OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
11 #include "base/base64.h" | 11 #include "base/base64.h" |
12 #include "base/files/file_path.h" | 12 #include "base/files/file_path.h" |
13 #include "base/json/json_reader.h" | 13 #include "base/json/json_reader.h" |
14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
15 #include "base/metrics/field_trial.h" | 15 #include "base/metrics/field_trial.h" |
16 #include "base/rand_util.h" | 16 #include "base/rand_util.h" |
17 #include "base/sha1.h" | 17 #include "base/sha1.h" |
18 #include "base/strings/string_piece.h" | 18 #include "base/strings/string_piece.h" |
19 #include "base/test/histogram_tester.h" | 19 #include "base/test/histogram_tester.h" |
20 #include "base/test/mock_entropy_provider.h" | 20 #include "base/test/mock_entropy_provider.h" |
| 21 #include "base/test/scoped_feature_list.h" |
21 #include "base/values.h" | 22 #include "base/values.h" |
22 #include "crypto/openssl_util.h" | 23 #include "crypto/openssl_util.h" |
23 #include "crypto/sha2.h" | 24 #include "crypto/sha2.h" |
24 #include "net/base/host_port_pair.h" | 25 #include "net/base/host_port_pair.h" |
25 #include "net/base/net_errors.h" | 26 #include "net/base/net_errors.h" |
26 #include "net/base/test_completion_callback.h" | 27 #include "net/base/test_completion_callback.h" |
27 #include "net/cert/asn1_util.h" | 28 #include "net/cert/asn1_util.h" |
28 #include "net/cert/cert_verifier.h" | 29 #include "net/cert/cert_verifier.h" |
29 #include "net/cert/cert_verify_result.h" | 30 #include "net/cert/cert_verify_result.h" |
30 #include "net/cert/ct_policy_status.h" | 31 #include "net/cert/ct_policy_status.h" |
(...skipping 748 matching lines...)
779 | 780 |
780 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), | 781 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), |
781 report_uri); | 782 report_uri); |
782 | 783 |
783 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 784 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
784 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 785 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
785 EXPECT_EQ(pkp_state.spki_hashes[0], hash3); | 786 EXPECT_EQ(pkp_state.spki_hashes[0], hash3); |
786 } | 787 } |
787 | 788 |
788 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 789 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
| 790 base::test::ScopedFeatureList feature_list; |
| 791 feature_list.InitAndEnableFeature( |
| 792 TransportSecurityState::kDynamicExpectCTFeature); |
| 793 TransportSecurityState::ExpectCTState expect_ct_state; |
| 794 |
789 TransportSecurityState state; | 795 TransportSecurityState state; |
790 const base::Time current_time(base::Time::Now()); | 796 const base::Time current_time(base::Time::Now()); |
791 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 797 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
792 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 798 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
793 | 799 |
794 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 800 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
795 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 801 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 802 EXPECT_FALSE(state.GetDynamicExpectCTState("example.com", &expect_ct_state)); |
796 bool include_subdomains = false; | 803 bool include_subdomains = false; |
797 state.AddHSTS("example.com", expiry, include_subdomains); | 804 state.AddHSTS("example.com", expiry, include_subdomains); |
798 state.AddHPKP("example.com", expiry, include_subdomains, | 805 state.AddHPKP("example.com", expiry, include_subdomains, |
799 GetSampleSPKIHashes(), GURL()); | 806 GetSampleSPKIHashes(), GURL()); |
| 807 state.AddExpectCT("example.com", expiry, true, GURL()); |
800 | 808 |
801 state.DeleteAllDynamicDataSince(expiry); | 809 state.DeleteAllDynamicDataSince(expiry); |
802 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); | 810 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
803 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 811 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
| 812 EXPECT_TRUE(state.GetDynamicExpectCTState("example.com", &expect_ct_state)); |
804 state.DeleteAllDynamicDataSince(older); | 813 state.DeleteAllDynamicDataSince(older); |
805 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 814 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
806 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 815 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 816 EXPECT_FALSE(state.GetDynamicExpectCTState("example.com", &expect_ct_state)); |
807 | 817 |
808 // STS and PKP data in |state| should be empty now. | 818 // Dynamic data in |state| should be empty now. |
809 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 819 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
810 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 820 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 821 EXPECT_FALSE(TransportSecurityState::ExpectCTStateIterator(state).HasNext()); |
811 } | 822 } |
812 | 823 |
813 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 824 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
| 825 base::test::ScopedFeatureList feature_list; |
| 826 feature_list.InitAndEnableFeature( |
| 827 TransportSecurityState::kDynamicExpectCTFeature); |
814 TransportSecurityState state; | 828 TransportSecurityState state; |
815 const base::Time current_time(base::Time::Now()); | 829 const base::Time current_time(base::Time::Now()); |
816 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 830 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
817 bool include_subdomains = false; | 831 bool include_subdomains = false; |
818 | 832 |
819 state.AddHSTS("example1.test", expiry, include_subdomains); | 833 state.AddHSTS("example1.test", expiry, include_subdomains); |
820 state.AddHPKP("example1.test", expiry, include_subdomains, | 834 state.AddHPKP("example1.test", expiry, include_subdomains, |
821 GetSampleSPKIHashes(), GURL()); | 835 GetSampleSPKIHashes(), GURL()); |
| 836 state.AddExpectCT("example1.test", expiry, true, GURL()); |
822 | 837 |
823 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 838 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
824 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 839 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
825 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); | 840 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); |
826 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); | 841 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); |
| 842 TransportSecurityState::ExpectCTState expect_ct_state; |
| 843 EXPECT_TRUE(state.GetDynamicExpectCTState("example1.test", &expect_ct_state)); |
| 844 EXPECT_FALSE( |
| 845 state.GetDynamicExpectCTState("example2.test", &expect_ct_state)); |
| 846 |
827 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); | 847 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); |
828 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 848 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
829 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 849 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 850 EXPECT_FALSE( |
| 851 state.GetDynamicExpectCTState("example1.test", &expect_ct_state)); |
830 } | 852 } |
831 | 853 |
832 TEST_F(TransportSecurityStateTest, EnableStaticPins) { | 854 TEST_F(TransportSecurityStateTest, EnableStaticPins) { |
833 TransportSecurityState state; | 855 TransportSecurityState state; |
834 TransportSecurityState::STSState sts_state; | 856 TransportSecurityState::STSState sts_state; |
835 TransportSecurityState::PKPState pkp_state; | 857 TransportSecurityState::PKPState pkp_state; |
836 | 858 |
837 EnableStaticPins(&state); | 859 EnableStaticPins(&state); |
838 | 860 |
839 EXPECT_TRUE( | 861 EXPECT_TRUE( |
(...skipping 1753 matching lines...)
2593 base::MakeUnique<base::MockEntropyProvider>()); | 2615 base::MakeUnique<base::MockEntropyProvider>()); |
2594 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", | 2616 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", |
2595 "disabled"); | 2617 "disabled"); |
2596 | 2618 |
2597 EXPECT_FALSE( | 2619 EXPECT_FALSE( |
2598 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2620 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); |
2599 EXPECT_FALSE( | 2621 EXPECT_FALSE( |
2600 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2622 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); |
2601 } | 2623 } |
2602 | 2624 |
| 2625 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). |
| 2626 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { |
| 2627 base::test::ScopedFeatureList feature_list; |
| 2628 feature_list.InitAndEnableFeature( |
| 2629 TransportSecurityState::kDynamicExpectCTFeature); |
| 2630 const std::string host("example.test"); |
| 2631 TransportSecurityState state; |
| 2632 TransportSecurityState::ExpectCTState expect_ct_state; |
| 2633 const base::Time current_time = base::Time::Now(); |
| 2634 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 2635 |
| 2636 state.AddExpectCT(host, expiry, true, GURL()); |
| 2637 EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2638 EXPECT_TRUE(expect_ct_state.enforce); |
| 2639 EXPECT_TRUE(expect_ct_state.report_uri.is_empty()); |
| 2640 EXPECT_EQ(expiry, expect_ct_state.expiry); |
| 2641 |
| 2642 state.ClearDynamicData(); |
| 2643 EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2644 } |
| 2645 |
| 2646 // Tests that dynamic Expect-CT state can be added and retrieved. |
| 2647 TEST_F(TransportSecurityStateTest, DynamicExpectCTState) { |
| 2648 base::test::ScopedFeatureList feature_list; |
| 2649 feature_list.InitAndEnableFeature( |
| 2650 TransportSecurityState::kDynamicExpectCTFeature); |
| 2651 const std::string host("example.test"); |
| 2652 TransportSecurityState state; |
| 2653 TransportSecurityState::ExpectCTState expect_ct_state; |
| 2654 const base::Time current_time = base::Time::Now(); |
| 2655 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 2656 |
| 2657 // Test that Expect-CT state can be added and retrieved. |
| 2658 state.AddExpectCT(host, expiry, true, GURL()); |
| 2659 EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2660 EXPECT_TRUE(expect_ct_state.enforce); |
| 2661 EXPECT_TRUE(expect_ct_state.report_uri.is_empty()); |
| 2662 EXPECT_EQ(expiry, expect_ct_state.expiry); |
| 2663 |
| 2664 // Test that Expect-CT can be updated (e.g. by changing |enforce| to false and |
| 2665 // adding a report-uri). |
| 2666 const GURL report_uri("https://example-report.test"); |
| 2667 state.AddExpectCT(host, expiry, false, report_uri); |
| 2668 EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2669 EXPECT_FALSE(expect_ct_state.enforce); |
| 2670 EXPECT_EQ(report_uri, expect_ct_state.report_uri); |
| 2671 EXPECT_EQ(expiry, expect_ct_state.expiry); |
| 2672 |
| 2673 // Test that Expect-CT state is discarded when expired. |
| 2674 state.AddExpectCT(host, current_time - base::TimeDelta::FromSeconds(1000), |
| 2675 true, report_uri); |
| 2676 EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2677 } |
| 2678 |
| 2679 // Tests that dynamic Expect-CT state cannot be added when the feature is not |
| 2680 // enabled. |
| 2681 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateDisabled) { |
| 2682 base::test::ScopedFeatureList feature_list; |
| 2683 feature_list.InitAndDisableFeature( |
| 2684 TransportSecurityState::kDynamicExpectCTFeature); |
| 2685 const std::string host("example.test"); |
| 2686 TransportSecurityState state; |
| 2687 TransportSecurityState::ExpectCTState expect_ct_state; |
| 2688 const base::Time current_time = base::Time::Now(); |
| 2689 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 2690 |
| 2691 state.AddExpectCT(host, expiry, true, GURL()); |
| 2692 EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2693 } |
| 2694 |
2603 } // namespace net | 2695 } // namespace net |
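Review bot: The `DeleteDynamicDataForHost` test cannot show that removing Expect-CT state is reflected in the return value, because `example1.test` also holds HSTS and HPKP entries when `EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test"))` runs. A host that carries only Expect-CT state would isolate it: `state.AddExpectCT("example3.test", expiry, true, GURL());`, then `EXPECT_TRUE(state.DeleteDynamicDataForHost("example3.test"));` and `EXPECT_FALSE(state.GetDynamicExpectCTState("example3.test", &expect_ct_state));`. This assumes the function is meant to return true whenever any dynamic entry was removed; that behaviour is not visible on this page, so confirm it against the implementation. Separately, `DynamicExpectCTStateDisabled` only exercises the write path with the feature off. If `kDynamicExpectCTFeature` is meant to work as a kill switch, a case where state is stored while the feature is enabled and then looked up after it is disabled would cover the read path as well.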
OLD | NEW |