| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/base64.h" | 11 #include "base/base64.h" |
| 12 #include "base/files/file_path.h" | 12 #include "base/files/file_path.h" |
| 13 #include "base/json/json_reader.h" | 13 #include "base/json/json_reader.h" |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "base/metrics/field_trial.h" | 15 #include "base/metrics/field_trial.h" |
| 16 #include "base/rand_util.h" | 16 #include "base/rand_util.h" |
| 17 #include "base/sha1.h" | 17 #include "base/sha1.h" |
| 18 #include "base/strings/string_piece.h" | 18 #include "base/strings/string_piece.h" |
| 19 #include "base/test/histogram_tester.h" | 19 #include "base/test/histogram_tester.h" |
| 20 #include "base/test/mock_entropy_provider.h" | 20 #include "base/test/mock_entropy_provider.h" |
| 21 #include "base/test/scoped_feature_list.h" |
| 21 #include "base/values.h" | 22 #include "base/values.h" |
| 22 #include "crypto/openssl_util.h" | 23 #include "crypto/openssl_util.h" |
| 23 #include "crypto/sha2.h" | 24 #include "crypto/sha2.h" |
| 24 #include "net/base/host_port_pair.h" | 25 #include "net/base/host_port_pair.h" |
| 25 #include "net/base/net_errors.h" | 26 #include "net/base/net_errors.h" |
| 26 #include "net/base/test_completion_callback.h" | 27 #include "net/base/test_completion_callback.h" |
| 27 #include "net/cert/asn1_util.h" | 28 #include "net/cert/asn1_util.h" |
| 28 #include "net/cert/cert_verifier.h" | 29 #include "net/cert/cert_verifier.h" |
| 29 #include "net/cert/cert_verify_result.h" | 30 #include "net/cert/cert_verify_result.h" |
| 30 #include "net/cert/ct_policy_status.h" | 31 #include "net/cert/ct_policy_status.h" |
| (...skipping 748 matching lines...) |
| 779 | 780 |
| 780 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), | 781 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), |
| 781 report_uri); | 782 report_uri); |
| 782 | 783 |
| 783 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); | 784 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| 784 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); | 785 ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| 785 EXPECT_EQ(pkp_state.spki_hashes[0], hash3); | 786 EXPECT_EQ(pkp_state.spki_hashes[0], hash3); |
| 786 } | 787 } |
| 787 | 788 |
| 788 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 789 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
| 790 base::test::ScopedFeatureList feature_list; |
| 791 feature_list.InitAndEnableFeature( |
| 792 TransportSecurityState::kDynamicExpectCTFeature); |
| 793 TransportSecurityState::ExpectCTState expect_ct_state; |
| 794 |
| 789 TransportSecurityState state; | 795 TransportSecurityState state; |
| 790 const base::Time current_time(base::Time::Now()); | 796 const base::Time current_time(base::Time::Now()); |
| 791 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 797 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 792 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 798 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 793 | 799 |
| 794 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 800 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
| 795 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 801 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 802 EXPECT_FALSE(state.GetDynamicExpectCTState("example.com", &expect_ct_state)); |
| 796 bool include_subdomains = false; | 803 bool include_subdomains = false; |
| 797 state.AddHSTS("example.com", expiry, include_subdomains); | 804 state.AddHSTS("example.com", expiry, include_subdomains); |
| 798 state.AddHPKP("example.com", expiry, include_subdomains, | 805 state.AddHPKP("example.com", expiry, include_subdomains, |
| 799 GetSampleSPKIHashes(), GURL()); | 806 GetSampleSPKIHashes(), GURL()); |
| 807 state.AddExpectCT("example.com", expiry, true, GURL()); |
| 800 | 808 |
| 801 state.DeleteAllDynamicDataSince(expiry); | 809 state.DeleteAllDynamicDataSince(expiry); |
| 802 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); | 810 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
| 803 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); | 811 EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
| 812 EXPECT_TRUE(state.GetDynamicExpectCTState("example.com", &expect_ct_state)); |
| 804 state.DeleteAllDynamicDataSince(older); | 813 state.DeleteAllDynamicDataSince(older); |
| 805 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); | 814 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
| 806 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); | 815 EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
| 816 EXPECT_FALSE(state.GetDynamicExpectCTState("example.com", &expect_ct_state)); |
| 807 | 817 |
| 808 // STS and PKP data in |state| should be empty now. | 818 // Dynamic data in |state| should be empty now. |
| 809 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); | 819 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| 810 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); | 820 EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| 821 EXPECT_FALSE(TransportSecurityState::ExpectCTStateIterator(state).HasNext()); |
| 811 } | 822 } |
| 812 | 823 |
| 813 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 824 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
| 825 base::test::ScopedFeatureList feature_list; |
| 826 feature_list.InitAndEnableFeature( |
| 827 TransportSecurityState::kDynamicExpectCTFeature); |
| 814 TransportSecurityState state; | 828 TransportSecurityState state; |
| 815 const base::Time current_time(base::Time::Now()); | 829 const base::Time current_time(base::Time::Now()); |
| 816 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 830 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 817 bool include_subdomains = false; | 831 bool include_subdomains = false; |
| 818 | 832 |
| 819 state.AddHSTS("example1.test", expiry, include_subdomains); | 833 state.AddHSTS("example1.test", expiry, include_subdomains); |
| 820 state.AddHPKP("example1.test", expiry, include_subdomains, | 834 state.AddHPKP("example1.test", expiry, include_subdomains, |
| 821 GetSampleSPKIHashes(), GURL()); | 835 GetSampleSPKIHashes(), GURL()); |
| 836 state.AddExpectCT("example1.test", expiry, true, GURL()); |
| 822 | 837 |
| 823 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); | 838 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| 824 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); | 839 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
| 825 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); | 840 EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); |
| 826 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); | 841 EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); |
| 842 TransportSecurityState::ExpectCTState expect_ct_state; |
| 843 EXPECT_TRUE(state.GetDynamicExpectCTState("example1.test", &expect_ct_state)); |
| 844 EXPECT_FALSE( |
| 845 state.GetDynamicExpectCTState("example2.test", &expect_ct_state)); |
| 846 |
| 827 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); | 847 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); |
| 828 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); | 848 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
| 829 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); | 849 EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| 850 EXPECT_FALSE( |
| 851 state.GetDynamicExpectCTState("example1.test", &expect_ct_state)); |
| 830 } | 852 } |
| 831 | 853 |
| 832 TEST_F(TransportSecurityStateTest, EnableStaticPins) { | 854 TEST_F(TransportSecurityStateTest, EnableStaticPins) { |
| 833 TransportSecurityState state; | 855 TransportSecurityState state; |
| 834 TransportSecurityState::STSState sts_state; | 856 TransportSecurityState::STSState sts_state; |
| 835 TransportSecurityState::PKPState pkp_state; | 857 TransportSecurityState::PKPState pkp_state; |
| 836 | 858 |
| 837 EnableStaticPins(&state); | 859 EnableStaticPins(&state); |
| 838 | 860 |
| 839 EXPECT_TRUE( | 861 EXPECT_TRUE( |
| (...skipping 1753 matching lines...) |
| 2593 base::MakeUnique<base::MockEntropyProvider>()); | 2615 base::MakeUnique<base::MockEntropyProvider>()); |
| 2594 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", | 2616 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", |
| 2595 "disabled"); | 2617 "disabled"); |
| 2596 | 2618 |
| 2597 EXPECT_FALSE( | 2619 EXPECT_FALSE( |
| 2598 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2620 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); |
| 2599 EXPECT_FALSE( | 2621 EXPECT_FALSE( |
| 2600 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2622 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); |
| 2601 } | 2623 } |
| 2602 | 2624 |
| 2625 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). |
| 2626 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { |
| 2627 base::test::ScopedFeatureList feature_list; |
| 2628 feature_list.InitAndEnableFeature( |
| 2629 TransportSecurityState::kDynamicExpectCTFeature); |
| 2630 const std::string host("example.test"); |
| 2631 TransportSecurityState state; |
| 2632 TransportSecurityState::ExpectCTState expect_ct_state; |
| 2633 const base::Time current_time = base::Time::Now(); |
| 2634 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 2635 |
| 2636 state.AddExpectCT(host, expiry, true, GURL()); |
| 2637 EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2638 EXPECT_TRUE(expect_ct_state.enforce); |
| 2639 EXPECT_TRUE(expect_ct_state.report_uri.is_empty()); |
| 2640 EXPECT_EQ(expiry, expect_ct_state.expiry); |
| 2641 |
| 2642 state.ClearDynamicData(); |
| 2643 EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2644 } |
| 2645 |
| 2646 // Tests that dynamic Expect-CT state can be added and retrieved. |
| 2647 TEST_F(TransportSecurityStateTest, DynamicExpectCTState) { |
| 2648 base::test::ScopedFeatureList feature_list; |
| 2649 feature_list.InitAndEnableFeature( |
| 2650 TransportSecurityState::kDynamicExpectCTFeature); |
| 2651 const std::string host("example.test"); |
| 2652 TransportSecurityState state; |
| 2653 TransportSecurityState::ExpectCTState expect_ct_state; |
| 2654 const base::Time current_time = base::Time::Now(); |
| 2655 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 2656 |
| 2657 // Test that Expect-CT state can be added and retrieved. |
| 2658 state.AddExpectCT(host, expiry, true, GURL()); |
| 2659 EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2660 EXPECT_TRUE(expect_ct_state.enforce); |
| 2661 EXPECT_TRUE(expect_ct_state.report_uri.is_empty()); |
| 2662 EXPECT_EQ(expiry, expect_ct_state.expiry); |
| 2663 |
| 2664 // Test that Expect-CT can be updated (e.g. by changing |enforce| to false and |
| 2665 // adding a report-uri). |
| 2666 const GURL report_uri("https://example-report.test"); |
| 2667 state.AddExpectCT(host, expiry, false, report_uri); |
| 2668 EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2669 EXPECT_FALSE(expect_ct_state.enforce); |
| 2670 EXPECT_EQ(report_uri, expect_ct_state.report_uri); |
| 2671 EXPECT_EQ(expiry, expect_ct_state.expiry); |
| 2672 |
| 2673 // Test that Expect-CT state is discarded when expired. |
| 2674 state.AddExpectCT(host, current_time - base::TimeDelta::FromSeconds(1000), |
| 2675 true, report_uri); |
| 2676 EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2677 } |
| 2678 |
| 2679 // Tests that dynamic Expect-CT state cannot be added when the feature is not |
| 2680 // enabled. |
| 2681 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateDisabled) { |
| 2682 base::test::ScopedFeatureList feature_list; |
| 2683 feature_list.InitAndDisableFeature( |
| 2684 TransportSecurityState::kDynamicExpectCTFeature); |
| 2685 const std::string host("example.test"); |
| 2686 TransportSecurityState state; |
| 2687 TransportSecurityState::ExpectCTState expect_ct_state; |
| 2688 const base::Time current_time = base::Time::Now(); |
| 2689 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 2690 |
| 2691 state.AddExpectCT(host, expiry, true, GURL()); |
| 2692 EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
| 2693 } |
| 2694 |
| 2603 } // namespace net | 2695 } // namespace net |
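Review bot: In the DeleteDynamicDataForHost test (new lines 824–852), Expect-CT deletion is only exercised on a host that also holds HSTS and HPKP state, and no other host ever receives an Expect-CT entry. The `EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test"))` result can therefore be satisfied by the STS or PKP removal alone, and an implementation that dropped Expect-CT state for every host would still pass; over-deletion would silently remove CT enforcement for unrelated hosts. A third, Expect-CT-only host (name constructed here) would pin both properties: add `state.AddExpectCT("example3.test", expiry, true, GURL());` before the delete, then after it assert `EXPECT_TRUE(state.GetDynamicExpectCTState("example3.test", &expect_ct_state));` followed by `EXPECT_TRUE(state.DeleteDynamicDataForHost("example3.test"));`. The same gap exists for the HSTS and HPKP assertions already in this test, so the extra host could carry those checks as well.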
| OLD | NEW |