net/http/http_security_headers_unittest.cc - Issue 1267513003: Add parsing for Public-Key-Pins-Report-Only header

Side by Side Diff: net/http/http_security_headers_unittest.cc

Issue 1267513003: Add parsing for Public-Key-Pins-Report-Only header (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <stdint.h>	5 #include <stdint.h>

6 #include <algorithm>	6 #include <algorithm>

7	7

8 #include "base/base64.h"	8 #include "base/base64.h"

9 #include "base/sha1.h"	9 #include "base/sha1.h"

10 #include "base/strings/string_piece.h"	10 #include "base/strings/string_piece.h"

(...skipping 46 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
57 std::string GetTestPin(uint8 label, HashValueTag tag) {	57 std::string GetTestPin(uint8 label, HashValueTag tag) {

58 return GetTestPinImpl(label, tag, true);	58 return GetTestPinImpl(label, tag, true);

59 }	59 }

60	60

61 std::string GetTestPinUnquoted(uint8 label, HashValueTag tag) {	61 std::string GetTestPinUnquoted(uint8 label, HashValueTag tag) {

62 return GetTestPinImpl(label, tag, false);	62 return GetTestPinImpl(label, tag, false);

63 }	63 }

64	64

65 };	65 };

66	66

	67 // Parses the given header \|value\| as both a Public-Key-Pins-Report-Only

	68 // and Public-Key-Pins header. Returns true if the value parses

	69 // successfully for both header types, and if the parsed hashes and

	70 // report_uri match for both header types.

	71 bool ParseBothHPKPHeaders(const std::string& value,
	Ryan Sleevi 2015/07/30 01:43:50 Naming wise, this feels a bit odd - you're not par Naming wise, this feels a bit odd - you're not parsing both headers simultaneously, except that's what seems to read as. RFC 7469 calls these "Public-Key-Directives" ABNF, but on a grammar nit, perhaps "ParseEitherHPKPHeader" ? Or simply "ParseHPKPHeader", since both PKP and PKP-RO are HPKP headers :) estark 2015/07/30 02:43:49 I thought it might be weird to shadow net::ParseHP Show quoted text On 2015/07/30 01:43:50, Ryan Sleevi wrote: > Naming wise, this feels a bit odd - you're not parsing both headers > simultaneously, except that's what seems to read as. > > RFC 7469 calls these "Public-Key-Directives" ABNF, but on a grammar nit, perhaps > "ParseEitherHPKPHeader" ? Or simply "ParseHPKPHeader", since both PKP and PKP-RO > are HPKP headers :) I thought it might be weird to shadow net::ParseHPKPHeader()... but maybe that's okay? Otherwise I'm fine with ParseEitherHPKPHeader(). Ryan Sleevi 2015/07/30 02:53:32 ParsesAsHPKPHeader ? :) Show quoted text On 2015/07/30 02:43:49, estark wrote: > On 2015/07/30 01:43:50, Ryan Sleevi wrote: > > Naming wise, this feels a bit odd - you're not parsing both headers > > simultaneously, except that's what seems to read as. > > > > RFC 7469 calls these "Public-Key-Directives" ABNF, but on a grammar nit, > perhaps > > "ParseEitherHPKPHeader" ? Or simply "ParseHPKPHeader", since both PKP and > PKP-RO > > are HPKP headers :) > > I thought it might be weird to shadow net::ParseHPKPHeader()... but maybe that's > okay? Otherwise I'm fine with ParseEitherHPKPHeader(). ParsesAsHPKPHeader ? :) estark 2015/07/30 15:21:21 Done. Show quoted text On 2015/07/30 02:53:32, Ryan Sleevi wrote: > On 2015/07/30 02:43:49, estark wrote: > > On 2015/07/30 01:43:50, Ryan Sleevi wrote: > > > Naming wise, this feels a bit odd - you're not parsing both headers > > > simultaneously, except that's what seems to read as. > > > > > > RFC 7469 calls these "Public-Key-Directives" ABNF, but on a grammar nit, > > perhaps > > > "ParseEitherHPKPHeader" ? Or simply "ParseHPKPHeader", since both PKP and > > PKP-RO > > > are HPKP headers :) > > > > I thought it might be weird to shadow net::ParseHPKPHeader()... but maybe > that's > > okay? Otherwise I'm fine with ParseEitherHPKPHeader(). > > ParsesAsHPKPHeader ? :) Done.
	72 const HashValueVector& chain_hashes,

	73 base::TimeDelta* max_age,

	74 bool* include_subdomains,

	75 HashValueVector* hashes,

	76 GURL* report_uri) {

	77 GURL report_only_uri;

	78 HashValueVector report_only_hashes;

	79 if (!ParseHPKPReportOnlyHeader(value, &report_only_hashes,

	80 &report_only_uri)) {

	81 return false;

	82 }

	83

	84 bool result = ParseHPKPHeader(value, chain_hashes, max_age,

	85 include_subdomains, hashes, report_uri);

	86 if (!result \|\| report_only_uri != *report_uri \|\|

	87 report_only_hashes.size() != hashes->size()) {

	88 return false;

	89 }

	90

	91 for (size_t i = 0; i < report_only_hashes.size(); i++) {

	92 if (!(*hashes)[i].Equals(report_only_hashes[i]))

	93 return false;

	94 }

	95

	96 return true;

	97 }

67	98

68 class HttpSecurityHeadersTest : public testing::Test {	99 class HttpSecurityHeadersTest : public testing::Test {

69 };	100 };

70	101

71	102

72 TEST_F(HttpSecurityHeadersTest, BogusHeaders) {	103 TEST_F(HttpSecurityHeadersTest, BogusHeaders) {

73 base::TimeDelta max_age;	104 base::TimeDelta max_age;

74 bool include_subdomains = false;	105 bool include_subdomains = false;

75	106

76 EXPECT_FALSE(	107 EXPECT_FALSE(

(...skipping 81 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
158 // Set some fake "chain" hashes	189 // Set some fake "chain" hashes

159 chain_hashes.push_back(GetTestHashValue(1, tag));	190 chain_hashes.push_back(GetTestHashValue(1, tag));

160 chain_hashes.push_back(GetTestHashValue(2, tag));	191 chain_hashes.push_back(GetTestHashValue(2, tag));

161 chain_hashes.push_back(GetTestHashValue(3, tag));	192 chain_hashes.push_back(GetTestHashValue(3, tag));

162	193

163 // The good pin must be in the chain, the backup pin must not be	194 // The good pin must be in the chain, the backup pin must not be

164 std::string good_pin = GetTestPin(2, tag);	195 std::string good_pin = GetTestPin(2, tag);

165 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag);	196 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag);

166 std::string backup_pin = GetTestPin(4, tag);	197 std::string backup_pin = GetTestPin(4, tag);

167	198

168 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age,	199 EXPECT_FALSE(ParseBothHPKPHeaders(std::string(), chain_hashes, &max_age,

169 &include_subdomains, &hashes, &report_uri));	200 &include_subdomains, &hashes, &report_uri));

170 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age,	201 EXPECT_FALSE(ParseBothHPKPHeaders(" ", chain_hashes, &max_age,

171 &include_subdomains, &hashes, &report_uri));	202 &include_subdomains, &hashes, &report_uri));

172 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age,	203 EXPECT_FALSE(ParseBothHPKPHeaders("abc", chain_hashes, &max_age,

173 &include_subdomains, &hashes, &report_uri));	204 &include_subdomains, &hashes, &report_uri));

174 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age,	205 EXPECT_FALSE(ParseBothHPKPHeaders(" abc", chain_hashes, &max_age,

175 &include_subdomains, &hashes, &report_uri));	206 &include_subdomains, &hashes, &report_uri));

176 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age,	207 EXPECT_FALSE(ParseBothHPKPHeaders(" abc ", chain_hashes, &max_age,

177 &include_subdomains, &hashes, &report_uri));	208 &include_subdomains, &hashes, &report_uri));

178 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age,	209 EXPECT_FALSE(ParseBothHPKPHeaders("max-age", chain_hashes, &max_age,

179 &include_subdomains, &hashes, &report_uri));	210 &include_subdomains, &hashes, &report_uri));

180 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age,	211 EXPECT_FALSE(ParseBothHPKPHeaders(" max-age", chain_hashes, &max_age,

181 &include_subdomains, &hashes, &report_uri));	212 &include_subdomains, &hashes, &report_uri));

182 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age,	213 EXPECT_FALSE(ParseBothHPKPHeaders(" max-age ", chain_hashes, &max_age,

183 &include_subdomains, &hashes, &report_uri));	214 &include_subdomains, &hashes, &report_uri));

184 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age,	215 EXPECT_FALSE(ParseBothHPKPHeaders("max-age=", chain_hashes, &max_age,

185 &include_subdomains, &hashes, &report_uri));	216 &include_subdomains, &hashes, &report_uri));

186 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age,	217 EXPECT_FALSE(ParseBothHPKPHeaders(" max-age=", chain_hashes, &max_age,

187 &include_subdomains, &hashes, &report_uri));	218 &include_subdomains, &hashes, &report_uri));

188 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age,	219 EXPECT_FALSE(ParseBothHPKPHeaders(" max-age =", chain_hashes, &max_age,

189 &include_subdomains, &hashes, &report_uri));	220 &include_subdomains, &hashes, &report_uri));

190 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age,	221 EXPECT_FALSE(ParseBothHPKPHeaders(" max-age= ", chain_hashes, &max_age,

191 &include_subdomains, &hashes, &report_uri));	222 &include_subdomains, &hashes, &report_uri));

192 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, &max_age,	223 EXPECT_FALSE(ParseBothHPKPHeaders(" max-age = ", chain_hashes,

193 &include_subdomains, &hashes, &report_uri));	224 &max_age, &include_subdomains, &hashes,

194 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, &max_age,	225 &report_uri));

195 &include_subdomains, &hashes, &report_uri));	226 EXPECT_FALSE(ParseBothHPKPHeaders(" max-age = xy", chain_hashes,

196 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", chain_hashes,	227 &max_age, &include_subdomains, &hashes,

197 &max_age, &include_subdomains, &hashes,	228 &report_uri));

198 &report_uri));	229 EXPECT_FALSE(ParseBothHPKPHeaders(" max-age = 3488a923", chain_hashes,

199 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age,	230 &max_age, &include_subdomains, &hashes,

200 &include_subdomains, &hashes, &report_uri));	231 &report_uri));

201 EXPECT_FALSE(ParseHPKPHeader(	232 EXPECT_FALSE(ParseBothHPKPHeaders("max-age=3488a923 ", chain_hashes,

	233 &max_age, &include_subdomains, &hashes,

	234 &report_uri));

	235 EXPECT_FALSE(ParseBothHPKPHeaders(

202 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes,	236 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes,

203 &max_age, &include_subdomains, &hashes, &report_uri));	237 &max_age, &include_subdomains, &hashes, &report_uri));

204 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;pins=" + good_pin + "," +	238 EXPECT_FALSE(ParseBothHPKPHeaders(

205 backup_pin + "report-uri=\"http://foo.com\"",	239 "max-age=3488923;pins=" + good_pin + "," + backup_pin +

206 chain_hashes, &max_age, &include_subdomains,	240 "report-uri=\"http://foo.com\"",

207 &hashes, &report_uri));	241 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

208 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes,	242 EXPECT_FALSE(ParseBothHPKPHeaders("max-aged=3488923" + backup_pin,

209 &max_age, &include_subdomains, &hashes,	243 chain_hashes, &max_age, &include_subdomains,

210 &report_uri));	244 &hashes, &report_uri));

211 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes,	245 EXPECT_FALSE(ParseBothHPKPHeaders("max-aged=3488923; " + backup_pin,

212 &max_age, &include_subdomains, &hashes,	246 chain_hashes, &max_age, &include_subdomains,

213 &report_uri));	247 &hashes, &report_uri));

214 EXPECT_FALSE(ParseHPKPHeader(	248 EXPECT_FALSE(ParseBothHPKPHeaders(

215 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes,	249 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes,

216 &max_age, &include_subdomains, &hashes, &report_uri));	250 &max_age, &include_subdomains, &hashes, &report_uri));

217 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + good_pin,	251 EXPECT_FALSE(ParseBothHPKPHeaders(

218 chain_hashes, &max_age, &include_subdomains,	252 "max-aged=3488923; " + good_pin + ";" + good_pin, chain_hashes, &max_age,

219 &hashes, &report_uri));	253 &include_subdomains, &hashes, &report_uri));

220 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes,	254 EXPECT_FALSE(ParseBothHPKPHeaders("max-aged=3488923; " + good_pin,

221 &max_age, &include_subdomains, &hashes,	255 chain_hashes, &max_age, &include_subdomains,

222 &report_uri));	256 &hashes, &report_uri));

223 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age,	257 EXPECT_FALSE(ParseBothHPKPHeaders("max-age==3488923", chain_hashes, &max_age,

224 &include_subdomains, &hashes, &report_uri));	258 &include_subdomains, &hashes, &report_uri));

225 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age,	259 EXPECT_FALSE(ParseBothHPKPHeaders("amax-age=3488923", chain_hashes, &max_age,

226 &include_subdomains, &hashes, &report_uri));	260 &include_subdomains, &hashes, &report_uri));

227 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age,	261 EXPECT_FALSE(ParseBothHPKPHeaders("max-age=-3488923", chain_hashes, &max_age,

228 &include_subdomains, &hashes, &report_uri));	262 &include_subdomains, &hashes, &report_uri));

229 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age,	263 EXPECT_FALSE(ParseBothHPKPHeaders("max-age=3488923;", chain_hashes, &max_age,

230 &include_subdomains, &hashes, &report_uri));	264 &include_subdomains, &hashes, &report_uri));

231 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, &max_age,	265 EXPECT_FALSE(ParseBothHPKPHeaders("max-age=3488923 e", chain_hashes,

232 &include_subdomains, &hashes, &report_uri));	266 &max_age, &include_subdomains, &hashes,

233 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain",	267 &report_uri));

234 chain_hashes, &max_age, &include_subdomains,	268 EXPECT_FALSE(ParseBothHPKPHeaders("max-age=3488923 includesubdomain",

235 &hashes, &report_uri));	269 chain_hashes, &max_age, &include_subdomains,

236 EXPECT_FALSE(ParseHPKPHeader(	270 &hashes, &report_uri));

	271 EXPECT_FALSE(ParseBothHPKPHeaders(

237 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes,	272 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes,

238 &max_age, &include_subdomains, &hashes, &report_uri));	273 &max_age, &include_subdomains, &hashes, &report_uri));

239 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age,	274 EXPECT_FALSE(ParseBothHPKPHeaders("max-age=34889.23", chain_hashes, &max_age,

240 &include_subdomains, &hashes, &report_uri));	275 &include_subdomains, &hashes, &report_uri));

241 EXPECT_FALSE(ParseHPKPHeader(	276 EXPECT_FALSE(ParseBothHPKPHeaders(

242 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes,	277 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes,

243 &max_age, &include_subdomains, &hashes, &report_uri));	278 &max_age, &include_subdomains, &hashes, &report_uri));

244 EXPECT_FALSE(ParseHPKPHeader(	279 EXPECT_FALSE(ParseBothHPKPHeaders(

245 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;",	280 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;",

246 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));	281 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

247 EXPECT_FALSE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin +	282 EXPECT_FALSE(ParseBothHPKPHeaders(

248 ";report-uri=http://foo.com;",	283 "max-age=243; " + good_pin + ";" + backup_pin +

249 chain_hashes, &max_age, &include_subdomains,	284 ";report-uri=http://foo.com;",

250 &hashes, &report_uri));	285 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

251 EXPECT_FALSE(ParseHPKPHeader(	286 EXPECT_FALSE(ParseBothHPKPHeaders(

252 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''",	287 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''",

253 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));	288 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

254	289

255 // Test that the parser rejects misquoted strings.	290 // Test that the parser rejects misquoted strings.

256 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +	291 EXPECT_FALSE(ParseBothHPKPHeaders(

257 "; report-uri=\"http://foo;bar\'",	292 "max-age=999; " + backup_pin + "; " + good_pin +

258 chain_hashes, &max_age, &include_subdomains,	293 "; report-uri=\"http://foo;bar\'",

259 &hashes, &report_uri));	294 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

260	295

261 // Test that the parser rejects invalid report-uris.	296 // Test that the parser rejects invalid report-uris.

262 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +	297 EXPECT_FALSE(ParseBothHPKPHeaders("max-age=999; " + backup_pin + "; " +

263 "; report-uri=\"foo;bar\'",	298 good_pin + "; report-uri=\"foo;bar\'",

264 chain_hashes, &max_age, &include_subdomains,	299 chain_hashes, &max_age, &include_subdomains,

265 &hashes, &report_uri));	300 &hashes, &report_uri));

266	301

267 // Check the out args were not updated by checking the default	302 // Check the out args were not updated by checking the default

268 // values for its predictable fields.	303 // values for its predictable fields.

269 EXPECT_EQ(0, max_age.InSeconds());	304 EXPECT_EQ(0, max_age.InSeconds());

270 EXPECT_EQ(hashes.size(), (size_t)0);	305 EXPECT_EQ(hashes.size(), (size_t)0);

271 }	306 }

272	307

273 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) {	308 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) {

274 base::TimeDelta max_age;	309 base::TimeDelta max_age;

275 base::TimeDelta expect_max_age;	310 base::TimeDelta expect_max_age;

(...skipping 163 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
439 // Set some fake "chain" hashes into chain_hashes	474 // Set some fake "chain" hashes into chain_hashes

440 chain_hashes.push_back(GetTestHashValue(1, tag));	475 chain_hashes.push_back(GetTestHashValue(1, tag));

441 chain_hashes.push_back(GetTestHashValue(2, tag));	476 chain_hashes.push_back(GetTestHashValue(2, tag));

442 chain_hashes.push_back(GetTestHashValue(3, tag));	477 chain_hashes.push_back(GetTestHashValue(3, tag));

443	478

444 // The good pin must be in the chain, the backup pin must not be	479 // The good pin must be in the chain, the backup pin must not be

445 std::string good_pin = GetTestPin(2, tag);	480 std::string good_pin = GetTestPin(2, tag);

446 std::string good_pin2 = GetTestPin(3, tag);	481 std::string good_pin2 = GetTestPin(3, tag);

447 std::string backup_pin = GetTestPin(4, tag);	482 std::string backup_pin = GetTestPin(4, tag);

448	483

449 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin,	484 EXPECT_TRUE(ParseBothHPKPHeaders(

450 chain_hashes, &max_age, &include_subdomains,	485 "max-age=243; " + good_pin + ";" + backup_pin, chain_hashes, &max_age,

451 &hashes, &report_uri));	486 &include_subdomains, &hashes, &report_uri));

452 expect_max_age = base::TimeDelta::FromSeconds(243);	487 expect_max_age = base::TimeDelta::FromSeconds(243);

453 EXPECT_EQ(expect_max_age, max_age);	488 EXPECT_EQ(expect_max_age, max_age);

454 EXPECT_FALSE(include_subdomains);	489 EXPECT_FALSE(include_subdomains);

455 EXPECT_TRUE(report_uri.is_empty());	490 EXPECT_TRUE(report_uri.is_empty());

456	491

457 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin +	492 EXPECT_TRUE(ParseBothHPKPHeaders(

458 "; report-uri= \"http://example.test/foo\"",	493 "max-age=243; " + good_pin + ";" + backup_pin +

459 chain_hashes, &max_age, &include_subdomains,	494 "; report-uri= \"http://example.test/foo\"",

460 &hashes, &report_uri));	495 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

461 expect_max_age = base::TimeDelta::FromSeconds(243);	496 expect_max_age = base::TimeDelta::FromSeconds(243);

462 expect_report_uri = GURL("http://example.test/foo");	497 expect_report_uri = GURL("http://example.test/foo");

463 EXPECT_EQ(expect_max_age, max_age);	498 EXPECT_EQ(expect_max_age, max_age);

464 EXPECT_FALSE(include_subdomains);	499 EXPECT_FALSE(include_subdomains);

465 EXPECT_EQ(expect_report_uri, report_uri);	500 EXPECT_EQ(expect_report_uri, report_uri);

466	501

467 EXPECT_TRUE(ParseHPKPHeader(	502 EXPECT_TRUE(ParseBothHPKPHeaders(

468 " " + good_pin + "; " + backup_pin +	503 " " + good_pin + "; " + backup_pin +

469 " ; Max-agE = 567; repOrT-URi = \"http://example.test/foo\"",	504 " ; Max-agE = 567; repOrT-URi = \"http://example.test/foo\"",

470 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));	505 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

471 expect_max_age = base::TimeDelta::FromSeconds(567);	506 expect_max_age = base::TimeDelta::FromSeconds(567);

472 expect_report_uri = GURL("http://example.test/foo");	507 expect_report_uri = GURL("http://example.test/foo");

473 EXPECT_EQ(expect_max_age, max_age);	508 EXPECT_EQ(expect_max_age, max_age);

474 EXPECT_FALSE(include_subdomains);	509 EXPECT_FALSE(include_subdomains);

475 EXPECT_EQ(expect_report_uri, report_uri);	510 EXPECT_EQ(expect_report_uri, report_uri);

476	511

477 EXPECT_TRUE(ParseHPKPHeader("includeSubDOMAINS;" + good_pin + ";" +	512 EXPECT_TRUE(ParseBothHPKPHeaders(

478 backup_pin + " ; mAx-aGe = 890 ",	513 "includeSubDOMAINS;" + good_pin + ";" + backup_pin +

479 chain_hashes, &max_age, &include_subdomains,	514 " ; mAx-aGe = 890 ",

480 &hashes, &report_uri));	515 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

481 expect_max_age = base::TimeDelta::FromSeconds(890);	516 expect_max_age = base::TimeDelta::FromSeconds(890);

482 EXPECT_EQ(expect_max_age, max_age);	517 EXPECT_EQ(expect_max_age, max_age);

483 EXPECT_TRUE(include_subdomains);	518 EXPECT_TRUE(include_subdomains);

484	519

485 EXPECT_TRUE(ParseHPKPHeader(	520 EXPECT_TRUE(ParseBothHPKPHeaders(

486 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes,	521 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes,

487 &max_age, &include_subdomains, &hashes, &report_uri));	522 &max_age, &include_subdomains, &hashes, &report_uri));

488 expect_max_age = base::TimeDelta::FromSeconds(123);	523 expect_max_age = base::TimeDelta::FromSeconds(123);

489 EXPECT_EQ(expect_max_age, max_age);	524 EXPECT_EQ(expect_max_age, max_age);

490 EXPECT_FALSE(include_subdomains);	525 EXPECT_FALSE(include_subdomains);

491	526

492 EXPECT_TRUE(ParseHPKPHeader(	527 EXPECT_TRUE(ParseBothHPKPHeaders(

493 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes,	528 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes,

494 &max_age, &include_subdomains, &hashes, &report_uri));	529 &max_age, &include_subdomains, &hashes, &report_uri));

495 expect_max_age = base::TimeDelta::FromSeconds(394082);	530 expect_max_age = base::TimeDelta::FromSeconds(394082);

496 EXPECT_EQ(expect_max_age, max_age);	531 EXPECT_EQ(expect_max_age, max_age);

497 EXPECT_FALSE(include_subdomains);	532 EXPECT_FALSE(include_subdomains);

498	533

499 EXPECT_TRUE(ParseHPKPHeader(	534 EXPECT_TRUE(ParseBothHPKPHeaders(

500 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes,	535 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes,

501 &max_age, &include_subdomains, &hashes, &report_uri));	536 &max_age, &include_subdomains, &hashes, &report_uri));

502 expect_max_age = base::TimeDelta::FromSeconds(	537 expect_max_age = base::TimeDelta::FromSeconds(

503 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299))));	538 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299))));

504 EXPECT_EQ(expect_max_age, max_age);	539 EXPECT_EQ(expect_max_age, max_age);

505 EXPECT_FALSE(include_subdomains);	540 EXPECT_FALSE(include_subdomains);

506	541

507 EXPECT_TRUE(ParseHPKPHeader(	542 EXPECT_TRUE(ParseBothHPKPHeaders(

508 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " +	543 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " +

509 good_pin + ";" + backup_pin + "; ",	544 good_pin + ";" + backup_pin + "; ",

510 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));	545 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

511 expect_max_age = base::TimeDelta::FromSeconds(	546 expect_max_age = base::TimeDelta::FromSeconds(

512 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038))));	547 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038))));

513 EXPECT_EQ(expect_max_age, max_age);	548 EXPECT_EQ(expect_max_age, max_age);

514 EXPECT_TRUE(include_subdomains);	549 EXPECT_TRUE(include_subdomains);

515	550

516 EXPECT_TRUE(ParseHPKPHeader(" max-age=0 ; " + good_pin + ";" + backup_pin,	551 EXPECT_TRUE(ParseBothHPKPHeaders(

517 chain_hashes, &max_age, &include_subdomains,	552 " max-age=0 ; " + good_pin + ";" + backup_pin, chain_hashes, &max_age,

518 &hashes, &report_uri));	553 &include_subdomains, &hashes, &report_uri));

519 expect_max_age = base::TimeDelta::FromSeconds(0);	554 expect_max_age = base::TimeDelta::FromSeconds(0);

520 EXPECT_EQ(expect_max_age, max_age);	555 EXPECT_EQ(expect_max_age, max_age);

521 EXPECT_FALSE(include_subdomains);	556 EXPECT_FALSE(include_subdomains);

522	557

523 EXPECT_TRUE(ParseHPKPHeader(	558 EXPECT_TRUE(ParseBothHPKPHeaders(

524 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin,	559 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin,

525 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));	560 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

526 expect_max_age = base::TimeDelta::FromSeconds(0);	561 expect_max_age = base::TimeDelta::FromSeconds(0);

527 EXPECT_EQ(expect_max_age, max_age);	562 EXPECT_EQ(expect_max_age, max_age);

528 EXPECT_TRUE(include_subdomains);	563 EXPECT_TRUE(include_subdomains);

529	564

530 EXPECT_TRUE(ParseHPKPHeader(	565 EXPECT_TRUE(ParseBothHPKPHeaders(

531 " max-age=999999999999999999999999999999999999999999999 ; " +	566 " max-age=999999999999999999999999999999999999999999999 ; " +

532 backup_pin + ";" + good_pin + "; ",	567 backup_pin + ";" + good_pin + "; ",

533 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));	568 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

534 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);	569 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);

535 EXPECT_EQ(expect_max_age, max_age);	570 EXPECT_EQ(expect_max_age, max_age);

536 EXPECT_FALSE(include_subdomains);	571 EXPECT_FALSE(include_subdomains);

537	572

538 EXPECT_TRUE(ParseHPKPHeader(	573 EXPECT_TRUE(ParseBothHPKPHeaders(

539 " max-age=999999999999999999999999999999999999999999999 ; " +	574 " max-age=999999999999999999999999999999999999999999999 ; " +

540 backup_pin + ";" + good_pin +	575 backup_pin + ";" + good_pin +

541 "; report-uri=\"http://example.test/foo\"",	576 "; report-uri=\"http://example.test/foo\"",

542 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));	577 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

543 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);	578 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);

544 expect_report_uri = GURL("http://example.test/foo");	579 expect_report_uri = GURL("http://example.test/foo");

545 EXPECT_EQ(expect_max_age, max_age);	580 EXPECT_EQ(expect_max_age, max_age);

546 EXPECT_FALSE(include_subdomains);	581 EXPECT_FALSE(include_subdomains);

547 EXPECT_EQ(expect_report_uri, report_uri);	582 EXPECT_EQ(expect_report_uri, report_uri);

548	583

549 // Test that parsing a different header resets the hashes.	584 // Test that parsing a different header resets the hashes.

550 hashes.clear();	585 hashes.clear();

551 EXPECT_TRUE(ParseHPKPHeader(	586 EXPECT_TRUE(ParseBothHPKPHeaders(

552 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes,	587 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes,

553 &max_age, &include_subdomains, &hashes, &report_uri));	588 &max_age, &include_subdomains, &hashes, &report_uri));

554 EXPECT_EQ(2u, hashes.size());	589 EXPECT_EQ(2u, hashes.size());

555 EXPECT_TRUE(ParseHPKPHeader(	590 EXPECT_TRUE(ParseBothHPKPHeaders(

556 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes,	591 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes,

557 &max_age, &include_subdomains, &hashes, &report_uri));	592 &max_age, &include_subdomains, &hashes, &report_uri));

558 EXPECT_EQ(2u, hashes.size());	593 EXPECT_EQ(2u, hashes.size());

559	594

560 // Test that the parser correctly parses an unencoded ';' inside a	595 // Test that the parser correctly parses an unencoded ';' inside a

561 // quoted report-uri.	596 // quoted report-uri.

562 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +	597 EXPECT_TRUE(ParseBothHPKPHeaders(

563 "; report-uri=\"http://foo.com/?;bar\"",	598 "max-age=999; " + backup_pin + "; " + good_pin +

564 chain_hashes, &max_age, &include_subdomains,	599 "; report-uri=\"http://foo.com/?;bar\"",

565 &hashes, &report_uri));	600 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

566 expect_max_age = base::TimeDelta::FromSeconds(999);	601 expect_max_age = base::TimeDelta::FromSeconds(999);

567 expect_report_uri = GURL("http://foo.com/?;bar");	602 expect_report_uri = GURL("http://foo.com/?;bar");

568 EXPECT_EQ(expect_max_age, max_age);	603 EXPECT_EQ(expect_max_age, max_age);

569 EXPECT_FALSE(include_subdomains);	604 EXPECT_FALSE(include_subdomains);

570 EXPECT_EQ(expect_report_uri, report_uri);	605 EXPECT_EQ(expect_report_uri, report_uri);

571	606

572 // Test that the parser correctly parses a report-uri with a >0x7f	607 // Test that the parser correctly parses a report-uri with a >0x7f

573 // character.	608 // character.

574 std::string uri = "http://foo.com/";	609 std::string uri = "http://foo.com/";

575 uri += char(0x7f);	610 uri += char(0x7f);

576 expect_report_uri = GURL(uri);	611 expect_report_uri = GURL(uri);

577 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +	612 EXPECT_TRUE(ParseBothHPKPHeaders(

578 "; report-uri=\"" + uri + "\"",	613 "max-age=999; " + backup_pin + "; " + good_pin + "; report-uri=\"" + uri +

579 chain_hashes, &max_age, &include_subdomains,	614 "\"",

580 &hashes, &report_uri));	615 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

581 expect_max_age = base::TimeDelta::FromSeconds(999);	616 expect_max_age = base::TimeDelta::FromSeconds(999);

582 EXPECT_EQ(expect_max_age, max_age);	617 EXPECT_EQ(expect_max_age, max_age);

583 EXPECT_FALSE(include_subdomains);	618 EXPECT_FALSE(include_subdomains);

584 EXPECT_EQ(expect_report_uri, report_uri);	619 EXPECT_EQ(expect_report_uri, report_uri);

585	620

586 // Test that the parser allows quoted max-age values.	621 // Test that the parser allows quoted max-age values.

587 EXPECT_TRUE(ParseHPKPHeader("max-age='999'; " + backup_pin + "; " + good_pin,	622 EXPECT_TRUE(ParseBothHPKPHeaders(

588 chain_hashes, &max_age, &include_subdomains,	623 "max-age='999'; " + backup_pin + "; " + good_pin, chain_hashes, &max_age,

589 &hashes, &report_uri));	624 &include_subdomains, &hashes, &report_uri));

590 expect_max_age = base::TimeDelta::FromSeconds(999);	625 expect_max_age = base::TimeDelta::FromSeconds(999);

591 EXPECT_EQ(expect_max_age, max_age);	626 EXPECT_EQ(expect_max_age, max_age);

592 EXPECT_FALSE(include_subdomains);	627 EXPECT_FALSE(include_subdomains);

593	628

594 // Test that the parser handles escaped values.	629 // Test that the parser handles escaped values.

595 expect_report_uri = GURL("http://foo.com'a");	630 expect_report_uri = GURL("http://foo.com'a");

596 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin +	631 EXPECT_TRUE(ParseBothHPKPHeaders(

597 "; report-uri='http://foo.com\\'\\a'",	632 "max-age=999; " + backup_pin + "; " + good_pin +

598 chain_hashes, &max_age, &include_subdomains,	633 "; report-uri='http://foo.com\\'\\a'",

599 &hashes, &report_uri));	634 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri));

600 expect_max_age = base::TimeDelta::FromSeconds(999);	635 expect_max_age = base::TimeDelta::FromSeconds(999);

601 EXPECT_EQ(expect_max_age, max_age);	636 EXPECT_EQ(expect_max_age, max_age);

602 EXPECT_FALSE(include_subdomains);	637 EXPECT_FALSE(include_subdomains);

603 EXPECT_EQ(expect_report_uri, report_uri);	638 EXPECT_EQ(expect_report_uri, report_uri);

	639

	640 // Test that the parser does not require max-age for Report-Only

	641 // headers.

	642 expect_report_uri = GURL("http://foo.com");

	643 EXPECT_TRUE(ParseHPKPReportOnlyHeader(

	644 backup_pin + "; " + good_pin + "; report-uri='http://foo.com'", &hashes,

	645 &report_uri));

	646 EXPECT_EQ(expect_report_uri, report_uri);

604 }	647 }

605	648

606 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) {	649 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) {

607 TestBogusPinsHeaders(HASH_VALUE_SHA1);	650 TestBogusPinsHeaders(HASH_VALUE_SHA1);

608 }	651 }

609	652

610 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) {	653 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) {

611 TestBogusPinsHeaders(HASH_VALUE_SHA256);	654 TestBogusPinsHeaders(HASH_VALUE_SHA256);

612 }	655 }

613	656

(...skipping 256 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
870 ssl_info));	913 ssl_info));

871	914

872 // The old pins must still exist.	915 // The old pins must still exist.

873 EXPECT_TRUE(state.HasPublicKeyPins("example.com"));	916 EXPECT_TRUE(state.HasPublicKeyPins("example.com"));

874 EXPECT_TRUE(state.CheckPublicKeyPins(	917 EXPECT_TRUE(state.CheckPublicKeyPins(

875 domain_port, is_issued_by_known_root, ssl_info.public_key_hashes, nullptr,	918 domain_port, is_issued_by_known_root, ssl_info.public_key_hashes, nullptr,

876 nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log));	919 nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log));

877 }	920 }

878	921

879 }; // namespace net	922 }; // namespace net

OLD	NEW

« net/http/http_security_headers.h ('K') | « net/http/http_security_headers.cc ('k') | no next file » | no next file with comments »