OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <algorithm> | 5 #include <algorithm> |
6 | 6 |
7 #include "base/base64.h" | 7 #include "base/base64.h" |
8 #include "base/sha1.h" | 8 #include "base/sha1.h" |
9 #include "base/strings/string_piece.h" | 9 #include "base/strings/string_piece.h" |
10 #include "crypto/sha2.h" | 10 #include "crypto/sha2.h" |
(...skipping 373 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
384 HashValueVector hashes; | 384 HashValueVector hashes; |
385 HashValueVector chain_hashes; | 385 HashValueVector chain_hashes; |
386 | 386 |
387 // Set some fake "chain" hashes into chain_hashes | 387 // Set some fake "chain" hashes into chain_hashes |
388 chain_hashes.push_back(GetTestHashValue(1, tag)); | 388 chain_hashes.push_back(GetTestHashValue(1, tag)); |
389 chain_hashes.push_back(GetTestHashValue(2, tag)); | 389 chain_hashes.push_back(GetTestHashValue(2, tag)); |
390 chain_hashes.push_back(GetTestHashValue(3, tag)); | 390 chain_hashes.push_back(GetTestHashValue(3, tag)); |
391 | 391 |
392 // The good pin must be in the chain, the backup pin must not be | 392 // The good pin must be in the chain, the backup pin must not be |
393 std::string good_pin = GetTestPin(2, tag); | 393 std::string good_pin = GetTestPin(2, tag); |
394 std::string good_pin2 = GetTestPin(3, tag); | |
394 std::string backup_pin = GetTestPin(4, tag); | 395 std::string backup_pin = GetTestPin(4, tag); |
395 | 396 |
396 EXPECT_TRUE(ParseHPKPHeader( | 397 EXPECT_TRUE(ParseHPKPHeader( |
397 "max-age=243; " + good_pin + ";" + backup_pin, | 398 "max-age=243; " + good_pin + ";" + backup_pin, |
398 chain_hashes, &max_age, &include_subdomains, &hashes)); | 399 chain_hashes, &max_age, &include_subdomains, &hashes)); |
399 expect_max_age = base::TimeDelta::FromSeconds(243); | 400 expect_max_age = base::TimeDelta::FromSeconds(243); |
400 EXPECT_EQ(expect_max_age, max_age); | 401 EXPECT_EQ(expect_max_age, max_age); |
401 EXPECT_FALSE(include_subdomains); | 402 EXPECT_FALSE(include_subdomains); |
402 | 403 |
403 EXPECT_TRUE(ParseHPKPHeader( | 404 EXPECT_TRUE(ParseHPKPHeader( |
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
461 EXPECT_TRUE(include_subdomains); | 462 EXPECT_TRUE(include_subdomains); |
462 | 463 |
463 EXPECT_TRUE(ParseHPKPHeader( | 464 EXPECT_TRUE(ParseHPKPHeader( |
464 " max-age=999999999999999999999999999999999999999999999 ; " + | 465 " max-age=999999999999999999999999999999999999999999999 ; " + |
465 backup_pin + ";" + good_pin + "; ", | 466 backup_pin + ";" + good_pin + "; ", |
466 chain_hashes, &max_age, &include_subdomains, &hashes)); | 467 chain_hashes, &max_age, &include_subdomains, &hashes)); |
467 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); | 468 expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs); |
468 EXPECT_EQ(expect_max_age, max_age); | 469 EXPECT_EQ(expect_max_age, max_age); |
469 EXPECT_FALSE(include_subdomains); | 470 EXPECT_FALSE(include_subdomains); |
470 | 471 |
471 // Test that parsing the same header twice doesn't duplicate the recorded | 472 // Test that parsing a different header resets the hashes. |
Ryan Sleevi
2015/01/13 21:56:40
Is there any test for when we have one pin header,
davidben
2015/01/13 23:30:47
Added one. (Although it wasn't a bug in the old ve
| |
472 // hashes. | |
473 hashes.clear(); | 473 hashes.clear(); |
474 EXPECT_TRUE(ParseHPKPHeader( | 474 EXPECT_TRUE(ParseHPKPHeader( |
475 " max-age=999; " + | 475 " max-age=999; " + |
476 backup_pin + ";" + good_pin + "; ", | 476 backup_pin + ";" + good_pin + "; ", |
477 chain_hashes, &max_age, &include_subdomains, &hashes)); | 477 chain_hashes, &max_age, &include_subdomains, &hashes)); |
478 EXPECT_EQ(2u, hashes.size()); | 478 EXPECT_EQ(2u, hashes.size()); |
479 EXPECT_TRUE(ParseHPKPHeader( | 479 EXPECT_TRUE(ParseHPKPHeader( |
480 " max-age=999; " + | 480 " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, |
481 backup_pin + ";" + good_pin + "; ", | 481 &max_age, &include_subdomains, &hashes)); |
482 chain_hashes, &max_age, &include_subdomains, &hashes)); | |
483 EXPECT_EQ(2u, hashes.size()); | 482 EXPECT_EQ(2u, hashes.size()); |
484 } | 483 } |
485 | 484 |
486 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { | 485 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) { |
487 TestBogusPinsHeaders(HASH_VALUE_SHA1); | 486 TestBogusPinsHeaders(HASH_VALUE_SHA1); |
488 } | 487 } |
489 | 488 |
490 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { | 489 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { |
491 TestBogusPinsHeaders(HASH_VALUE_SHA256); | 490 TestBogusPinsHeaders(HASH_VALUE_SHA256); |
492 } | 491 } |
(...skipping 216 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
709 EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); | 708 EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); |
710 // The dynamic pins, which do not match |saved_hashes|, should take | 709 // The dynamic pins, which do not match |saved_hashes|, should take |
711 // precedence over the static pins and cause the check to fail. | 710 // precedence over the static pins and cause the check to fail. |
712 EXPECT_FALSE(state.CheckPublicKeyPins(domain, | 711 EXPECT_FALSE(state.CheckPublicKeyPins(domain, |
713 is_issued_by_known_root, | 712 is_issued_by_known_root, |
714 saved_hashes, | 713 saved_hashes, |
715 &failure_log)); | 714 &failure_log)); |
716 } | 715 } |
717 | 716 |
718 }; // namespace net | 717 }; // namespace net |
OLD | NEW |