Centralize the logic for checking public key pins

net/http/http_security_headers_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <algorithm>
 
 #include "base/base64.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "crypto/sha2.h"
@@ skipping 488 matching lines @@
   TestValidPKPHeaders(HASH_VALUE_SHA256);
 }
 
 TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
   TransportSecurityState state;
   TransportSecurityState::DomainState static_domain_state;
 
   // docs.google.com has preloaded pins.
   const bool sni_enabled = true;
   std::string domain = "docs.google.com";
+  state.enable_static_pinning_ = true;
   EXPECT_TRUE(
       state.GetStaticDomainState(domain, sni_enabled, &static_domain_state));
   EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL);
   HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes;
 
   // Add a header, which should only update the dynamic state.
   HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
   HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1);
   std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
   std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
@@ skipping 28 matching lines @@
   hash = std::find_if(dynamic_domain_state.pkp.spki_hashes.begin(),
                       dynamic_domain_state.pkp.spki_hashes.end(),
                       HashValuesEqual(backup_hash));
   EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash);
 
   // Expect the overall state to reflect the header, too.
   EXPECT_TRUE(state.HasPublicKeyPins(domain, sni_enabled));
   HashValueVector hashes;
   hashes.push_back(good_hash);
   std::string failure_log;
+  const bool is_issued_by_known_root = true;
   EXPECT_TRUE(
-      state.CheckPublicKeyPins(domain, sni_enabled, hashes, &failure_log));
+      state.CheckPublicKeyPins(domain, sni_enabled, is_issued_by_known_root,
+                               hashes, &failure_log));
 
   TransportSecurityState::DomainState new_dynamic_domain_state;
   EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state));
   EXPECT_EQ(2UL, new_dynamic_domain_state.pkp.spki_hashes.size());
 
   hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(),
                       new_dynamic_domain_state.pkp.spki_hashes.end(),
                       HashValuesEqual(good_hash));
   EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash);
 
   hash = std::find_if(new_dynamic_domain_state.pkp.spki_hashes.begin(),
                       new_dynamic_domain_state.pkp.spki_hashes.end(),
                       HashValuesEqual(backup_hash));
   EXPECT_NE(new_dynamic_domain_state.pkp.spki_hashes.end(), hash);
 }
 
 // Failing on win_chromium_rel. crbug.com/375538
 #if defined(OS_WIN)
 #define MAYBE_UpdateDynamicPKPMaxAge0 DISABLED_UpdateDynamicPKPMaxAge0
 #else
 #define MAYBE_UpdateDynamicPKPMaxAge0 UpdateDynamicPKPMaxAge0
 #endif
 TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) {
   TransportSecurityState state;
   TransportSecurityState::DomainState static_domain_state;
 
   // docs.google.com has preloaded pins.
   const bool sni_enabled = true;
   std::string domain = "docs.google.com";
+  state.enable_static_pinning_ = true;
   ASSERT_TRUE(
       state.GetStaticDomainState(domain, sni_enabled, &static_domain_state));
   EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL);
   HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes;
 
   // Add a header, which should only update the dynamic state.
   HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
   std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
   std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
   std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin;
@@ skipping 43 matching lines @@
 
   // Expect the exact-matching static policy to continue to apply, even
   // though dynamic policy has been removed. (This policy may change in the
   // future, in which case this test must be updated.)
   EXPECT_TRUE(state.HasPublicKeyPins(domain, true));
   EXPECT_TRUE(state.ShouldSSLErrorsBeFatal(domain, true));
   std::string failure_log;
   // Damage the hashes to cause a pin validation failure.
   new_static_domain_state2.pkp.spki_hashes[0].data()[0] ^= 0x80;
   new_static_domain_state2.pkp.spki_hashes[1].data()[0] ^= 0x80;
+  const bool is_issued_by_known_root = true;
   EXPECT_FALSE(state.CheckPublicKeyPins(
-      domain, true, new_static_domain_state2.pkp.spki_hashes, &failure_log));
+      domain, true, is_issued_by_known_root,
+      new_static_domain_state2.pkp.spki_hashes, &failure_log));
   EXPECT_NE(0UL, failure_log.length());
 }
 #undef MAYBE_UpdateDynamicPKPMaxAge0
 
 // Tests that when a static HSTS and a static HPKP entry are present, adding a
 // dynamic HSTS header does not clobber the static HPKP entry. Further, adding a
 // dynamic HPKP entry could not affect the HSTS entry for the site.
 TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
   TransportSecurityState state;
   TransportSecurityState::DomainState domain_state;
 
   // accounts.google.com has preloaded pins.
   std::string domain = "accounts.google.com";
 
   // Retrieve the DomainState as it is by default, including its known good
   // pins.
   const bool sni_enabled = true;
+  state.enable_static_pinning_ = true;

[wtc, 2014/08/07 23:39:12]

Move this to line 671 to stay close to the comment "xxx has preloaded pins."

[Ryan Hamilton, 2014/08/08 00:54:00]

Done.

   EXPECT_TRUE(state.GetStaticDomainState(domain, sni_enabled, &domain_state));
   HashValueVector saved_hashes = domain_state.pkp.spki_hashes;
   EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
   EXPECT_TRUE(domain_state.HasPublicKeyPins());
   EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
   EXPECT_TRUE(state.HasPublicKeyPins(domain, sni_enabled));
 
   // Add a dynamic HSTS header. CheckPublicKeyPins should still pass when given
   // the original |saved_hashes|, indicating that the static PKP data is still
   // configured for the domain.
   EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000"));
   EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
   std::string failure_log;
+  const bool is_issued_by_known_root = true;
   EXPECT_TRUE(state.CheckPublicKeyPins(
-      domain, sni_enabled, saved_hashes, &failure_log));
+      domain, sni_enabled, is_issued_by_known_root, saved_hashes,
+      &failure_log));
 
   // Add an HPKP header, which should only update the dynamic state.
   HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
   std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
   std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
   std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin;
 
   // Construct a fake SSLInfo that will pass AddHPKPHeader's checks.
   SSLInfo ssl_info;
   ssl_info.public_key_hashes.push_back(good_hash);
   ssl_info.public_key_hashes.push_back(saved_hashes[0]);
   EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
 
   EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
   // HSTS should still be configured for this domain.
   EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
   EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
   // The dynamic pins, which do not match |saved_hashes|, should take
   // precedence over the static pins and cause the check to fail.
   EXPECT_FALSE(state.CheckPublicKeyPins(
-      domain, sni_enabled, saved_hashes, &failure_log));
+      domain, sni_enabled, is_issued_by_known_root, saved_hashes,
+      &failure_log));
 }
 
 };    // namespace net