Process Public-Key-Pin-Report-Only headers

net/http/transport_security_state_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 24 matching lines @@
 #if defined(USE_OPENSSL)
 #include "crypto/openssl_util.h"
 #else
 #include "crypto/nss_util.h"
 #endif
 
 namespace net {
 
 namespace {
 
+const char kHost[] = "example.test";
+const char kSubdomain[] = "foo.example.test";
+const uint16_t kPort = 443;
 const char kReportUri[] = "http://example.test/test";
 
+// kGoodPath is blog.torproject.org.
+const char* const kGoodPath[] = {
+    "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
+    "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", NULL,
+};
+
+// kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
+// torproject.org.
+const char* const kBadPath[] = {
+    "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
+    "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", NULL,
+};
+
 // A mock ReportSender that just remembers the latest report
 // URI and report to be sent.
 class MockCertificateReportSender
     : public TransportSecurityState::ReportSender {
  public:
   MockCertificateReportSender() {}
   ~MockCertificateReportSender() override {}
 
   void Send(const GURL& report_uri, const std::string& report) override {
     latest_report_uri_ = report_uri;
     latest_report_ = report;
   }
 
+  void Clear() {
+    latest_report_uri_ = GURL();
+    latest_report_ = std::string();
+  }
+
   const GURL& latest_report_uri() { return latest_report_uri_; }
   const std::string& latest_report() { return latest_report_; }
 
  private:
   GURL latest_report_uri_;
   std::string latest_report_;
 };
 
 void CompareCertificateChainWithList(
     const scoped_refptr<X509Certificate>& cert_chain,
     const base::ListValue* cert_list) {
   ASSERT_TRUE(cert_chain);
   std::vector<std::string> pem_encoded_chain;
   cert_chain->GetPEMEncodedChain(&pem_encoded_chain);
   EXPECT_EQ(pem_encoded_chain.size(), cert_list->GetSize());
 
   for (size_t i = 0; i < pem_encoded_chain.size(); i++) {
     std::string list_cert;
     ASSERT_TRUE(cert_list->GetString(i, &list_cert));
     EXPECT_EQ(pem_encoded_chain[i], list_cert);
   }
 }
 
 void CheckHPKPReport(
     const std::string& report,
     const HostPortPair& host_port_pair,
-    const base::Time& expiry,
     bool include_subdomains,
     const std::string& noted_hostname,
     const scoped_refptr<X509Certificate>& served_certificate_chain,
     const scoped_refptr<X509Certificate>& validated_certificate_chain,
     const HashValueVector& known_pins) {
-  // TODO(estark): check time in RFC3339 format.
-
   scoped_ptr<base::Value> value(base::JSONReader::Read(report));
   ASSERT_TRUE(value);
   ASSERT_TRUE(value->IsType(base::Value::TYPE_DICTIONARY));
 
   base::DictionaryValue* report_dict;
   ASSERT_TRUE(value->GetAsDictionary(&report_dict));
 
   std::string report_hostname;
   EXPECT_TRUE(report_dict->GetString("hostname", &report_hostname));
   EXPECT_EQ(host_port_pair.host(), report_hostname);
 
   int report_port;
   EXPECT_TRUE(report_dict->GetInteger("port", &report_port));
   EXPECT_EQ(host_port_pair.port(), report_port);
 
   bool report_include_subdomains;
   EXPECT_TRUE(report_dict->GetBoolean("include-subdomains",
                                       &report_include_subdomains));
   EXPECT_EQ(include_subdomains, report_include_subdomains);
 
   std::string report_noted_hostname;
   EXPECT_TRUE(report_dict->GetString("noted-hostname", &report_noted_hostname));
   EXPECT_EQ(noted_hostname, report_noted_hostname);
 
+  // TODO(estark): check times in RFC3339 format.
+
+  std::string report_expiration;
+  EXPECT_TRUE(
+      report_dict->GetString("effective-expiration-date", &report_expiration));
+  EXPECT_FALSE(report_expiration.empty());
+
+  std::string report_date;
+  EXPECT_TRUE(report_dict->GetString("date-time", &report_date));
+  EXPECT_FALSE(report_date.empty());
+
   base::ListValue* report_served_certificate_chain;
   EXPECT_TRUE(report_dict->GetList("served-certificate-chain",
                                    &report_served_certificate_chain));
   ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
       served_certificate_chain, report_served_certificate_chain));
 
   base::ListValue* report_validated_certificate_chain;
   EXPECT_TRUE(report_dict->GetList("validated-certificate-chain",
                                    &report_validated_certificate_chain));
   ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
@@ skipping 922 matching lines @@
                     HashValueVector* out) {
   HashValue hash;
   if (!hash.FromString(type_and_base64))
     return false;
 
   out->push_back(hash);
   return true;
 }
 
 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
-  // kGoodPath is blog.torproject.org.
-  static const char* const kGoodPath[] = {
-    "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
-    "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
-    "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
-    NULL,
-  };
-
-  // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
-  // torproject.org.
-  static const char* const kBadPath[] = {
-    "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
-    "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
-    "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
-    NULL,
-  };
-
   HashValueVector good_hashes, bad_hashes;
 
   for (size_t i = 0; kGoodPath[i]; i++) {
     EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
   }
   for (size_t i = 0; kBadPath[i]; i++) {
     EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
   }
 
   TransportSecurityState state;
@@ skipping 106 matching lines @@
   // These hosts used to only be HSTS when SNI was available.
   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
       "gmail.com"));
   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
       "googlegroups.com"));
   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
       "www.googlegroups.com"));
 }
 
 TEST_F(TransportSecurityStateTest, HPKPReporting) {
-  const char kHost[] = "example.test";
-  const char kSubdomain[] = "foo.example.test";
-  static const uint16_t kPort = 443;
   HostPortPair host_port_pair(kHost, kPort);
   HostPortPair subdomain_host_port_pair(kSubdomain, kPort);
-  GURL report_uri("http://www.example.test/report");
+  GURL report_uri(kReportUri);
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
       ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
   ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
 
-  // kGoodPath is blog.torproject.org.
-  static const char* const kGoodPath[] = {
-      "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
-      "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", NULL,
-  };
-
-  // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
-  // torproject.org.
-  static const char* const kBadPath[] = {
-      "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
-      "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", NULL,
-  };
-
   HashValueVector good_hashes, bad_hashes;
 
   for (size_t i = 0; kGoodPath[i]; i++)
     EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
   for (size_t i = 0; kBadPath[i]; i++)
     EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
 
   TransportSecurityState state;
   MockCertificateReportSender mock_report_sender;
   state.SetReportSender(&mock_report_sender);
@@ skipping 25 matching lines @@
 
   EXPECT_FALSE(state.CheckPublicKeyPins(
       host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
       TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log));
 
   // Now a report should have been sent. Check that it contains the
   // right information.
   EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri());
   std::string report = mock_report_sender.latest_report();
   ASSERT_FALSE(report.empty());
-  ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, true,
-                                          kHost, cert1.get(), cert2.get(),
+  ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, true, kHost,
+                                          cert1.get(), cert2.get(),
                                           good_hashes));
-
+  mock_report_sender.Clear();
   EXPECT_FALSE(state.CheckPublicKeyPins(
       subdomain_host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
       TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log));
 
   // Now a report should have been sent for the subdomain. Check that it
   // contains the right information.
   EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri());
   report = mock_report_sender.latest_report();
   ASSERT_FALSE(report.empty());
   ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair,
-                                          expiry, true, kHost, cert1.get(),
-                                          cert2.get(), good_hashes));
+                                          true, kHost, cert1.get(), cert2.get(),
+                                          good_hashes));
+}
+
+TEST_F(TransportSecurityStateTest, HPKPReportOnly) {
+  HostPortPair host_port_pair(kHost, kPort);
+  GURL report_uri(kReportUri);
+  // Two dummy certs to use as the server-sent and validated chains. The
+  // contents don't matter.
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert1);
+  ASSERT_TRUE(cert2);
+
+  TransportSecurityState state;
+  MockCertificateReportSender mock_report_sender;
+  state.SetReportSender(&mock_report_sender);
+
+  // Check that a report is not sent for a Report-Only header with no
+  // violation.
+  const std::string pin1 = "m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
+  const std::string pin2 = "o5OZxATDsgmwgcIfIWIneMJ0jkw=";
+  const std::string pin3 = "wHqYaI2J+6sFZAwRfap9ZbjKzE4=";

[davidben, 2015/07/31 19:45:08]

Since these have to match kGoodPath, perhaps hoist them up next to kGoodPath's
definition too? Also since they're duplicated a bunch.

(Or maybe hoist header up? Saves you having to assemble it and stuff. I guess
the third test has a different header. *shrug* Whichever. If you want to hoist
the whole header, I suppose the last test's pins needn't be anything meaningful.
Or you could hoist just the pins.)

[estark, 2015/07/31 20:37:33]

Done.

+  std::string header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 +
+                       "\";pin-sha1=\"" + pin3 + "\";report-uri=\"" +
+                       report_uri.spec() + "\";includeSubdomains";
+  SSLInfo ssl_info;
+  ssl_info.is_issued_by_known_root = true;
+  ssl_info.unverified_cert = cert1;
+  ssl_info.cert = cert2;
+  for (size_t i = 0; kGoodPath[i]; i++)
+    EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes));
+
+  EXPECT_TRUE(
+      state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info));
+  EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
+  EXPECT_EQ(std::string(), mock_report_sender.latest_report());
+
+  // Check that a report is sent for a Report-Only header with a
+  // violation.
+  ssl_info.public_key_hashes.clear();
+  for (size_t i = 0; kBadPath[i]; i++)
+    EXPECT_TRUE(AddHash(kBadPath[i], &ssl_info.public_key_hashes));
+
+  EXPECT_TRUE(
+      state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info));
+  EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri());
+  std::string report = mock_report_sender.latest_report();
+  ASSERT_FALSE(report.empty());
+  ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, true, kHost,
+                                          cert1.get(), cert2.get(),
+                                          ssl_info.public_key_hashes));
+}
+
+// Test that Report-Only reports are not sent on certs that chain to
+// local roots.
+TEST_F(TransportSecurityStateTest, HPKPReportOnlyOnLocalRoot) {
+  HostPortPair host_port_pair(kHost, kPort);
+  GURL report_uri(kReportUri);
+  // Two dummy certs to use as the server-sent and validated chains. The
+  // contents don't matter.
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert1);
+  ASSERT_TRUE(cert2);
+
+  const std::string pin1 = "m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
+  const std::string pin2 = "o5OZxATDsgmwgcIfIWIneMJ0jkw=";
+  const std::string pin3 = "wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
+  std::string header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 +
+                       "\";pin-sha1=\"" + pin3 + "\";report-uri=\"" +
+                       report_uri.spec() + "\";includeSubdomains";
+
+  TransportSecurityState state;
+  MockCertificateReportSender mock_report_sender;
+  state.SetReportSender(&mock_report_sender);
+
+  SSLInfo ssl_info;
+  ssl_info.is_issued_by_known_root = true;
+  ssl_info.unverified_cert = cert1;
+  ssl_info.cert = cert2;
+  for (size_t i = 0; kGoodPath[i]; i++)
+    EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes));
+  ssl_info.is_issued_by_known_root = false;
+
+  EXPECT_TRUE(
+      state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info));
+  EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
+  EXPECT_EQ(std::string(), mock_report_sender.latest_report());
+}
+
+// Test that ProcessHPKPReportOnlyHeader() returns false if a report-uri
+// wasn't specified or if the header fails to parse.
+TEST_F(TransportSecurityStateTest, HPKPReportOnlyParseErrors) {
+  HostPortPair host_port_pair(kHost, kPort);
+  GURL report_uri(kReportUri);
+  // Two dummy certs to use as the server-sent and validated chains. The
+  // contents don't matter.
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert1);
+  ASSERT_TRUE(cert2);
+
+  const std::string pin1 = "m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
+  const std::string pin2 = "o5OZxATDsgmwgcIfIWIneMJ0jkw=";
+  const std::string pin3 = "wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
+  std::string header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 +
+                       "\";pin-sha1=\"" + pin3 + "\"";
+
+  TransportSecurityState state;
+  MockCertificateReportSender mock_report_sender;
+  state.SetReportSender(&mock_report_sender);
+
+  SSLInfo ssl_info;
+  ssl_info.is_issued_by_known_root = true;
+  ssl_info.unverified_cert = cert1;
+  ssl_info.cert = cert2;
+  for (size_t i = 0; kGoodPath[i]; i++)
+    EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes));
+
+  EXPECT_FALSE(
+      state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info));
+  header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + "\";pin-sha1=\"" +
+           pin3 + "\";report-uri=\"";
+  EXPECT_FALSE(
+      state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info));
 }
 
 }  // namespace net