| Index: net/http/http_security_headers_unittest.cc
|
| diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc
|
| index d09f6fd308d49ab6dc5c207f6b8d91b72aad52ad..a6bb81e7ab1ef0a8c4302ada3798905e85f17ddc 100644
|
| --- a/net/http/http_security_headers_unittest.cc
|
| +++ b/net/http/http_security_headers_unittest.cc
|
| @@ -391,6 +391,7 @@ static void TestValidPKPHeaders(HashValueTag tag) {
|
|
|
| // The good pin must be in the chain, the backup pin must not be
|
| std::string good_pin = GetTestPin(2, tag);
|
| + std::string good_pin2 = GetTestPin(3, tag);
|
| std::string backup_pin = GetTestPin(4, tag);
|
|
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| @@ -468,8 +469,7 @@ static void TestValidPKPHeaders(HashValueTag tag) {
|
| EXPECT_EQ(expect_max_age, max_age);
|
| EXPECT_FALSE(include_subdomains);
|
|
|
| - // Test that parsing the same header twice doesn't duplicate the recorded
|
| - // hashes.
|
| + // Test that parsing a different header resets the hashes.
|
| hashes.clear();
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| " max-age=999; " +
|
| @@ -477,9 +477,8 @@ static void TestValidPKPHeaders(HashValueTag tag) {
|
| chain_hashes, &max_age, &include_subdomains, &hashes));
|
| EXPECT_EQ(2u, hashes.size());
|
| EXPECT_TRUE(ParseHPKPHeader(
|
| - " max-age=999; " +
|
| - backup_pin + ";" + good_pin + "; ",
|
| - chain_hashes, &max_age, &include_subdomains, &hashes));
|
| + " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes,
|
| + &max_age, &include_subdomains, &hashes));
|
| EXPECT_EQ(2u, hashes.size());
|
| }
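Review bot: The final `EXPECT_EQ(2u, hashes.size())` only shows the second ParseHPKPHeader call did not accumulate to three entries; it does not show the recorded hashes are now backup_pin and good_pin2 rather than the previous set, which is the reset behaviour the new comment claims. Since the file already has GetTestHashValue(int, HashValueTag), add a contents check after the size check, e.g. `EXPECT_NE(hashes.end(), std::find(hashes.begin(), hashes.end(), GetTestHashValue(3, tag)));` and the mirrored `EXPECT_EQ` for `GetTestHashValue(2, tag)` so the old good pin is shown to be gone (this assumes HashValue is equality-comparable as std::find needs and that `<algorithm>` is included; otherwise use whatever equality helper HashValue exposes). TestValidPKPHeaders begins before this hunk.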
|
|
|
| @@ -715,4 +714,41 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
|
| &failure_log));
|
| }
|
|
|
| +// Tests that seeing an invalid HPKP header leaves the existing one alone.
|
| +TEST_F(HttpSecurityHeadersTest, IgnoreInvalidHeaders) {
|
| + TransportSecurityState state;
|
| +
|
| + HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA256);
|
| + std::string good_pin = GetTestPin(1, HASH_VALUE_SHA256);
|
| + std::string bad_pin = GetTestPin(2, HASH_VALUE_SHA256);
|
| + std::string backup_pin = GetTestPin(3, HASH_VALUE_SHA256);
|
| +
|
| + SSLInfo ssl_info;
|
| + ssl_info.public_key_hashes.push_back(good_hash);
|
| +
|
| + // Add a valid HPKP header.
|
| + EXPECT_TRUE(state.AddHPKPHeader(
|
| + "example.com", "max-age = 10000; " + good_pin + "; " + backup_pin,
|
| + ssl_info));
|
| +
|
| + // Check the insertion was valid.
|
| + EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
|
| + std::string failure_log;
|
| + bool is_issued_by_known_root = true;
|
| + EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root,
|
| + ssl_info.public_key_hashes,
|
| + &failure_log));
|
| +
|
| + // Now assert an invalid one. This should fail.
|
| + EXPECT_FALSE(state.AddHPKPHeader(
|
| + "example.com", "max-age = 10000; " + bad_pin + "; " + backup_pin,
|
| + ssl_info));
|
| +
|
| + // The old pins must still exist.
|
| + EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
|
| + EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root,
|
| + ssl_info.public_key_hashes,
|
| + &failure_log));
|
| +}
|
| +
|
| }; // namespace net
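Review bot: The test covers only one way a header can be invalid — bad_pin is a syntactically valid pin whose hash is simply absent from ssl_info.public_key_hashes — so a malformed header (missing max-age, bad base64, no backup pin) that takes a different failure path inside AddHPKPHeader is not shown to leave the stored pins alone. A second `EXPECT_FALSE(state.AddHPKPHeader("example.com", "max-age = 10000; " + good_pin, ssl_info));` (one pin, no backup) followed by the same two EXPECT_TRUE checks would cover that, provided the parser does reject a single-pin header — worth confirming against the existing invalid-header tests. The two post-failure checks do detect the pins being replaced or cleared, since CheckPublicKeyPins must match good_hash, but they cannot detect the rejected header's max-age being applied; using a different max-age in the rejected header would at least document that intent even if it is not observable here. A short comment on bad_pin would also help the next reader, e.g. `// Well-formed, but its hash is not in the chain, so the header must be rejected.`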
|
|
|