Handle max-age in HPKP.

net/http/http_security_headers_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <algorithm>
 
 #include "base/base64.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "crypto/sha2.h"
@@ skipping 554 matching lines @@
                       new_dynamic_domain_state.pkp.spki_hashes.end(),
                       HashValuesEqual(good_hash));
   EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash);
 
   hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(),
                       new_dynamic_domain_state.pkp.spki_hashes.end(),
                       HashValuesEqual(backup_hash));
   EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash);
 }
 
+TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0) {
+  TransportSecurityState state;
+  TransportSecurityState::DomainState static_domain_state;
+
+  // docs.google.com has preloaded pins.
+  const bool sni_enabled = true;
+  std::string domain = "docs.google.com";
+  EXPECT_TRUE(
+      state.GetStaticDomainState(domain, sni_enabled, &static_domain_state));
+  EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL);
+  HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes;
+
+  // Add a header, which should only update the dynamic state.
+  HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
+  std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
+  std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
+  std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin;
+
+  // Construct a fake SSLInfo that will pass AddHPKPHeader's checks.
+  SSLInfo ssl_info;
+  ssl_info.public_key_hashes.push_back(good_hash);
+  ssl_info.public_key_hashes.push_back(saved_hashes[0]);
+  EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
+
+  // Expect the static state to remain unchanged.
+  TransportSecurityState::DomainState new_static_domain_state;
+  EXPECT_TRUE(state.GetStaticDomainState(
+      domain, sni_enabled, &new_static_domain_state));
+  for (size_t i = 0; i < saved_hashes.size(); ++i) {
+    EXPECT_TRUE(HashValuesEqual(saved_hashes[i])(
+        new_static_domain_state.pkp.spki_hashes[i]));
+  }
+
+  // Expect the dynamic state to have pins.
+  TransportSecurityState::DomainState new_dynamic_domain_state;
+  EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state));
+  EXPECT_EQ(2UL, new_dynamic_domain_state.pkp.spki_hashes.size());
+  EXPECT_TRUE(new_dynamic_domain_state.HasPublicKeyPins());
+
+  // Now set another header with max-age=0, and check that the pins are
+  // cleared in the dynamic state only.
+  header = "max-age = 0; " + good_pin + "; " + backup_pin;
+  EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
+
+  // Expect the static state to remain unchanged.
+  TransportSecurityState::DomainState new_static_domain_state2;
+  EXPECT_TRUE(state.GetStaticDomainState(
+      domain, sni_enabled, &new_static_domain_state2));
+  for (size_t i = 0; i < saved_hashes.size(); ++i) {
+    EXPECT_TRUE(HashValuesEqual(saved_hashes[i])(
+        new_static_domain_state2.pkp.spki_hashes[i]));
+  }
+
+  // Expect the dynamic pins to be gone.
+  TransportSecurityState::DomainState new_dynamic_domain_state2;
+  EXPECT_FALSE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state2));
+}

[Ryan Sleevi, 2014/05/13 21:12:23]

More testing: Good that you test the static/dynamic state, but what's the
expected result for CheckPublicKeyPins and the like?

Expected: Disabled (that's what we said in the spec, right?)

+
 // Tests that when a static HSTS and a static HPKP entry are present, adding a
 // dynamic HSTS header does not clobber the static HPKP entry. Further, adding a
 // dynamic HPKP entry could not affect the HSTS entry for the site.
 TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
   TransportSecurityState state;
   TransportSecurityState::DomainState domain_state;
 
   // accounts.google.com has preloaded pins.
   std::string domain = "accounts.google.com";
 
@@ skipping 32 matching lines @@
   // HSTS should still be configured for this domain.
   EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
   EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
   // The dynamic pins, which do not match |saved_hashes|, should take
   // precedence over the static pins and cause the check to fail.
   EXPECT_FALSE(state.CheckPublicKeyPins(
       domain, sni_enabled, saved_hashes, &failure_log));
 }
 
 };    // namespace net