1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
38 namespace net { | 38 namespace net { |
39 | 39 |
40 namespace { | 40 namespace { |
41 | 41 |
42 const char kHost[] = "example.test"; | 42 const char kHost[] = "example.test"; |
43 const char kSubdomain[] = "foo.example.test"; | 43 const char kSubdomain[] = "foo.example.test"; |
44 const uint16_t kPort = 443; | 44 const uint16_t kPort = 443; |
45 const char kReportUri[] = "http://report-example.test/test"; | 45 const char kReportUri[] = "http://report-example.test/test"; |
46 const char kExpectCTStaticHostname[] = "preloaded-expect-ct.badssl.com"; | 46 const char kExpectCTStaticHostname[] = "preloaded-expect-ct.badssl.com"; |
47 const char kExpectCTStaticReportURI[] = "https://report.badssl.com/expect-ct"; | 47 const char kExpectCTStaticReportURI[] = "https://report.badssl.com/expect-ct"; |
48 const char kExpectStapleStaticHostname[] = "preloaded-expect-staple.badssl.com"; | |
49 const char kExpectStapleStaticReportURI[] = | |
50 "https://report.badssl.com/expect-staple"; | |
51 const char kExpectStapleStaticIncludeSubdomainsHostname[] = | |
52 "expect-staple-test.badssl.com"; | |
48 | 53 |
49 // kGoodPath is blog.torproject.org. | 54 // kGoodPath is blog.torproject.org. |
50 const char* const kGoodPath[] = { | 55 const char* const kGoodPath[] = { |
51 "sha1/Yz4vayd/83rQfDXkDPn2yhzIScw=", | 56 "sha1/Yz4vayd/83rQfDXkDPn2yhzIScw=", |
52 "sha1/3lKvjNsfmrn+WmfDhvr2iVh/yRs=", | 57 "sha1/3lKvjNsfmrn+WmfDhvr2iVh/yRs=", |
53 "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=", | 58 "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=", |
54 "sha256/4osU79hfY3P2+WJGlT2mxmSL+5FIwLEVxTQcavyBNgQ=", | 59 "sha256/4osU79hfY3P2+WJGlT2mxmSL+5FIwLEVxTQcavyBNgQ=", |
55 "sha256/k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=", | 60 "sha256/k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=", |
56 "sha256/WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=", | 61 "sha256/WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=", |
57 nullptr, | 62 nullptr, |
239 } | 244 } |
240 | 245 |
241 static void EnableStaticPins(TransportSecurityState* state) { | 246 static void EnableStaticPins(TransportSecurityState* state) { |
242 state->enable_static_pins_ = true; | 247 state->enable_static_pins_ = true; |
243 } | 248 } |
244 | 249 |
245 static void EnableStaticExpectCT(TransportSecurityState* state) { | 250 static void EnableStaticExpectCT(TransportSecurityState* state) { |
246 state->enable_static_expect_ct_ = true; | 251 state->enable_static_expect_ct_ = true; |
247 } | 252 } |
248 | 253 |
254 static void EnableStaticExpectStaple(TransportSecurityState* state) { | |
255 state->enable_static_expect_staple_ = true; | |
256 } | |
257 | |
249 static HashValueVector GetSampleSPKIHashes() { | 258 static HashValueVector GetSampleSPKIHashes() { |
250 HashValueVector spki_hashes; | 259 HashValueVector spki_hashes; |
251 HashValue hash(HASH_VALUE_SHA256); | 260 HashValue hash(HASH_VALUE_SHA256); |
252 memset(hash.data(), 0, hash.size()); | 261 memset(hash.data(), 0, hash.size()); |
253 spki_hashes.push_back(hash); | 262 spki_hashes.push_back(hash); |
254 return spki_hashes; | 263 return spki_hashes; |
255 } | 264 } |
256 | 265 |
257 protected: | 266 protected: |
258 bool GetStaticDomainState(TransportSecurityState* state, | 267 bool GetStaticDomainState(TransportSecurityState* state, |
259 const std::string& host, | 268 const std::string& host, |
260 TransportSecurityState::STSState* sts_result, | 269 TransportSecurityState::STSState* sts_result, |
261 TransportSecurityState::PKPState* pkp_result) { | 270 TransportSecurityState::PKPState* pkp_result) { |
262 return state->GetStaticDomainState(host, sts_result, pkp_result); | 271 return state->GetStaticDomainState(host, sts_result, pkp_result); |
263 } | 272 } |
264 | 273 |
265 bool GetExpectCTState(TransportSecurityState* state, | 274 bool GetExpectCTState(TransportSecurityState* state, |
266 const std::string& host, | 275 const std::string& host, |
267 TransportSecurityState::ExpectCTState* result) { | 276 TransportSecurityState::ExpectCTState* result) { |
268 return state->GetStaticExpectCTState(host, result); | 277 return state->GetStaticExpectCTState(host, result); |
269 } | 278 } |
279 | |
280 bool GetExpectStapleState(TransportSecurityState* state, | |
281 const std::string& host, | |
282 TransportSecurityState::ExpectStapleState* result) { | |
283 return state->GetStaticExpectStapleState(host, result); | |
284 } | |
270 }; | 285 }; |
271 | 286 |
272 TEST_F(TransportSecurityStateTest, DomainNameOddities) { | 287 TEST_F(TransportSecurityStateTest, DomainNameOddities) { |
273 TransportSecurityState state; | 288 TransportSecurityState state; |
274 const base::Time current_time(base::Time::Now()); | 289 const base::Time current_time(base::Time::Now()); |
275 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 290 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
276 | 291 |
277 // DNS suffix search tests. Some DNS resolvers allow a terminal "." to | 292 // DNS suffix search tests. Some DNS resolvers allow a terminal "." to |
278 // indicate not perform DNS suffix searching. Ensure that regardless | 293 // indicate not perform DNS suffix searching. Ensure that regardless |
279 // of how this is treated at the resolver layer, or at the URL/origin | 294 // of how this is treated at the resolver layer, or at the URL/origin |
1660 TransportSecurityStateTest::EnableStaticExpectCT(&state); | 1675 TransportSecurityStateTest::EnableStaticExpectCT(&state); |
1661 TransportSecurityState::ExpectCTState expect_ct_state; | 1676 TransportSecurityState::ExpectCTState expect_ct_state; |
1662 EXPECT_TRUE( | 1677 EXPECT_TRUE( |
1663 GetExpectCTState(&state, kExpectCTStaticHostname, &expect_ct_state)); | 1678 GetExpectCTState(&state, kExpectCTStaticHostname, &expect_ct_state)); |
1664 EXPECT_EQ(kExpectCTStaticHostname, expect_ct_state.domain); | 1679 EXPECT_EQ(kExpectCTStaticHostname, expect_ct_state.domain); |
1665 EXPECT_EQ(GURL(kExpectCTStaticReportURI), expect_ct_state.report_uri); | 1680 EXPECT_EQ(GURL(kExpectCTStaticReportURI), expect_ct_state.report_uri); |
1666 EXPECT_FALSE( | 1681 EXPECT_FALSE( |
1667 GetExpectCTState(&state, "pinning-test.badssl.com", &expect_ct_state)); | 1682 GetExpectCTState(&state, "pinning-test.badssl.com", &expect_ct_state)); |
1668 } | 1683 } |
1669 | 1684 |
1685 // Tests that static (preloaded) expect staple state is read correctly. | |
1686 TEST_F(TransportSecurityStateTest, PreloadedExpectStaple) { | |
1687 TransportSecurityState state; | |
1688 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | |
1689 TransportSecurityState::ExpectStapleState expect_staple_state; | |
1690 EXPECT_TRUE(GetExpectStapleState(&state, kExpectStapleStaticHostname, | |
1691 &expect_staple_state)); | |
1692 EXPECT_EQ(kExpectStapleStaticHostname, expect_staple_state.domain); | |
1693 EXPECT_EQ(GURL(kExpectStapleStaticReportURI), expect_staple_state.report_uri); | |
1694 EXPECT_FALSE(expect_staple_state.include_subdomains); | |
1695 EXPECT_FALSE(GetExpectStapleState(&state, "pinning-test.badssl.com", | |
1696 &expect_staple_state)); | |
estark
2016/06/02 22:41:51
Can you add a test that a subdomain of kExpectStap
dadrian
2016/06/02 23:17:24
Done.
| |
1697 } | |
1698 | |
1699 TEST_F(TransportSecurityStateTest, PreloadedExpectStapleIncludeSubdomains) { | |
1700 TransportSecurityState state; | |
1701 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | |
1702 TransportSecurityState::ExpectStapleState expect_staple_state; | |
1703 std::string subdomain = "subdomain."; | |
1704 subdomain += kExpectStapleStaticIncludeSubdomainsHostname; | |
1705 EXPECT_TRUE(GetExpectStapleState(&state, subdomain, &expect_staple_state)); | |
1706 EXPECT_EQ(kExpectStapleStaticIncludeSubdomainsHostname, | |
1707 expect_staple_state.domain); | |
1708 EXPECT_TRUE(expect_staple_state.include_subdomains); | |
1709 EXPECT_EQ(GURL(kExpectStapleStaticReportURI), expect_staple_state.report_uri); | |
1710 } | |
1711 | |
1670 // Tests that the Expect CT reporter is not notified for invalid or absent | 1712 // Tests that the Expect CT reporter is not notified for invalid or absent |
1671 // header values. | 1713 // header values. |
1672 TEST_F(TransportSecurityStateTest, InvalidExpectCTHeader) { | 1714 TEST_F(TransportSecurityStateTest, InvalidExpectCTHeader) { |
1673 HostPortPair host_port(kExpectCTStaticHostname, 443); | 1715 HostPortPair host_port(kExpectCTStaticHostname, 443); |
1674 SSLInfo ssl_info; | 1716 SSLInfo ssl_info; |
1675 ssl_info.ct_compliance_details_available = true; | 1717 ssl_info.ct_compliance_details_available = true; |
1676 ssl_info.ct_cert_policy_compliance = | 1718 ssl_info.ct_cert_policy_compliance = |
1677 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; | 1719 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; |
1678 ssl_info.is_issued_by_known_root = true; | 1720 ssl_info.is_issued_by_known_root = true; |
1679 | 1721 |
1798 EXPECT_EQ(1u, reporter.num_failures()); | 1840 EXPECT_EQ(1u, reporter.num_failures()); |
1799 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); | 1841 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); |
1800 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, | 1842 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, |
1801 reporter.ssl_info().ct_cert_policy_compliance); | 1843 reporter.ssl_info().ct_cert_policy_compliance); |
1802 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 1844 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
1803 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 1845 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
1804 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 1846 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
1805 } | 1847 } |
1806 | 1848 |
1807 } // namespace net | 1849 } // namespace net |
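Review bot: Neither new test verifies that an entry with include_subdomains == false is actually confined to its exact host: PreloadedExpectStaple (new lines 1686-1697) only asserts the flag's value for kExpectStapleStaticHostname, and PreloadedExpectStapleIncludeSubdomains (new lines 1699-1710) covers only the positive case, so an implementation that ignored include_subdomains and matched every subdomain would still pass both. A negative lookup in PreloadedExpectStaple would close that gap: `std::string subdomain = "subdomain."; subdomain += kExpectStapleStaticHostname;` followed by `EXPECT_FALSE(GetExpectStapleState(&state, subdomain, &expect_staple_state));`. The scoping rule itself lives in GetStaticExpectStapleState, which is outside this diff, so the expected result presumes that function honors the flag the same way the preloaded Expect-CT path does. If the inline thread at new line 1696 already asked for exactly this negative case rather than the positive one that was added, disregard this note.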