Chromium Code Reviews Chromium Code Reviews
Issue 2034843003:
Add Expect-Staple to preload list (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 27 matching lines...) Expand all Loading... | |
| 38 namespace net { | 38 namespace net { |
| 39 | 39 |
| 40 namespace { | 40 namespace { |
| 41 | 41 |
| 42 const char kHost[] = "example.test"; | 42 const char kHost[] = "example.test"; |
| 43 const char kSubdomain[] = "foo.example.test"; | 43 const char kSubdomain[] = "foo.example.test"; |
| 44 const uint16_t kPort = 443; | 44 const uint16_t kPort = 443; |
| 45 const char kReportUri[] = "http://report-example.test/test"; | 45 const char kReportUri[] = "http://report-example.test/test"; |
| 46 const char kExpectCTStaticHostname[] = "preloaded-expect-ct.badssl.com"; | 46 const char kExpectCTStaticHostname[] = "preloaded-expect-ct.badssl.com"; |
| 47 const char kExpectCTStaticReportURI[] = "https://report.badssl.com/expect-ct"; | 47 const char kExpectCTStaticReportURI[] = "https://report.badssl.com/expect-ct"; |
| 48 const char kExpectStapleStaticHostname[] = "preloaded-expect-staple.badssl.com"; | |
| 49 const char kExpectStapleStaticReportURI[] = | |
| 50 "https://report.badssl.com/expect-staple"; | |
| 51 const char kExpectStapleStaticIncludeSubdomainsHostname[] = | |
| 52 "expect-staple-test.badssl.com"; | |
| 48 | 53 |
| 49 // kGoodPath is blog.torproject.org. | 54 // kGoodPath is blog.torproject.org. |
| 50 const char* const kGoodPath[] = { | 55 const char* const kGoodPath[] = { |
| 51 "sha1/Yz4vayd/83rQfDXkDPn2yhzIScw=", | 56 "sha1/Yz4vayd/83rQfDXkDPn2yhzIScw=", |
| 52 "sha1/3lKvjNsfmrn+WmfDhvr2iVh/yRs=", | 57 "sha1/3lKvjNsfmrn+WmfDhvr2iVh/yRs=", |
| 53 "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=", | 58 "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=", |
| 54 "sha256/4osU79hfY3P2+WJGlT2mxmSL+5FIwLEVxTQcavyBNgQ=", | 59 "sha256/4osU79hfY3P2+WJGlT2mxmSL+5FIwLEVxTQcavyBNgQ=", |
| 55 "sha256/k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=", | 60 "sha256/k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=", |
| 56 "sha256/WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=", | 61 "sha256/WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=", |
| 57 nullptr, | 62 nullptr, |
| (...skipping 181 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 239 } | 244 } |
| 240 | 245 |
| 241 static void EnableStaticPins(TransportSecurityState* state) { | 246 static void EnableStaticPins(TransportSecurityState* state) { |
| 242 state->enable_static_pins_ = true; | 247 state->enable_static_pins_ = true; |
| 243 } | 248 } |
| 244 | 249 |
| 245 static void EnableStaticExpectCT(TransportSecurityState* state) { | 250 static void EnableStaticExpectCT(TransportSecurityState* state) { |
| 246 state->enable_static_expect_ct_ = true; | 251 state->enable_static_expect_ct_ = true; |
| 247 } | 252 } |
| 248 | 253 |
| 254 static void EnableStaticExpectStaple(TransportSecurityState* state) { | |
| 255 state->enable_static_expect_staple_ = true; | |
| 256 } | |
| 257 | |
| 249 static HashValueVector GetSampleSPKIHashes() { | 258 static HashValueVector GetSampleSPKIHashes() { |
| 250 HashValueVector spki_hashes; | 259 HashValueVector spki_hashes; |
| 251 HashValue hash(HASH_VALUE_SHA256); | 260 HashValue hash(HASH_VALUE_SHA256); |
| 252 memset(hash.data(), 0, hash.size()); | 261 memset(hash.data(), 0, hash.size()); |
| 253 spki_hashes.push_back(hash); | 262 spki_hashes.push_back(hash); |
| 254 return spki_hashes; | 263 return spki_hashes; |
| 255 } | 264 } |
| 256 | 265 |
| 257 protected: | 266 protected: |
| 258 bool GetStaticDomainState(TransportSecurityState* state, | 267 bool GetStaticDomainState(TransportSecurityState* state, |
| 259 const std::string& host, | 268 const std::string& host, |
| 260 TransportSecurityState::STSState* sts_result, | 269 TransportSecurityState::STSState* sts_result, |
| 261 TransportSecurityState::PKPState* pkp_result) { | 270 TransportSecurityState::PKPState* pkp_result) { |
| 262 return state->GetStaticDomainState(host, sts_result, pkp_result); | 271 return state->GetStaticDomainState(host, sts_result, pkp_result); |
| 263 } | 272 } |
| 264 | 273 |
| 265 bool GetExpectCTState(TransportSecurityState* state, | 274 bool GetExpectCTState(TransportSecurityState* state, |
| 266 const std::string& host, | 275 const std::string& host, |
| 267 TransportSecurityState::ExpectCTState* result) { | 276 TransportSecurityState::ExpectCTState* result) { |
| 268 return state->GetStaticExpectCTState(host, result); | 277 return state->GetStaticExpectCTState(host, result); |
| 269 } | 278 } |
| 279 | |
| 280 bool GetExpectStapleState(TransportSecurityState* state, | |
| 281 const std::string& host, | |
| 282 TransportSecurityState::ExpectStapleState* result) { | |
| 283 return state->GetStaticExpectStapleState(host, result); | |
| 284 } | |
| 270 }; | 285 }; |
| 271 | 286 |
| 272 TEST_F(TransportSecurityStateTest, DomainNameOddities) { | 287 TEST_F(TransportSecurityStateTest, DomainNameOddities) { |
| 273 TransportSecurityState state; | 288 TransportSecurityState state; |
| 274 const base::Time current_time(base::Time::Now()); | 289 const base::Time current_time(base::Time::Now()); |
| 275 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 290 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 276 | 291 |
| 277 // DNS suffix search tests. Some DNS resolvers allow a terminal "." to | 292 // DNS suffix search tests. Some DNS resolvers allow a terminal "." to |
| 278 // indicate not perform DNS suffix searching. Ensure that regardless | 293 // indicate not perform DNS suffix searching. Ensure that regardless |
| 279 // of how this is treated at the resolver layer, or at the URL/origin | 294 // of how this is treated at the resolver layer, or at the URL/origin |
| (...skipping 1380 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1660 TransportSecurityStateTest::EnableStaticExpectCT(&state); | 1675 TransportSecurityStateTest::EnableStaticExpectCT(&state); |
| 1661 TransportSecurityState::ExpectCTState expect_ct_state; | 1676 TransportSecurityState::ExpectCTState expect_ct_state; |
| 1662 EXPECT_TRUE( | 1677 EXPECT_TRUE( |
| 1663 GetExpectCTState(&state, kExpectCTStaticHostname, &expect_ct_state)); | 1678 GetExpectCTState(&state, kExpectCTStaticHostname, &expect_ct_state)); |
| 1664 EXPECT_EQ(kExpectCTStaticHostname, expect_ct_state.domain); | 1679 EXPECT_EQ(kExpectCTStaticHostname, expect_ct_state.domain); |
| 1665 EXPECT_EQ(GURL(kExpectCTStaticReportURI), expect_ct_state.report_uri); | 1680 EXPECT_EQ(GURL(kExpectCTStaticReportURI), expect_ct_state.report_uri); |
| 1666 EXPECT_FALSE( | 1681 EXPECT_FALSE( |
| 1667 GetExpectCTState(&state, "pinning-test.badssl.com", &expect_ct_state)); | 1682 GetExpectCTState(&state, "pinning-test.badssl.com", &expect_ct_state)); |
| 1668 } | 1683 } |
| 1669 | 1684 |
| 1685 // Tests that static (preloaded) expect staple state is read correctly. | |
| 1686 TEST_F(TransportSecurityStateTest, PreloadedExpectStaple) { | |
| 1687 TransportSecurityState state; | |
| 1688 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | |
| 1689 TransportSecurityState::ExpectStapleState expect_staple_state; | |
| 1690 EXPECT_TRUE(GetExpectStapleState(&state, kExpectStapleStaticHostname, | |
| 1691 &expect_staple_state)); | |
| 1692 EXPECT_EQ(kExpectStapleStaticHostname, expect_staple_state.domain); | |
| 1693 EXPECT_EQ(GURL(kExpectStapleStaticReportURI), expect_staple_state.report_uri); | |
| 1694 EXPECT_FALSE(expect_staple_state.include_subdomains); | |
| 1695 EXPECT_FALSE(GetExpectStapleState(&state, "pinning-test.badssl.com", | |
| 1696 &expect_staple_state)); | |
|
estark
2016/06/02 22:41:51
Can you add a test that a subdomain of kExpectStap
dadrian
2016/06/02 23:17:24
Done.
| |
| 1697 } | |
| 1698 | |
| 1699 TEST_F(TransportSecurityStateTest, PreloadedExpectStapleIncludeSubdomains) { | |
| 1700 TransportSecurityState state; | |
| 1701 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | |
| 1702 TransportSecurityState::ExpectStapleState expect_staple_state; | |
| 1703 std::string subdomain = "subdomain."; | |
| 1704 subdomain += kExpectStapleStaticIncludeSubdomainsHostname; | |
| 1705 EXPECT_TRUE(GetExpectStapleState(&state, subdomain, &expect_staple_state)); | |
| 1706 EXPECT_EQ(kExpectStapleStaticIncludeSubdomainsHostname, | |
| 1707 expect_staple_state.domain); | |
| 1708 EXPECT_TRUE(expect_staple_state.include_subdomains); | |
| 1709 EXPECT_EQ(GURL(kExpectStapleStaticReportURI), expect_staple_state.report_uri); | |
| 1710 } | |
| 1711 | |
| 1670 // Tests that the Expect CT reporter is not notified for invalid or absent | 1712 // Tests that the Expect CT reporter is not notified for invalid or absent |
| 1671 // header values. | 1713 // header values. |
| 1672 TEST_F(TransportSecurityStateTest, InvalidExpectCTHeader) { | 1714 TEST_F(TransportSecurityStateTest, InvalidExpectCTHeader) { |
| 1673 HostPortPair host_port(kExpectCTStaticHostname, 443); | 1715 HostPortPair host_port(kExpectCTStaticHostname, 443); |
| 1674 SSLInfo ssl_info; | 1716 SSLInfo ssl_info; |
| 1675 ssl_info.ct_compliance_details_available = true; | 1717 ssl_info.ct_compliance_details_available = true; |
| 1676 ssl_info.ct_cert_policy_compliance = | 1718 ssl_info.ct_cert_policy_compliance = |
| 1677 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; | 1719 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; |
| 1678 ssl_info.is_issued_by_known_root = true; | 1720 ssl_info.is_issued_by_known_root = true; |
| 1679 | 1721 |
| (...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1798 EXPECT_EQ(1u, reporter.num_failures()); | 1840 EXPECT_EQ(1u, reporter.num_failures()); |
| 1799 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); | 1841 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); |
| 1800 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, | 1842 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, |
| 1801 reporter.ssl_info().ct_cert_policy_compliance); | 1843 reporter.ssl_info().ct_cert_policy_compliance); |
| 1802 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 1844 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
| 1803 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 1845 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
| 1804 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 1846 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
| 1805 } | 1847 } |
| 1806 | 1848 |
| 1807 } // namespace net | 1849 } // namespace net |
| OLD | NEW |
