Index: net/http/http_security_headers_unittest.cc |
diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc |
index ce919ff81f39455739be69855779f1f2f5f96bed..4ed515597a1270e7ac7eea5ed72a29e4834dff42 100644 |
--- a/net/http/http_security_headers_unittest.cc |
+++ b/net/http/http_security_headers_unittest.cc |
@@ -506,6 +506,7 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) { |
// docs.google.com has preloaded pins. |
const bool sni_enabled = true; |
std::string domain = "docs.google.com"; |
+ state.enable_static_pinning_ = true; |
EXPECT_TRUE( |
state.GetStaticDomainState(domain, sni_enabled, &static_domain_state)); |
EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL); |
@@ -554,8 +555,10 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) { |
HashValueVector hashes; |
hashes.push_back(good_hash); |
std::string failure_log; |
+ const bool is_issued_by_known_root = true; |
EXPECT_TRUE( |
- state.CheckPublicKeyPins(domain, sni_enabled, hashes, &failure_log)); |
+ state.CheckPublicKeyPins(domain, sni_enabled, is_issued_by_known_root, |
+ hashes, &failure_log)); |
TransportSecurityState::DomainState new_dynamic_domain_state; |
EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state)); |
@@ -585,6 +588,7 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) { |
// docs.google.com has preloaded pins. |
const bool sni_enabled = true; |
std::string domain = "docs.google.com"; |
+ state.enable_static_pinning_ = true; |
ASSERT_TRUE( |
state.GetStaticDomainState(domain, sni_enabled, &static_domain_state)); |
EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL); |
@@ -648,8 +652,10 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) { |
// Damage the hashes to cause a pin validation failure. |
new_static_domain_state2.pkp.spki_hashes[0].data()[0] ^= 0x80; |
new_static_domain_state2.pkp.spki_hashes[1].data()[0] ^= 0x80; |
+ const bool is_issued_by_known_root = true; |
EXPECT_FALSE(state.CheckPublicKeyPins( |
- domain, true, new_static_domain_state2.pkp.spki_hashes, &failure_log)); |
+ domain, true, is_issued_by_known_root, |
+ new_static_domain_state2.pkp.spki_hashes, &failure_log)); |
EXPECT_NE(0UL, failure_log.length()); |
} |
#undef MAYBE_UpdateDynamicPKPMaxAge0 |
@@ -667,6 +673,7 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) { |
// Retrieve the DomainState as it is by default, including its known good |
// pins. |
const bool sni_enabled = true; |
+ state.enable_static_pinning_ = true; |
wtc
2014/08/07 23:39:12
Move this to line 671 to stay close to the comment
Ryan Hamilton
2014/08/08 00:54:00
Done.
|
EXPECT_TRUE(state.GetStaticDomainState(domain, sni_enabled, &domain_state)); |
HashValueVector saved_hashes = domain_state.pkp.spki_hashes; |
EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); |
@@ -680,8 +687,10 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) { |
EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000")); |
EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled)); |
std::string failure_log; |
+ const bool is_issued_by_known_root = true; |
EXPECT_TRUE(state.CheckPublicKeyPins( |
- domain, sni_enabled, saved_hashes, &failure_log)); |
+ domain, sni_enabled, is_issued_by_known_root, saved_hashes, |
+ &failure_log)); |
// Add an HPKP header, which should only update the dynamic state. |
HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1); |
@@ -702,7 +711,8 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) { |
// The dynamic pins, which do not match |saved_hashes|, should take |
// precedence over the static pins and cause the check to fail. |
EXPECT_FALSE(state.CheckPublicKeyPins( |
- domain, sni_enabled, saved_hashes, &failure_log)); |
+ domain, sni_enabled, is_issued_by_known_root, saved_hashes, |
+ &failure_log)); |
} |
}; // namespace net |