OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
63 return state->EnableHost(host, domain_state); | 63 return state->EnableHost(host, domain_state); |
64 } | 64 } |
65 }; | 65 }; |
66 | 66 |
67 TEST_F(TransportSecurityStateTest, SimpleMatches) { | 67 TEST_F(TransportSecurityStateTest, SimpleMatches) { |
68 TransportSecurityState state; | 68 TransportSecurityState state; |
69 TransportSecurityState::DomainState domain_state; | 69 TransportSecurityState::DomainState domain_state; |
70 const base::Time current_time(base::Time::Now()); | 70 const base::Time current_time(base::Time::Now()); |
71 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 71 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
72 | 72 |
73 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 73 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
74 bool include_subdomains = false; | 74 bool include_subdomains = false; |
75 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 75 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
76 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 76 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
77 } | 77 } |
78 | 78 |
79 TEST_F(TransportSecurityStateTest, MatchesCase1) { | 79 TEST_F(TransportSecurityStateTest, MatchesCase1) { |
80 TransportSecurityState state; | 80 TransportSecurityState state; |
81 TransportSecurityState::DomainState domain_state; | 81 TransportSecurityState::DomainState domain_state; |
82 const base::Time current_time(base::Time::Now()); | 82 const base::Time current_time(base::Time::Now()); |
83 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 83 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
84 | 84 |
85 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 85 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
86 bool include_subdomains = false; | 86 bool include_subdomains = false; |
87 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); | 87 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); |
88 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 88 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
89 } | 89 } |
90 | 90 |
91 TEST_F(TransportSecurityStateTest, MatchesCase2) { | 91 TEST_F(TransportSecurityStateTest, MatchesCase2) { |
92 TransportSecurityState state; | 92 TransportSecurityState state; |
93 TransportSecurityState::DomainState domain_state; | 93 TransportSecurityState::DomainState domain_state; |
94 const base::Time current_time(base::Time::Now()); | 94 const base::Time current_time(base::Time::Now()); |
95 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 95 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
96 | 96 |
97 EXPECT_FALSE(state.GetDomainState("YAhoo.coM", true, true, &domain_state)); | 97 EXPECT_FALSE(state.GetDomainState("YAhoo.coM", true, &domain_state)); |
98 bool include_subdomains = false; | 98 bool include_subdomains = false; |
99 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 99 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
100 EXPECT_TRUE(state.GetDomainState("YAhoo.coM", true, true, &domain_state)); | 100 EXPECT_TRUE(state.GetDomainState("YAhoo.coM", true, &domain_state)); |
101 } | 101 } |
102 | 102 |
103 TEST_F(TransportSecurityStateTest, SubdomainMatches) { | 103 TEST_F(TransportSecurityStateTest, SubdomainMatches) { |
104 TransportSecurityState state; | 104 TransportSecurityState state; |
105 TransportSecurityState::DomainState domain_state; | 105 TransportSecurityState::DomainState domain_state; |
106 const base::Time current_time(base::Time::Now()); | 106 const base::Time current_time(base::Time::Now()); |
107 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 107 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
108 | 108 |
109 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 109 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
110 bool include_subdomains = true; | 110 bool include_subdomains = true; |
111 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 111 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
112 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 112 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
113 EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, true, &domain_state)); | 113 EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, &domain_state)); |
114 EXPECT_TRUE( | 114 EXPECT_TRUE(state.GetDomainState("foo.bar.yahoo.com", true, &domain_state)); |
115 state.GetDomainState("foo.bar.yahoo.com", true, true, &domain_state)); | 115 EXPECT_TRUE(state.GetDomainState("foo.bar.baz.yahoo.com", true, |
116 EXPECT_TRUE( | 116 &domain_state)); |
117 state.GetDomainState("foo.bar.baz.yahoo.com", true, true, &domain_state)); | 117 EXPECT_FALSE(state.GetDomainState("com", true, &domain_state)); |
118 EXPECT_FALSE(state.GetDomainState("com", true, true, &domain_state)); | |
119 } | 118 } |
120 | 119 |
121 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 120 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
122 TransportSecurityState state; | 121 TransportSecurityState state; |
123 TransportSecurityState::DomainState domain_state; | 122 TransportSecurityState::DomainState domain_state; |
124 const base::Time current_time(base::Time::Now()); | 123 const base::Time current_time(base::Time::Now()); |
125 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 124 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
126 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 125 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
127 | 126 |
128 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 127 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
129 bool include_subdomains = false; | 128 bool include_subdomains = false; |
130 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 129 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
131 | 130 |
132 state.DeleteAllDynamicDataSince(expiry); | 131 state.DeleteAllDynamicDataSince(expiry); |
133 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 132 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
134 state.DeleteAllDynamicDataSince(older); | 133 state.DeleteAllDynamicDataSince(older); |
135 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 134 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
136 } | 135 } |
137 | 136 |
138 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 137 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
139 TransportSecurityState state; | 138 TransportSecurityState state; |
140 TransportSecurityState::DomainState domain_state; | 139 TransportSecurityState::DomainState domain_state; |
141 const base::Time current_time(base::Time::Now()); | 140 const base::Time current_time(base::Time::Now()); |
142 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 141 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
143 bool include_subdomains = false; | 142 bool include_subdomains = false; |
144 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 143 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
145 | 144 |
146 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 145 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
147 EXPECT_FALSE(state.GetDomainState("example.com", true, true, &domain_state)); | 146 EXPECT_FALSE(state.GetDomainState("example.com", true, &domain_state)); |
148 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); | 147 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); |
149 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 148 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
150 } | 149 } |
151 | 150 |
152 TEST_F(TransportSecurityStateTest, IsPreloaded) { | 151 TEST_F(TransportSecurityStateTest, IsPreloaded) { |
153 const std::string paypal = CanonicalizeHost("paypal.com"); | 152 const std::string paypal = CanonicalizeHost("paypal.com"); |
154 const std::string www_paypal = CanonicalizeHost("www.paypal.com"); | 153 const std::string www_paypal = CanonicalizeHost("www.paypal.com"); |
155 const std::string foo_paypal = CanonicalizeHost("foo.paypal.com"); | 154 const std::string foo_paypal = CanonicalizeHost("foo.paypal.com"); |
156 const std::string a_www_paypal = CanonicalizeHost("a.www.paypal.com"); | 155 const std::string a_www_paypal = CanonicalizeHost("a.www.paypal.com"); |
157 const std::string abc_paypal = CanonicalizeHost("a.b.c.paypal.com"); | 156 const std::string abc_paypal = CanonicalizeHost("a.b.c.paypal.com"); |
158 const std::string example = CanonicalizeHost("example.com"); | 157 const std::string example = CanonicalizeHost("example.com"); |
159 const std::string aypal = CanonicalizeHost("aypal.com"); | 158 const std::string aypal = CanonicalizeHost("aypal.com"); |
(...skipping 10 matching lines...) Expand all Loading... |
170 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); | 169 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); |
171 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); | 170 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); |
172 } | 171 } |
173 | 172 |
174 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { | 173 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { |
175 TransportSecurityState state; | 174 TransportSecurityState state; |
176 TransportSecurityState::DomainState domain_state; | 175 TransportSecurityState::DomainState domain_state; |
177 | 176 |
178 // The domain wasn't being set, leading to a blank string in the | 177 // The domain wasn't being set, leading to a blank string in the |
179 // chrome://net-internals/#hsts UI. So test that. | 178 // chrome://net-internals/#hsts UI. So test that. |
180 EXPECT_TRUE( | 179 EXPECT_TRUE(state.GetDomainState("market.android.com", true, &domain_state)); |
181 state.GetDomainState("market.android.com", true, true, &domain_state)); | |
182 EXPECT_EQ(domain_state.domain, "market.android.com"); | 180 EXPECT_EQ(domain_state.domain, "market.android.com"); |
183 EXPECT_TRUE(state.GetDomainState( | 181 EXPECT_TRUE(state.GetDomainState("sub.market.android.com", true, |
184 "sub.market.android.com", true, true, &domain_state)); | 182 &domain_state)); |
185 EXPECT_EQ(domain_state.domain, "market.android.com"); | 183 EXPECT_EQ(domain_state.domain, "market.android.com"); |
186 } | 184 } |
187 | 185 |
188 static bool ShouldRedirect(const char* hostname) { | 186 static bool ShouldRedirect(const char* hostname) { |
189 TransportSecurityState state; | 187 TransportSecurityState state; |
190 TransportSecurityState::DomainState domain_state; | 188 TransportSecurityState::DomainState domain_state; |
191 return state.GetDomainState( | 189 return state.GetDomainState(hostname, true /* SNI ok */, &domain_state) && |
192 hostname, true /* SNI ok */, true, &domain_state) && | |
193 domain_state.ShouldUpgradeToSSL(); | 190 domain_state.ShouldUpgradeToSSL(); |
194 } | 191 } |
195 | 192 |
196 static bool HasState(const char* hostname) { | 193 static bool HasState(const char* hostname) { |
197 TransportSecurityState state; | 194 TransportSecurityState state; |
198 TransportSecurityState::DomainState domain_state; | 195 TransportSecurityState::DomainState domain_state; |
199 return state.GetDomainState(hostname, true /* SNI ok */, true, &domain_state); | 196 return state.GetDomainState(hostname, true /* SNI ok */, &domain_state); |
200 } | 197 } |
201 | 198 |
202 static bool HasPublicKeyPins(const char* hostname, bool sni_enabled) { | 199 static bool HasPublicKeyPins(const char* hostname, bool sni_enabled) { |
203 TransportSecurityState state; | 200 TransportSecurityState state; |
204 TransportSecurityState::DomainState domain_state; | 201 TransportSecurityState::DomainState domain_state; |
205 if (!state.GetDomainState(hostname, sni_enabled, true, &domain_state)) | 202 if (!state.GetDomainState(hostname, sni_enabled, &domain_state)) |
206 return false; | 203 return false; |
207 | 204 |
208 return domain_state.HasPublicKeyPins(); | 205 return domain_state.HasPublicKeyPins(); |
209 } | 206 } |
210 | 207 |
211 static bool HasPublicKeyPins(const char* hostname) { | 208 static bool HasPublicKeyPins(const char* hostname) { |
212 return HasPublicKeyPins(hostname, true); | 209 return HasPublicKeyPins(hostname, true); |
213 } | 210 } |
214 | 211 |
215 static bool OnlyPinning(const char *hostname) { | 212 static bool OnlyPinning(const char *hostname) { |
216 TransportSecurityState state; | 213 TransportSecurityState state; |
217 TransportSecurityState::DomainState domain_state; | 214 TransportSecurityState::DomainState domain_state; |
218 if (!state.GetDomainState(hostname, true /* SNI ok */, true, &domain_state)) | 215 if (!state.GetDomainState(hostname, true /* SNI ok */, &domain_state)) |
219 return false; | 216 return false; |
220 | 217 |
221 return (domain_state.static_spki_hashes.size() > 0 || | 218 return (domain_state.static_spki_hashes.size() > 0 || |
222 domain_state.bad_static_spki_hashes.size() > 0 || | 219 domain_state.bad_static_spki_hashes.size() > 0 || |
223 domain_state.dynamic_spki_hashes.size() > 0) && | 220 domain_state.dynamic_spki_hashes.size() > 0) && |
224 !domain_state.ShouldUpgradeToSSL(); | 221 !domain_state.ShouldUpgradeToSSL(); |
225 } | 222 } |
226 | 223 |
227 TEST_F(TransportSecurityStateTest, Preloaded) { | 224 TEST_F(TransportSecurityStateTest, Preloaded) { |
228 TransportSecurityState state; | 225 TransportSecurityState state; |
229 TransportSecurityState::DomainState domain_state; | 226 TransportSecurityState::DomainState domain_state; |
230 | 227 |
231 // We do more extensive checks for the first domain. | 228 // We do more extensive checks for the first domain. |
232 EXPECT_TRUE( | 229 EXPECT_TRUE(state.GetDomainState("www.paypal.com", true, &domain_state)); |
233 state.GetDomainState("www.paypal.com", true, true, &domain_state)); | |
234 EXPECT_EQ(domain_state.upgrade_mode, | 230 EXPECT_EQ(domain_state.upgrade_mode, |
235 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); | 231 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); |
236 EXPECT_FALSE(domain_state.sts_include_subdomains); | 232 EXPECT_FALSE(domain_state.sts_include_subdomains); |
237 EXPECT_FALSE(domain_state.pkp_include_subdomains); | 233 EXPECT_FALSE(domain_state.pkp_include_subdomains); |
238 | 234 |
239 EXPECT_TRUE(HasState("paypal.com")); | 235 EXPECT_TRUE(HasState("paypal.com")); |
240 EXPECT_FALSE(HasState("www2.paypal.com")); | 236 EXPECT_FALSE(HasState("www2.paypal.com")); |
241 EXPECT_FALSE(HasState("www2.paypal.com")); | 237 EXPECT_FALSE(HasState("www2.paypal.com")); |
242 | 238 |
243 // Google hosts: | 239 // Google hosts: |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
285 EXPECT_TRUE(OnlyPinning("www.google-analytics.com")); | 281 EXPECT_TRUE(OnlyPinning("www.google-analytics.com")); |
286 EXPECT_TRUE(OnlyPinning("googleapis.com")); | 282 EXPECT_TRUE(OnlyPinning("googleapis.com")); |
287 EXPECT_TRUE(OnlyPinning("googleadservices.com")); | 283 EXPECT_TRUE(OnlyPinning("googleadservices.com")); |
288 EXPECT_TRUE(OnlyPinning("googlecode.com")); | 284 EXPECT_TRUE(OnlyPinning("googlecode.com")); |
289 EXPECT_TRUE(OnlyPinning("appspot.com")); | 285 EXPECT_TRUE(OnlyPinning("appspot.com")); |
290 EXPECT_TRUE(OnlyPinning("googlesyndication.com")); | 286 EXPECT_TRUE(OnlyPinning("googlesyndication.com")); |
291 EXPECT_TRUE(OnlyPinning("doubleclick.net")); | 287 EXPECT_TRUE(OnlyPinning("doubleclick.net")); |
292 EXPECT_TRUE(OnlyPinning("googlegroups.com")); | 288 EXPECT_TRUE(OnlyPinning("googlegroups.com")); |
293 | 289 |
294 // Tests for domains that don't work without SNI. | 290 // Tests for domains that don't work without SNI. |
295 EXPECT_FALSE(state.GetDomainState("gmail.com", false, true, &domain_state)); | 291 EXPECT_FALSE(state.GetDomainState("gmail.com", false, &domain_state)); |
296 EXPECT_FALSE( | 292 EXPECT_FALSE(state.GetDomainState("www.gmail.com", false, &domain_state)); |
297 state.GetDomainState("www.gmail.com", false, true, &domain_state)); | 293 EXPECT_FALSE(state.GetDomainState("m.gmail.com", false, &domain_state)); |
298 EXPECT_FALSE(state.GetDomainState("m.gmail.com", false, true, &domain_state)); | 294 EXPECT_FALSE(state.GetDomainState("googlemail.com", false, &domain_state)); |
299 EXPECT_FALSE( | 295 EXPECT_FALSE(state.GetDomainState("www.googlemail.com", false, |
300 state.GetDomainState("googlemail.com", false, true, &domain_state)); | 296 &domain_state)); |
301 EXPECT_FALSE( | 297 EXPECT_FALSE(state.GetDomainState("m.googlemail.com", false, &domain_state)); |
302 state.GetDomainState("www.googlemail.com", false, true, &domain_state)); | |
303 EXPECT_FALSE( | |
304 state.GetDomainState("m.googlemail.com", false, true, &domain_state)); | |
305 | 298 |
306 // Other hosts: | 299 // Other hosts: |
307 | 300 |
308 EXPECT_TRUE(ShouldRedirect("aladdinschools.appspot.com")); | 301 EXPECT_TRUE(ShouldRedirect("aladdinschools.appspot.com")); |
309 | 302 |
310 EXPECT_TRUE(ShouldRedirect("ottospora.nl")); | 303 EXPECT_TRUE(ShouldRedirect("ottospora.nl")); |
311 EXPECT_TRUE(ShouldRedirect("www.ottospora.nl")); | 304 EXPECT_TRUE(ShouldRedirect("www.ottospora.nl")); |
312 | 305 |
313 EXPECT_TRUE(ShouldRedirect("www.paycheckrecords.com")); | 306 EXPECT_TRUE(ShouldRedirect("www.paycheckrecords.com")); |
314 | 307 |
(...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
388 EXPECT_TRUE(ShouldRedirect("simon.butcher.name")); | 381 EXPECT_TRUE(ShouldRedirect("simon.butcher.name")); |
389 EXPECT_TRUE(ShouldRedirect("foo.simon.butcher.name")); | 382 EXPECT_TRUE(ShouldRedirect("foo.simon.butcher.name")); |
390 | 383 |
391 EXPECT_TRUE(ShouldRedirect("linx.net")); | 384 EXPECT_TRUE(ShouldRedirect("linx.net")); |
392 EXPECT_TRUE(ShouldRedirect("foo.linx.net")); | 385 EXPECT_TRUE(ShouldRedirect("foo.linx.net")); |
393 | 386 |
394 EXPECT_TRUE(ShouldRedirect("dropcam.com")); | 387 EXPECT_TRUE(ShouldRedirect("dropcam.com")); |
395 EXPECT_TRUE(ShouldRedirect("www.dropcam.com")); | 388 EXPECT_TRUE(ShouldRedirect("www.dropcam.com")); |
396 EXPECT_FALSE(HasState("foo.dropcam.com")); | 389 EXPECT_FALSE(HasState("foo.dropcam.com")); |
397 | 390 |
398 EXPECT_TRUE( | 391 EXPECT_TRUE(state.GetDomainState("torproject.org", false, &domain_state)); |
399 state.GetDomainState("torproject.org", false, true, &domain_state)); | |
400 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 392 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
401 EXPECT_TRUE( | 393 EXPECT_TRUE(state.GetDomainState("www.torproject.org", false, |
402 state.GetDomainState("www.torproject.org", false, true, &domain_state)); | 394 &domain_state)); |
403 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 395 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
404 EXPECT_TRUE( | 396 EXPECT_TRUE(state.GetDomainState("check.torproject.org", false, |
405 state.GetDomainState("check.torproject.org", false, true, &domain_state)); | 397 &domain_state)); |
406 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 398 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
407 EXPECT_TRUE( | 399 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", false, |
408 state.GetDomainState("blog.torproject.org", false, true, &domain_state)); | 400 &domain_state)); |
409 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 401 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
410 EXPECT_TRUE(ShouldRedirect("ebanking.indovinabank.com.vn")); | 402 EXPECT_TRUE(ShouldRedirect("ebanking.indovinabank.com.vn")); |
411 EXPECT_TRUE(ShouldRedirect("foo.ebanking.indovinabank.com.vn")); | 403 EXPECT_TRUE(ShouldRedirect("foo.ebanking.indovinabank.com.vn")); |
412 | 404 |
413 EXPECT_TRUE(ShouldRedirect("epoxate.com")); | 405 EXPECT_TRUE(ShouldRedirect("epoxate.com")); |
414 EXPECT_FALSE(HasState("foo.epoxate.com")); | 406 EXPECT_FALSE(HasState("foo.epoxate.com")); |
415 | 407 |
416 EXPECT_TRUE(HasPublicKeyPins("torproject.org")); | 408 EXPECT_TRUE(HasPublicKeyPins("torproject.org")); |
417 EXPECT_TRUE(HasPublicKeyPins("www.torproject.org")); | 409 EXPECT_TRUE(HasPublicKeyPins("www.torproject.org")); |
418 EXPECT_TRUE(HasPublicKeyPins("check.torproject.org")); | 410 EXPECT_TRUE(HasPublicKeyPins("check.torproject.org")); |
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
470 EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); | 462 EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); |
471 } | 463 } |
472 | 464 |
473 TEST_F(TransportSecurityStateTest, LongNames) { | 465 TEST_F(TransportSecurityStateTest, LongNames) { |
474 TransportSecurityState state; | 466 TransportSecurityState state; |
475 const char kLongName[] = | 467 const char kLongName[] = |
476 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" | 468 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" |
477 "WaveletIdDomainAndBlipBlipid"; | 469 "WaveletIdDomainAndBlipBlipid"; |
478 TransportSecurityState::DomainState domain_state; | 470 TransportSecurityState::DomainState domain_state; |
479 // Just checks that we don't hit a NOTREACHED. | 471 // Just checks that we don't hit a NOTREACHED. |
480 EXPECT_FALSE(state.GetDomainState(kLongName, true, true, &domain_state)); | 472 EXPECT_FALSE(state.GetDomainState(kLongName, true, &domain_state)); |
481 } | 473 } |
482 | 474 |
483 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { | 475 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { |
484 TransportSecurityState state; | 476 TransportSecurityState state; |
485 TransportSecurityState::DomainState domain_state; | 477 TransportSecurityState::DomainState domain_state; |
486 | 478 |
487 EXPECT_TRUE( | 479 EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state)); |
488 state.GetDomainState("chrome.google.com", true, true, &domain_state)); | |
489 EXPECT_TRUE(HasPublicKeyPins("chrome.google.com")); | 480 EXPECT_TRUE(HasPublicKeyPins("chrome.google.com")); |
490 | 481 |
491 HashValueVector hashes; | 482 HashValueVector hashes; |
492 // Checks that a built-in list does exist. | 483 // Checks that a built-in list does exist. |
493 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes)); | 484 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes)); |
494 EXPECT_FALSE(HasPublicKeyPins("www.paypal.com")); | 485 EXPECT_FALSE(HasPublicKeyPins("www.paypal.com")); |
495 | 486 |
496 EXPECT_TRUE(HasPublicKeyPins("docs.google.com")); | 487 EXPECT_TRUE(HasPublicKeyPins("docs.google.com")); |
497 EXPECT_TRUE(HasPublicKeyPins("1.docs.google.com")); | 488 EXPECT_TRUE(HasPublicKeyPins("1.docs.google.com")); |
498 EXPECT_TRUE(HasPublicKeyPins("sites.google.com")); | 489 EXPECT_TRUE(HasPublicKeyPins("sites.google.com")); |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
566 | 557 |
567 for (size_t i = 0; kGoodPath[i]; i++) { | 558 for (size_t i = 0; kGoodPath[i]; i++) { |
568 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 559 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
569 } | 560 } |
570 for (size_t i = 0; kBadPath[i]; i++) { | 561 for (size_t i = 0; kBadPath[i]; i++) { |
571 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 562 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
572 } | 563 } |
573 | 564 |
574 TransportSecurityState state; | 565 TransportSecurityState state; |
575 TransportSecurityState::DomainState domain_state; | 566 TransportSecurityState::DomainState domain_state; |
576 EXPECT_TRUE( | 567 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); |
577 state.GetDomainState("plus.google.com", true, true, &domain_state)); | |
578 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 568 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
579 | 569 |
580 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | 570 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); |
581 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | 571 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); |
582 } | 572 } |
583 | 573 |
584 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { | 574 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { |
585 // kGoodPath is blog.torproject.org. | 575 // kGoodPath is blog.torproject.org. |
586 static const char* kGoodPath[] = { | 576 static const char* kGoodPath[] = { |
587 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", | 577 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", |
(...skipping 15 matching lines...) Expand all Loading... |
603 | 593 |
604 for (size_t i = 0; kGoodPath[i]; i++) { | 594 for (size_t i = 0; kGoodPath[i]; i++) { |
605 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 595 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
606 } | 596 } |
607 for (size_t i = 0; kBadPath[i]; i++) { | 597 for (size_t i = 0; kBadPath[i]; i++) { |
608 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 598 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
609 } | 599 } |
610 | 600 |
611 TransportSecurityState state; | 601 TransportSecurityState state; |
612 TransportSecurityState::DomainState domain_state; | 602 TransportSecurityState::DomainState domain_state; |
613 EXPECT_TRUE( | 603 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", true, &domain_state)); |
614 state.GetDomainState("blog.torproject.org", true, true, &domain_state)); | |
615 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 604 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
616 | 605 |
617 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | 606 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); |
618 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | 607 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); |
619 } | 608 } |
620 | 609 |
621 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { | 610 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { |
622 static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU="; | 611 static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU="; |
623 static const char* ee_sha256 = | 612 static const char* ee_sha256 = |
624 "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I="; | 613 "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I="; |
625 static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; | 614 static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; |
626 static const char* google_1024_sha256 = | 615 static const char* google_1024_sha256 = |
627 "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU="; | 616 "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU="; |
628 static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; | 617 static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; |
629 static const char* equifax_sha256 = | 618 static const char* equifax_sha256 = |
630 "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY="; | 619 "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY="; |
631 static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k="; | 620 static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k="; |
632 static const char* trustcenter_sha256 = | 621 static const char* trustcenter_sha256 = |
633 "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M="; | 622 "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M="; |
634 | 623 |
635 // Good chains for plus.google.com chain up through google_1024_sha{1,256} | 624 // Good chains for plus.google.com chain up through google_1024_sha{1,256} |
636 // to equifax_sha{1,256}. Bad chains chain up to Equifax through | 625 // to equifax_sha{1,256}. Bad chains chain up to Equifax through |
637 // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax | 626 // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax |
638 // and Google1024 are known-good, the blacklistedness of Trustcenter | 627 // and Google1024 are known-good, the blacklistedness of Trustcenter |
639 // should override and cause pin validation failure. | 628 // should override and cause pin validation failure. |
640 | 629 |
641 TransportSecurityState state; | 630 TransportSecurityState state; |
642 TransportSecurityState::DomainState domain_state; | 631 TransportSecurityState::DomainState domain_state; |
643 EXPECT_TRUE( | 632 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); |
644 state.GetDomainState("plus.google.com", true, true, &domain_state)); | |
645 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 633 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
646 | 634 |
647 // The statically-defined pins are all SHA-1, so we add some SHA-256 pins | 635 // The statically-defined pins are all SHA-1, so we add some SHA-256 pins |
648 // manually: | 636 // manually: |
649 EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes)); | 637 EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes)); |
650 EXPECT_TRUE(AddHash(trustcenter_sha256, | 638 EXPECT_TRUE(AddHash(trustcenter_sha256, |
651 &domain_state.bad_static_spki_hashes)); | 639 &domain_state.bad_static_spki_hashes)); |
652 | 640 |
653 // Try an all-good SHA1 chain. | 641 // Try an all-good SHA1 chain. |
654 HashValueVector validated_chain; | 642 HashValueVector validated_chain; |
(...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
746 EXPECT_FALSE(ShouldRedirect("google.com")); | 734 EXPECT_FALSE(ShouldRedirect("google.com")); |
747 EXPECT_FALSE(ShouldRedirect("www.google.com")); | 735 EXPECT_FALSE(ShouldRedirect("www.google.com")); |
748 | 736 |
749 TransportSecurityState state; | 737 TransportSecurityState state; |
750 TransportSecurityState::DomainState domain_state; | 738 TransportSecurityState::DomainState domain_state; |
751 const base::Time current_time(base::Time::Now()); | 739 const base::Time current_time(base::Time::Now()); |
752 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 740 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
753 domain_state.upgrade_expiry = expiry; | 741 domain_state.upgrade_expiry = expiry; |
754 EnableHost(&state, "www.google.com", domain_state); | 742 EnableHost(&state, "www.google.com", domain_state); |
755 | 743 |
756 EXPECT_TRUE( | 744 EXPECT_TRUE(state.GetDomainState("www.google.com", true, &domain_state)); |
757 state.GetDomainState("www.google.com", true, true, &domain_state)); | |
758 } | 745 } |
759 | 746 |
760 static const uint8 kSidePinLeafSPKI[] = { | 747 static const uint8 kSidePinLeafSPKI[] = { |
761 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, | 748 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
762 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xe4, | 749 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xe4, |
763 0x1d, 0xcc, 0xf2, 0x92, 0xe7, 0x7a, 0xc6, 0x36, 0xf7, 0x1a, 0x62, 0x31, 0x7d, | 750 0x1d, 0xcc, 0xf2, 0x92, 0xe7, 0x7a, 0xc6, 0x36, 0xf7, 0x1a, 0x62, 0x31, 0x7d, |
764 0x37, 0xea, 0x0d, 0xa2, 0xa8, 0x12, 0x2b, 0xc2, 0x1c, 0x82, 0x3e, 0xa5, 0x70, | 751 0x37, 0xea, 0x0d, 0xa2, 0xa8, 0x12, 0x2b, 0xc2, 0x1c, 0x82, 0x3e, 0xa5, 0x70, |
765 0x4a, 0x83, 0x5d, 0x9b, 0x84, 0x82, 0x70, 0xa4, 0x88, 0x98, 0x98, 0x41, 0x29, | 752 0x4a, 0x83, 0x5d, 0x9b, 0x84, 0x82, 0x70, 0xa4, 0x88, 0x98, 0x98, 0x41, 0x29, |
766 0x31, 0xcb, 0x6e, 0x2a, 0x54, 0x65, 0x14, 0x60, 0xcc, 0x00, 0xe8, 0x10, 0x30, | 753 0x31, 0xcb, 0x6e, 0x2a, 0x54, 0x65, 0x14, 0x60, 0xcc, 0x00, 0xe8, 0x10, 0x30, |
767 0x0a, 0x4a, 0xd1, 0xa7, 0x52, 0xfe, 0x2d, 0x31, 0x2a, 0x1d, 0x0d, 0x02, 0x03, | 754 0x0a, 0x4a, 0xd1, 0xa7, 0x52, 0xfe, 0x2d, 0x31, 0x2a, 0x1d, 0x0d, 0x02, 0x03, |
(...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
846 // Expect to fail for SNI hosts when not searching the SNI list: | 833 // Expect to fail for SNI hosts when not searching the SNI list: |
847 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 834 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
848 "gmail.com", false)); | 835 "gmail.com", false)); |
849 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 836 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
850 "googlegroups.com", false)); | 837 "googlegroups.com", false)); |
851 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 838 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
852 "www.googlegroups.com", false)); | 839 "www.googlegroups.com", false)); |
853 } | 840 } |
854 | 841 |
855 } // namespace net | 842 } // namespace net |
OLD | NEW |