| Index: net/http/transport_security_state_unittest.cc
|
| diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
|
| index 476ae94bd681cfcae362f53dcac998dea95dd9b5..dfbc7539e1a098000a64cb09b94b18ab117e0ce3 100644
|
| --- a/net/http/transport_security_state_unittest.cc
|
| +++ b/net/http/transport_security_state_unittest.cc
|
| @@ -37,6 +37,7 @@
|
| namespace net {
|
|
|
| class TransportSecurityStateTest : public testing::Test {
|
| + public:
|
| virtual void SetUp() {
|
| #if defined(USE_OPENSSL)
|
| crypto::EnsureOpenSSLInit();
|
| @@ -45,6 +46,14 @@ class TransportSecurityStateTest : public testing::Test {
|
| #endif
|
| }
|
|
|
| + static void DisableStaticPins(TransportSecurityState* state) {
|
| + state->enable_static_pins_ = false;
|
| + }
|
| +
|
| + static void EnableStaticPins(TransportSecurityState* state) {
|
| + state->enable_static_pins_ = true;
|
| + }
|
| +
|
| protected:
|
| bool GetStaticDomainState(TransportSecurityState* state,
|
| const std::string& host,
|
| @@ -162,6 +171,27 @@ TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
|
| EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
|
| }
|
|
|
| +TEST_F(TransportSecurityStateTest, EnableStaticPins) {
|
| + TransportSecurityState state;
|
| + TransportSecurityState::DomainState domain_state;
|
| +
|
| + EnableStaticPins(&state);
|
| +
|
| + EXPECT_TRUE(
|
| + state.GetStaticDomainState("chrome.google.com", true, &domain_state));
|
| + EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| +}
|
| +
|
| +TEST_F(TransportSecurityStateTest, DisableStaticPins) {
|
| + TransportSecurityState state;
|
| + TransportSecurityState::DomainState domain_state;
|
| +
|
| + DisableStaticPins(&state);
|
| + EXPECT_TRUE(
|
| + state.GetStaticDomainState("chrome.google.com", true, &domain_state));
|
| + EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
|
| +}
|
| +
|
| TEST_F(TransportSecurityStateTest, IsPreloaded) {
|
| const std::string paypal = "paypal.com";
|
| const std::string www_paypal = "www.paypal.com";
|
| @@ -177,7 +207,6 @@ TEST_F(TransportSecurityStateTest, IsPreloaded) {
|
| EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state));
|
| EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state));
|
| EXPECT_FALSE(domain_state.sts.include_subdomains);
|
| - EXPECT_FALSE(domain_state.pkp.include_subdomains);
|
| EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state));
|
| EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state));
|
| EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state));
|
| @@ -214,6 +243,7 @@ static bool HasStaticState(const char* hostname) {
|
|
|
| static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) {
|
| TransportSecurityState state;
|
| + TransportSecurityStateTest::EnableStaticPins(&state);
|
| TransportSecurityState::DomainState domain_state;
|
| if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state))
|
| return false;
|
| @@ -227,6 +257,7 @@ static bool HasStaticPublicKeyPins(const char* hostname) {
|
|
|
| static bool OnlyPinningInStaticState(const char* hostname) {
|
| TransportSecurityState state;
|
| + TransportSecurityStateTest::EnableStaticPins(&state);
|
| TransportSecurityState::DomainState domain_state;
|
| if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state))
|
| return false;
|
| @@ -285,24 +316,6 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
|
| EXPECT_FALSE(HasStaticState("m.gmail.com"));
|
| EXPECT_FALSE(HasStaticState("m.googlemail.com"));
|
|
|
| - EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
|
| - EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
|
| -
|
| // Tests for domains that don't work without SNI.
|
| EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state));
|
| EXPECT_FALSE(
|
| @@ -407,28 +420,12 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
|
| EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
|
| EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
|
|
|
| - EXPECT_TRUE(
|
| - state.GetStaticDomainState("torproject.org", false, &domain_state));
|
| - EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| - EXPECT_TRUE(
|
| - state.GetStaticDomainState("www.torproject.org", false, &domain_state));
|
| - EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| - EXPECT_TRUE(
|
| - state.GetStaticDomainState("check.torproject.org", false, &domain_state));
|
| - EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| - EXPECT_TRUE(
|
| - state.GetStaticDomainState("blog.torproject.org", false, &domain_state));
|
| - EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
|
| EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
|
|
|
| EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
|
| EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
|
|
|
| - EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
|
| - EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
|
| - EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
|
| - EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
|
| EXPECT_FALSE(HasStaticState("foo.torproject.org"));
|
|
|
| EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
|
| @@ -478,6 +475,57 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
|
|
|
| EXPECT_TRUE(StaticShouldRedirect("crate.io"));
|
| EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
|
| +}
|
| +
|
| +TEST_F(TransportSecurityStateTest, PreloadedPins) {
|
| + TransportSecurityState state;
|
| + EnableStaticPins(&state);
|
| + TransportSecurityState::DomainState domain_state;
|
| +
|
| + // We do more extensive checks for the first domain.
|
| + EXPECT_TRUE(
|
| + state.GetStaticDomainState("www.paypal.com", true, &domain_state));
|
| + EXPECT_EQ(domain_state.sts.upgrade_mode,
|
| + TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
|
| + EXPECT_FALSE(domain_state.sts.include_subdomains);
|
| + EXPECT_FALSE(domain_state.pkp.include_subdomains);
|
| +
|
| + EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
|
| + EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
|
| +
|
| + EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
|
| + EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
|
| + EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
|
| + EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
|
| + EXPECT_FALSE(HasStaticState("foo.torproject.org"));
|
| +
|
| + EXPECT_TRUE(
|
| + state.GetStaticDomainState("torproject.org", false, &domain_state));
|
| + EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| + EXPECT_TRUE(
|
| + state.GetStaticDomainState("www.torproject.org", false, &domain_state));
|
| + EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| + EXPECT_TRUE(
|
| + state.GetStaticDomainState("check.torproject.org", false, &domain_state));
|
| + EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| + EXPECT_TRUE(
|
| + state.GetStaticDomainState("blog.torproject.org", false, &domain_state));
|
| + EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
|
|
| EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
|
| }
|
| @@ -495,6 +543,7 @@ TEST_F(TransportSecurityStateTest, LongNames) {
|
|
|
| TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
|
| TransportSecurityState state;
|
| + EnableStaticPins(&state);
|
| TransportSecurityState::DomainState domain_state;
|
|
|
| EXPECT_TRUE(
|
| @@ -534,7 +583,6 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
|
| EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
|
| EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
|
|
|
| - // Disabled in order to help track down pinning failures --agl
|
| EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
|
| EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
|
| EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
|
| @@ -585,6 +633,8 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
|
| }
|
|
|
| TransportSecurityState state;
|
| + EnableStaticPins(&state);
|
| +
|
| TransportSecurityState::DomainState domain_state;
|
| EXPECT_TRUE(
|
| state.GetStaticDomainState("blog.torproject.org", true, &domain_state));
|
| @@ -597,6 +647,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
|
|
|
| TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
|
| TransportSecurityState state;
|
| + EnableStaticPins(&state);
|
| TransportSecurityState::DomainState domain_state;
|
|
|
| EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
|
|
|
Chromium Code Reviews
Issue 433123003:
Centralize the logic for checking public key pins (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src