OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
50 : public TransportSecurityState::ReportSender { | 50 : public TransportSecurityState::ReportSender { |
51 public: | 51 public: |
52 MockCertificateReportSender() {} | 52 MockCertificateReportSender() {} |
53 ~MockCertificateReportSender() override {} | 53 ~MockCertificateReportSender() override {} |
54 | 54 |
55 void Send(const GURL& report_uri, const std::string& report) override { | 55 void Send(const GURL& report_uri, const std::string& report) override { |
56 latest_report_uri_ = report_uri; | 56 latest_report_uri_ = report_uri; |
57 latest_report_ = report; | 57 latest_report_ = report; |
58 } | 58 } |
59 | 59 |
60 void Clear() { | |
61 latest_report_uri_ = GURL(); | |
62 latest_report_ = std::string(); | |
63 } | |
64 | |
60 const GURL& latest_report_uri() { return latest_report_uri_; } | 65 const GURL& latest_report_uri() { return latest_report_uri_; } |
61 const std::string& latest_report() { return latest_report_; } | 66 const std::string& latest_report() { return latest_report_; } |
62 | 67 |
63 private: | 68 private: |
64 GURL latest_report_uri_; | 69 GURL latest_report_uri_; |
65 std::string latest_report_; | 70 std::string latest_report_; |
66 }; | 71 }; |
67 | 72 |
68 void CompareCertificateChainWithList( | 73 void CompareCertificateChainWithList( |
69 const scoped_refptr<X509Certificate>& cert_chain, | 74 const scoped_refptr<X509Certificate>& cert_chain, |
(...skipping 1199 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1269 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); | 1274 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
1270 | 1275 |
1271 // Now a report should have been sent. Check that it contains the | 1276 // Now a report should have been sent. Check that it contains the |
1272 // right information. | 1277 // right information. |
1273 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); | 1278 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); |
1274 std::string report = mock_report_sender.latest_report(); | 1279 std::string report = mock_report_sender.latest_report(); |
1275 ASSERT_FALSE(report.empty()); | 1280 ASSERT_FALSE(report.empty()); |
1276 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, true, | 1281 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, true, |
1277 kHost, cert1.get(), cert2.get(), | 1282 kHost, cert1.get(), cert2.get(), |
1278 good_hashes)); | 1283 good_hashes)); |
1279 | 1284 mock_report_sender.Clear(); |
1280 EXPECT_FALSE(state.CheckPublicKeyPins( | 1285 EXPECT_FALSE(state.CheckPublicKeyPins( |
1281 subdomain_host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), | 1286 subdomain_host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), |
1282 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); | 1287 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
1283 | 1288 |
1284 // Now a report should have been sent for the subdomain. Check that it | 1289 // Now a report should have been sent for the subdomain. Check that it |
1285 // contains the right information. | 1290 // contains the right information. |
1286 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); | 1291 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); |
1287 report = mock_report_sender.latest_report(); | 1292 report = mock_report_sender.latest_report(); |
1288 ASSERT_FALSE(report.empty()); | 1293 ASSERT_FALSE(report.empty()); |
1289 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair, | 1294 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair, |
1290 expiry, true, kHost, cert1.get(), | 1295 expiry, true, kHost, cert1.get(), |
1291 cert2.get(), good_hashes)); | 1296 cert2.get(), good_hashes)); |
1297 | |
1298 // Check that a report is not sent for a Report-Only header with no | |
1299 // violation. | |
Ryan Sleevi
2015/07/30 01:52:17
Seems like this could / should just be a new test?
estark
2015/07/31 00:49:44
Done.
| |
1300 mock_report_sender.Clear(); | |
1301 const std::string pin1 = "m9lHYJYke9k0GtVZ+bXSQYE8nDI="; | |
1302 const std::string pin2 = "o5OZxATDsgmwgcIfIWIneMJ0jkw="; | |
1303 const std::string pin3 = "wHqYaI2J+6sFZAwRfap9ZbjKzE4="; | |
1304 std::string header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + | |
1305 "\";pin-sha1=\"" + pin3 + "\";report-uri=\"" + | |
1306 report_uri.spec() + "\""; | |
1307 SSLInfo ssl_info; | |
1308 ssl_info.is_issued_by_known_root = true; | |
1309 ssl_info.unverified_cert = cert1; | |
1310 ssl_info.cert = cert2; | |
1311 for (size_t i = 0; kGoodPath[i]; i++) | |
1312 EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes)); | |
1313 | |
1314 EXPECT_TRUE( | |
1315 state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); | |
1316 EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); | |
1317 EXPECT_EQ(std::string(), mock_report_sender.latest_report()); | |
1318 | |
1319 // Check that a report is sent for a Report-Only header with a | |
1320 // violation. | |
1321 ssl_info.public_key_hashes.clear(); | |
1322 for (size_t i = 0; kBadPath[i]; i++) | |
1323 EXPECT_TRUE(AddHash(kBadPath[i], &ssl_info.public_key_hashes)); | |
1324 | |
1325 EXPECT_TRUE( | |
1326 state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); | |
1327 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); | |
1328 report = mock_report_sender.latest_report(); | |
1329 ASSERT_FALSE(report.empty()); | |
1330 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, false, | |
1331 kHost, cert1.get(), cert2.get(), | |
1332 good_hashes)); | |
1333 | |
1334 // Test that Report-Only reports are not sent on certs that chain to | |
1335 // local roots. | |
Ryan Sleevi
2015/07/30 01:52:17
Ditto here as perhaps a unique test.
estark
2015/07/31 00:49:44
Done.
| |
1336 mock_report_sender.Clear(); | |
1337 ssl_info.is_issued_by_known_root = false; | |
1338 EXPECT_TRUE( | |
1339 state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); | |
1340 EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); | |
1341 EXPECT_EQ(std::string(), mock_report_sender.latest_report()); | |
1342 | |
1343 // Test that ProcessHPKPReportOnlyHeader() returns false if a | |
1344 // report-uri wasn't specified or if the header fails to parse; | |
Ryan Sleevi
2015/07/30 01:52:16
Ditto for unique test :)
estark
2015/07/31 00:49:44
Done.
| |
1345 header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + "\";pin-sha1=\"" + | |
1346 pin3 + "\""; | |
1347 EXPECT_FALSE( | |
1348 state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); | |
1349 header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + "\";pin-sha1=\"" + | |
1350 pin3 + "\";report-uri=\""; | |
1351 EXPECT_FALSE( | |
1352 state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); | |
1292 } | 1353 } |
1293 | 1354 |
1294 } // namespace net | 1355 } // namespace net |
OLD | NEW |