| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/base/transport_security_state.h" | |
| 6 | |
| 7 #include <algorithm> | |
| 8 #include <string> | |
| 9 #include <vector> | |
| 10 | |
| 11 #include "base/base64.h" | |
| 12 #include "base/files/file_path.h" | |
| 13 #include "base/sha1.h" | |
| 14 #include "base/string_piece.h" | |
| 15 #include "crypto/sha2.h" | |
| 16 #include "net/base/asn1_util.h" | |
| 17 #include "net/base/cert_test_util.h" | |
| 18 #include "net/base/cert_verifier.h" | |
| 19 #include "net/base/cert_verify_result.h" | |
| 20 #include "net/base/net_errors.h" | |
| 21 #include "net/base/net_log.h" | |
| 22 #include "net/base/ssl_info.h" | |
| 23 #include "net/base/test_completion_callback.h" | |
| 24 #include "net/base/test_data_directory.h" | |
| 25 #include "net/base/test_root_certs.h" | |
| 26 #include "net/base/x509_cert_types.h" | |
| 27 #include "net/base/x509_certificate.h" | |
| 28 #include "net/http/http_util.h" | |
| 29 #include "testing/gtest/include/gtest/gtest.h" | |
| 30 | |
| 31 #if defined(USE_OPENSSL) | |
| 32 #include "crypto/openssl_util.h" | |
| 33 #else | |
| 34 #include "crypto/nss_util.h" | |
| 35 #endif | |
| 36 | |
| 37 namespace net { | |
| 38 | |
| 39 class TransportSecurityStateTest : public testing::Test { | |
| 40 virtual void SetUp() { | |
| 41 #if defined(USE_OPENSSL) | |
| 42 crypto::EnsureOpenSSLInit(); | |
| 43 #else | |
| 44 crypto::EnsureNSSInit(); | |
| 45 #endif | |
| 46 } | |
| 47 | |
| 48 protected: | |
| 49 std::string CanonicalizeHost(const std::string& host) { | |
| 50 return TransportSecurityState::CanonicalizeHost(host); | |
| 51 } | |
| 52 | |
| 53 bool GetStaticDomainState(TransportSecurityState* state, | |
| 54 const std::string& host, | |
| 55 bool sni_enabled, | |
| 56 TransportSecurityState::DomainState* result) { | |
| 57 return state->GetStaticDomainState(host, sni_enabled, result); | |
| 58 } | |
| 59 | |
| 60 void EnableHost(TransportSecurityState* state, | |
| 61 const std::string& host, | |
| 62 const TransportSecurityState::DomainState& domain_state) { | |
| 63 return state->EnableHost(host, domain_state); | |
| 64 } | |
| 65 }; | |
| 66 | |
| 67 TEST_F(TransportSecurityStateTest, SimpleMatches) { | |
| 68 TransportSecurityState state; | |
| 69 TransportSecurityState::DomainState domain_state; | |
| 70 const base::Time current_time(base::Time::Now()); | |
| 71 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
| 72 | |
| 73 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 74 bool include_subdomains = false; | |
| 75 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
| 76 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 77 } | |
| 78 | |
| 79 TEST_F(TransportSecurityStateTest, MatchesCase1) { | |
| 80 TransportSecurityState state; | |
| 81 TransportSecurityState::DomainState domain_state; | |
| 82 const base::Time current_time(base::Time::Now()); | |
| 83 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
| 84 | |
| 85 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 86 bool include_subdomains = false; | |
| 87 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); | |
| 88 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 89 } | |
| 90 | |
| 91 TEST_F(TransportSecurityStateTest, MatchesCase2) { | |
| 92 TransportSecurityState state; | |
| 93 TransportSecurityState::DomainState domain_state; | |
| 94 const base::Time current_time(base::Time::Now()); | |
| 95 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
| 96 | |
| 97 EXPECT_FALSE(state.GetDomainState("YAhoo.coM", true, &domain_state)); | |
| 98 bool include_subdomains = false; | |
| 99 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
| 100 EXPECT_TRUE(state.GetDomainState("YAhoo.coM", true, &domain_state)); | |
| 101 } | |
| 102 | |
| 103 TEST_F(TransportSecurityStateTest, SubdomainMatches) { | |
| 104 TransportSecurityState state; | |
| 105 TransportSecurityState::DomainState domain_state; | |
| 106 const base::Time current_time(base::Time::Now()); | |
| 107 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
| 108 | |
| 109 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 110 bool include_subdomains = true; | |
| 111 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
| 112 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 113 EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, &domain_state)); | |
| 114 EXPECT_TRUE(state.GetDomainState("foo.bar.yahoo.com", true, &domain_state)); | |
| 115 EXPECT_TRUE(state.GetDomainState("foo.bar.baz.yahoo.com", true, | |
| 116 &domain_state)); | |
| 117 EXPECT_FALSE(state.GetDomainState("com", true, &domain_state)); | |
| 118 } | |
| 119 | |
| 120 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | |
| 121 TransportSecurityState state; | |
| 122 TransportSecurityState::DomainState domain_state; | |
| 123 const base::Time current_time(base::Time::Now()); | |
| 124 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
| 125 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | |
| 126 | |
| 127 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 128 bool include_subdomains = false; | |
| 129 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
| 130 | |
| 131 state.DeleteAllDynamicDataSince(expiry); | |
| 132 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 133 state.DeleteAllDynamicDataSince(older); | |
| 134 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 135 } | |
| 136 | |
| 137 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | |
| 138 TransportSecurityState state; | |
| 139 TransportSecurityState::DomainState domain_state; | |
| 140 const base::Time current_time(base::Time::Now()); | |
| 141 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
| 142 bool include_subdomains = false; | |
| 143 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
| 144 | |
| 145 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 146 EXPECT_FALSE(state.GetDomainState("example.com", true, &domain_state)); | |
| 147 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); | |
| 148 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | |
| 149 } | |
| 150 | |
| 151 TEST_F(TransportSecurityStateTest, IsPreloaded) { | |
| 152 const std::string paypal = | |
| 153 CanonicalizeHost("paypal.com"); | |
| 154 const std::string www_paypal = | |
| 155 CanonicalizeHost("www.paypal.com"); | |
| 156 const std::string a_www_paypal = | |
| 157 CanonicalizeHost("a.www.paypal.com"); | |
| 158 const std::string abc_paypal = | |
| 159 CanonicalizeHost("a.b.c.paypal.com"); | |
| 160 const std::string example = | |
| 161 CanonicalizeHost("example.com"); | |
| 162 const std::string aypal = | |
| 163 CanonicalizeHost("aypal.com"); | |
| 164 | |
| 165 TransportSecurityState state; | |
| 166 TransportSecurityState::DomainState domain_state; | |
| 167 | |
| 168 EXPECT_FALSE(GetStaticDomainState(&state, paypal, true, &domain_state)); | |
| 169 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state)); | |
| 170 EXPECT_FALSE(domain_state.include_subdomains); | |
| 171 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state)); | |
| 172 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state)); | |
| 173 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); | |
| 174 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); | |
| 175 } | |
| 176 | |
| 177 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { | |
| 178 TransportSecurityState state; | |
| 179 TransportSecurityState::DomainState domain_state; | |
| 180 | |
| 181 // The domain wasn't being set, leading to a blank string in the | |
| 182 // chrome://net-internals/#hsts UI. So test that. | |
| 183 EXPECT_TRUE(state.GetDomainState("market.android.com", true, &domain_state)); | |
| 184 EXPECT_EQ(domain_state.domain, "market.android.com"); | |
| 185 EXPECT_TRUE(state.GetDomainState("sub.market.android.com", true, | |
| 186 &domain_state)); | |
| 187 EXPECT_EQ(domain_state.domain, "market.android.com"); | |
| 188 } | |
| 189 | |
| 190 static bool ShouldRedirect(const char* hostname) { | |
| 191 TransportSecurityState state; | |
| 192 TransportSecurityState::DomainState domain_state; | |
| 193 return state.GetDomainState(hostname, true /* SNI ok */, &domain_state) && | |
| 194 domain_state.ShouldUpgradeToSSL(); | |
| 195 } | |
| 196 | |
| 197 static bool HasState(const char* hostname) { | |
| 198 TransportSecurityState state; | |
| 199 TransportSecurityState::DomainState domain_state; | |
| 200 return state.GetDomainState(hostname, true /* SNI ok */, &domain_state); | |
| 201 } | |
| 202 | |
| 203 static bool HasPublicKeyPins(const char* hostname, bool sni_enabled) { | |
| 204 TransportSecurityState state; | |
| 205 TransportSecurityState::DomainState domain_state; | |
| 206 if (!state.GetDomainState(hostname, sni_enabled, &domain_state)) | |
| 207 return false; | |
| 208 | |
| 209 return domain_state.HasPublicKeyPins(); | |
| 210 } | |
| 211 | |
| 212 static bool HasPublicKeyPins(const char* hostname) { | |
| 213 return HasPublicKeyPins(hostname, true); | |
| 214 } | |
| 215 | |
| 216 static bool OnlyPinning(const char *hostname) { | |
| 217 TransportSecurityState state; | |
| 218 TransportSecurityState::DomainState domain_state; | |
| 219 if (!state.GetDomainState(hostname, true /* SNI ok */, &domain_state)) | |
| 220 return false; | |
| 221 | |
| 222 return (domain_state.static_spki_hashes.size() > 0 || | |
| 223 domain_state.bad_static_spki_hashes.size() > 0 || | |
| 224 domain_state.dynamic_spki_hashes.size() > 0) && | |
| 225 !domain_state.ShouldUpgradeToSSL(); | |
| 226 } | |
| 227 | |
| 228 TEST_F(TransportSecurityStateTest, Preloaded) { | |
| 229 TransportSecurityState state; | |
| 230 TransportSecurityState::DomainState domain_state; | |
| 231 | |
| 232 // We do more extensive checks for the first domain. | |
| 233 EXPECT_TRUE(state.GetDomainState("www.paypal.com", true, &domain_state)); | |
| 234 EXPECT_EQ(domain_state.upgrade_mode, | |
| 235 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); | |
| 236 EXPECT_FALSE(domain_state.include_subdomains); | |
| 237 | |
| 238 EXPECT_FALSE(HasState("paypal.com")); | |
| 239 EXPECT_FALSE(HasState("www2.paypal.com")); | |
| 240 EXPECT_FALSE(HasState("www2.paypal.com")); | |
| 241 | |
| 242 // Google hosts: | |
| 243 | |
| 244 EXPECT_TRUE(ShouldRedirect("chrome.google.com")); | |
| 245 EXPECT_TRUE(ShouldRedirect("checkout.google.com")); | |
| 246 EXPECT_TRUE(ShouldRedirect("health.google.com")); | |
| 247 EXPECT_TRUE(ShouldRedirect("docs.google.com")); | |
| 248 EXPECT_TRUE(ShouldRedirect("sites.google.com")); | |
| 249 EXPECT_TRUE(ShouldRedirect("drive.google.com")); | |
| 250 EXPECT_TRUE(ShouldRedirect("spreadsheets.google.com")); | |
| 251 EXPECT_TRUE(ShouldRedirect("appengine.google.com")); | |
| 252 EXPECT_TRUE(ShouldRedirect("market.android.com")); | |
| 253 EXPECT_TRUE(ShouldRedirect("encrypted.google.com")); | |
| 254 EXPECT_TRUE(ShouldRedirect("accounts.google.com")); | |
| 255 EXPECT_TRUE(ShouldRedirect("profiles.google.com")); | |
| 256 EXPECT_TRUE(ShouldRedirect("mail.google.com")); | |
| 257 EXPECT_TRUE(ShouldRedirect("chatenabled.mail.google.com")); | |
| 258 EXPECT_TRUE(ShouldRedirect("talkgadget.google.com")); | |
| 259 EXPECT_TRUE(ShouldRedirect("hostedtalkgadget.google.com")); | |
| 260 EXPECT_TRUE(ShouldRedirect("talk.google.com")); | |
| 261 EXPECT_TRUE(ShouldRedirect("plus.google.com")); | |
| 262 EXPECT_TRUE(ShouldRedirect("groups.google.com")); | |
| 263 EXPECT_TRUE(ShouldRedirect("apis.google.com")); | |
| 264 EXPECT_FALSE(ShouldRedirect("chart.apis.google.com")); | |
| 265 EXPECT_TRUE(ShouldRedirect("ssl.google-analytics.com")); | |
| 266 EXPECT_TRUE(ShouldRedirect("gmail.com")); | |
| 267 EXPECT_TRUE(ShouldRedirect("www.gmail.com")); | |
| 268 EXPECT_TRUE(ShouldRedirect("googlemail.com")); | |
| 269 EXPECT_TRUE(ShouldRedirect("www.googlemail.com")); | |
| 270 EXPECT_TRUE(ShouldRedirect("googleplex.com")); | |
| 271 EXPECT_TRUE(ShouldRedirect("www.googleplex.com")); | |
| 272 EXPECT_FALSE(HasState("m.gmail.com")); | |
| 273 EXPECT_FALSE(HasState("m.googlemail.com")); | |
| 274 | |
| 275 EXPECT_TRUE(OnlyPinning("www.google.com")); | |
| 276 EXPECT_TRUE(OnlyPinning("foo.google.com")); | |
| 277 EXPECT_TRUE(OnlyPinning("google.com")); | |
| 278 EXPECT_TRUE(OnlyPinning("www.youtube.com")); | |
| 279 EXPECT_TRUE(OnlyPinning("youtube.com")); | |
| 280 EXPECT_TRUE(OnlyPinning("i.ytimg.com")); | |
| 281 EXPECT_TRUE(OnlyPinning("ytimg.com")); | |
| 282 EXPECT_TRUE(OnlyPinning("googleusercontent.com")); | |
| 283 EXPECT_TRUE(OnlyPinning("www.googleusercontent.com")); | |
| 284 EXPECT_TRUE(OnlyPinning("www.google-analytics.com")); | |
| 285 EXPECT_TRUE(OnlyPinning("googleapis.com")); | |
| 286 EXPECT_TRUE(OnlyPinning("googleadservices.com")); | |
| 287 EXPECT_TRUE(OnlyPinning("googlecode.com")); | |
| 288 EXPECT_TRUE(OnlyPinning("appspot.com")); | |
| 289 EXPECT_TRUE(OnlyPinning("googlesyndication.com")); | |
| 290 EXPECT_TRUE(OnlyPinning("doubleclick.net")); | |
| 291 EXPECT_TRUE(OnlyPinning("googlegroups.com")); | |
| 292 | |
| 293 // Tests for domains that don't work without SNI. | |
| 294 EXPECT_FALSE(state.GetDomainState("gmail.com", false, &domain_state)); | |
| 295 EXPECT_FALSE(state.GetDomainState("www.gmail.com", false, &domain_state)); | |
| 296 EXPECT_FALSE(state.GetDomainState("m.gmail.com", false, &domain_state)); | |
| 297 EXPECT_FALSE(state.GetDomainState("googlemail.com", false, &domain_state)); | |
| 298 EXPECT_FALSE(state.GetDomainState("www.googlemail.com", false, | |
| 299 &domain_state)); | |
| 300 EXPECT_FALSE(state.GetDomainState("m.googlemail.com", false, &domain_state)); | |
| 301 | |
| 302 // Other hosts: | |
| 303 | |
| 304 EXPECT_TRUE(ShouldRedirect("aladdinschools.appspot.com")); | |
| 305 | |
| 306 EXPECT_TRUE(ShouldRedirect("ottospora.nl")); | |
| 307 EXPECT_TRUE(ShouldRedirect("www.ottospora.nl")); | |
| 308 | |
| 309 EXPECT_TRUE(ShouldRedirect("www.paycheckrecords.com")); | |
| 310 | |
| 311 EXPECT_TRUE(ShouldRedirect("lastpass.com")); | |
| 312 EXPECT_TRUE(ShouldRedirect("www.lastpass.com")); | |
| 313 EXPECT_FALSE(HasState("blog.lastpass.com")); | |
| 314 | |
| 315 EXPECT_TRUE(ShouldRedirect("keyerror.com")); | |
| 316 EXPECT_TRUE(ShouldRedirect("www.keyerror.com")); | |
| 317 | |
| 318 EXPECT_TRUE(ShouldRedirect("entropia.de")); | |
| 319 EXPECT_TRUE(ShouldRedirect("www.entropia.de")); | |
| 320 EXPECT_FALSE(HasState("foo.entropia.de")); | |
| 321 | |
| 322 EXPECT_TRUE(ShouldRedirect("www.elanex.biz")); | |
| 323 EXPECT_FALSE(HasState("elanex.biz")); | |
| 324 EXPECT_FALSE(HasState("foo.elanex.biz")); | |
| 325 | |
| 326 EXPECT_TRUE(ShouldRedirect("sunshinepress.org")); | |
| 327 EXPECT_TRUE(ShouldRedirect("www.sunshinepress.org")); | |
| 328 EXPECT_TRUE(ShouldRedirect("a.b.sunshinepress.org")); | |
| 329 | |
| 330 EXPECT_TRUE(ShouldRedirect("www.noisebridge.net")); | |
| 331 EXPECT_FALSE(HasState("noisebridge.net")); | |
| 332 EXPECT_FALSE(HasState("foo.noisebridge.net")); | |
| 333 | |
| 334 EXPECT_TRUE(ShouldRedirect("neg9.org")); | |
| 335 EXPECT_FALSE(HasState("www.neg9.org")); | |
| 336 | |
| 337 EXPECT_TRUE(ShouldRedirect("riseup.net")); | |
| 338 EXPECT_TRUE(ShouldRedirect("foo.riseup.net")); | |
| 339 | |
| 340 EXPECT_TRUE(ShouldRedirect("factor.cc")); | |
| 341 EXPECT_FALSE(HasState("www.factor.cc")); | |
| 342 | |
| 343 EXPECT_TRUE(ShouldRedirect("members.mayfirst.org")); | |
| 344 EXPECT_TRUE(ShouldRedirect("support.mayfirst.org")); | |
| 345 EXPECT_TRUE(ShouldRedirect("id.mayfirst.org")); | |
| 346 EXPECT_TRUE(ShouldRedirect("lists.mayfirst.org")); | |
| 347 EXPECT_FALSE(HasState("www.mayfirst.org")); | |
| 348 | |
| 349 EXPECT_TRUE(ShouldRedirect("romab.com")); | |
| 350 EXPECT_TRUE(ShouldRedirect("www.romab.com")); | |
| 351 EXPECT_TRUE(ShouldRedirect("foo.romab.com")); | |
| 352 | |
| 353 EXPECT_TRUE(ShouldRedirect("logentries.com")); | |
| 354 EXPECT_TRUE(ShouldRedirect("www.logentries.com")); | |
| 355 EXPECT_FALSE(HasState("foo.logentries.com")); | |
| 356 | |
| 357 EXPECT_TRUE(ShouldRedirect("stripe.com")); | |
| 358 EXPECT_TRUE(ShouldRedirect("foo.stripe.com")); | |
| 359 | |
| 360 EXPECT_TRUE(ShouldRedirect("cloudsecurityalliance.org")); | |
| 361 EXPECT_TRUE(ShouldRedirect("foo.cloudsecurityalliance.org")); | |
| 362 | |
| 363 EXPECT_TRUE(ShouldRedirect("login.sapo.pt")); | |
| 364 EXPECT_TRUE(ShouldRedirect("foo.login.sapo.pt")); | |
| 365 | |
| 366 EXPECT_TRUE(ShouldRedirect("mattmccutchen.net")); | |
| 367 EXPECT_TRUE(ShouldRedirect("foo.mattmccutchen.net")); | |
| 368 | |
| 369 EXPECT_TRUE(ShouldRedirect("betnet.fr")); | |
| 370 EXPECT_TRUE(ShouldRedirect("foo.betnet.fr")); | |
| 371 | |
| 372 EXPECT_TRUE(ShouldRedirect("uprotect.it")); | |
| 373 EXPECT_TRUE(ShouldRedirect("foo.uprotect.it")); | |
| 374 | |
| 375 EXPECT_TRUE(ShouldRedirect("squareup.com")); | |
| 376 EXPECT_FALSE(HasState("foo.squareup.com")); | |
| 377 | |
| 378 EXPECT_TRUE(ShouldRedirect("cert.se")); | |
| 379 EXPECT_TRUE(ShouldRedirect("foo.cert.se")); | |
| 380 | |
| 381 EXPECT_TRUE(ShouldRedirect("crypto.is")); | |
| 382 EXPECT_TRUE(ShouldRedirect("foo.crypto.is")); | |
| 383 | |
| 384 EXPECT_TRUE(ShouldRedirect("simon.butcher.name")); | |
| 385 EXPECT_TRUE(ShouldRedirect("foo.simon.butcher.name")); | |
| 386 | |
| 387 EXPECT_TRUE(ShouldRedirect("linx.net")); | |
| 388 EXPECT_TRUE(ShouldRedirect("foo.linx.net")); | |
| 389 | |
| 390 EXPECT_TRUE(ShouldRedirect("dropcam.com")); | |
| 391 EXPECT_TRUE(ShouldRedirect("www.dropcam.com")); | |
| 392 EXPECT_FALSE(HasState("foo.dropcam.com")); | |
| 393 | |
| 394 EXPECT_TRUE(state.GetDomainState("torproject.org", false, &domain_state)); | |
| 395 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | |
| 396 EXPECT_TRUE(state.GetDomainState("www.torproject.org", false, | |
| 397 &domain_state)); | |
| 398 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | |
| 399 EXPECT_TRUE(state.GetDomainState("check.torproject.org", false, | |
| 400 &domain_state)); | |
| 401 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | |
| 402 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", false, | |
| 403 &domain_state)); | |
| 404 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | |
| 405 EXPECT_TRUE(ShouldRedirect("ebanking.indovinabank.com.vn")); | |
| 406 EXPECT_TRUE(ShouldRedirect("foo.ebanking.indovinabank.com.vn")); | |
| 407 | |
| 408 EXPECT_TRUE(ShouldRedirect("epoxate.com")); | |
| 409 EXPECT_FALSE(HasState("foo.epoxate.com")); | |
| 410 | |
| 411 EXPECT_TRUE(HasPublicKeyPins("torproject.org")); | |
| 412 EXPECT_TRUE(HasPublicKeyPins("www.torproject.org")); | |
| 413 EXPECT_TRUE(HasPublicKeyPins("check.torproject.org")); | |
| 414 EXPECT_TRUE(HasPublicKeyPins("blog.torproject.org")); | |
| 415 EXPECT_FALSE(HasState("foo.torproject.org")); | |
| 416 | |
| 417 EXPECT_TRUE(ShouldRedirect("www.moneybookers.com")); | |
| 418 EXPECT_FALSE(HasState("moneybookers.com")); | |
| 419 | |
| 420 EXPECT_TRUE(ShouldRedirect("ledgerscope.net")); | |
| 421 EXPECT_TRUE(ShouldRedirect("www.ledgerscope.net")); | |
| 422 EXPECT_FALSE(HasState("status.ledgerscope.net")); | |
| 423 | |
| 424 EXPECT_TRUE(ShouldRedirect("kyps.net")); | |
| 425 EXPECT_TRUE(ShouldRedirect("www.kyps.net")); | |
| 426 EXPECT_FALSE(HasState("foo.kyps.net")); | |
| 427 | |
| 428 EXPECT_TRUE(ShouldRedirect("foo.app.recurly.com")); | |
| 429 EXPECT_TRUE(ShouldRedirect("foo.api.recurly.com")); | |
| 430 | |
| 431 EXPECT_TRUE(ShouldRedirect("greplin.com")); | |
| 432 EXPECT_TRUE(ShouldRedirect("www.greplin.com")); | |
| 433 EXPECT_FALSE(HasState("foo.greplin.com")); | |
| 434 | |
| 435 EXPECT_TRUE(ShouldRedirect("luneta.nearbuysystems.com")); | |
| 436 EXPECT_TRUE(ShouldRedirect("foo.luneta.nearbuysystems.com")); | |
| 437 | |
| 438 EXPECT_TRUE(ShouldRedirect("ubertt.org")); | |
| 439 EXPECT_TRUE(ShouldRedirect("foo.ubertt.org")); | |
| 440 | |
| 441 EXPECT_TRUE(ShouldRedirect("pixi.me")); | |
| 442 EXPECT_TRUE(ShouldRedirect("www.pixi.me")); | |
| 443 | |
| 444 EXPECT_TRUE(ShouldRedirect("grepular.com")); | |
| 445 EXPECT_TRUE(ShouldRedirect("www.grepular.com")); | |
| 446 | |
| 447 EXPECT_TRUE(ShouldRedirect("mydigipass.com")); | |
| 448 EXPECT_FALSE(ShouldRedirect("foo.mydigipass.com")); | |
| 449 EXPECT_TRUE(ShouldRedirect("www.mydigipass.com")); | |
| 450 EXPECT_FALSE(ShouldRedirect("foo.www.mydigipass.com")); | |
| 451 EXPECT_TRUE(ShouldRedirect("developer.mydigipass.com")); | |
| 452 EXPECT_FALSE(ShouldRedirect("foo.developer.mydigipass.com")); | |
| 453 EXPECT_TRUE(ShouldRedirect("www.developer.mydigipass.com")); | |
| 454 EXPECT_FALSE(ShouldRedirect("foo.www.developer.mydigipass.com")); | |
| 455 EXPECT_TRUE(ShouldRedirect("sandbox.mydigipass.com")); | |
| 456 EXPECT_FALSE(ShouldRedirect("foo.sandbox.mydigipass.com")); | |
| 457 EXPECT_TRUE(ShouldRedirect("www.sandbox.mydigipass.com")); | |
| 458 EXPECT_FALSE(ShouldRedirect("foo.www.sandbox.mydigipass.com")); | |
| 459 | |
| 460 EXPECT_TRUE(ShouldRedirect("crypto.cat")); | |
| 461 EXPECT_FALSE(ShouldRedirect("foo.crypto.cat")); | |
| 462 | |
| 463 EXPECT_TRUE(ShouldRedirect("bigshinylock.minazo.net")); | |
| 464 EXPECT_TRUE(ShouldRedirect("foo.bigshinylock.minazo.net")); | |
| 465 | |
| 466 EXPECT_TRUE(ShouldRedirect("crate.io")); | |
| 467 EXPECT_TRUE(ShouldRedirect("foo.crate.io")); | |
| 468 | |
| 469 EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); | |
| 470 } | |
| 471 | |
| 472 TEST_F(TransportSecurityStateTest, LongNames) { | |
| 473 TransportSecurityState state; | |
| 474 const char kLongName[] = | |
| 475 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" | |
| 476 "WaveletIdDomainAndBlipBlipid"; | |
| 477 TransportSecurityState::DomainState domain_state; | |
| 478 // Just checks that we don't hit a NOTREACHED. | |
| 479 EXPECT_FALSE(state.GetDomainState(kLongName, true, &domain_state)); | |
| 480 } | |
| 481 | |
| 482 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { | |
| 483 TransportSecurityState state; | |
| 484 TransportSecurityState::DomainState domain_state; | |
| 485 | |
| 486 EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state)); | |
| 487 EXPECT_TRUE(HasPublicKeyPins("chrome.google.com")); | |
| 488 | |
| 489 HashValueVector hashes; | |
| 490 // Checks that a built-in list does exist. | |
| 491 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes)); | |
| 492 EXPECT_FALSE(HasPublicKeyPins("www.paypal.com")); | |
| 493 | |
| 494 EXPECT_TRUE(HasPublicKeyPins("docs.google.com")); | |
| 495 EXPECT_TRUE(HasPublicKeyPins("1.docs.google.com")); | |
| 496 EXPECT_TRUE(HasPublicKeyPins("sites.google.com")); | |
| 497 EXPECT_TRUE(HasPublicKeyPins("drive.google.com")); | |
| 498 EXPECT_TRUE(HasPublicKeyPins("spreadsheets.google.com")); | |
| 499 EXPECT_TRUE(HasPublicKeyPins("health.google.com")); | |
| 500 EXPECT_TRUE(HasPublicKeyPins("checkout.google.com")); | |
| 501 EXPECT_TRUE(HasPublicKeyPins("appengine.google.com")); | |
| 502 EXPECT_TRUE(HasPublicKeyPins("market.android.com")); | |
| 503 EXPECT_TRUE(HasPublicKeyPins("encrypted.google.com")); | |
| 504 EXPECT_TRUE(HasPublicKeyPins("accounts.google.com")); | |
| 505 EXPECT_TRUE(HasPublicKeyPins("profiles.google.com")); | |
| 506 EXPECT_TRUE(HasPublicKeyPins("mail.google.com")); | |
| 507 EXPECT_TRUE(HasPublicKeyPins("chatenabled.mail.google.com")); | |
| 508 EXPECT_TRUE(HasPublicKeyPins("talkgadget.google.com")); | |
| 509 EXPECT_TRUE(HasPublicKeyPins("hostedtalkgadget.google.com")); | |
| 510 EXPECT_TRUE(HasPublicKeyPins("talk.google.com")); | |
| 511 EXPECT_TRUE(HasPublicKeyPins("plus.google.com")); | |
| 512 EXPECT_TRUE(HasPublicKeyPins("groups.google.com")); | |
| 513 EXPECT_TRUE(HasPublicKeyPins("apis.google.com")); | |
| 514 | |
| 515 EXPECT_TRUE(HasPublicKeyPins("ssl.gstatic.com")); | |
| 516 EXPECT_FALSE(HasPublicKeyPins("www.gstatic.com")); | |
| 517 EXPECT_TRUE(HasPublicKeyPins("ssl.google-analytics.com")); | |
| 518 EXPECT_TRUE(HasPublicKeyPins("www.googleplex.com")); | |
| 519 | |
| 520 // Disabled in order to help track down pinning failures --agl | |
| 521 EXPECT_TRUE(HasPublicKeyPins("twitter.com")); | |
| 522 EXPECT_FALSE(HasPublicKeyPins("foo.twitter.com")); | |
| 523 EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); | |
| 524 EXPECT_TRUE(HasPublicKeyPins("api.twitter.com")); | |
| 525 EXPECT_TRUE(HasPublicKeyPins("oauth.twitter.com")); | |
| 526 EXPECT_TRUE(HasPublicKeyPins("mobile.twitter.com")); | |
| 527 EXPECT_TRUE(HasPublicKeyPins("dev.twitter.com")); | |
| 528 EXPECT_TRUE(HasPublicKeyPins("business.twitter.com")); | |
| 529 EXPECT_TRUE(HasPublicKeyPins("platform.twitter.com")); | |
| 530 EXPECT_TRUE(HasPublicKeyPins("si0.twimg.com")); | |
| 531 EXPECT_TRUE(HasPublicKeyPins("twimg0-a.akamaihd.net")); | |
| 532 } | |
| 533 | |
| 534 static bool AddHash(const std::string& type_and_base64, | |
| 535 HashValueVector* out) { | |
| 536 HashValue hash; | |
| 537 if (!hash.FromString(type_and_base64)) | |
| 538 return false; | |
| 539 | |
| 540 out->push_back(hash); | |
| 541 return true; | |
| 542 } | |
| 543 | |
| 544 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) { | |
| 545 // kGoodPath is plus.google.com via Google Internet Authority. | |
| 546 static const char* kGoodPath[] = { | |
| 547 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | |
| 548 "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=", | |
| 549 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | |
| 550 NULL, | |
| 551 }; | |
| 552 | |
| 553 // kBadPath is plus.google.com via Trustcenter, which contains a required | |
| 554 // certificate (Equifax root), but also an excluded certificate | |
| 555 // (Trustcenter). | |
| 556 static const char* kBadPath[] = { | |
| 557 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | |
| 558 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", | |
| 559 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | |
| 560 NULL, | |
| 561 }; | |
| 562 | |
| 563 HashValueVector good_hashes, bad_hashes; | |
| 564 | |
| 565 for (size_t i = 0; kGoodPath[i]; i++) { | |
| 566 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | |
| 567 } | |
| 568 for (size_t i = 0; kBadPath[i]; i++) { | |
| 569 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | |
| 570 } | |
| 571 | |
| 572 TransportSecurityState state; | |
| 573 TransportSecurityState::DomainState domain_state; | |
| 574 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); | |
| 575 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | |
| 576 | |
| 577 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | |
| 578 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | |
| 579 } | |
| 580 | |
| 581 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { | |
| 582 // kGoodPath is blog.torproject.org. | |
| 583 static const char* kGoodPath[] = { | |
| 584 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", | |
| 585 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=", | |
| 586 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", | |
| 587 NULL, | |
| 588 }; | |
| 589 | |
| 590 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for | |
| 591 // torproject.org. | |
| 592 static const char* kBadPath[] = { | |
| 593 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | |
| 594 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", | |
| 595 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | |
| 596 NULL, | |
| 597 }; | |
| 598 | |
| 599 HashValueVector good_hashes, bad_hashes; | |
| 600 | |
| 601 for (size_t i = 0; kGoodPath[i]; i++) { | |
| 602 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | |
| 603 } | |
| 604 for (size_t i = 0; kBadPath[i]; i++) { | |
| 605 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | |
| 606 } | |
| 607 | |
| 608 TransportSecurityState state; | |
| 609 TransportSecurityState::DomainState domain_state; | |
| 610 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", true, &domain_state)); | |
| 611 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | |
| 612 | |
| 613 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | |
| 614 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | |
| 615 } | |
| 616 | |
| 617 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { | |
| 618 static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU="; | |
| 619 static const char* ee_sha256 = | |
| 620 "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I="; | |
| 621 static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; | |
| 622 static const char* google_1024_sha256 = | |
| 623 "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU="; | |
| 624 static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; | |
| 625 static const char* equifax_sha256 = | |
| 626 "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY="; | |
| 627 static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k="; | |
| 628 static const char* trustcenter_sha256 = | |
| 629 "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M="; | |
| 630 | |
| 631 // Good chains for plus.google.com chain up through google_1024_sha{1,256} | |
| 632 // to equifax_sha{1,256}. Bad chains chain up to Equifax through | |
| 633 // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax | |
| 634 // and Google1024 are known-good, the blacklistedness of Trustcenter | |
| 635 // should override and cause pin validation failure. | |
| 636 | |
| 637 TransportSecurityState state; | |
| 638 TransportSecurityState::DomainState domain_state; | |
| 639 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); | |
| 640 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | |
| 641 | |
| 642 // The statically-defined pins are all SHA-1, so we add some SHA-256 pins | |
| 643 // manually: | |
| 644 EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes)); | |
| 645 EXPECT_TRUE(AddHash(trustcenter_sha256, | |
| 646 &domain_state.bad_static_spki_hashes)); | |
| 647 | |
| 648 // Try an all-good SHA1 chain. | |
| 649 HashValueVector validated_chain; | |
| 650 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 651 EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain)); | |
| 652 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 653 EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 654 | |
| 655 // Try an all-bad SHA1 chain. | |
| 656 validated_chain.clear(); | |
| 657 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 658 EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain)); | |
| 659 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 660 EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 661 | |
| 662 // Try an all-good SHA-256 chain. | |
| 663 validated_chain.clear(); | |
| 664 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 665 EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain)); | |
| 666 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 667 EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 668 | |
| 669 // Try an all-bad SHA-256 chain. | |
| 670 validated_chain.clear(); | |
| 671 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 672 EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain)); | |
| 673 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 674 EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 675 | |
| 676 // Try a mixed-hash good chain. | |
| 677 validated_chain.clear(); | |
| 678 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 679 EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain)); | |
| 680 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 681 EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 682 | |
| 683 // Try a mixed-hash bad chain. | |
| 684 validated_chain.clear(); | |
| 685 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 686 EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain)); | |
| 687 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 688 EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 689 | |
| 690 // Try a chain with all good hashes. | |
| 691 validated_chain.clear(); | |
| 692 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 693 EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain)); | |
| 694 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 695 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 696 EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain)); | |
| 697 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 698 EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 699 | |
| 700 // Try a chain with all bad hashes. | |
| 701 validated_chain.clear(); | |
| 702 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 703 EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain)); | |
| 704 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 705 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 706 EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain)); | |
| 707 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 708 EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 709 } | |
| 710 | |
| 711 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { | |
| 712 TransportSecurityState state; | |
| 713 TransportSecurityState::DomainState domain_state; | |
| 714 | |
| 715 EXPECT_FALSE(ShouldRedirect("www.google-analytics.com")); | |
| 716 | |
| 717 EXPECT_FALSE(HasPublicKeyPins("www.google-analytics.com", false)); | |
| 718 EXPECT_TRUE(HasPublicKeyPins("www.google-analytics.com")); | |
| 719 EXPECT_TRUE(HasPublicKeyPins("google.com")); | |
| 720 EXPECT_TRUE(HasPublicKeyPins("www.google.com")); | |
| 721 EXPECT_TRUE(HasPublicKeyPins("mail-attachment.googleusercontent.com")); | |
| 722 EXPECT_TRUE(HasPublicKeyPins("www.youtube.com")); | |
| 723 EXPECT_TRUE(HasPublicKeyPins("i.ytimg.com")); | |
| 724 EXPECT_TRUE(HasPublicKeyPins("googleapis.com")); | |
| 725 EXPECT_TRUE(HasPublicKeyPins("ajax.googleapis.com")); | |
| 726 EXPECT_TRUE(HasPublicKeyPins("googleadservices.com")); | |
| 727 EXPECT_TRUE(HasPublicKeyPins("pagead2.googleadservices.com")); | |
| 728 EXPECT_TRUE(HasPublicKeyPins("googlecode.com")); | |
| 729 EXPECT_TRUE(HasPublicKeyPins("kibbles.googlecode.com")); | |
| 730 EXPECT_TRUE(HasPublicKeyPins("appspot.com")); | |
| 731 EXPECT_TRUE(HasPublicKeyPins("googlesyndication.com")); | |
| 732 EXPECT_TRUE(HasPublicKeyPins("doubleclick.net")); | |
| 733 EXPECT_TRUE(HasPublicKeyPins("ad.doubleclick.net")); | |
| 734 EXPECT_FALSE(HasPublicKeyPins("learn.doubleclick.net")); | |
| 735 EXPECT_TRUE(HasPublicKeyPins("a.googlegroups.com")); | |
| 736 EXPECT_FALSE(HasPublicKeyPins("a.googlegroups.com", false)); | |
| 737 } | |
| 738 | |
| 739 TEST_F(TransportSecurityStateTest, OverrideBuiltins) { | |
| 740 EXPECT_TRUE(HasPublicKeyPins("google.com")); | |
| 741 EXPECT_FALSE(ShouldRedirect("google.com")); | |
| 742 EXPECT_FALSE(ShouldRedirect("www.google.com")); | |
| 743 | |
| 744 TransportSecurityState state; | |
| 745 TransportSecurityState::DomainState domain_state; | |
| 746 const base::Time current_time(base::Time::Now()); | |
| 747 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
| 748 domain_state.upgrade_expiry = expiry; | |
| 749 EnableHost(&state, "www.google.com", domain_state); | |
| 750 | |
| 751 EXPECT_TRUE(state.GetDomainState("www.google.com", true, &domain_state)); | |
| 752 } | |
| 753 | |
| 754 static const uint8 kSidePinLeafSPKI[] = { | |
| 755 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, | |
| 756 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xe4, | |
| 757 0x1d, 0xcc, 0xf2, 0x92, 0xe7, 0x7a, 0xc6, 0x36, 0xf7, 0x1a, 0x62, 0x31, 0x7d, | |
| 758 0x37, 0xea, 0x0d, 0xa2, 0xa8, 0x12, 0x2b, 0xc2, 0x1c, 0x82, 0x3e, 0xa5, 0x70, | |
| 759 0x4a, 0x83, 0x5d, 0x9b, 0x84, 0x82, 0x70, 0xa4, 0x88, 0x98, 0x98, 0x41, 0x29, | |
| 760 0x31, 0xcb, 0x6e, 0x2a, 0x54, 0x65, 0x14, 0x60, 0xcc, 0x00, 0xe8, 0x10, 0x30, | |
| 761 0x0a, 0x4a, 0xd1, 0xa7, 0x52, 0xfe, 0x2d, 0x31, 0x2a, 0x1d, 0x0d, 0x02, 0x03, | |
| 762 0x01, 0x00, 0x01, | |
| 763 }; | |
| 764 | |
| 765 static const uint8 kSidePinInfo[] = { | |
| 766 0x01, 0x00, 0x53, 0x50, 0x49, 0x4e, 0xa0, 0x00, 0x03, 0x00, 0x53, 0x49, 0x47, | |
| 767 0x00, 0x50, 0x55, 0x42, 0x4b, 0x41, 0x4c, 0x47, 0x4f, 0x47, 0x00, 0x41, 0x00, | |
| 768 0x04, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xfb, 0x26, 0xd5, 0xe8, 0x76, 0x35, | |
| 769 0x96, 0x6d, 0x91, 0x9b, 0x5b, 0x27, 0xe6, 0x09, 0x1c, 0x7b, 0x6c, 0xcd, 0xc8, | |
| 770 0x10, 0x25, 0x95, 0xc0, 0xa5, 0xf6, 0x6c, 0x6f, 0xfb, 0x59, 0x1e, 0x2d, 0xf4, | |
| 771 0x02, 0x20, 0x33, 0x0a, 0xf8, 0x8b, 0x3e, 0xc4, 0xca, 0x75, 0x28, 0xdf, 0x5f, | |
| 772 0xab, 0xe4, 0x46, 0xa0, 0xdd, 0x2d, 0xe5, 0xad, 0xc3, 0x81, 0x44, 0x70, 0xb2, | |
| 773 0x10, 0x87, 0xe8, 0xc3, 0xd6, 0x6e, 0x12, 0x5d, 0x04, 0x67, 0x0b, 0x7d, 0xf2, | |
| 774 0x99, 0x75, 0x57, 0x99, 0x3a, 0x98, 0xf8, 0xe4, 0xdf, 0x79, 0xdf, 0x8e, 0x02, | |
| 775 0x2c, 0xbe, 0xd8, 0xfd, 0x75, 0x80, 0x18, 0xb1, 0x6f, 0x43, 0xd9, 0x8a, 0x79, | |
| 776 0xc3, 0x6e, 0x18, 0xdf, 0x79, 0xc0, 0x59, 0xab, 0xd6, 0x77, 0x37, 0x6a, 0x94, | |
| 777 0x5a, 0x7e, 0xfb, 0xa9, 0xc5, 0x54, 0x14, 0x3a, 0x7b, 0x97, 0x17, 0x2a, 0xb6, | |
| 778 0x1e, 0x59, 0x4f, 0x2f, 0xb1, 0x15, 0x1a, 0x34, 0x50, 0x32, 0x35, 0x36, | |
| 779 }; | |
| 780 | |
| 781 static const uint8 kSidePinExpectedHash[20] = { | |
| 782 0xb5, 0x91, 0x66, 0x47, 0x43, 0x16, 0x62, 0x86, 0xd4, 0x1e, 0x5d, 0x36, 0xe1, | |
| 783 0xc4, 0x09, 0x3d, 0x2d, 0x1d, 0xea, 0x1e, | |
| 784 }; | |
| 785 | |
| 786 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) { | |
| 787 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 788 "www.example.com", true)); | |
| 789 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 790 "www.paypal.com", true)); | |
| 791 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 792 "mail.twitter.com", true)); | |
| 793 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 794 "www.google.com.int", true)); | |
| 795 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 796 "jottit.com", true)); | |
| 797 // learn.doubleclick.net has a more specific match than | |
| 798 // *.doubleclick.com, and has 0 or NULL for its required certs. | |
| 799 // This test ensures that the exact-match-preferred behavior | |
| 800 // works. | |
| 801 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 802 "learn.doubleclick.net", true)); | |
| 803 | |
| 804 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 805 "encrypted.google.com", true)); | |
| 806 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 807 "mail.google.com", true)); | |
| 808 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 809 "accounts.google.com", true)); | |
| 810 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 811 "doubleclick.net", true)); | |
| 812 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 813 "ad.doubleclick.net", true)); | |
| 814 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 815 "youtube.com", true)); | |
| 816 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 817 "www.profiles.google.com", true)); | |
| 818 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 819 "checkout.google.com", true)); | |
| 820 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 821 "googleadservices.com", true)); | |
| 822 | |
| 823 // Test with sni_enabled false: | |
| 824 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 825 "www.example.com", false)); | |
| 826 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 827 "www.paypal.com", false)); | |
| 828 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 829 "checkout.google.com", false)); | |
| 830 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 831 "googleadservices.com", false)); | |
| 832 | |
| 833 // Test some SNI hosts: | |
| 834 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 835 "gmail.com", true)); | |
| 836 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 837 "googlegroups.com", true)); | |
| 838 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | |
| 839 "www.googlegroups.com", true)); | |
| 840 // Expect to fail for SNI hosts when not searching the SNI list: | |
| 841 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 842 "gmail.com", false)); | |
| 843 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 844 "googlegroups.com", false)); | |
| 845 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | |
| 846 "www.googlegroups.com", false)); | |
| 847 } | |
| 848 | |
| 849 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12680003:
net: split net/ssl out of net/base (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src