| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 529 matching lines...) |
| 540 static bool AddHash(const std::string& type_and_base64, | 540 static bool AddHash(const std::string& type_and_base64, |
| 541 HashValueVector* out) { | 541 HashValueVector* out) { |
| 542 HashValue hash; | 542 HashValue hash; |
| 543 if (!hash.FromString(type_and_base64)) | 543 if (!hash.FromString(type_and_base64)) |
| 544 return false; | 544 return false; |
| 545 | 545 |
| 546 out->push_back(hash); | 546 out->push_back(hash); |
| 547 return true; | 547 return true; |
| 548 } | 548 } |
| 549 | 549 |
| 550 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) { | |
| 551 // kGoodPath is plus.google.com via Google Internet Authority. | |
| 552 static const char* kGoodPath[] = { | |
| 553 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | |
| 554 "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=", | |
| 555 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | |
| 556 NULL, | |
| 557 }; | |
| 558 | |
| 559 // kBadPath is plus.google.com via Trustcenter, which contains a required | |
| 560 // certificate (Equifax root), but also an excluded certificate | |
| 561 // (Trustcenter). | |
| 562 static const char* kBadPath[] = { | |
| 563 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | |
| 564 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", | |
| 565 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | |
| 566 NULL, | |
| 567 }; | |
| 568 | |
| 569 HashValueVector good_hashes, bad_hashes; | |
| 570 | |
| 571 for (size_t i = 0; kGoodPath[i]; i++) { | |
| 572 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | |
| 573 } | |
| 574 for (size_t i = 0; kBadPath[i]; i++) { | |
| 575 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | |
| 576 } | |
| 577 | |
| 578 TransportSecurityState state; | |
| 579 TransportSecurityState::DomainState domain_state; | |
| 580 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); | |
| 581 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | |
| 582 | |
| 583 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | |
| 584 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | |
| 585 } | |
| 586 | |
| 587 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { | 550 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { |
| 588 // kGoodPath is blog.torproject.org. | 551 // kGoodPath is blog.torproject.org. |
| 589 static const char* kGoodPath[] = { | 552 static const char* kGoodPath[] = { |
| 590 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", | 553 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", |
| 591 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=", | 554 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=", |
| 592 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", | 555 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=", |
| 593 NULL, | 556 NULL, |
| 594 }; | 557 }; |
| 595 | 558 |
| 596 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for | 559 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for |
| (...skipping 16 matching lines...) |
| 613 | 576 |
| 614 TransportSecurityState state; | 577 TransportSecurityState state; |
| 615 TransportSecurityState::DomainState domain_state; | 578 TransportSecurityState::DomainState domain_state; |
| 616 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", true, &domain_state)); | 579 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", true, &domain_state)); |
| 617 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 580 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 618 | 581 |
| 619 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | 582 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); |
| 620 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | 583 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); |
| 621 } | 584 } |
| 622 | 585 |
| 623 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { | |
| 624 static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU="; | |
| 625 static const char* ee_sha256 = | |
| 626 "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I="; | |
| 627 static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; | |
| 628 static const char* google_1024_sha256 = | |
| 629 "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU="; | |
| 630 static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; | |
| 631 static const char* equifax_sha256 = | |
| 632 "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY="; | |
| 633 static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k="; | |
| 634 static const char* trustcenter_sha256 = | |
| 635 "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M="; | |
| 636 | |
| 637 // Good chains for plus.google.com chain up through google_1024_sha{1,256} | |
| 638 // to equifax_sha{1,256}. Bad chains chain up to Equifax through | |
| 639 // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax | |
| 640 // and Google1024 are known-good, the blacklistedness of Trustcenter | |
| 641 // should override and cause pin validation failure. | |
| 642 | |
| 643 TransportSecurityState state; | |
| 644 TransportSecurityState::DomainState domain_state; | |
| 645 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); | |
| 646 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | |
| 647 | |
| 648 // The statically-defined pins are all SHA-1, so we add some SHA-256 pins | |
| 649 // manually: | |
| 650 EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes)); | |
| 651 EXPECT_TRUE(AddHash(trustcenter_sha256, | |
| 652 &domain_state.bad_static_spki_hashes)); | |
| 653 | |
| 654 // Try an all-good SHA1 chain. | |
| 655 HashValueVector validated_chain; | |
| 656 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 657 EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain)); | |
| 658 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 659 EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 660 | |
| 661 // Try an all-bad SHA1 chain. | |
| 662 validated_chain.clear(); | |
| 663 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 664 EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain)); | |
| 665 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 666 EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 667 | |
| 668 // Try an all-good SHA-256 chain. | |
| 669 validated_chain.clear(); | |
| 670 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 671 EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain)); | |
| 672 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 673 EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 674 | |
| 675 // Try an all-bad SHA-256 chain. | |
| 676 validated_chain.clear(); | |
| 677 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 678 EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain)); | |
| 679 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 680 EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 681 | |
| 682 // Try a mixed-hash good chain. | |
| 683 validated_chain.clear(); | |
| 684 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 685 EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain)); | |
| 686 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 687 EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 688 | |
| 689 // Try a mixed-hash bad chain. | |
| 690 validated_chain.clear(); | |
| 691 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 692 EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain)); | |
| 693 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 694 EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 695 | |
| 696 // Try a chain with all good hashes. | |
| 697 validated_chain.clear(); | |
| 698 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 699 EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain)); | |
| 700 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 701 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 702 EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain)); | |
| 703 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 704 EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 705 | |
| 706 // Try a chain with all bad hashes. | |
| 707 validated_chain.clear(); | |
| 708 EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); | |
| 709 EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain)); | |
| 710 EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); | |
| 711 EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); | |
| 712 EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain)); | |
| 713 EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); | |
| 714 EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); | |
| 715 } | |
| 716 | |
| 717 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { | 586 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { |
| 718 TransportSecurityState state; | 587 TransportSecurityState state; |
| 719 TransportSecurityState::DomainState domain_state; | 588 TransportSecurityState::DomainState domain_state; |
| 720 | 589 |
| 721 EXPECT_FALSE(ShouldRedirect("www.google-analytics.com")); | 590 EXPECT_FALSE(ShouldRedirect("www.google-analytics.com")); |
| 722 | 591 |
| 723 EXPECT_FALSE(HasPublicKeyPins("www.google-analytics.com", false)); | 592 EXPECT_FALSE(HasPublicKeyPins("www.google-analytics.com", false)); |
| 724 EXPECT_TRUE(HasPublicKeyPins("www.google-analytics.com")); | 593 EXPECT_TRUE(HasPublicKeyPins("www.google-analytics.com")); |
| 725 EXPECT_TRUE(HasPublicKeyPins("google.com")); | 594 EXPECT_TRUE(HasPublicKeyPins("google.com")); |
| 726 EXPECT_TRUE(HasPublicKeyPins("www.google.com")); | 595 EXPECT_TRUE(HasPublicKeyPins("www.google.com")); |
| (...skipping 87 matching lines...) |
| 814 // Expect to fail for SNI hosts when not searching the SNI list: | 683 // Expect to fail for SNI hosts when not searching the SNI list: |
| 815 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 684 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 816 "gmail.com", false)); | 685 "gmail.com", false)); |
| 817 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 686 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 818 "googlegroups.com", false)); | 687 "googlegroups.com", false)); |
| 819 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 688 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 820 "www.googlegroups.com", false)); | 689 "www.googlegroups.com", false)); |
| 821 } | 690 } |
| 822 | 691 |
| 823 } // namespace net | 692 } // namespace net |