| Index: net/http/transport_security_state_unittest.cc
|
| diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
|
| index 14cfb7d33e786524c33d77144bad338407e42239..599bfb2b92c08e11327e6f50e4d17d671f6a2618 100644
|
| --- a/net/http/transport_security_state_unittest.cc
|
| +++ b/net/http/transport_security_state_unittest.cc
|
| @@ -547,43 +547,6 @@ static bool AddHash(const std::string& type_and_base64,
|
| return true;
|
| }
|
|
|
| -TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) {
|
| - // kGoodPath is plus.google.com via Google Internet Authority.
|
| - static const char* kGoodPath[] = {
|
| - "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
|
| - "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=",
|
| - "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
|
| - NULL,
|
| - };
|
| -
|
| - // kBadPath is plus.google.com via Trustcenter, which contains a required
|
| - // certificate (Equifax root), but also an excluded certificate
|
| - // (Trustcenter).
|
| - static const char* kBadPath[] = {
|
| - "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
|
| - "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
|
| - "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
|
| - NULL,
|
| - };
|
| -
|
| - HashValueVector good_hashes, bad_hashes;
|
| -
|
| - for (size_t i = 0; kGoodPath[i]; i++) {
|
| - EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
|
| - }
|
| - for (size_t i = 0; kBadPath[i]; i++) {
|
| - EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
|
| - }
|
| -
|
| - TransportSecurityState state;
|
| - TransportSecurityState::DomainState domain_state;
|
| - EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state));
|
| - EXPECT_TRUE(domain_state.HasPublicKeyPins());
|
| -
|
| - EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes));
|
| - EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes));
|
| -}
|
| -
|
| TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
|
| // kGoodPath is blog.torproject.org.
|
| static const char* kGoodPath[] = {
|
| @@ -620,100 +583,6 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
|
| EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes));
|
| }
|
|
|
| -TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) {
|
| - static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=";
|
| - static const char* ee_sha256 =
|
| - "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I=";
|
| - static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
|
| - static const char* google_1024_sha256 =
|
| - "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU=";
|
| - static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
|
| - static const char* equifax_sha256 =
|
| - "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY=";
|
| - static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=";
|
| - static const char* trustcenter_sha256 =
|
| - "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M=";
|
| -
|
| - // Good chains for plus.google.com chain up through google_1024_sha{1,256}
|
| - // to equifax_sha{1,256}. Bad chains chain up to Equifax through
|
| - // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax
|
| - // and Google1024 are known-good, the blacklistedness of Trustcenter
|
| - // should override and cause pin validation failure.
|
| -
|
| - TransportSecurityState state;
|
| - TransportSecurityState::DomainState domain_state;
|
| - EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state));
|
| - EXPECT_TRUE(domain_state.HasPublicKeyPins());
|
| -
|
| - // The statically-defined pins are all SHA-1, so we add some SHA-256 pins
|
| - // manually:
|
| - EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes));
|
| - EXPECT_TRUE(AddHash(trustcenter_sha256,
|
| - &domain_state.bad_static_spki_hashes));
|
| -
|
| - // Try an all-good SHA1 chain.
|
| - HashValueVector validated_chain;
|
| - EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| - EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain));
|
| -
|
| - // Try an all-bad SHA1 chain.
|
| - validated_chain.clear();
|
| - EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| - EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain));
|
| -
|
| - // Try an all-good SHA-256 chain.
|
| - validated_chain.clear();
|
| - EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| - EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain));
|
| -
|
| - // Try an all-bad SHA-256 chain.
|
| - validated_chain.clear();
|
| - EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| - EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain));
|
| -
|
| - // Try a mixed-hash good chain.
|
| - validated_chain.clear();
|
| - EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| - EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain));
|
| -
|
| - // Try a mixed-hash bad chain.
|
| - validated_chain.clear();
|
| - EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| - EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain));
|
| -
|
| - // Try a chain with all good hashes.
|
| - validated_chain.clear();
|
| - EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| - EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain));
|
| -
|
| - // Try a chain with all bad hashes.
|
| - validated_chain.clear();
|
| - EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| - EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));
|
| - EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| - EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain));
|
| -}
|
| -
|
| TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
|
| TransportSecurityState state;
|
| TransportSecurityState::DomainState domain_state;
|
|
|
Chromium Code Reviews
Issue 55893003:
net: trim allowed Google pins now that we have switched to GIAG2. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src