| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 19 matching lines...) |
| 30 | 30 |
| 31 #if defined(USE_OPENSSL) | 31 #if defined(USE_OPENSSL) |
| 32 #include "crypto/openssl_util.h" | 32 #include "crypto/openssl_util.h" |
| 33 #else | 33 #else |
| 34 #include "crypto/nss_util.h" | 34 #include "crypto/nss_util.h" |
| 35 #endif | 35 #endif |
| 36 | 36 |
| 37 namespace net { | 37 namespace net { |
| 38 | 38 |
| 39 class TransportSecurityStateTest : public testing::Test { | 39 class TransportSecurityStateTest : public testing::Test { |
| 40 public: |
| 40 virtual void SetUp() { | 41 virtual void SetUp() { |
| 41 #if defined(USE_OPENSSL) | 42 #if defined(USE_OPENSSL) |
| 42 crypto::EnsureOpenSSLInit(); | 43 crypto::EnsureOpenSSLInit(); |
| 43 #else | 44 #else |
| 44 crypto::EnsureNSSInit(); | 45 crypto::EnsureNSSInit(); |
| 45 #endif | 46 #endif |
| 46 } | 47 } |
| 47 | 48 |
| 49 static void DisableStaticPins(TransportSecurityState* state) { |
| 50 state->enable_static_pins_ = false; |
| 51 } |
| 52 |
| 53 static void EnableStaticPins(TransportSecurityState* state) { |
| 54 state->enable_static_pins_ = true; |
| 55 } |
| 56 |
| 48 protected: | 57 protected: |
| 49 bool GetStaticDomainState(TransportSecurityState* state, | 58 bool GetStaticDomainState(TransportSecurityState* state, |
| 50 const std::string& host, | 59 const std::string& host, |
| 51 bool sni_enabled, | 60 bool sni_enabled, |
| 52 TransportSecurityState::DomainState* result) { | 61 TransportSecurityState::DomainState* result) { |
| 53 return state->GetStaticDomainState(host, sni_enabled, result); | 62 return state->GetStaticDomainState(host, sni_enabled, result); |
| 54 } | 63 } |
| 55 | 64 |
| 56 void EnableHost(TransportSecurityState* state, | 65 void EnableHost(TransportSecurityState* state, |
| 57 const std::string& host, | 66 const std::string& host, |
| (...skipping 97 matching lines...) |
| 155 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 164 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 156 bool include_subdomains = false; | 165 bool include_subdomains = false; |
| 157 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 166 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 158 | 167 |
| 159 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 168 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); |
| 160 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state)); | 169 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state)); |
| 161 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); | 170 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); |
| 162 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 171 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); |
| 163 } | 172 } |
| 164 | 173 |
| 174 TEST_F(TransportSecurityStateTest, EnableStaticPins) { |
| 175 TransportSecurityState state; |
| 176 TransportSecurityState::DomainState domain_state; |
| 177 |
| 178 EnableStaticPins(&state); |
| 179 |
| 180 EXPECT_TRUE( |
| 181 state.GetStaticDomainState("chrome.google.com", true, &domain_state)); |
| 182 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
| 183 } |
| 184 |
| 185 TEST_F(TransportSecurityStateTest, DisableStaticPins) { |
| 186 TransportSecurityState state; |
| 187 TransportSecurityState::DomainState domain_state; |
| 188 |
| 189 DisableStaticPins(&state); |
| 190 EXPECT_TRUE( |
| 191 state.GetStaticDomainState("chrome.google.com", true, &domain_state)); |
| 192 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty()); |
| 193 } |
| 194 |
| 165 TEST_F(TransportSecurityStateTest, IsPreloaded) { | 195 TEST_F(TransportSecurityStateTest, IsPreloaded) { |
| 166 const std::string paypal = "paypal.com"; | 196 const std::string paypal = "paypal.com"; |
| 167 const std::string www_paypal = "www.paypal.com"; | 197 const std::string www_paypal = "www.paypal.com"; |
| 168 const std::string foo_paypal = "foo.paypal.com"; | 198 const std::string foo_paypal = "foo.paypal.com"; |
| 169 const std::string a_www_paypal = "a.www.paypal.com"; | 199 const std::string a_www_paypal = "a.www.paypal.com"; |
| 170 const std::string abc_paypal = "a.b.c.paypal.com"; | 200 const std::string abc_paypal = "a.b.c.paypal.com"; |
| 171 const std::string example = "example.com"; | 201 const std::string example = "example.com"; |
| 172 const std::string aypal = "aypal.com"; | 202 const std::string aypal = "aypal.com"; |
| 173 | 203 |
| 174 TransportSecurityState state; | 204 TransportSecurityState state; |
| 175 TransportSecurityState::DomainState domain_state; | 205 TransportSecurityState::DomainState domain_state; |
| 176 | 206 |
| 177 EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state)); | 207 EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state)); |
| 178 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state)); | 208 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state)); |
| 179 EXPECT_FALSE(domain_state.sts.include_subdomains); | 209 EXPECT_FALSE(domain_state.sts.include_subdomains); |
| 180 EXPECT_FALSE(domain_state.pkp.include_subdomains); | |
| 181 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state)); | 210 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state)); |
| 182 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state)); | 211 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state)); |
| 183 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); | 212 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); |
| 184 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); | 213 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); |
| 185 } | 214 } |
| 186 | 215 |
| 187 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { | 216 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { |
| 188 TransportSecurityState state; | 217 TransportSecurityState state; |
| 189 TransportSecurityState::DomainState domain_state; | 218 TransportSecurityState::DomainState domain_state; |
| 190 | 219 |
| (...skipping 16 matching lines...) |
| 207 } | 236 } |
| 208 | 237 |
| 209 static bool HasStaticState(const char* hostname) { | 238 static bool HasStaticState(const char* hostname) { |
| 210 TransportSecurityState state; | 239 TransportSecurityState state; |
| 211 TransportSecurityState::DomainState domain_state; | 240 TransportSecurityState::DomainState domain_state; |
| 212 return state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state); | 241 return state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state); |
| 213 } | 242 } |
| 214 | 243 |
| 215 static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) { | 244 static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) { |
| 216 TransportSecurityState state; | 245 TransportSecurityState state; |
| 246 TransportSecurityStateTest::EnableStaticPins(&state); |
| 217 TransportSecurityState::DomainState domain_state; | 247 TransportSecurityState::DomainState domain_state; |
| 218 if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state)) | 248 if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state)) |
| 219 return false; | 249 return false; |
| 220 | 250 |
| 221 return domain_state.HasPublicKeyPins(); | 251 return domain_state.HasPublicKeyPins(); |
| 222 } | 252 } |
| 223 | 253 |
| 224 static bool HasStaticPublicKeyPins(const char* hostname) { | 254 static bool HasStaticPublicKeyPins(const char* hostname) { |
| 225 return HasStaticPublicKeyPins(hostname, true); | 255 return HasStaticPublicKeyPins(hostname, true); |
| 226 } | 256 } |
| 227 | 257 |
| 228 static bool OnlyPinningInStaticState(const char* hostname) { | 258 static bool OnlyPinningInStaticState(const char* hostname) { |
| 229 TransportSecurityState state; | 259 TransportSecurityState state; |
| 260 TransportSecurityStateTest::EnableStaticPins(&state); |
| 230 TransportSecurityState::DomainState domain_state; | 261 TransportSecurityState::DomainState domain_state; |
| 231 if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state)) | 262 if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state)) |
| 232 return false; | 263 return false; |
| 233 | 264 |
| 234 return (domain_state.pkp.spki_hashes.size() > 0 || | 265 return (domain_state.pkp.spki_hashes.size() > 0 || |
| 235 domain_state.pkp.bad_spki_hashes.size() > 0) && | 266 domain_state.pkp.bad_spki_hashes.size() > 0) && |
| 236 !domain_state.ShouldUpgradeToSSL(); | 267 !domain_state.ShouldUpgradeToSSL(); |
| 237 } | 268 } |
| 238 | 269 |
| 239 TEST_F(TransportSecurityStateTest, Preloaded) { | 270 TEST_F(TransportSecurityStateTest, Preloaded) { |
| (...skipping 38 matching lines...) |
| 278 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com")); | 309 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com")); |
| 279 EXPECT_TRUE(StaticShouldRedirect("gmail.com")); | 310 EXPECT_TRUE(StaticShouldRedirect("gmail.com")); |
| 280 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com")); | 311 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com")); |
| 281 EXPECT_TRUE(StaticShouldRedirect("googlemail.com")); | 312 EXPECT_TRUE(StaticShouldRedirect("googlemail.com")); |
| 282 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com")); | 313 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com")); |
| 283 EXPECT_TRUE(StaticShouldRedirect("googleplex.com")); | 314 EXPECT_TRUE(StaticShouldRedirect("googleplex.com")); |
| 284 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com")); | 315 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com")); |
| 285 EXPECT_FALSE(HasStaticState("m.gmail.com")); | 316 EXPECT_FALSE(HasStaticState("m.gmail.com")); |
| 286 EXPECT_FALSE(HasStaticState("m.googlemail.com")); | 317 EXPECT_FALSE(HasStaticState("m.googlemail.com")); |
| 287 | 318 |
| 288 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com")); | |
| 289 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com")); | |
| 290 EXPECT_TRUE(OnlyPinningInStaticState("google.com")); | |
| 291 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com")); | |
| 292 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com")); | |
| 293 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com")); | |
| 294 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com")); | |
| 295 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com")); | |
| 296 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com")); | |
| 297 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com")); | |
| 298 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com")); | |
| 299 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com")); | |
| 300 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com")); | |
| 301 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com")); | |
| 302 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com")); | |
| 303 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net")); | |
| 304 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com")); | |
| 305 | |
| 306 // Tests for domains that don't work without SNI. | 319 // Tests for domains that don't work without SNI. |
| 307 EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state)); | 320 EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state)); |
| 308 EXPECT_FALSE( | 321 EXPECT_FALSE( |
| 309 state.GetStaticDomainState("www.gmail.com", false, &domain_state)); | 322 state.GetStaticDomainState("www.gmail.com", false, &domain_state)); |
| 310 EXPECT_FALSE(state.GetStaticDomainState("m.gmail.com", false, &domain_state)); | 323 EXPECT_FALSE(state.GetStaticDomainState("m.gmail.com", false, &domain_state)); |
| 311 EXPECT_FALSE( | 324 EXPECT_FALSE( |
| 312 state.GetStaticDomainState("googlemail.com", false, &domain_state)); | 325 state.GetStaticDomainState("googlemail.com", false, &domain_state)); |
| 313 EXPECT_FALSE( | 326 EXPECT_FALSE( |
| 314 state.GetStaticDomainState("www.googlemail.com", false, &domain_state)); | 327 state.GetStaticDomainState("www.googlemail.com", false, &domain_state)); |
| 315 EXPECT_FALSE( | 328 EXPECT_FALSE( |
| (...skipping 84 matching lines...) |
| 400 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name")); | 413 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name")); |
| 401 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name")); | 414 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name")); |
| 402 | 415 |
| 403 EXPECT_TRUE(StaticShouldRedirect("linx.net")); | 416 EXPECT_TRUE(StaticShouldRedirect("linx.net")); |
| 404 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net")); | 417 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net")); |
| 405 | 418 |
| 406 EXPECT_TRUE(StaticShouldRedirect("dropcam.com")); | 419 EXPECT_TRUE(StaticShouldRedirect("dropcam.com")); |
| 407 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com")); | 420 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com")); |
| 408 EXPECT_FALSE(HasStaticState("foo.dropcam.com")); | 421 EXPECT_FALSE(HasStaticState("foo.dropcam.com")); |
| 409 | 422 |
| 410 EXPECT_TRUE( | |
| 411 state.GetStaticDomainState("torproject.org", false, &domain_state)); | |
| 412 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); | |
| 413 EXPECT_TRUE( | |
| 414 state.GetStaticDomainState("www.torproject.org", false, &domain_state)); | |
| 415 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); | |
| 416 EXPECT_TRUE( | |
| 417 state.GetStaticDomainState("check.torproject.org", false, &domain_state)); | |
| 418 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); | |
| 419 EXPECT_TRUE( | |
| 420 state.GetStaticDomainState("blog.torproject.org", false, &domain_state)); | |
| 421 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); | |
| 422 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn")); | 423 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn")); |
| 423 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn")); | 424 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn")); |
| 424 | 425 |
| 425 EXPECT_TRUE(StaticShouldRedirect("epoxate.com")); | 426 EXPECT_TRUE(StaticShouldRedirect("epoxate.com")); |
| 426 EXPECT_FALSE(HasStaticState("foo.epoxate.com")); | 427 EXPECT_FALSE(HasStaticState("foo.epoxate.com")); |
| 427 | 428 |
| 428 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org")); | |
| 429 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org")); | |
| 430 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org")); | |
| 431 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org")); | |
| 432 EXPECT_FALSE(HasStaticState("foo.torproject.org")); | 429 EXPECT_FALSE(HasStaticState("foo.torproject.org")); |
| 433 | 430 |
| 434 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com")); | 431 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com")); |
| 435 EXPECT_FALSE(HasStaticState("moneybookers.com")); | 432 EXPECT_FALSE(HasStaticState("moneybookers.com")); |
| 436 | 433 |
| 437 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net")); | 434 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net")); |
| 438 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net")); | 435 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net")); |
| 439 EXPECT_FALSE(HasStaticState("status.ledgerscope.net")); | 436 EXPECT_FALSE(HasStaticState("status.ledgerscope.net")); |
| 440 | 437 |
| 441 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com")); | 438 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com")); |
| (...skipping 29 matching lines...) |
| 471 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com")); | 468 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com")); |
| 472 | 469 |
| 473 EXPECT_TRUE(StaticShouldRedirect("crypto.cat")); | 470 EXPECT_TRUE(StaticShouldRedirect("crypto.cat")); |
| 474 EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat")); | 471 EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat")); |
| 475 | 472 |
| 476 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net")); | 473 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net")); |
| 477 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net")); | 474 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net")); |
| 478 | 475 |
| 479 EXPECT_TRUE(StaticShouldRedirect("crate.io")); | 476 EXPECT_TRUE(StaticShouldRedirect("crate.io")); |
| 480 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io")); | 477 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io")); |
| 478 } |
| 479 |
| 480 TEST_F(TransportSecurityStateTest, PreloadedPins) { |
| 481 TransportSecurityState state; |
| 482 EnableStaticPins(&state); |
| 483 TransportSecurityState::DomainState domain_state; |
| 484 |
| 485 // We do more extensive checks for the first domain. |
| 486 EXPECT_TRUE( |
| 487 state.GetStaticDomainState("www.paypal.com", true, &domain_state)); |
| 488 EXPECT_EQ(domain_state.sts.upgrade_mode, |
| 489 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); |
| 490 EXPECT_FALSE(domain_state.sts.include_subdomains); |
| 491 EXPECT_FALSE(domain_state.pkp.include_subdomains); |
| 492 |
| 493 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com")); |
| 494 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com")); |
| 495 EXPECT_TRUE(OnlyPinningInStaticState("google.com")); |
| 496 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com")); |
| 497 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com")); |
| 498 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com")); |
| 499 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com")); |
| 500 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com")); |
| 501 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com")); |
| 502 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com")); |
| 503 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com")); |
| 504 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com")); |
| 505 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com")); |
| 506 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com")); |
| 507 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com")); |
| 508 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net")); |
| 509 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com")); |
| 510 |
| 511 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org")); |
| 512 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org")); |
| 513 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org")); |
| 514 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org")); |
| 515 EXPECT_FALSE(HasStaticState("foo.torproject.org")); |
| 516 |
| 517 EXPECT_TRUE( |
| 518 state.GetStaticDomainState("torproject.org", false, &domain_state)); |
| 519 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
| 520 EXPECT_TRUE( |
| 521 state.GetStaticDomainState("www.torproject.org", false, &domain_state)); |
| 522 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
| 523 EXPECT_TRUE( |
| 524 state.GetStaticDomainState("check.torproject.org", false, &domain_state)); |
| 525 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
| 526 EXPECT_TRUE( |
| 527 state.GetStaticDomainState("blog.torproject.org", false, &domain_state)); |
| 528 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
| 481 | 529 |
| 482 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com")); | 530 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com")); |
| 483 } | 531 } |
| 484 | 532 |
| 485 TEST_F(TransportSecurityStateTest, LongNames) { | 533 TEST_F(TransportSecurityStateTest, LongNames) { |
| 486 TransportSecurityState state; | 534 TransportSecurityState state; |
| 487 const char kLongName[] = | 535 const char kLongName[] = |
| 488 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" | 536 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" |
| 489 "WaveletIdDomainAndBlipBlipid"; | 537 "WaveletIdDomainAndBlipBlipid"; |
| 490 TransportSecurityState::DomainState domain_state; | 538 TransportSecurityState::DomainState domain_state; |
| 491 // Just checks that we don't hit a NOTREACHED. | 539 // Just checks that we don't hit a NOTREACHED. |
| 492 EXPECT_FALSE(state.GetStaticDomainState(kLongName, true, &domain_state)); | 540 EXPECT_FALSE(state.GetStaticDomainState(kLongName, true, &domain_state)); |
| 493 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state)); | 541 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state)); |
| 494 } | 542 } |
| 495 | 543 |
| 496 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { | 544 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { |
| 497 TransportSecurityState state; | 545 TransportSecurityState state; |
| 546 EnableStaticPins(&state); |
| 498 TransportSecurityState::DomainState domain_state; | 547 TransportSecurityState::DomainState domain_state; |
| 499 | 548 |
| 500 EXPECT_TRUE( | 549 EXPECT_TRUE( |
| 501 state.GetStaticDomainState("chrome.google.com", true, &domain_state)); | 550 state.GetStaticDomainState("chrome.google.com", true, &domain_state)); |
| 502 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com")); | 551 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com")); |
| 503 | 552 |
| 504 HashValueVector hashes; | 553 HashValueVector hashes; |
| 505 std::string failure_log; | 554 std::string failure_log; |
| 506 // Checks that a built-in list does exist. | 555 // Checks that a built-in list does exist. |
| 507 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log)); | 556 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log)); |
| (...skipping 19 matching lines...) |
| 527 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com")); | 576 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com")); |
| 528 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com")); | 577 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com")); |
| 529 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com")); | 578 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com")); |
| 530 | 579 |
| 531 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com")); | 580 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com")); |
| 532 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com")); | 581 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com")); |
| 533 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com")); | 582 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com")); |
| 534 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com")); | 583 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com")); |
| 535 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com")); | 584 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com")); |
| 536 | 585 |
| 537 // Disabled in order to help track down pinning failures --agl | |
| 538 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com")); | 586 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com")); |
| 539 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com")); | 587 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com")); |
| 540 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com")); | 588 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com")); |
| 541 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com")); | 589 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com")); |
| 542 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com")); | 590 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com")); |
| 543 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com")); | 591 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com")); |
| 544 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com")); | 592 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com")); |
| 545 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com")); | 593 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com")); |
| 546 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com")); | 594 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com")); |
| 547 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com")); | 595 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com")); |
| (...skipping 30 matching lines...) |
| 578 HashValueVector good_hashes, bad_hashes; | 626 HashValueVector good_hashes, bad_hashes; |
| 579 | 627 |
| 580 for (size_t i = 0; kGoodPath[i]; i++) { | 628 for (size_t i = 0; kGoodPath[i]; i++) { |
| 581 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 629 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
| 582 } | 630 } |
| 583 for (size_t i = 0; kBadPath[i]; i++) { | 631 for (size_t i = 0; kBadPath[i]; i++) { |
| 584 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 632 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 585 } | 633 } |
| 586 | 634 |
| 587 TransportSecurityState state; | 635 TransportSecurityState state; |
| 636 EnableStaticPins(&state); |
| 637 |
| 588 TransportSecurityState::DomainState domain_state; | 638 TransportSecurityState::DomainState domain_state; |
| 589 EXPECT_TRUE( | 639 EXPECT_TRUE( |
| 590 state.GetStaticDomainState("blog.torproject.org", true, &domain_state)); | 640 state.GetStaticDomainState("blog.torproject.org", true, &domain_state)); |
| 591 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 641 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 592 | 642 |
| 593 std::string failure_log; | 643 std::string failure_log; |
| 594 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log)); | 644 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log)); |
| 595 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log)); | 645 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log)); |
| 596 } | 646 } |
| 597 | 647 |
| 598 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { | 648 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { |
| 599 TransportSecurityState state; | 649 TransportSecurityState state; |
| 650 EnableStaticPins(&state); |
| 600 TransportSecurityState::DomainState domain_state; | 651 TransportSecurityState::DomainState domain_state; |
| 601 | 652 |
| 602 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com")); | 653 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com")); |
| 603 | 654 |
| 604 EXPECT_FALSE(HasStaticPublicKeyPins("www.google-analytics.com", false)); | 655 EXPECT_FALSE(HasStaticPublicKeyPins("www.google-analytics.com", false)); |
| 605 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com")); | 656 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com")); |
| 606 EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); | 657 EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); |
| 607 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com")); | 658 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com")); |
| 608 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com")); | 659 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com")); |
| 609 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com")); | 660 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com")); |
| (...skipping 85 matching lines...) |
| 695 // Expect to fail for SNI hosts when not searching the SNI list: | 746 // Expect to fail for SNI hosts when not searching the SNI list: |
| 696 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 747 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 697 "gmail.com", false)); | 748 "gmail.com", false)); |
| 698 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 749 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 699 "googlegroups.com", false)); | 750 "googlegroups.com", false)); |
| 700 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 751 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 701 "www.googlegroups.com", false)); | 752 "www.googlegroups.com", false)); |
| 702 } | 753 } |
| 703 | 754 |
| 704 } // namespace net | 755 } // namespace net |
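Review bot: In the new `PreloadedPins` test, `EXPECT_FALSE(HasStaticState("foo.torproject.org"))` never runs with pins enabled: `HasStaticState` builds its own `TransportSecurityState` and, unlike `HasStaticPublicKeyPins` and `OnlyPinningInStaticState`, does not call `EnableStaticPins`. If a default-constructed state has static pins off (the default of `enable_static_pins_` is not visible on this page), the negative check can pass without the pin lookup being exercised; querying the pin-enabled local would close that gap, `EXPECT_FALSE(state.GetStaticDomainState("foo.torproject.org", true, &domain_state));`. None of the visible tests asserts what a default-constructed state does, so a build that leaves pinning disabled by mistake would fail open and still pass this suite; a test that pins down the intended default would catch it. The `DisableStaticPins` test checks only `spki_hashes`; adding `EXPECT_TRUE(domain_state.pkp.bad_spki_hashes.empty());` would cover the rejected-key list too.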