| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stdint.h> | 5 #include <stdint.h> |
| 6 #include <algorithm> | 6 #include <algorithm> |
| 7 | 7 |
| 8 #include "base/base64.h" | 8 #include "base/base64.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/strings/string_piece.h" | 10 #include "base/strings/string_piece.h" |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 57 std::string GetTestPin(uint8 label, HashValueTag tag) { | 57 std::string GetTestPin(uint8 label, HashValueTag tag) { |
| 58 return GetTestPinImpl(label, tag, true); | 58 return GetTestPinImpl(label, tag, true); |
| 59 } | 59 } |
| 60 | 60 |
| 61 std::string GetTestPinUnquoted(uint8 label, HashValueTag tag) { | 61 std::string GetTestPinUnquoted(uint8 label, HashValueTag tag) { |
| 62 return GetTestPinImpl(label, tag, false); | 62 return GetTestPinImpl(label, tag, false); |
| 63 } | 63 } |
| 64 | 64 |
| 65 }; | 65 }; |
| 66 | 66 |
| 67 // Parses the given header |value| as both a Public-Key-Pins-Report-Only |
| 68 // and Public-Key-Pins header. Returns true if the value parses |
| 69 // successfully for both header types, and if the parsed hashes and |
| 70 // report_uri match for both header types. |
| 71 bool ParseAsHPKPHeader(const std::string& value, |
| 72 const HashValueVector& chain_hashes, |
| 73 base::TimeDelta* max_age, |
| 74 bool* include_subdomains, |
| 75 HashValueVector* hashes, |
| 76 GURL* report_uri) { |
| 77 GURL report_only_uri; |
| 78 bool report_only_include_subdomains; |
| 79 HashValueVector report_only_hashes; |
| 80 if (!ParseHPKPReportOnlyHeader(value, &report_only_include_subdomains, |
| 81 &report_only_hashes, &report_only_uri)) { |
| 82 return false; |
| 83 } |
| 84 |
| 85 bool result = ParseHPKPHeader(value, chain_hashes, max_age, |
| 86 include_subdomains, hashes, report_uri); |
| 87 if (!result || report_only_include_subdomains != *include_subdomains || |
| 88 report_only_uri != *report_uri || |
| 89 report_only_hashes.size() != hashes->size()) { |
| 90 return false; |
| 91 } |
| 92 |
| 93 for (size_t i = 0; i < report_only_hashes.size(); i++) { |
| 94 if (!(*hashes)[i].Equals(report_only_hashes[i])) |
| 95 return false; |
| 96 } |
| 97 |
| 98 return true; |
| 99 } |
| 67 | 100 |
| 68 class HttpSecurityHeadersTest : public testing::Test { | 101 class HttpSecurityHeadersTest : public testing::Test { |
| 69 }; | 102 }; |
| 70 | 103 |
| 71 | 104 |
| 72 TEST_F(HttpSecurityHeadersTest, BogusHeaders) { | 105 TEST_F(HttpSecurityHeadersTest, BogusHeaders) { |
| 73 base::TimeDelta max_age; | 106 base::TimeDelta max_age; |
| 74 bool include_subdomains = false; | 107 bool include_subdomains = false; |
| 75 | 108 |
| 76 EXPECT_FALSE( | 109 EXPECT_FALSE( |
| (...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 158 // Set some fake "chain" hashes | 191 // Set some fake "chain" hashes |
| 159 chain_hashes.push_back(GetTestHashValue(1, tag)); | 192 chain_hashes.push_back(GetTestHashValue(1, tag)); |
| 160 chain_hashes.push_back(GetTestHashValue(2, tag)); | 193 chain_hashes.push_back(GetTestHashValue(2, tag)); |
| 161 chain_hashes.push_back(GetTestHashValue(3, tag)); | 194 chain_hashes.push_back(GetTestHashValue(3, tag)); |
| 162 | 195 |
| 163 // The good pin must be in the chain, the backup pin must not be | 196 // The good pin must be in the chain, the backup pin must not be |
| 164 std::string good_pin = GetTestPin(2, tag); | 197 std::string good_pin = GetTestPin(2, tag); |
| 165 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); | 198 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); |
| 166 std::string backup_pin = GetTestPin(4, tag); | 199 std::string backup_pin = GetTestPin(4, tag); |
| 167 | 200 |
| 168 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, | 201 EXPECT_FALSE(ParseAsHPKPHeader(std::string(), chain_hashes, &max_age, |
| 169 &include_subdomains, &hashes, &report_uri)); | 202 &include_subdomains, &hashes, &report_uri)); |
| 170 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, | 203 EXPECT_FALSE(ParseAsHPKPHeader(" ", chain_hashes, &max_age, |
| 171 &include_subdomains, &hashes, &report_uri)); | 204 &include_subdomains, &hashes, &report_uri)); |
| 172 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, | 205 EXPECT_FALSE(ParseAsHPKPHeader("abc", chain_hashes, &max_age, |
| 173 &include_subdomains, &hashes, &report_uri)); | 206 &include_subdomains, &hashes, &report_uri)); |
| 174 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, | 207 EXPECT_FALSE(ParseAsHPKPHeader(" abc", chain_hashes, &max_age, |
| 175 &include_subdomains, &hashes, &report_uri)); | 208 &include_subdomains, &hashes, &report_uri)); |
| 176 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, | 209 EXPECT_FALSE(ParseAsHPKPHeader(" abc ", chain_hashes, &max_age, |
| 177 &include_subdomains, &hashes, &report_uri)); | 210 &include_subdomains, &hashes, &report_uri)); |
| 178 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, | 211 EXPECT_FALSE(ParseAsHPKPHeader("max-age", chain_hashes, &max_age, |
| 179 &include_subdomains, &hashes, &report_uri)); | 212 &include_subdomains, &hashes, &report_uri)); |
| 180 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, | 213 EXPECT_FALSE(ParseAsHPKPHeader(" max-age", chain_hashes, &max_age, |
| 181 &include_subdomains, &hashes, &report_uri)); | 214 &include_subdomains, &hashes, &report_uri)); |
| 182 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, | 215 EXPECT_FALSE(ParseAsHPKPHeader(" max-age ", chain_hashes, &max_age, |
| 183 &include_subdomains, &hashes, &report_uri)); | 216 &include_subdomains, &hashes, &report_uri)); |
| 184 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, | 217 EXPECT_FALSE(ParseAsHPKPHeader("max-age=", chain_hashes, &max_age, |
| 185 &include_subdomains, &hashes, &report_uri)); | 218 &include_subdomains, &hashes, &report_uri)); |
| 186 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, | 219 EXPECT_FALSE(ParseAsHPKPHeader(" max-age=", chain_hashes, &max_age, |
| 187 &include_subdomains, &hashes, &report_uri)); | 220 &include_subdomains, &hashes, &report_uri)); |
| 188 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, | 221 EXPECT_FALSE(ParseAsHPKPHeader(" max-age =", chain_hashes, &max_age, |
| 189 &include_subdomains, &hashes, &report_uri)); | 222 &include_subdomains, &hashes, &report_uri)); |
| 190 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, | 223 EXPECT_FALSE(ParseAsHPKPHeader(" max-age= ", chain_hashes, &max_age, |
| 191 &include_subdomains, &hashes, &report_uri)); | 224 &include_subdomains, &hashes, &report_uri)); |
| 192 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, &max_age, | 225 EXPECT_FALSE(ParseAsHPKPHeader(" max-age = ", chain_hashes, &max_age, |
| 193 &include_subdomains, &hashes, &report_uri)); | 226 &include_subdomains, &hashes, &report_uri)); |
| 194 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, &max_age, | 227 EXPECT_FALSE(ParseAsHPKPHeader(" max-age = xy", chain_hashes, &max_age, |
| 195 &include_subdomains, &hashes, &report_uri)); | 228 &include_subdomains, &hashes, &report_uri)); |
| 196 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", chain_hashes, | 229 EXPECT_FALSE(ParseAsHPKPHeader(" max-age = 3488a923", chain_hashes, |
| 197 &max_age, &include_subdomains, &hashes, | 230 &max_age, &include_subdomains, &hashes, |
| 198 &report_uri)); | 231 &report_uri)); |
| 199 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age, | 232 EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age, |
| 200 &include_subdomains, &hashes, &report_uri)); | 233 &include_subdomains, &hashes, &report_uri)); |
| 201 EXPECT_FALSE(ParseHPKPHeader( | 234 EXPECT_FALSE(ParseAsHPKPHeader( |
| 202 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes, | 235 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes, |
| 203 &max_age, &include_subdomains, &hashes, &report_uri)); | 236 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 204 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;pins=" + good_pin + "," + | 237 EXPECT_FALSE(ParseAsHPKPHeader( |
| 205 backup_pin + "report-uri=\"http://foo.com\"", | 238 "max-age=3488923;pins=" + good_pin + "," + backup_pin + |
| 206 chain_hashes, &max_age, &include_subdomains, | 239 "report-uri=\"http://foo.com\"", |
| 207 &hashes, &report_uri)); | 240 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 208 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes, | 241 EXPECT_FALSE(ParseAsHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes, |
| 209 &max_age, &include_subdomains, &hashes, | 242 &max_age, &include_subdomains, &hashes, |
| 210 &report_uri)); | 243 &report_uri)); |
| 211 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes, | 244 EXPECT_FALSE(ParseAsHPKPHeader("max-aged=3488923; " + backup_pin, |
| 212 &max_age, &include_subdomains, &hashes, | 245 chain_hashes, &max_age, &include_subdomains, |
| 213 &report_uri)); | 246 &hashes, &report_uri)); |
| 214 EXPECT_FALSE(ParseHPKPHeader( | 247 EXPECT_FALSE(ParseAsHPKPHeader( |
| 215 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes, | 248 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes, |
| 216 &max_age, &include_subdomains, &hashes, &report_uri)); | 249 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 217 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + good_pin, | 250 EXPECT_FALSE(ParseAsHPKPHeader( |
| 218 chain_hashes, &max_age, &include_subdomains, | 251 "max-aged=3488923; " + good_pin + ";" + good_pin, chain_hashes, &max_age, |
| 219 &hashes, &report_uri)); | 252 &include_subdomains, &hashes, &report_uri)); |
| 220 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes, | 253 EXPECT_FALSE(ParseAsHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes, |
| 221 &max_age, &include_subdomains, &hashes, | 254 &max_age, &include_subdomains, &hashes, |
| 222 &report_uri)); | 255 &report_uri)); |
| 223 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, | 256 EXPECT_FALSE(ParseAsHPKPHeader("max-age==3488923", chain_hashes, &max_age, |
| 224 &include_subdomains, &hashes, &report_uri)); | 257 &include_subdomains, &hashes, &report_uri)); |
| 225 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, | 258 EXPECT_FALSE(ParseAsHPKPHeader("amax-age=3488923", chain_hashes, &max_age, |
| 226 &include_subdomains, &hashes, &report_uri)); | 259 &include_subdomains, &hashes, &report_uri)); |
| 227 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, | 260 EXPECT_FALSE(ParseAsHPKPHeader("max-age=-3488923", chain_hashes, &max_age, |
| 228 &include_subdomains, &hashes, &report_uri)); | 261 &include_subdomains, &hashes, &report_uri)); |
| 229 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, | 262 EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488923;", chain_hashes, &max_age, |
| 230 &include_subdomains, &hashes, &report_uri)); | 263 &include_subdomains, &hashes, &report_uri)); |
| 231 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, &max_age, | 264 EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488923 e", chain_hashes, |
| 232 &include_subdomains, &hashes, &report_uri)); | 265 &max_age, &include_subdomains, &hashes, |
| 233 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", | 266 &report_uri)); |
| 234 chain_hashes, &max_age, &include_subdomains, | 267 EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488923 includesubdomain", |
| 235 &hashes, &report_uri)); | 268 chain_hashes, &max_age, &include_subdomains, |
| 236 EXPECT_FALSE(ParseHPKPHeader( | 269 &hashes, &report_uri)); |
| 270 EXPECT_FALSE(ParseAsHPKPHeader( |
| 237 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes, | 271 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes, |
| 238 &max_age, &include_subdomains, &hashes, &report_uri)); | 272 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 239 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, | 273 EXPECT_FALSE(ParseAsHPKPHeader("max-age=34889.23", chain_hashes, &max_age, |
| 240 &include_subdomains, &hashes, &report_uri)); | 274 &include_subdomains, &hashes, &report_uri)); |
| 241 EXPECT_FALSE(ParseHPKPHeader( | 275 EXPECT_FALSE(ParseAsHPKPHeader( |
| 242 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes, | 276 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes, |
| 243 &max_age, &include_subdomains, &hashes, &report_uri)); | 277 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 244 EXPECT_FALSE(ParseHPKPHeader( | 278 EXPECT_FALSE(ParseAsHPKPHeader( |
| 245 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;", | 279 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;", |
| 246 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 280 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 247 EXPECT_FALSE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + | 281 EXPECT_FALSE(ParseAsHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + |
| 248 ";report-uri=http://foo.com;", | 282 ";report-uri=http://foo.com;", |
| 249 chain_hashes, &max_age, &include_subdomains, | 283 chain_hashes, &max_age, &include_subdomains, |
| 250 &hashes, &report_uri)); | 284 &hashes, &report_uri)); |
| 251 EXPECT_FALSE(ParseHPKPHeader( | 285 EXPECT_FALSE(ParseAsHPKPHeader( |
| 252 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''", | 286 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''", |
| 253 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 287 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 254 | 288 |
| 255 // Test that the parser rejects misquoted strings. | 289 // Test that the parser rejects misquoted strings. |
| 256 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 290 EXPECT_FALSE(ParseAsHPKPHeader( |
| 257 "; report-uri=\"http://foo;bar\'", | 291 "max-age=999; " + backup_pin + "; " + good_pin + |
| 258 chain_hashes, &max_age, &include_subdomains, | 292 "; report-uri=\"http://foo;bar\'", |
| 259 &hashes, &report_uri)); | 293 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 260 | 294 |
| 261 // Test that the parser rejects invalid report-uris. | 295 // Test that the parser rejects invalid report-uris. |
| 262 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 296 EXPECT_FALSE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + |
| 263 "; report-uri=\"foo;bar\'", | 297 good_pin + "; report-uri=\"foo;bar\'", |
| 264 chain_hashes, &max_age, &include_subdomains, | 298 chain_hashes, &max_age, &include_subdomains, |
| 265 &hashes, &report_uri)); | 299 &hashes, &report_uri)); |
| 266 | 300 |
| 267 // Check the out args were not updated by checking the default | 301 // Check the out args were not updated by checking the default |
| 268 // values for its predictable fields. | 302 // values for its predictable fields. |
| 269 EXPECT_EQ(0, max_age.InSeconds()); | 303 EXPECT_EQ(0, max_age.InSeconds()); |
| 270 EXPECT_EQ(hashes.size(), (size_t)0); | 304 EXPECT_EQ(hashes.size(), (size_t)0); |
| 271 } | 305 } |
| 272 | 306 |
| 273 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { | 307 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { |
| 274 base::TimeDelta max_age; | 308 base::TimeDelta max_age; |
| 275 base::TimeDelta expect_max_age; | 309 base::TimeDelta expect_max_age; |
| (...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 439 // Set some fake "chain" hashes into chain_hashes | 473 // Set some fake "chain" hashes into chain_hashes |
| 440 chain_hashes.push_back(GetTestHashValue(1, tag)); | 474 chain_hashes.push_back(GetTestHashValue(1, tag)); |
| 441 chain_hashes.push_back(GetTestHashValue(2, tag)); | 475 chain_hashes.push_back(GetTestHashValue(2, tag)); |
| 442 chain_hashes.push_back(GetTestHashValue(3, tag)); | 476 chain_hashes.push_back(GetTestHashValue(3, tag)); |
| 443 | 477 |
| 444 // The good pin must be in the chain, the backup pin must not be | 478 // The good pin must be in the chain, the backup pin must not be |
| 445 std::string good_pin = GetTestPin(2, tag); | 479 std::string good_pin = GetTestPin(2, tag); |
| 446 std::string good_pin2 = GetTestPin(3, tag); | 480 std::string good_pin2 = GetTestPin(3, tag); |
| 447 std::string backup_pin = GetTestPin(4, tag); | 481 std::string backup_pin = GetTestPin(4, tag); |
| 448 | 482 |
| 449 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin, | 483 EXPECT_TRUE(ParseAsHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin, |
| 450 chain_hashes, &max_age, &include_subdomains, | 484 chain_hashes, &max_age, &include_subdomains, |
| 451 &hashes, &report_uri)); | 485 &hashes, &report_uri)); |
| 452 expect_max_age = base::TimeDelta::FromSeconds(243); | 486 expect_max_age = base::TimeDelta::FromSeconds(243); |
| 453 EXPECT_EQ(expect_max_age, max_age); | 487 EXPECT_EQ(expect_max_age, max_age); |
| 454 EXPECT_FALSE(include_subdomains); | 488 EXPECT_FALSE(include_subdomains); |
| 455 EXPECT_TRUE(report_uri.is_empty()); | 489 EXPECT_TRUE(report_uri.is_empty()); |
| 456 | 490 |
| 457 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + | 491 EXPECT_TRUE(ParseAsHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + |
| 458 "; report-uri= \"http://example.test/foo\"", | 492 "; report-uri= \"http://example.test/foo\"", |
| 459 chain_hashes, &max_age, &include_subdomains, | 493 chain_hashes, &max_age, &include_subdomains, |
| 460 &hashes, &report_uri)); | 494 &hashes, &report_uri)); |
| 461 expect_max_age = base::TimeDelta::FromSeconds(243); | 495 expect_max_age = base::TimeDelta::FromSeconds(243); |
| 462 expect_report_uri = GURL("http://example.test/foo"); | 496 expect_report_uri = GURL("http://example.test/foo"); |
| 463 EXPECT_EQ(expect_max_age, max_age); | 497 EXPECT_EQ(expect_max_age, max_age); |
| 464 EXPECT_FALSE(include_subdomains); | 498 EXPECT_FALSE(include_subdomains); |
| 465 EXPECT_EQ(expect_report_uri, report_uri); | 499 EXPECT_EQ(expect_report_uri, report_uri); |
| 466 | 500 |
| 467 EXPECT_TRUE(ParseHPKPHeader( | 501 EXPECT_TRUE(ParseAsHPKPHeader( |
| 468 " " + good_pin + "; " + backup_pin + | 502 " " + good_pin + "; " + backup_pin + |
| 469 " ; Max-agE = 567; repOrT-URi = \"http://example.test/foo\"", | 503 " ; Max-agE = 567; repOrT-URi = \"http://example.test/foo\"", |
| 470 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 504 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 471 expect_max_age = base::TimeDelta::FromSeconds(567); | 505 expect_max_age = base::TimeDelta::FromSeconds(567); |
| 472 expect_report_uri = GURL("http://example.test/foo"); | 506 expect_report_uri = GURL("http://example.test/foo"); |
| 473 EXPECT_EQ(expect_max_age, max_age); | 507 EXPECT_EQ(expect_max_age, max_age); |
| 474 EXPECT_FALSE(include_subdomains); | 508 EXPECT_FALSE(include_subdomains); |
| 475 EXPECT_EQ(expect_report_uri, report_uri); | 509 EXPECT_EQ(expect_report_uri, report_uri); |
| 476 | 510 |
| 477 EXPECT_TRUE(ParseHPKPHeader("includeSubDOMAINS;" + good_pin + ";" + | 511 EXPECT_TRUE(ParseAsHPKPHeader("includeSubDOMAINS;" + good_pin + ";" + |
| 478 backup_pin + " ; mAx-aGe = 890 ", | 512 backup_pin + " ; mAx-aGe = 890 ", |
| 479 chain_hashes, &max_age, &include_subdomains, | 513 chain_hashes, &max_age, &include_subdomains, |
| 480 &hashes, &report_uri)); | 514 &hashes, &report_uri)); |
| 481 expect_max_age = base::TimeDelta::FromSeconds(890); | 515 expect_max_age = base::TimeDelta::FromSeconds(890); |
| 482 EXPECT_EQ(expect_max_age, max_age); | 516 EXPECT_EQ(expect_max_age, max_age); |
| 483 EXPECT_TRUE(include_subdomains); | 517 EXPECT_TRUE(include_subdomains); |
| 484 | 518 |
| 485 EXPECT_TRUE(ParseHPKPHeader( | 519 EXPECT_TRUE(ParseAsHPKPHeader( |
| 486 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes, | 520 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes, |
| 487 &max_age, &include_subdomains, &hashes, &report_uri)); | 521 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 488 expect_max_age = base::TimeDelta::FromSeconds(123); | 522 expect_max_age = base::TimeDelta::FromSeconds(123); |
| 489 EXPECT_EQ(expect_max_age, max_age); | 523 EXPECT_EQ(expect_max_age, max_age); |
| 490 EXPECT_FALSE(include_subdomains); | 524 EXPECT_FALSE(include_subdomains); |
| 491 | 525 |
| 492 EXPECT_TRUE(ParseHPKPHeader( | 526 EXPECT_TRUE(ParseAsHPKPHeader( |
| 493 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes, | 527 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes, |
| 494 &max_age, &include_subdomains, &hashes, &report_uri)); | 528 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 495 expect_max_age = base::TimeDelta::FromSeconds(394082); | 529 expect_max_age = base::TimeDelta::FromSeconds(394082); |
| 496 EXPECT_EQ(expect_max_age, max_age); | 530 EXPECT_EQ(expect_max_age, max_age); |
| 497 EXPECT_FALSE(include_subdomains); | 531 EXPECT_FALSE(include_subdomains); |
| 498 | 532 |
| 499 EXPECT_TRUE(ParseHPKPHeader( | 533 EXPECT_TRUE(ParseAsHPKPHeader( |
| 500 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes, | 534 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes, |
| 501 &max_age, &include_subdomains, &hashes, &report_uri)); | 535 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 502 expect_max_age = base::TimeDelta::FromSeconds( | 536 expect_max_age = base::TimeDelta::FromSeconds( |
| 503 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); | 537 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); |
| 504 EXPECT_EQ(expect_max_age, max_age); | 538 EXPECT_EQ(expect_max_age, max_age); |
| 505 EXPECT_FALSE(include_subdomains); | 539 EXPECT_FALSE(include_subdomains); |
| 506 | 540 |
| 507 EXPECT_TRUE(ParseHPKPHeader( | 541 EXPECT_TRUE(ParseAsHPKPHeader( |
| 508 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + | 542 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + |
| 509 good_pin + ";" + backup_pin + "; ", | 543 good_pin + ";" + backup_pin + "; ", |
| 510 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 544 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 511 expect_max_age = base::TimeDelta::FromSeconds( | 545 expect_max_age = base::TimeDelta::FromSeconds( |
| 512 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); | 546 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); |
| 513 EXPECT_EQ(expect_max_age, max_age); | 547 EXPECT_EQ(expect_max_age, max_age); |
| 514 EXPECT_TRUE(include_subdomains); | 548 EXPECT_TRUE(include_subdomains); |
| 515 | 549 |
| 516 EXPECT_TRUE(ParseHPKPHeader(" max-age=0 ; " + good_pin + ";" + backup_pin, | 550 EXPECT_TRUE(ParseAsHPKPHeader( |
| 517 chain_hashes, &max_age, &include_subdomains, | 551 " max-age=0 ; " + good_pin + ";" + backup_pin, chain_hashes, &max_age, |
| 518 &hashes, &report_uri)); | 552 &include_subdomains, &hashes, &report_uri)); |
| 519 expect_max_age = base::TimeDelta::FromSeconds(0); | 553 expect_max_age = base::TimeDelta::FromSeconds(0); |
| 520 EXPECT_EQ(expect_max_age, max_age); | 554 EXPECT_EQ(expect_max_age, max_age); |
| 521 EXPECT_FALSE(include_subdomains); | 555 EXPECT_FALSE(include_subdomains); |
| 522 | 556 |
| 523 EXPECT_TRUE(ParseHPKPHeader( | 557 EXPECT_TRUE(ParseAsHPKPHeader( |
| 524 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, | 558 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, |
| 525 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 559 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 526 expect_max_age = base::TimeDelta::FromSeconds(0); | 560 expect_max_age = base::TimeDelta::FromSeconds(0); |
| 527 EXPECT_EQ(expect_max_age, max_age); | 561 EXPECT_EQ(expect_max_age, max_age); |
| 528 EXPECT_TRUE(include_subdomains); | 562 EXPECT_TRUE(include_subdomains); |
| 529 | 563 |
| 530 EXPECT_TRUE(ParseHPKPHeader( | 564 EXPECT_TRUE(ParseAsHPKPHeader( |
| 531 " max-age=999999999999999999999999999999999999999999999 ; " + | 565 " max-age=999999999999999999999999999999999999999999999 ; " + |
| 532 backup_pin + ";" + good_pin + "; ", | 566 backup_pin + ";" + good_pin + "; ", |
| 533 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 567 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 534 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | 568 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); |
| 535 EXPECT_EQ(expect_max_age, max_age); | 569 EXPECT_EQ(expect_max_age, max_age); |
| 536 EXPECT_FALSE(include_subdomains); | 570 EXPECT_FALSE(include_subdomains); |
| 537 | 571 |
| 538 EXPECT_TRUE(ParseHPKPHeader( | 572 EXPECT_TRUE(ParseAsHPKPHeader( |
| 539 " max-age=999999999999999999999999999999999999999999999 ; " + | 573 " max-age=999999999999999999999999999999999999999999999 ; " + |
| 540 backup_pin + ";" + good_pin + | 574 backup_pin + ";" + good_pin + |
| 541 "; report-uri=\"http://example.test/foo\"", | 575 "; report-uri=\"http://example.test/foo\"", |
| 542 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 576 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
| 543 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | 577 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); |
| 544 expect_report_uri = GURL("http://example.test/foo"); | 578 expect_report_uri = GURL("http://example.test/foo"); |
| 545 EXPECT_EQ(expect_max_age, max_age); | 579 EXPECT_EQ(expect_max_age, max_age); |
| 546 EXPECT_FALSE(include_subdomains); | 580 EXPECT_FALSE(include_subdomains); |
| 547 EXPECT_EQ(expect_report_uri, report_uri); | 581 EXPECT_EQ(expect_report_uri, report_uri); |
| 548 | 582 |
| 549 // Test that parsing a different header resets the hashes. | 583 // Test that parsing a different header resets the hashes. |
| 550 hashes.clear(); | 584 hashes.clear(); |
| 551 EXPECT_TRUE(ParseHPKPHeader( | 585 EXPECT_TRUE(ParseAsHPKPHeader( |
| 552 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes, | 586 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes, |
| 553 &max_age, &include_subdomains, &hashes, &report_uri)); | 587 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 554 EXPECT_EQ(2u, hashes.size()); | 588 EXPECT_EQ(2u, hashes.size()); |
| 555 EXPECT_TRUE(ParseHPKPHeader( | 589 EXPECT_TRUE(ParseAsHPKPHeader( |
| 556 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, | 590 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, |
| 557 &max_age, &include_subdomains, &hashes, &report_uri)); | 591 &max_age, &include_subdomains, &hashes, &report_uri)); |
| 558 EXPECT_EQ(2u, hashes.size()); | 592 EXPECT_EQ(2u, hashes.size()); |
| 559 | 593 |
| 560 // Test that the parser correctly parses an unencoded ';' inside a | 594 // Test that the parser correctly parses an unencoded ';' inside a |
| 561 // quoted report-uri. | 595 // quoted report-uri. |
| 562 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 596 EXPECT_TRUE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + |
| 563 "; report-uri=\"http://foo.com/?;bar\"", | 597 "; report-uri=\"http://foo.com/?;bar\"", |
| 564 chain_hashes, &max_age, &include_subdomains, | 598 chain_hashes, &max_age, &include_subdomains, |
| 565 &hashes, &report_uri)); | 599 &hashes, &report_uri)); |
| 566 expect_max_age = base::TimeDelta::FromSeconds(999); | 600 expect_max_age = base::TimeDelta::FromSeconds(999); |
| 567 expect_report_uri = GURL("http://foo.com/?;bar"); | 601 expect_report_uri = GURL("http://foo.com/?;bar"); |
| 568 EXPECT_EQ(expect_max_age, max_age); | 602 EXPECT_EQ(expect_max_age, max_age); |
| 569 EXPECT_FALSE(include_subdomains); | 603 EXPECT_FALSE(include_subdomains); |
| 570 EXPECT_EQ(expect_report_uri, report_uri); | 604 EXPECT_EQ(expect_report_uri, report_uri); |
| 571 | 605 |
| 572 // Test that the parser correctly parses a report-uri with a >0x7f | 606 // Test that the parser correctly parses a report-uri with a >0x7f |
| 573 // character. | 607 // character. |
| 574 std::string uri = "http://foo.com/"; | 608 std::string uri = "http://foo.com/"; |
| 575 uri += char(0x7f); | 609 uri += char(0x7f); |
| 576 expect_report_uri = GURL(uri); | 610 expect_report_uri = GURL(uri); |
| 577 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 611 EXPECT_TRUE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + |
| 578 "; report-uri=\"" + uri + "\"", | 612 "; report-uri=\"" + uri + "\"", |
| 579 chain_hashes, &max_age, &include_subdomains, | 613 chain_hashes, &max_age, &include_subdomains, |
| 580 &hashes, &report_uri)); | 614 &hashes, &report_uri)); |
| 581 expect_max_age = base::TimeDelta::FromSeconds(999); | 615 expect_max_age = base::TimeDelta::FromSeconds(999); |
| 582 EXPECT_EQ(expect_max_age, max_age); | 616 EXPECT_EQ(expect_max_age, max_age); |
| 583 EXPECT_FALSE(include_subdomains); | 617 EXPECT_FALSE(include_subdomains); |
| 584 EXPECT_EQ(expect_report_uri, report_uri); | 618 EXPECT_EQ(expect_report_uri, report_uri); |
| 585 | 619 |
| 586 // Test that the parser allows quoted max-age values. | 620 // Test that the parser allows quoted max-age values. |
| 587 EXPECT_TRUE(ParseHPKPHeader("max-age='999'; " + backup_pin + "; " + good_pin, | 621 EXPECT_TRUE(ParseAsHPKPHeader( |
| 588 chain_hashes, &max_age, &include_subdomains, | 622 "max-age='999'; " + backup_pin + "; " + good_pin, chain_hashes, &max_age, |
| 589 &hashes, &report_uri)); | 623 &include_subdomains, &hashes, &report_uri)); |
| 590 expect_max_age = base::TimeDelta::FromSeconds(999); | 624 expect_max_age = base::TimeDelta::FromSeconds(999); |
| 591 EXPECT_EQ(expect_max_age, max_age); | 625 EXPECT_EQ(expect_max_age, max_age); |
| 592 EXPECT_FALSE(include_subdomains); | 626 EXPECT_FALSE(include_subdomains); |
| 593 | 627 |
| 594 // Test that the parser handles escaped values. | 628 // Test that the parser handles escaped values. |
| 595 expect_report_uri = GURL("http://foo.com'a"); | 629 expect_report_uri = GURL("http://foo.com'a"); |
| 596 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 630 EXPECT_TRUE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + |
| 597 "; report-uri='http://foo.com\\'\\a'", | 631 "; report-uri='http://foo.com\\'\\a'", |
| 598 chain_hashes, &max_age, &include_subdomains, | 632 chain_hashes, &max_age, &include_subdomains, |
| 599 &hashes, &report_uri)); | 633 &hashes, &report_uri)); |
| 600 expect_max_age = base::TimeDelta::FromSeconds(999); | 634 expect_max_age = base::TimeDelta::FromSeconds(999); |
| 601 EXPECT_EQ(expect_max_age, max_age); | 635 EXPECT_EQ(expect_max_age, max_age); |
| 602 EXPECT_FALSE(include_subdomains); | 636 EXPECT_FALSE(include_subdomains); |
| 603 EXPECT_EQ(expect_report_uri, report_uri); | 637 EXPECT_EQ(expect_report_uri, report_uri); |
| 638 |
| 639 // Test that the parser does not require max-age for Report-Only |
| 640 // headers. |
| 641 expect_report_uri = GURL("http://foo.com"); |
| 642 EXPECT_TRUE(ParseHPKPReportOnlyHeader( |
| 643 backup_pin + "; " + good_pin + "; report-uri='http://foo.com'", |
| 644 &include_subdomains, &hashes, &report_uri)); |
| 645 EXPECT_EQ(expect_report_uri, report_uri); |
| 604 } | 646 } |
| 605 | 647 |
| 606 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { | 648 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { |
| 607 TestBogusPinsHeaders(HASH_VALUE_SHA1); | 649 TestBogusPinsHeaders(HASH_VALUE_SHA1); |
| 608 } | 650 } |
| 609 | 651 |
| 610 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { | 652 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { |
| 611 TestBogusPinsHeaders(HASH_VALUE_SHA256); | 653 TestBogusPinsHeaders(HASH_VALUE_SHA256); |
| 612 } | 654 } |
| 613 | 655 |
| (...skipping 256 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 870 ssl_info)); | 912 ssl_info)); |
| 871 | 913 |
| 872 // The old pins must still exist. | 914 // The old pins must still exist. |
| 873 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 915 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
| 874 EXPECT_TRUE(state.CheckPublicKeyPins( | 916 EXPECT_TRUE(state.CheckPublicKeyPins( |
| 875 domain_port, is_issued_by_known_root, ssl_info.public_key_hashes, nullptr, | 917 domain_port, is_issued_by_known_root, ssl_info.public_key_hashes, nullptr, |
| 876 nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); | 918 nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); |
| 877 } | 919 } |
| 878 | 920 |
| 879 }; // namespace net | 921 }; // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1267513003:
Add parsing for Public-Key-Pins-Report-Only header (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master