
Unified Diff: net/http/transport_security_state_unittest.cc

Issue 1266723003: Process Public-Key-Pin-Report-Only headers (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 5 months ago
Index: net/http/transport_security_state_unittest.cc
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
index 31c4062892d488d25378759b777b9d788f8f9833..eb4f966d7c67ad0fa96f083cfcc3c7a2fe46b8e0 100644
--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -57,6 +57,11 @@ class MockCertificateReportSender
latest_report_ = report;
}
+ void Clear() {
+ latest_report_uri_ = GURL();
+ latest_report_ = std::string();
+ }
+
const GURL& latest_report_uri() { return latest_report_uri_; }
const std::string& latest_report() { return latest_report_; }
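Review bot: The new `Clear()` helper has no comment explaining why tests need it, and the later hunks rely on it to keep one case's report from satisfying the next case's expectation. A one-line comment above it would make that contract explicit, for example `// Resets the recorded URI and report so a later expectation cannot be met by an earlier report.` The enclosing MockCertificateReportSender class starts and ends outside this hunk.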
@@ -1276,7 +1281,7 @@ TEST_F(TransportSecurityStateTest, HPKPReporting) {
ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, true,
kHost, cert1.get(), cert2.get(),
good_hashes));
-
+ mock_report_sender.Clear();
EXPECT_FALSE(state.CheckPublicKeyPins(
subdomain_host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log));
@@ -1289,6 +1294,62 @@ TEST_F(TransportSecurityStateTest, HPKPReporting) {
ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair,
expiry, true, kHost, cert1.get(),
cert2.get(), good_hashes));
+
+ // Check that a report is not sent for a Report-Only header with no
+ // violation.
Ryan Sleevi 2015/07/30 01:52:17 Seems like this could / should just be a new test?
estark 2015/07/31 00:49:44 Done.
+ mock_report_sender.Clear();
+ const std::string pin1 = "m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
+ const std::string pin2 = "o5OZxATDsgmwgcIfIWIneMJ0jkw=";
+ const std::string pin3 = "wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
+ std::string header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 +
+ "\";pin-sha1=\"" + pin3 + "\";report-uri=\"" +
+ report_uri.spec() + "\"";
+ SSLInfo ssl_info;
+ ssl_info.is_issued_by_known_root = true;
+ ssl_info.unverified_cert = cert1;
+ ssl_info.cert = cert2;
+ for (size_t i = 0; kGoodPath[i]; i++)
+ EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes));
+
+ EXPECT_TRUE(
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info));
+ EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
+ EXPECT_EQ(std::string(), mock_report_sender.latest_report());
+
+ // Check that a report is sent for a Report-Only header with a
+ // violation.
+ ssl_info.public_key_hashes.clear();
+ for (size_t i = 0; kBadPath[i]; i++)
+ EXPECT_TRUE(AddHash(kBadPath[i], &ssl_info.public_key_hashes));
+
+ EXPECT_TRUE(
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info));
+ EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri());
+ report = mock_report_sender.latest_report();
+ ASSERT_FALSE(report.empty());
+ ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, false,
+ kHost, cert1.get(), cert2.get(),
+ good_hashes));
+
+ // Test that Report-Only reports are not sent on certs that chain to
+ // local roots.
Ryan Sleevi 2015/07/30 01:52:17 Ditto here as perhaps a unique test.
estark 2015/07/31 00:49:44 Done.
+ mock_report_sender.Clear();
+ ssl_info.is_issued_by_known_root = false;
+ EXPECT_TRUE(
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info));
+ EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
+ EXPECT_EQ(std::string(), mock_report_sender.latest_report());
+
+ // Test that ProcessHPKPReportOnlyHeader() returns false if a
+ // report-uri wasn't specified or if the header fails to parse;
Ryan Sleevi 2015/07/30 01:52:16 Ditto for unique test :)
estark 2015/07/31 00:49:44 Done.
+ header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + "\";pin-sha1=\"" +
+ pin3 + "\"";
+ EXPECT_FALSE(
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info));
+ header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + "\";pin-sha1=\"" +
+ pin3 + "\";report-uri=\"";
+ EXPECT_FALSE(
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info));
}
} // namespace net
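Review bot: The last two `EXPECT_FALSE(state.ProcessHPKPReportOnlyHeader(...))` cases (header with no report-uri, and header with an unterminated `report-uri="`) assert only the return value, so a rejected header that still sends a report would pass. At that point `ssl_info.is_issued_by_known_root` is still `false` from the local-root case above, which by this test's own expectations suppresses reports, so a sender check there would be vacuous as written. Setting `ssl_info.is_issued_by_known_root = true;` before those two cases and following each with `EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());` and `EXPECT_EQ(std::string(), mock_report_sender.latest_report());` would pin that a missing or unparseable report-uri never causes a report to be sent. The body of HPKPReporting begins outside this hunk, so any setup above it is not visible here.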
