OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 24 matching lines...) Expand all Loading... | |
35 #if defined(USE_OPENSSL) | 35 #if defined(USE_OPENSSL) |
36 #include "crypto/openssl_util.h" | 36 #include "crypto/openssl_util.h" |
37 #else | 37 #else |
38 #include "crypto/nss_util.h" | 38 #include "crypto/nss_util.h" |
39 #endif | 39 #endif |
40 | 40 |
41 namespace net { | 41 namespace net { |
42 | 42 |
43 namespace { | 43 namespace { |
44 | 44 |
45 const char kHost[] = "example.test"; | |
46 const char kSubdomain[] = "foo.example.test"; | |
47 const uint16_t kPort = 443; | |
45 const char kReportUri[] = "http://example.test/test"; | 48 const char kReportUri[] = "http://example.test/test"; |
46 | 49 |
50 // kGoodPath is blog.torproject.org. | |
51 const char* const kGoodPath[] = { | |
52 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=", | |
53 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", NULL, | |
54 }; | |
55 | |
56 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for | |
57 // torproject.org. | |
58 const char* const kBadPath[] = { | |
59 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", | |
60 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", NULL, | |
61 }; | |
62 | |
47 // A mock ReportSender that just remembers the latest report | 63 // A mock ReportSender that just remembers the latest report |
48 // URI and report to be sent. | 64 // URI and report to be sent. |
49 class MockCertificateReportSender | 65 class MockCertificateReportSender |
50 : public TransportSecurityState::ReportSender { | 66 : public TransportSecurityState::ReportSender { |
51 public: | 67 public: |
52 MockCertificateReportSender() {} | 68 MockCertificateReportSender() {} |
53 ~MockCertificateReportSender() override {} | 69 ~MockCertificateReportSender() override {} |
54 | 70 |
55 void Send(const GURL& report_uri, const std::string& report) override { | 71 void Send(const GURL& report_uri, const std::string& report) override { |
56 latest_report_uri_ = report_uri; | 72 latest_report_uri_ = report_uri; |
57 latest_report_ = report; | 73 latest_report_ = report; |
58 } | 74 } |
59 | 75 |
76 void Clear() { | |
77 latest_report_uri_ = GURL(); | |
78 latest_report_ = std::string(); | |
79 } | |
80 | |
60 const GURL& latest_report_uri() { return latest_report_uri_; } | 81 const GURL& latest_report_uri() { return latest_report_uri_; } |
61 const std::string& latest_report() { return latest_report_; } | 82 const std::string& latest_report() { return latest_report_; } |
62 | 83 |
63 private: | 84 private: |
64 GURL latest_report_uri_; | 85 GURL latest_report_uri_; |
65 std::string latest_report_; | 86 std::string latest_report_; |
66 }; | 87 }; |
67 | 88 |
68 void CompareCertificateChainWithList( | 89 void CompareCertificateChainWithList( |
69 const scoped_refptr<X509Certificate>& cert_chain, | 90 const scoped_refptr<X509Certificate>& cert_chain, |
70 const base::ListValue* cert_list) { | 91 const base::ListValue* cert_list) { |
71 ASSERT_TRUE(cert_chain); | 92 ASSERT_TRUE(cert_chain); |
72 std::vector<std::string> pem_encoded_chain; | 93 std::vector<std::string> pem_encoded_chain; |
73 cert_chain->GetPEMEncodedChain(&pem_encoded_chain); | 94 cert_chain->GetPEMEncodedChain(&pem_encoded_chain); |
74 EXPECT_EQ(pem_encoded_chain.size(), cert_list->GetSize()); | 95 EXPECT_EQ(pem_encoded_chain.size(), cert_list->GetSize()); |
75 | 96 |
76 for (size_t i = 0; i < pem_encoded_chain.size(); i++) { | 97 for (size_t i = 0; i < pem_encoded_chain.size(); i++) { |
77 std::string list_cert; | 98 std::string list_cert; |
78 ASSERT_TRUE(cert_list->GetString(i, &list_cert)); | 99 ASSERT_TRUE(cert_list->GetString(i, &list_cert)); |
79 EXPECT_EQ(pem_encoded_chain[i], list_cert); | 100 EXPECT_EQ(pem_encoded_chain[i], list_cert); |
80 } | 101 } |
81 } | 102 } |
82 | 103 |
83 void CheckHPKPReport( | 104 void CheckHPKPReport( |
84 const std::string& report, | 105 const std::string& report, |
85 const HostPortPair& host_port_pair, | 106 const HostPortPair& host_port_pair, |
86 const base::Time& expiry, | |
87 bool include_subdomains, | 107 bool include_subdomains, |
88 const std::string& noted_hostname, | 108 const std::string& noted_hostname, |
89 const scoped_refptr<X509Certificate>& served_certificate_chain, | 109 const scoped_refptr<X509Certificate>& served_certificate_chain, |
90 const scoped_refptr<X509Certificate>& validated_certificate_chain, | 110 const scoped_refptr<X509Certificate>& validated_certificate_chain, |
91 const HashValueVector& known_pins) { | 111 const HashValueVector& known_pins) { |
92 // TODO(estark): check time in RFC3339 format. | |
93 | |
94 scoped_ptr<base::Value> value(base::JSONReader::Read(report)); | 112 scoped_ptr<base::Value> value(base::JSONReader::Read(report)); |
95 ASSERT_TRUE(value); | 113 ASSERT_TRUE(value); |
96 ASSERT_TRUE(value->IsType(base::Value::TYPE_DICTIONARY)); | 114 ASSERT_TRUE(value->IsType(base::Value::TYPE_DICTIONARY)); |
97 | 115 |
98 base::DictionaryValue* report_dict; | 116 base::DictionaryValue* report_dict; |
99 ASSERT_TRUE(value->GetAsDictionary(&report_dict)); | 117 ASSERT_TRUE(value->GetAsDictionary(&report_dict)); |
100 | 118 |
101 std::string report_hostname; | 119 std::string report_hostname; |
102 EXPECT_TRUE(report_dict->GetString("hostname", &report_hostname)); | 120 EXPECT_TRUE(report_dict->GetString("hostname", &report_hostname)); |
103 EXPECT_EQ(host_port_pair.host(), report_hostname); | 121 EXPECT_EQ(host_port_pair.host(), report_hostname); |
104 | 122 |
105 int report_port; | 123 int report_port; |
106 EXPECT_TRUE(report_dict->GetInteger("port", &report_port)); | 124 EXPECT_TRUE(report_dict->GetInteger("port", &report_port)); |
107 EXPECT_EQ(host_port_pair.port(), report_port); | 125 EXPECT_EQ(host_port_pair.port(), report_port); |
108 | 126 |
109 bool report_include_subdomains; | 127 bool report_include_subdomains; |
110 EXPECT_TRUE(report_dict->GetBoolean("include-subdomains", | 128 EXPECT_TRUE(report_dict->GetBoolean("include-subdomains", |
111 &report_include_subdomains)); | 129 &report_include_subdomains)); |
112 EXPECT_EQ(include_subdomains, report_include_subdomains); | 130 EXPECT_EQ(include_subdomains, report_include_subdomains); |
113 | 131 |
114 std::string report_noted_hostname; | 132 std::string report_noted_hostname; |
115 EXPECT_TRUE(report_dict->GetString("noted-hostname", &report_noted_hostname)); | 133 EXPECT_TRUE(report_dict->GetString("noted-hostname", &report_noted_hostname)); |
116 EXPECT_EQ(noted_hostname, report_noted_hostname); | 134 EXPECT_EQ(noted_hostname, report_noted_hostname); |
117 | 135 |
136 // TODO(estark): check times in RFC3339 format. | |
137 | |
138 std::string report_expiration; | |
139 EXPECT_TRUE( | |
140 report_dict->GetString("effective-expiration-date", &report_expiration)); | |
141 EXPECT_FALSE(report_expiration.empty()); | |
142 | |
143 std::string report_date; | |
144 EXPECT_TRUE(report_dict->GetString("date-time", &report_date)); | |
145 EXPECT_FALSE(report_date.empty()); | |
146 | |
118 base::ListValue* report_served_certificate_chain; | 147 base::ListValue* report_served_certificate_chain; |
119 EXPECT_TRUE(report_dict->GetList("served-certificate-chain", | 148 EXPECT_TRUE(report_dict->GetList("served-certificate-chain", |
120 &report_served_certificate_chain)); | 149 &report_served_certificate_chain)); |
121 ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( | 150 ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( |
122 served_certificate_chain, report_served_certificate_chain)); | 151 served_certificate_chain, report_served_certificate_chain)); |
123 | 152 |
124 base::ListValue* report_validated_certificate_chain; | 153 base::ListValue* report_validated_certificate_chain; |
125 EXPECT_TRUE(report_dict->GetList("validated-certificate-chain", | 154 EXPECT_TRUE(report_dict->GetList("validated-certificate-chain", |
126 &report_validated_certificate_chain)); | 155 &report_validated_certificate_chain)); |
127 ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( | 156 ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( |
(...skipping 922 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1050 HashValueVector* out) { | 1079 HashValueVector* out) { |
1051 HashValue hash; | 1080 HashValue hash; |
1052 if (!hash.FromString(type_and_base64)) | 1081 if (!hash.FromString(type_and_base64)) |
1053 return false; | 1082 return false; |
1054 | 1083 |
1055 out->push_back(hash); | 1084 out->push_back(hash); |
1056 return true; | 1085 return true; |
1057 } | 1086 } |
1058 | 1087 |
1059 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { | 1088 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { |
1060 // kGoodPath is blog.torproject.org. | |
1061 static const char* const kGoodPath[] = { | |
1062 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", | |
1063 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=", | |
1064 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", | |
1065 NULL, | |
1066 }; | |
1067 | |
1068 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for | |
1069 // torproject.org. | |
1070 static const char* const kBadPath[] = { | |
1071 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | |
1072 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", | |
1073 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | |
1074 NULL, | |
1075 }; | |
1076 | |
1077 HashValueVector good_hashes, bad_hashes; | 1089 HashValueVector good_hashes, bad_hashes; |
1078 | 1090 |
1079 for (size_t i = 0; kGoodPath[i]; i++) { | 1091 for (size_t i = 0; kGoodPath[i]; i++) { |
1080 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 1092 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
1081 } | 1093 } |
1082 for (size_t i = 0; kBadPath[i]; i++) { | 1094 for (size_t i = 0; kBadPath[i]; i++) { |
1083 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 1095 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
1084 } | 1096 } |
1085 | 1097 |
1086 TransportSecurityState state; | 1098 TransportSecurityState state; |
(...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1193 // These hosts used to only be HSTS when SNI was available. | 1205 // These hosts used to only be HSTS when SNI was available. |
1194 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1206 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1195 "gmail.com")); | 1207 "gmail.com")); |
1196 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1208 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1197 "googlegroups.com")); | 1209 "googlegroups.com")); |
1198 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1210 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
1199 "www.googlegroups.com")); | 1211 "www.googlegroups.com")); |
1200 } | 1212 } |
1201 | 1213 |
1202 TEST_F(TransportSecurityStateTest, HPKPReporting) { | 1214 TEST_F(TransportSecurityStateTest, HPKPReporting) { |
1203 const char kHost[] = "example.test"; | |
1204 const char kSubdomain[] = "foo.example.test"; | |
1205 static const uint16_t kPort = 443; | |
1206 HostPortPair host_port_pair(kHost, kPort); | 1215 HostPortPair host_port_pair(kHost, kPort); |
1207 HostPortPair subdomain_host_port_pair(kSubdomain, kPort); | 1216 HostPortPair subdomain_host_port_pair(kSubdomain, kPort); |
1208 GURL report_uri("http://www.example.test/report"); | 1217 GURL report_uri(kReportUri); |
1209 // Two dummy certs to use as the server-sent and validated chains. The | 1218 // Two dummy certs to use as the server-sent and validated chains. The |
1210 // contents don't matter. | 1219 // contents don't matter. |
1211 scoped_refptr<X509Certificate> cert1 = | 1220 scoped_refptr<X509Certificate> cert1 = |
1212 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | 1221 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
1213 scoped_refptr<X509Certificate> cert2 = | 1222 scoped_refptr<X509Certificate> cert2 = |
1214 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | 1223 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
1215 ASSERT_TRUE(cert1); | 1224 ASSERT_TRUE(cert1); |
1216 ASSERT_TRUE(cert2); | 1225 ASSERT_TRUE(cert2); |
1217 | 1226 |
1218 // kGoodPath is blog.torproject.org. | |
1219 static const char* const kGoodPath[] = { | |
1220 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=", | |
1221 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", NULL, | |
1222 }; | |
1223 | |
1224 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for | |
1225 // torproject.org. | |
1226 static const char* const kBadPath[] = { | |
1227 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", | |
1228 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", NULL, | |
1229 }; | |
1230 | |
1231 HashValueVector good_hashes, bad_hashes; | 1227 HashValueVector good_hashes, bad_hashes; |
1232 | 1228 |
1233 for (size_t i = 0; kGoodPath[i]; i++) | 1229 for (size_t i = 0; kGoodPath[i]; i++) |
1234 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 1230 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
1235 for (size_t i = 0; kBadPath[i]; i++) | 1231 for (size_t i = 0; kBadPath[i]; i++) |
1236 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 1232 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
1237 | 1233 |
1238 TransportSecurityState state; | 1234 TransportSecurityState state; |
1239 MockCertificateReportSender mock_report_sender; | 1235 MockCertificateReportSender mock_report_sender; |
1240 state.SetReportSender(&mock_report_sender); | 1236 state.SetReportSender(&mock_report_sender); |
(...skipping 25 matching lines...) Expand all Loading... | |
1266 | 1262 |
1267 EXPECT_FALSE(state.CheckPublicKeyPins( | 1263 EXPECT_FALSE(state.CheckPublicKeyPins( |
1268 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), | 1264 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), |
1269 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); | 1265 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
1270 | 1266 |
1271 // Now a report should have been sent. Check that it contains the | 1267 // Now a report should have been sent. Check that it contains the |
1272 // right information. | 1268 // right information. |
1273 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); | 1269 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); |
1274 std::string report = mock_report_sender.latest_report(); | 1270 std::string report = mock_report_sender.latest_report(); |
1275 ASSERT_FALSE(report.empty()); | 1271 ASSERT_FALSE(report.empty()); |
1276 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, true, | 1272 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, true, kHost, |
1277 kHost, cert1.get(), cert2.get(), | 1273 cert1.get(), cert2.get(), |
1278 good_hashes)); | 1274 good_hashes)); |
1279 | 1275 mock_report_sender.Clear(); |
1280 EXPECT_FALSE(state.CheckPublicKeyPins( | 1276 EXPECT_FALSE(state.CheckPublicKeyPins( |
1281 subdomain_host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), | 1277 subdomain_host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), |
1282 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); | 1278 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
1283 | 1279 |
1284 // Now a report should have been sent for the subdomain. Check that it | 1280 // Now a report should have been sent for the subdomain. Check that it |
1285 // contains the right information. | 1281 // contains the right information. |
1286 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); | 1282 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); |
1287 report = mock_report_sender.latest_report(); | 1283 report = mock_report_sender.latest_report(); |
1288 ASSERT_FALSE(report.empty()); | 1284 ASSERT_FALSE(report.empty()); |
1289 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair, | 1285 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair, |
1290 expiry, true, kHost, cert1.get(), | 1286 true, kHost, cert1.get(), cert2.get(), |
1291 cert2.get(), good_hashes)); | 1287 good_hashes)); |
1288 } | |
1289 | |
1290 TEST_F(TransportSecurityStateTest, HPKPReportOnly) { | |
1291 HostPortPair host_port_pair(kHost, kPort); | |
1292 GURL report_uri(kReportUri); | |
1293 // Two dummy certs to use as the server-sent and validated chains. The | |
1294 // contents don't matter. | |
1295 scoped_refptr<X509Certificate> cert1 = | |
1296 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | |
1297 scoped_refptr<X509Certificate> cert2 = | |
1298 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | |
1299 ASSERT_TRUE(cert1); | |
1300 ASSERT_TRUE(cert2); | |
1301 | |
1302 TransportSecurityState state; | |
1303 MockCertificateReportSender mock_report_sender; | |
1304 state.SetReportSender(&mock_report_sender); | |
1305 | |
1306 // Check that a report is not sent for a Report-Only header with no | |
1307 // violation. | |
1308 const std::string pin1 = "m9lHYJYke9k0GtVZ+bXSQYE8nDI="; | |
1309 const std::string pin2 = "o5OZxATDsgmwgcIfIWIneMJ0jkw="; | |
1310 const std::string pin3 = "wHqYaI2J+6sFZAwRfap9ZbjKzE4="; | |
davidben
2015/07/31 19:45:08
Since these have to match kGoodPath, perhaps hoist
estark
2015/07/31 20:37:33
Done.
| |
1311 std::string header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + | |
1312 "\";pin-sha1=\"" + pin3 + "\";report-uri=\"" + | |
1313 report_uri.spec() + "\";includeSubdomains"; | |
1314 SSLInfo ssl_info; | |
1315 ssl_info.is_issued_by_known_root = true; | |
1316 ssl_info.unverified_cert = cert1; | |
1317 ssl_info.cert = cert2; | |
1318 for (size_t i = 0; kGoodPath[i]; i++) | |
1319 EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes)); | |
1320 | |
1321 EXPECT_TRUE( | |
1322 state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info)); | |
1323 EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); | |
1324 EXPECT_EQ(std::string(), mock_report_sender.latest_report()); | |
1325 | |
1326 // Check that a report is sent for a Report-Only header with a | |
1327 // violation. | |
1328 ssl_info.public_key_hashes.clear(); | |
1329 for (size_t i = 0; kBadPath[i]; i++) | |
1330 EXPECT_TRUE(AddHash(kBadPath[i], &ssl_info.public_key_hashes)); | |
1331 | |
1332 EXPECT_TRUE( | |
1333 state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info)); | |
1334 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); | |
1335 std::string report = mock_report_sender.latest_report(); | |
1336 ASSERT_FALSE(report.empty()); | |
1337 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, true, kHost, | |
1338 cert1.get(), cert2.get(), | |
1339 ssl_info.public_key_hashes)); | |
1340 } | |
1341 | |
1342 // Test that Report-Only reports are not sent on certs that chain to | |
1343 // local roots. | |
1344 TEST_F(TransportSecurityStateTest, HPKPReportOnlyOnLocalRoot) { | |
1345 HostPortPair host_port_pair(kHost, kPort); | |
1346 GURL report_uri(kReportUri); | |
1347 // Two dummy certs to use as the server-sent and validated chains. The | |
1348 // contents don't matter. | |
1349 scoped_refptr<X509Certificate> cert1 = | |
1350 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | |
1351 scoped_refptr<X509Certificate> cert2 = | |
1352 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | |
1353 ASSERT_TRUE(cert1); | |
1354 ASSERT_TRUE(cert2); | |
1355 | |
1356 const std::string pin1 = "m9lHYJYke9k0GtVZ+bXSQYE8nDI="; | |
1357 const std::string pin2 = "o5OZxATDsgmwgcIfIWIneMJ0jkw="; | |
1358 const std::string pin3 = "wHqYaI2J+6sFZAwRfap9ZbjKzE4="; | |
1359 std::string header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + | |
1360 "\";pin-sha1=\"" + pin3 + "\";report-uri=\"" + | |
1361 report_uri.spec() + "\";includeSubdomains"; | |
1362 | |
1363 TransportSecurityState state; | |
1364 MockCertificateReportSender mock_report_sender; | |
1365 state.SetReportSender(&mock_report_sender); | |
1366 | |
1367 SSLInfo ssl_info; | |
1368 ssl_info.is_issued_by_known_root = true; | |
1369 ssl_info.unverified_cert = cert1; | |
1370 ssl_info.cert = cert2; | |
1371 for (size_t i = 0; kGoodPath[i]; i++) | |
1372 EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes)); | |
1373 ssl_info.is_issued_by_known_root = false; | |
1374 | |
1375 EXPECT_TRUE( | |
1376 state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info)); | |
1377 EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); | |
1378 EXPECT_EQ(std::string(), mock_report_sender.latest_report()); | |
1379 } | |
1380 | |
1381 // Test that ProcessHPKPReportOnlyHeader() returns false if a report-uri | |
1382 // wasn't specified or if the header fails to parse. | |
1383 TEST_F(TransportSecurityStateTest, HPKPReportOnlyParseErrors) { | |
1384 HostPortPair host_port_pair(kHost, kPort); | |
1385 GURL report_uri(kReportUri); | |
1386 // Two dummy certs to use as the server-sent and validated chains. The | |
1387 // contents don't matter. | |
1388 scoped_refptr<X509Certificate> cert1 = | |
1389 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | |
1390 scoped_refptr<X509Certificate> cert2 = | |
1391 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | |
1392 ASSERT_TRUE(cert1); | |
1393 ASSERT_TRUE(cert2); | |
1394 | |
1395 const std::string pin1 = "m9lHYJYke9k0GtVZ+bXSQYE8nDI="; | |
1396 const std::string pin2 = "o5OZxATDsgmwgcIfIWIneMJ0jkw="; | |
1397 const std::string pin3 = "wHqYaI2J+6sFZAwRfap9ZbjKzE4="; | |
1398 std::string header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + | |
1399 "\";pin-sha1=\"" + pin3 + "\""; | |
1400 | |
1401 TransportSecurityState state; | |
1402 MockCertificateReportSender mock_report_sender; | |
1403 state.SetReportSender(&mock_report_sender); | |
1404 | |
1405 SSLInfo ssl_info; | |
1406 ssl_info.is_issued_by_known_root = true; | |
1407 ssl_info.unverified_cert = cert1; | |
1408 ssl_info.cert = cert2; | |
1409 for (size_t i = 0; kGoodPath[i]; i++) | |
1410 EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes)); | |
1411 | |
1412 EXPECT_FALSE( | |
1413 state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info)); | |
1414 header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + "\";pin-sha1=\"" + | |
1415 pin3 + "\";report-uri=\""; | |
1416 EXPECT_FALSE( | |
1417 state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info)); | |
1292 } | 1418 } |
1293 | 1419 |
1294 } // namespace net | 1420 } // namespace net |
OLD | NEW |