OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <stdint.h> | 5 #include <stdint.h> |
6 #include <algorithm> | 6 #include <algorithm> |
7 | 7 |
8 #include "base/base64.h" | 8 #include "base/base64.h" |
9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
10 #include "base/strings/string_piece.h" | 10 #include "base/strings/string_piece.h" |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
57 std::string GetTestPin(uint8 label, HashValueTag tag) { | 57 std::string GetTestPin(uint8 label, HashValueTag tag) { |
58 return GetTestPinImpl(label, tag, true); | 58 return GetTestPinImpl(label, tag, true); |
59 } | 59 } |
60 | 60 |
61 std::string GetTestPinUnquoted(uint8 label, HashValueTag tag) { | 61 std::string GetTestPinUnquoted(uint8 label, HashValueTag tag) { |
62 return GetTestPinImpl(label, tag, false); | 62 return GetTestPinImpl(label, tag, false); |
63 } | 63 } |
64 | 64 |
65 }; | 65 }; |
66 | 66 |
| 67 // Parses the given header |value| as both a Public-Key-Pins-Report-Only |
| 68 // and Public-Key-Pins header. Returns true if the value parses |
| 69 // successfully for both header types, and if the parsed hashes and |
| 70 // report_uri match for both header types. |
| 71 bool ParseAsHPKPHeader(const std::string& value, |
| 72 const HashValueVector& chain_hashes, |
| 73 base::TimeDelta* max_age, |
| 74 bool* include_subdomains, |
| 75 HashValueVector* hashes, |
| 76 GURL* report_uri) { |
| 77 GURL report_only_uri; |
| 78 bool report_only_include_subdomains; |
| 79 HashValueVector report_only_hashes; |
| 80 if (!ParseHPKPReportOnlyHeader(value, &report_only_include_subdomains, |
| 81 &report_only_hashes, &report_only_uri)) { |
| 82 return false; |
| 83 } |
| 84 |
| 85 bool result = ParseHPKPHeader(value, chain_hashes, max_age, |
| 86 include_subdomains, hashes, report_uri); |
| 87 if (!result || report_only_include_subdomains != *include_subdomains || |
| 88 report_only_uri != *report_uri || |
| 89 report_only_hashes.size() != hashes->size()) { |
| 90 return false; |
| 91 } |
| 92 |
| 93 for (size_t i = 0; i < report_only_hashes.size(); i++) { |
| 94 if (!(*hashes)[i].Equals(report_only_hashes[i])) |
| 95 return false; |
| 96 } |
| 97 |
| 98 return true; |
| 99 } |
67 | 100 |
68 class HttpSecurityHeadersTest : public testing::Test { | 101 class HttpSecurityHeadersTest : public testing::Test { |
69 }; | 102 }; |
70 | 103 |
71 | 104 |
72 TEST_F(HttpSecurityHeadersTest, BogusHeaders) { | 105 TEST_F(HttpSecurityHeadersTest, BogusHeaders) { |
73 base::TimeDelta max_age; | 106 base::TimeDelta max_age; |
74 bool include_subdomains = false; | 107 bool include_subdomains = false; |
75 | 108 |
76 EXPECT_FALSE( | 109 EXPECT_FALSE( |
(...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
158 // Set some fake "chain" hashes | 191 // Set some fake "chain" hashes |
159 chain_hashes.push_back(GetTestHashValue(1, tag)); | 192 chain_hashes.push_back(GetTestHashValue(1, tag)); |
160 chain_hashes.push_back(GetTestHashValue(2, tag)); | 193 chain_hashes.push_back(GetTestHashValue(2, tag)); |
161 chain_hashes.push_back(GetTestHashValue(3, tag)); | 194 chain_hashes.push_back(GetTestHashValue(3, tag)); |
162 | 195 |
163 // The good pin must be in the chain, the backup pin must not be | 196 // The good pin must be in the chain, the backup pin must not be |
164 std::string good_pin = GetTestPin(2, tag); | 197 std::string good_pin = GetTestPin(2, tag); |
165 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); | 198 std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); |
166 std::string backup_pin = GetTestPin(4, tag); | 199 std::string backup_pin = GetTestPin(4, tag); |
167 | 200 |
168 EXPECT_FALSE(ParseHPKPHeader(std::string(), chain_hashes, &max_age, | 201 EXPECT_FALSE(ParseAsHPKPHeader(std::string(), chain_hashes, &max_age, |
169 &include_subdomains, &hashes, &report_uri)); | 202 &include_subdomains, &hashes, &report_uri)); |
170 EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, | 203 EXPECT_FALSE(ParseAsHPKPHeader(" ", chain_hashes, &max_age, |
171 &include_subdomains, &hashes, &report_uri)); | 204 &include_subdomains, &hashes, &report_uri)); |
172 EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, | 205 EXPECT_FALSE(ParseAsHPKPHeader("abc", chain_hashes, &max_age, |
173 &include_subdomains, &hashes, &report_uri)); | 206 &include_subdomains, &hashes, &report_uri)); |
174 EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, | 207 EXPECT_FALSE(ParseAsHPKPHeader(" abc", chain_hashes, &max_age, |
175 &include_subdomains, &hashes, &report_uri)); | 208 &include_subdomains, &hashes, &report_uri)); |
176 EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age, | 209 EXPECT_FALSE(ParseAsHPKPHeader(" abc ", chain_hashes, &max_age, |
177 &include_subdomains, &hashes, &report_uri)); | 210 &include_subdomains, &hashes, &report_uri)); |
178 EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age, | 211 EXPECT_FALSE(ParseAsHPKPHeader("max-age", chain_hashes, &max_age, |
179 &include_subdomains, &hashes, &report_uri)); | 212 &include_subdomains, &hashes, &report_uri)); |
180 EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age, | 213 EXPECT_FALSE(ParseAsHPKPHeader(" max-age", chain_hashes, &max_age, |
181 &include_subdomains, &hashes, &report_uri)); | 214 &include_subdomains, &hashes, &report_uri)); |
182 EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age, | 215 EXPECT_FALSE(ParseAsHPKPHeader(" max-age ", chain_hashes, &max_age, |
183 &include_subdomains, &hashes, &report_uri)); | 216 &include_subdomains, &hashes, &report_uri)); |
184 EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age, | 217 EXPECT_FALSE(ParseAsHPKPHeader("max-age=", chain_hashes, &max_age, |
185 &include_subdomains, &hashes, &report_uri)); | 218 &include_subdomains, &hashes, &report_uri)); |
186 EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age, | 219 EXPECT_FALSE(ParseAsHPKPHeader(" max-age=", chain_hashes, &max_age, |
187 &include_subdomains, &hashes, &report_uri)); | 220 &include_subdomains, &hashes, &report_uri)); |
188 EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age, | 221 EXPECT_FALSE(ParseAsHPKPHeader(" max-age =", chain_hashes, &max_age, |
189 &include_subdomains, &hashes, &report_uri)); | 222 &include_subdomains, &hashes, &report_uri)); |
190 EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age, | 223 EXPECT_FALSE(ParseAsHPKPHeader(" max-age= ", chain_hashes, &max_age, |
191 &include_subdomains, &hashes, &report_uri)); | 224 &include_subdomains, &hashes, &report_uri)); |
192 EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes, &max_age, | 225 EXPECT_FALSE(ParseAsHPKPHeader(" max-age = ", chain_hashes, &max_age, |
193 &include_subdomains, &hashes, &report_uri)); | 226 &include_subdomains, &hashes, &report_uri)); |
194 EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes, &max_age, | 227 EXPECT_FALSE(ParseAsHPKPHeader(" max-age = xy", chain_hashes, &max_age, |
195 &include_subdomains, &hashes, &report_uri)); | 228 &include_subdomains, &hashes, &report_uri)); |
196 EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923", chain_hashes, | 229 EXPECT_FALSE(ParseAsHPKPHeader(" max-age = 3488a923", chain_hashes, |
197 &max_age, &include_subdomains, &hashes, | 230 &max_age, &include_subdomains, &hashes, |
198 &report_uri)); | 231 &report_uri)); |
199 EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age, | 232 EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age, |
200 &include_subdomains, &hashes, &report_uri)); | 233 &include_subdomains, &hashes, &report_uri)); |
201 EXPECT_FALSE(ParseHPKPHeader( | 234 EXPECT_FALSE(ParseAsHPKPHeader( |
202 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes, | 235 "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes, |
203 &max_age, &include_subdomains, &hashes, &report_uri)); | 236 &max_age, &include_subdomains, &hashes, &report_uri)); |
204 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;pins=" + good_pin + "," + | 237 EXPECT_FALSE(ParseAsHPKPHeader( |
205 backup_pin + "report-uri=\"http://foo.com\"", | 238 "max-age=3488923;pins=" + good_pin + "," + backup_pin + |
206 chain_hashes, &max_age, &include_subdomains, | 239 "report-uri=\"http://foo.com\"", |
207 &hashes, &report_uri)); | 240 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
208 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes, | 241 EXPECT_FALSE(ParseAsHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes, |
209 &max_age, &include_subdomains, &hashes, | 242 &max_age, &include_subdomains, &hashes, |
210 &report_uri)); | 243 &report_uri)); |
211 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes, | 244 EXPECT_FALSE(ParseAsHPKPHeader("max-aged=3488923; " + backup_pin, |
212 &max_age, &include_subdomains, &hashes, | 245 chain_hashes, &max_age, &include_subdomains, |
213 &report_uri)); | 246 &hashes, &report_uri)); |
214 EXPECT_FALSE(ParseHPKPHeader( | 247 EXPECT_FALSE(ParseAsHPKPHeader( |
215 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes, | 248 "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes, |
216 &max_age, &include_subdomains, &hashes, &report_uri)); | 249 &max_age, &include_subdomains, &hashes, &report_uri)); |
217 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" + good_pin, | 250 EXPECT_FALSE(ParseAsHPKPHeader( |
218 chain_hashes, &max_age, &include_subdomains, | 251 "max-aged=3488923; " + good_pin + ";" + good_pin, chain_hashes, &max_age, |
219 &hashes, &report_uri)); | 252 &include_subdomains, &hashes, &report_uri)); |
220 EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes, | 253 EXPECT_FALSE(ParseAsHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes, |
221 &max_age, &include_subdomains, &hashes, | 254 &max_age, &include_subdomains, &hashes, |
222 &report_uri)); | 255 &report_uri)); |
223 EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age, | 256 EXPECT_FALSE(ParseAsHPKPHeader("max-age==3488923", chain_hashes, &max_age, |
224 &include_subdomains, &hashes, &report_uri)); | 257 &include_subdomains, &hashes, &report_uri)); |
225 EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age, | 258 EXPECT_FALSE(ParseAsHPKPHeader("amax-age=3488923", chain_hashes, &max_age, |
226 &include_subdomains, &hashes, &report_uri)); | 259 &include_subdomains, &hashes, &report_uri)); |
227 EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age, | 260 EXPECT_FALSE(ParseAsHPKPHeader("max-age=-3488923", chain_hashes, &max_age, |
228 &include_subdomains, &hashes, &report_uri)); | 261 &include_subdomains, &hashes, &report_uri)); |
229 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age, | 262 EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488923;", chain_hashes, &max_age, |
230 &include_subdomains, &hashes, &report_uri)); | 263 &include_subdomains, &hashes, &report_uri)); |
231 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes, &max_age, | 264 EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488923 e", chain_hashes, |
232 &include_subdomains, &hashes, &report_uri)); | 265 &max_age, &include_subdomains, &hashes, |
233 EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain", | 266 &report_uri)); |
234 chain_hashes, &max_age, &include_subdomains, | 267 EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488923 includesubdomain", |
235 &hashes, &report_uri)); | 268 chain_hashes, &max_age, &include_subdomains, |
236 EXPECT_FALSE(ParseHPKPHeader( | 269 &hashes, &report_uri)); |
| 270 EXPECT_FALSE(ParseAsHPKPHeader( |
237 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes, | 271 "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes, |
238 &max_age, &include_subdomains, &hashes, &report_uri)); | 272 &max_age, &include_subdomains, &hashes, &report_uri)); |
239 EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age, | 273 EXPECT_FALSE(ParseAsHPKPHeader("max-age=34889.23", chain_hashes, &max_age, |
240 &include_subdomains, &hashes, &report_uri)); | 274 &include_subdomains, &hashes, &report_uri)); |
241 EXPECT_FALSE(ParseHPKPHeader( | 275 EXPECT_FALSE(ParseAsHPKPHeader( |
242 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes, | 276 "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes, |
243 &max_age, &include_subdomains, &hashes, &report_uri)); | 277 &max_age, &include_subdomains, &hashes, &report_uri)); |
244 EXPECT_FALSE(ParseHPKPHeader( | 278 EXPECT_FALSE(ParseAsHPKPHeader( |
245 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;", | 279 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;", |
246 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 280 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
247 EXPECT_FALSE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + | 281 EXPECT_FALSE(ParseAsHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + |
248 ";report-uri=http://foo.com;", | 282 ";report-uri=http://foo.com;", |
249 chain_hashes, &max_age, &include_subdomains, | 283 chain_hashes, &max_age, &include_subdomains, |
250 &hashes, &report_uri)); | 284 &hashes, &report_uri)); |
251 EXPECT_FALSE(ParseHPKPHeader( | 285 EXPECT_FALSE(ParseAsHPKPHeader( |
252 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''", | 286 "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''", |
253 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 287 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
254 | 288 |
255 // Test that the parser rejects misquoted strings. | 289 // Test that the parser rejects misquoted strings. |
256 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 290 EXPECT_FALSE(ParseAsHPKPHeader( |
257 "; report-uri=\"http://foo;bar\'", | 291 "max-age=999; " + backup_pin + "; " + good_pin + |
258 chain_hashes, &max_age, &include_subdomains, | 292 "; report-uri=\"http://foo;bar\'", |
259 &hashes, &report_uri)); | 293 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
260 | 294 |
261 // Test that the parser rejects invalid report-uris. | 295 // Test that the parser rejects invalid report-uris. |
262 EXPECT_FALSE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 296 EXPECT_FALSE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + |
263 "; report-uri=\"foo;bar\'", | 297 good_pin + "; report-uri=\"foo;bar\'", |
264 chain_hashes, &max_age, &include_subdomains, | 298 chain_hashes, &max_age, &include_subdomains, |
265 &hashes, &report_uri)); | 299 &hashes, &report_uri)); |
266 | 300 |
267 // Check the out args were not updated by checking the default | 301 // Check the out args were not updated by checking the default |
268 // values for its predictable fields. | 302 // values for its predictable fields. |
269 EXPECT_EQ(0, max_age.InSeconds()); | 303 EXPECT_EQ(0, max_age.InSeconds()); |
270 EXPECT_EQ(hashes.size(), (size_t)0); | 304 EXPECT_EQ(hashes.size(), (size_t)0); |
271 } | 305 } |
272 | 306 |
273 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { | 307 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { |
274 base::TimeDelta max_age; | 308 base::TimeDelta max_age; |
275 base::TimeDelta expect_max_age; | 309 base::TimeDelta expect_max_age; |
(...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
439 // Set some fake "chain" hashes into chain_hashes | 473 // Set some fake "chain" hashes into chain_hashes |
440 chain_hashes.push_back(GetTestHashValue(1, tag)); | 474 chain_hashes.push_back(GetTestHashValue(1, tag)); |
441 chain_hashes.push_back(GetTestHashValue(2, tag)); | 475 chain_hashes.push_back(GetTestHashValue(2, tag)); |
442 chain_hashes.push_back(GetTestHashValue(3, tag)); | 476 chain_hashes.push_back(GetTestHashValue(3, tag)); |
443 | 477 |
444 // The good pin must be in the chain, the backup pin must not be | 478 // The good pin must be in the chain, the backup pin must not be |
445 std::string good_pin = GetTestPin(2, tag); | 479 std::string good_pin = GetTestPin(2, tag); |
446 std::string good_pin2 = GetTestPin(3, tag); | 480 std::string good_pin2 = GetTestPin(3, tag); |
447 std::string backup_pin = GetTestPin(4, tag); | 481 std::string backup_pin = GetTestPin(4, tag); |
448 | 482 |
449 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin, | 483 EXPECT_TRUE(ParseAsHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin, |
450 chain_hashes, &max_age, &include_subdomains, | 484 chain_hashes, &max_age, &include_subdomains, |
451 &hashes, &report_uri)); | 485 &hashes, &report_uri)); |
452 expect_max_age = base::TimeDelta::FromSeconds(243); | 486 expect_max_age = base::TimeDelta::FromSeconds(243); |
453 EXPECT_EQ(expect_max_age, max_age); | 487 EXPECT_EQ(expect_max_age, max_age); |
454 EXPECT_FALSE(include_subdomains); | 488 EXPECT_FALSE(include_subdomains); |
455 EXPECT_TRUE(report_uri.is_empty()); | 489 EXPECT_TRUE(report_uri.is_empty()); |
456 | 490 |
457 EXPECT_TRUE(ParseHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + | 491 EXPECT_TRUE(ParseAsHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + |
458 "; report-uri= \"http://example.test/foo\"", | 492 "; report-uri= \"http://example.test/foo\"", |
459 chain_hashes, &max_age, &include_subdomains, | 493 chain_hashes, &max_age, &include_subdomains, |
460 &hashes, &report_uri)); | 494 &hashes, &report_uri)); |
461 expect_max_age = base::TimeDelta::FromSeconds(243); | 495 expect_max_age = base::TimeDelta::FromSeconds(243); |
462 expect_report_uri = GURL("http://example.test/foo"); | 496 expect_report_uri = GURL("http://example.test/foo"); |
463 EXPECT_EQ(expect_max_age, max_age); | 497 EXPECT_EQ(expect_max_age, max_age); |
464 EXPECT_FALSE(include_subdomains); | 498 EXPECT_FALSE(include_subdomains); |
465 EXPECT_EQ(expect_report_uri, report_uri); | 499 EXPECT_EQ(expect_report_uri, report_uri); |
466 | 500 |
467 EXPECT_TRUE(ParseHPKPHeader( | 501 EXPECT_TRUE(ParseAsHPKPHeader( |
468 " " + good_pin + "; " + backup_pin + | 502 " " + good_pin + "; " + backup_pin + |
469 " ; Max-agE = 567; repOrT-URi = \"http://example.test/foo\"", | 503 " ; Max-agE = 567; repOrT-URi = \"http://example.test/foo\"", |
470 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 504 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
471 expect_max_age = base::TimeDelta::FromSeconds(567); | 505 expect_max_age = base::TimeDelta::FromSeconds(567); |
472 expect_report_uri = GURL("http://example.test/foo"); | 506 expect_report_uri = GURL("http://example.test/foo"); |
473 EXPECT_EQ(expect_max_age, max_age); | 507 EXPECT_EQ(expect_max_age, max_age); |
474 EXPECT_FALSE(include_subdomains); | 508 EXPECT_FALSE(include_subdomains); |
475 EXPECT_EQ(expect_report_uri, report_uri); | 509 EXPECT_EQ(expect_report_uri, report_uri); |
476 | 510 |
477 EXPECT_TRUE(ParseHPKPHeader("includeSubDOMAINS;" + good_pin + ";" + | 511 EXPECT_TRUE(ParseAsHPKPHeader("includeSubDOMAINS;" + good_pin + ";" + |
478 backup_pin + " ; mAx-aGe = 890 ", | 512 backup_pin + " ; mAx-aGe = 890 ", |
479 chain_hashes, &max_age, &include_subdomains, | 513 chain_hashes, &max_age, &include_subdomains, |
480 &hashes, &report_uri)); | 514 &hashes, &report_uri)); |
481 expect_max_age = base::TimeDelta::FromSeconds(890); | 515 expect_max_age = base::TimeDelta::FromSeconds(890); |
482 EXPECT_EQ(expect_max_age, max_age); | 516 EXPECT_EQ(expect_max_age, max_age); |
483 EXPECT_TRUE(include_subdomains); | 517 EXPECT_TRUE(include_subdomains); |
484 | 518 |
485 EXPECT_TRUE(ParseHPKPHeader( | 519 EXPECT_TRUE(ParseAsHPKPHeader( |
486 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes, | 520 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes, |
487 &max_age, &include_subdomains, &hashes, &report_uri)); | 521 &max_age, &include_subdomains, &hashes, &report_uri)); |
488 expect_max_age = base::TimeDelta::FromSeconds(123); | 522 expect_max_age = base::TimeDelta::FromSeconds(123); |
489 EXPECT_EQ(expect_max_age, max_age); | 523 EXPECT_EQ(expect_max_age, max_age); |
490 EXPECT_FALSE(include_subdomains); | 524 EXPECT_FALSE(include_subdomains); |
491 | 525 |
492 EXPECT_TRUE(ParseHPKPHeader( | 526 EXPECT_TRUE(ParseAsHPKPHeader( |
493 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes, | 527 "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes, |
494 &max_age, &include_subdomains, &hashes, &report_uri)); | 528 &max_age, &include_subdomains, &hashes, &report_uri)); |
495 expect_max_age = base::TimeDelta::FromSeconds(394082); | 529 expect_max_age = base::TimeDelta::FromSeconds(394082); |
496 EXPECT_EQ(expect_max_age, max_age); | 530 EXPECT_EQ(expect_max_age, max_age); |
497 EXPECT_FALSE(include_subdomains); | 531 EXPECT_FALSE(include_subdomains); |
498 | 532 |
499 EXPECT_TRUE(ParseHPKPHeader( | 533 EXPECT_TRUE(ParseAsHPKPHeader( |
500 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes, | 534 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes, |
501 &max_age, &include_subdomains, &hashes, &report_uri)); | 535 &max_age, &include_subdomains, &hashes, &report_uri)); |
502 expect_max_age = base::TimeDelta::FromSeconds( | 536 expect_max_age = base::TimeDelta::FromSeconds( |
503 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); | 537 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(39408299)))); |
504 EXPECT_EQ(expect_max_age, max_age); | 538 EXPECT_EQ(expect_max_age, max_age); |
505 EXPECT_FALSE(include_subdomains); | 539 EXPECT_FALSE(include_subdomains); |
506 | 540 |
507 EXPECT_TRUE(ParseHPKPHeader( | 541 EXPECT_TRUE(ParseAsHPKPHeader( |
508 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + | 542 "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + |
509 good_pin + ";" + backup_pin + "; ", | 543 good_pin + ";" + backup_pin + "; ", |
510 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 544 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
511 expect_max_age = base::TimeDelta::FromSeconds( | 545 expect_max_age = base::TimeDelta::FromSeconds( |
512 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); | 546 std::min(kMaxHSTSAgeSecs, static_cast<int64>(INT64_C(394082038)))); |
513 EXPECT_EQ(expect_max_age, max_age); | 547 EXPECT_EQ(expect_max_age, max_age); |
514 EXPECT_TRUE(include_subdomains); | 548 EXPECT_TRUE(include_subdomains); |
515 | 549 |
516 EXPECT_TRUE(ParseHPKPHeader(" max-age=0 ; " + good_pin + ";" + backup_pin, | 550 EXPECT_TRUE(ParseAsHPKPHeader( |
517 chain_hashes, &max_age, &include_subdomains, | 551 " max-age=0 ; " + good_pin + ";" + backup_pin, chain_hashes, &max_age, |
518 &hashes, &report_uri)); | 552 &include_subdomains, &hashes, &report_uri)); |
519 expect_max_age = base::TimeDelta::FromSeconds(0); | 553 expect_max_age = base::TimeDelta::FromSeconds(0); |
520 EXPECT_EQ(expect_max_age, max_age); | 554 EXPECT_EQ(expect_max_age, max_age); |
521 EXPECT_FALSE(include_subdomains); | 555 EXPECT_FALSE(include_subdomains); |
522 | 556 |
523 EXPECT_TRUE(ParseHPKPHeader( | 557 EXPECT_TRUE(ParseAsHPKPHeader( |
524 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, | 558 " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, |
525 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 559 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
526 expect_max_age = base::TimeDelta::FromSeconds(0); | 560 expect_max_age = base::TimeDelta::FromSeconds(0); |
527 EXPECT_EQ(expect_max_age, max_age); | 561 EXPECT_EQ(expect_max_age, max_age); |
528 EXPECT_TRUE(include_subdomains); | 562 EXPECT_TRUE(include_subdomains); |
529 | 563 |
530 EXPECT_TRUE(ParseHPKPHeader( | 564 EXPECT_TRUE(ParseAsHPKPHeader( |
531 " max-age=999999999999999999999999999999999999999999999 ; " + | 565 " max-age=999999999999999999999999999999999999999999999 ; " + |
532 backup_pin + ";" + good_pin + "; ", | 566 backup_pin + ";" + good_pin + "; ", |
533 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 567 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
534 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | 568 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); |
535 EXPECT_EQ(expect_max_age, max_age); | 569 EXPECT_EQ(expect_max_age, max_age); |
536 EXPECT_FALSE(include_subdomains); | 570 EXPECT_FALSE(include_subdomains); |
537 | 571 |
538 EXPECT_TRUE(ParseHPKPHeader( | 572 EXPECT_TRUE(ParseAsHPKPHeader( |
539 " max-age=999999999999999999999999999999999999999999999 ; " + | 573 " max-age=999999999999999999999999999999999999999999999 ; " + |
540 backup_pin + ";" + good_pin + | 574 backup_pin + ";" + good_pin + |
541 "; report-uri=\"http://example.test/foo\"", | 575 "; report-uri=\"http://example.test/foo\"", |
542 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); | 576 chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); |
543 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | 577 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); |
544 expect_report_uri = GURL("http://example.test/foo"); | 578 expect_report_uri = GURL("http://example.test/foo"); |
545 EXPECT_EQ(expect_max_age, max_age); | 579 EXPECT_EQ(expect_max_age, max_age); |
546 EXPECT_FALSE(include_subdomains); | 580 EXPECT_FALSE(include_subdomains); |
547 EXPECT_EQ(expect_report_uri, report_uri); | 581 EXPECT_EQ(expect_report_uri, report_uri); |
548 | 582 |
549 // Test that parsing a different header resets the hashes. | 583 // Test that parsing a different header resets the hashes. |
550 hashes.clear(); | 584 hashes.clear(); |
551 EXPECT_TRUE(ParseHPKPHeader( | 585 EXPECT_TRUE(ParseAsHPKPHeader( |
552 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes, | 586 " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes, |
553 &max_age, &include_subdomains, &hashes, &report_uri)); | 587 &max_age, &include_subdomains, &hashes, &report_uri)); |
554 EXPECT_EQ(2u, hashes.size()); | 588 EXPECT_EQ(2u, hashes.size()); |
555 EXPECT_TRUE(ParseHPKPHeader( | 589 EXPECT_TRUE(ParseAsHPKPHeader( |
556 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, | 590 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, |
557 &max_age, &include_subdomains, &hashes, &report_uri)); | 591 &max_age, &include_subdomains, &hashes, &report_uri)); |
558 EXPECT_EQ(2u, hashes.size()); | 592 EXPECT_EQ(2u, hashes.size()); |
559 | 593 |
560 // Test that the parser correctly parses an unencoded ';' inside a | 594 // Test that the parser correctly parses an unencoded ';' inside a |
561 // quoted report-uri. | 595 // quoted report-uri. |
562 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 596 EXPECT_TRUE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + |
563 "; report-uri=\"http://foo.com/?;bar\"", | 597 "; report-uri=\"http://foo.com/?;bar\"", |
564 chain_hashes, &max_age, &include_subdomains, | 598 chain_hashes, &max_age, &include_subdomains, |
565 &hashes, &report_uri)); | 599 &hashes, &report_uri)); |
566 expect_max_age = base::TimeDelta::FromSeconds(999); | 600 expect_max_age = base::TimeDelta::FromSeconds(999); |
567 expect_report_uri = GURL("http://foo.com/?;bar"); | 601 expect_report_uri = GURL("http://foo.com/?;bar"); |
568 EXPECT_EQ(expect_max_age, max_age); | 602 EXPECT_EQ(expect_max_age, max_age); |
569 EXPECT_FALSE(include_subdomains); | 603 EXPECT_FALSE(include_subdomains); |
570 EXPECT_EQ(expect_report_uri, report_uri); | 604 EXPECT_EQ(expect_report_uri, report_uri); |
571 | 605 |
572 // Test that the parser correctly parses a report-uri with a >0x7f | 606 // Test that the parser correctly parses a report-uri with a >0x7f |
573 // character. | 607 // character. |
574 std::string uri = "http://foo.com/"; | 608 std::string uri = "http://foo.com/"; |
575 uri += char(0x7f); | 609 uri += char(0x7f); |
576 expect_report_uri = GURL(uri); | 610 expect_report_uri = GURL(uri); |
577 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 611 EXPECT_TRUE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + |
578 "; report-uri=\"" + uri + "\"", | 612 "; report-uri=\"" + uri + "\"", |
579 chain_hashes, &max_age, &include_subdomains, | 613 chain_hashes, &max_age, &include_subdomains, |
580 &hashes, &report_uri)); | 614 &hashes, &report_uri)); |
581 expect_max_age = base::TimeDelta::FromSeconds(999); | 615 expect_max_age = base::TimeDelta::FromSeconds(999); |
582 EXPECT_EQ(expect_max_age, max_age); | 616 EXPECT_EQ(expect_max_age, max_age); |
583 EXPECT_FALSE(include_subdomains); | 617 EXPECT_FALSE(include_subdomains); |
584 EXPECT_EQ(expect_report_uri, report_uri); | 618 EXPECT_EQ(expect_report_uri, report_uri); |
585 | 619 |
586 // Test that the parser allows quoted max-age values. | 620 // Test that the parser allows quoted max-age values. |
587 EXPECT_TRUE(ParseHPKPHeader("max-age='999'; " + backup_pin + "; " + good_pin, | 621 EXPECT_TRUE(ParseAsHPKPHeader( |
588 chain_hashes, &max_age, &include_subdomains, | 622 "max-age='999'; " + backup_pin + "; " + good_pin, chain_hashes, &max_age, |
589 &hashes, &report_uri)); | 623 &include_subdomains, &hashes, &report_uri)); |
590 expect_max_age = base::TimeDelta::FromSeconds(999); | 624 expect_max_age = base::TimeDelta::FromSeconds(999); |
591 EXPECT_EQ(expect_max_age, max_age); | 625 EXPECT_EQ(expect_max_age, max_age); |
592 EXPECT_FALSE(include_subdomains); | 626 EXPECT_FALSE(include_subdomains); |
593 | 627 |
594 // Test that the parser handles escaped values. | 628 // Test that the parser handles escaped values. |
595 expect_report_uri = GURL("http://foo.com'a"); | 629 expect_report_uri = GURL("http://foo.com'a"); |
596 EXPECT_TRUE(ParseHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + | 630 EXPECT_TRUE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + |
597 "; report-uri='http://foo.com\\'\\a'", | 631 "; report-uri='http://foo.com\\'\\a'", |
598 chain_hashes, &max_age, &include_subdomains, | 632 chain_hashes, &max_age, &include_subdomains, |
599 &hashes, &report_uri)); | 633 &hashes, &report_uri)); |
600 expect_max_age = base::TimeDelta::FromSeconds(999); | 634 expect_max_age = base::TimeDelta::FromSeconds(999); |
601 EXPECT_EQ(expect_max_age, max_age); | 635 EXPECT_EQ(expect_max_age, max_age); |
602 EXPECT_FALSE(include_subdomains); | 636 EXPECT_FALSE(include_subdomains); |
603 EXPECT_EQ(expect_report_uri, report_uri); | 637 EXPECT_EQ(expect_report_uri, report_uri); |
| 638 |
| 639 // Test that the parser does not require max-age for Report-Only |
| 640 // headers. |
| 641 expect_report_uri = GURL("http://foo.com"); |
| 642 EXPECT_TRUE(ParseHPKPReportOnlyHeader( |
| 643 backup_pin + "; " + good_pin + "; report-uri='http://foo.com'", |
| 644 &include_subdomains, &hashes, &report_uri)); |
| 645 EXPECT_EQ(expect_report_uri, report_uri); |
604 } | 646 } |
605 | 647 |
606 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { | 648 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { |
607 TestBogusPinsHeaders(HASH_VALUE_SHA1); | 649 TestBogusPinsHeaders(HASH_VALUE_SHA1); |
608 } | 650 } |
609 | 651 |
610 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { | 652 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { |
611 TestBogusPinsHeaders(HASH_VALUE_SHA256); | 653 TestBogusPinsHeaders(HASH_VALUE_SHA256); |
612 } | 654 } |
613 | 655 |
(...skipping 256 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
870 ssl_info)); | 912 ssl_info)); |
871 | 913 |
872 // The old pins must still exist. | 914 // The old pins must still exist. |
873 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 915 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
874 EXPECT_TRUE(state.CheckPublicKeyPins( | 916 EXPECT_TRUE(state.CheckPublicKeyPins( |
875 domain_port, is_issued_by_known_root, ssl_info.public_key_hashes, nullptr, | 917 domain_port, is_issued_by_known_root, ssl_info.public_key_hashes, nullptr, |
876 nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); | 918 nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); |
877 } | 919 } |
878 | 920 |
879 }; // namespace net | 921 }; // namespace net |
OLD | NEW |