Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(422)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/http_security_headers_unittest.cc

Issue 433123003: Centralize the logic for checking public key pins (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: make IsBuildTimely and ReportUMAOnPinFailure static, as per wtc Created 6 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | net/http/transport_security_state.h » ('j') | net/http/transport_security_state.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/http_security_headers_unittest.cc
diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc
index ce919ff81f39455739be69855779f1f2f5f96bed..4ed515597a1270e7ac7eea5ed72a29e4834dff42 100644
--- a/net/http/http_security_headers_unittest.cc
+++ b/net/http/http_security_headers_unittest.cc
@@ -506,6 +506,7 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
// docs.google.com has preloaded pins.
const bool sni_enabled = true;
std::string domain = "docs.google.com";
+ state.enable_static_pinning_ = true;
EXPECT_TRUE(
state.GetStaticDomainState(domain, sni_enabled, &static_domain_state));
EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL);
@@ -554,8 +555,10 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
HashValueVector hashes;
hashes.push_back(good_hash);
std::string failure_log;
+ const bool is_issued_by_known_root = true;
EXPECT_TRUE(
- state.CheckPublicKeyPins(domain, sni_enabled, hashes, &failure_log));
+ state.CheckPublicKeyPins(domain, sni_enabled, is_issued_by_known_root,
+ hashes, &failure_log));
TransportSecurityState::DomainState new_dynamic_domain_state;
EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state));
@@ -585,6 +588,7 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) {
// docs.google.com has preloaded pins.
const bool sni_enabled = true;
std::string domain = "docs.google.com";
+ state.enable_static_pinning_ = true;
ASSERT_TRUE(
state.GetStaticDomainState(domain, sni_enabled, &static_domain_state));
EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL);
@@ -648,8 +652,10 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) {
// Damage the hashes to cause a pin validation failure.
new_static_domain_state2.pkp.spki_hashes[0].data()[0] ^= 0x80;
new_static_domain_state2.pkp.spki_hashes[1].data()[0] ^= 0x80;
+ const bool is_issued_by_known_root = true;
EXPECT_FALSE(state.CheckPublicKeyPins(
- domain, true, new_static_domain_state2.pkp.spki_hashes, &failure_log));
+ domain, true, is_issued_by_known_root,
+ new_static_domain_state2.pkp.spki_hashes, &failure_log));
EXPECT_NE(0UL, failure_log.length());
}
#undef MAYBE_UpdateDynamicPKPMaxAge0
@@ -667,6 +673,7 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
// Retrieve the DomainState as it is by default, including its known good
// pins.
const bool sni_enabled = true;
+ state.enable_static_pinning_ = true;
wtc 2014/08/07 23:39:12 Move this to line 671 to stay close to the comment
Ryan Hamilton 2014/08/08 00:54:00 Done.
EXPECT_TRUE(state.GetStaticDomainState(domain, sni_enabled, &domain_state));
HashValueVector saved_hashes = domain_state.pkp.spki_hashes;
EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
@@ -680,8 +687,10 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000"));
EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
std::string failure_log;
+ const bool is_issued_by_known_root = true;
EXPECT_TRUE(state.CheckPublicKeyPins(
- domain, sni_enabled, saved_hashes, &failure_log));
+ domain, sni_enabled, is_issued_by_known_root, saved_hashes,
+ &failure_log));
// Add an HPKP header, which should only update the dynamic state.
HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
@@ -702,7 +711,8 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
// The dynamic pins, which do not match |saved_hashes|, should take
// precedence over the static pins and cause the check to fail.
EXPECT_FALSE(state.CheckPublicKeyPins(
- domain, sni_enabled, saved_hashes, &failure_log));
+ domain, sni_enabled, is_issued_by_known_root, saved_hashes,
+ &failure_log));
}
}; // namespace net
« no previous file with comments | « no previous file | net/http/transport_security_state.h » ('j') | net/http/transport_security_state.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698