OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
1407 for (size_t i = 0; kGoodPath[i]; i++) | 1407 for (size_t i = 0; kGoodPath[i]; i++) |
1408 EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes)); | 1408 EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes)); |
1409 | 1409 |
1410 EXPECT_FALSE( | 1410 EXPECT_FALSE( |
1411 state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info)); | 1411 state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info)); |
1412 header += ";report-uri=\""; | 1412 header += ";report-uri=\""; |
1413 EXPECT_FALSE( | 1413 EXPECT_FALSE( |
1414 state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info)); | 1414 state.ProcessHPKPReportOnlyHeader(header, host_port_pair, ssl_info)); |
1415 } | 1415 } |
1416 | 1416 |
| 1417 // Tests that pinning violations on preloaded pins trigger reports when |
| 1418 // the preloaded pin contains a report URI. |
| 1419 TEST_F(TransportSecurityStateTest, PreloadedPKPReportUri) { |
| 1420 const char kPreloadedPinDomain[] = "www.google.com"; |
| 1421 const uint16_t kPort = 443; |
| 1422 HostPortPair host_port_pair(kPreloadedPinDomain, kPort); |
| 1423 |
| 1424 TransportSecurityState state; |
| 1425 MockCertificateReportSender mock_report_sender; |
| 1426 state.SetReportSender(&mock_report_sender); |
| 1427 |
| 1428 ASSERT_TRUE( |
| 1429 TransportSecurityState::IsGooglePinnedProperty(kPreloadedPinDomain)); |
| 1430 EnableStaticPins(&state); |
| 1431 |
| 1432 TransportSecurityState::PKPState pkp_state; |
| 1433 TransportSecurityState::STSState unused_sts_state; |
| 1434 ASSERT_TRUE(state.GetStaticDomainState(kPreloadedPinDomain, &unused_sts_state, |
| 1435 &pkp_state)); |
| 1436 |
| 1437 GURL report_uri = pkp_state.report_uri; |
| 1438 ASSERT_TRUE(report_uri.is_valid()); |
| 1439 ASSERT_FALSE(report_uri.is_empty()); |
| 1440 |
| 1441 // Two dummy certs to use as the server-sent and validated chains. The |
| 1442 // contents don't matter, as long as they are not the real google.com |
| 1443 // certs in the pins. |
| 1444 scoped_refptr<X509Certificate> cert1 = |
| 1445 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 1446 scoped_refptr<X509Certificate> cert2 = |
| 1447 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 1448 ASSERT_TRUE(cert1); |
| 1449 ASSERT_TRUE(cert2); |
| 1450 |
| 1451 HashValueVector bad_hashes; |
| 1452 for (size_t i = 0; kBadPath[i]; i++) |
| 1453 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 1454 |
| 1455 // Trigger a violation and check that it sends a report. |
| 1456 std::string failure_log; |
| 1457 EXPECT_FALSE(state.CheckPublicKeyPins( |
| 1458 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), |
| 1459 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
| 1460 |
| 1461 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); |
| 1462 |
| 1463 std::string report = mock_report_sender.latest_report(); |
| 1464 ASSERT_FALSE(report.empty()); |
| 1465 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport( |
| 1466 report, host_port_pair, pkp_state.include_subdomains, pkp_state.domain, |
| 1467 cert1.get(), cert2.get(), pkp_state.spki_hashes)); |
| 1468 } |
| 1469 |
1417 } // namespace net | 1470 } // namespace net |
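Review bot: PreloadedPKPReportUri (new lines 1455-1467) checks only the positive path, where a violation under `TransportSecurityState::ENABLE_PIN_REPORTS` yields a report to the preloaded URI. It never shows that the same violation stays silent when the caller opts out. A pin report carries the hostname and both certificate chains to a third-party endpoint, so a regression that ignores the report-status argument for preloaded pins would go unnoticed here. I would run the check once with `TransportSecurityState::DISABLE_PIN_REPORTS` before the existing call and assert that the mock recorded nothing. This assumes MockCertificateReportSender starts with an empty URI and report, which its definition outside this section should confirm.

```cpp
  std::string failure_log;
  // With reporting disabled the pin check must still fail, but nothing may
  // reach the report sender.
  EXPECT_FALSE(state.CheckPublicKeyPins(
      host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
      TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log));
  EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
  EXPECT_TRUE(mock_report_sender.latest_report().empty());
  // … unchanged: ENABLE_PIN_REPORTS call and report content checks …
```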