 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
473 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 443 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
474 bool include_subdomains = false; | 444 bool include_subdomains = false; |
475 state.AddHSTS("example.com", expiry, include_subdomains); | 445 state.AddHSTS("example.com", expiry, include_subdomains); |
476 state.AddHPKP("example.com", expiry, include_subdomains, | 446 state.AddHPKP("example.com", expiry, include_subdomains, |
477 GetSampleSPKIHashes(), GURL()); | 447 GetSampleSPKIHashes()); |
478 | 448 |
479 state.DeleteAllDynamicDataSince(expiry); | 449 state.DeleteAllDynamicDataSince(expiry); |
480 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); | 450 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
481 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 451 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
482 state.DeleteAllDynamicDataSince(older); | 452 state.DeleteAllDynamicDataSince(older); |
483 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 453 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
484 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 454 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
485 | 455 |
486 // STS and PKP data in |state| should be empty now. | 456 // STS and PKP data in |state| should be empty now. |
487 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 457 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
488 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 458 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
489 } | 459 } |
490 | 460 |
491 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 461 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
492 TransportSecurityState state; | 462 TransportSecurityState state; |
493 const base::Time current_time(base::Time::Now()); | 463 const base::Time current_time(base::Time::Now()); |
494 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 464 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
495 bool include_subdomains = false; | 465 bool include_subdomains = false; |
496 | 466 |
497 state.AddHSTS("example1.test", expiry, include_subdomains); | 467 state.AddHSTS("example1.test", expiry, include_subdomains); |
498 state.AddHPKP("example1.test", expiry, include_subdomains, | 468 state.AddHPKP("example1.test", expiry, include_subdomains, |
499 GetSampleSPKIHashes(), GURL()); | 469 GetSampleSPKIHashes()); |
500 | 470 |
501 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 471 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
502 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 472 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
503 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); | 473 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); |
504 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); | 474 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); |
505 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); | 475 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); |
506 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 476 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
507 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 477 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
508 } | 478 } |
509 | 479 |
(...skipping 596 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1106 // These hosts used to only be HSTS when SNI was available. | 1076 // These hosts used to only be HSTS when SNI was available. |
1107 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1077 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1108 "gmail.com")); | 1078 "gmail.com")); |
1109 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1079 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1110 "googlegroups.com")); | 1080 "googlegroups.com")); |
1111 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1081 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1112 "www.googlegroups.com")); | 1082 "www.googlegroups.com")); |
1113 } | 1083 } |
1114 | 1084 |
1115 } // namespace net | 1085 } // namespace net |
OLD | NEW |