| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/base64.h" | 10 #include "base/base64.h" |
| 11 #include "base/file_path.h" | 11 #include "base/file_path.h" |
| 12 #include "base/sha1.h" | 12 #include "base/sha1.h" |
| 13 #include "base/string_piece.h" | 13 #include "base/string_piece.h" |
| 14 #include "crypto/sha2.h" |
| 14 #include "net/base/asn1_util.h" | 15 #include "net/base/asn1_util.h" |
| 15 #include "net/base/cert_test_util.h" | 16 #include "net/base/cert_test_util.h" |
| 16 #include "net/base/cert_verifier.h" | 17 #include "net/base/cert_verifier.h" |
| 17 #include "net/base/cert_verify_result.h" | 18 #include "net/base/cert_verify_result.h" |
| 18 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
| 19 #include "net/base/net_log.h" | 20 #include "net/base/net_log.h" |
| 20 #include "net/base/ssl_info.h" | 21 #include "net/base/ssl_info.h" |
| 21 #include "net/base/test_completion_callback.h" | 22 #include "net/base/test_completion_callback.h" |
| 22 #include "net/base/test_root_certs.h" | 23 #include "net/base/test_root_certs.h" |
| 24 #include "net/base/x509_cert_types.h" |
| 23 #include "net/base/x509_certificate.h" | 25 #include "net/base/x509_certificate.h" |
| 24 #include "net/http/http_util.h" | 26 #include "net/http/http_util.h" |
| 25 #include "testing/gtest/include/gtest/gtest.h" | 27 #include "testing/gtest/include/gtest/gtest.h" |
| 26 | 28 |
| 27 #if defined(USE_OPENSSL) | 29 #if defined(USE_OPENSSL) |
| 28 #include "crypto/openssl_util.h" | 30 #include "crypto/openssl_util.h" |
| 29 #else | 31 #else |
| 30 #include "crypto/nss_util.h" | 32 #include "crypto/nss_util.h" |
| 31 #endif | 33 #endif |
| 32 | 34 |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 84 EXPECT_FALSE(state.ParseSTSHeader(now, "max-age=34889 includesubdomains")); | 86 EXPECT_FALSE(state.ParseSTSHeader(now, "max-age=34889 includesubdomains")); |
| 85 | 87 |
| 86 // Check that |state| was not updated by expecting the default | 88 // Check that |state| was not updated by expecting the default |
| 87 // values for its predictable fields. | 89 // values for its predictable fields. |
| 88 EXPECT_EQ(state.upgrade_mode, | 90 EXPECT_EQ(state.upgrade_mode, |
| 89 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); | 91 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); |
| 90 EXPECT_FALSE(state.include_subdomains); | 92 EXPECT_FALSE(state.include_subdomains); |
| 91 } | 93 } |
| 92 | 94 |
| 93 static bool GetPublicKeyHash(const net::X509Certificate::OSCertHandle& cert, | 95 static bool GetPublicKeyHash(const net::X509Certificate::OSCertHandle& cert, |
| 94 SHA1Fingerprint* fingerprint) { | 96 HashValue* fingerprint, |
| 97 HashValueTag tag) { |
| 95 std::string der_bytes; | 98 std::string der_bytes; |
| 96 if (!net::X509Certificate::GetDEREncoded(cert, &der_bytes)) | 99 if (!net::X509Certificate::GetDEREncoded(cert, &der_bytes)) |
| 97 return false; | 100 return false; |
| 98 | 101 |
| 99 base::StringPiece spki; | 102 base::StringPiece spki; |
| 100 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) | 103 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) |
| 101 return false; | 104 return false; |
| 102 | 105 |
| 103 base::SHA1HashBytes(reinterpret_cast<const unsigned char*>(spki.data()), | 106 fingerprint->tag = tag; |
| 104 spki.size(), fingerprint->data); | 107 switch (tag) { |
| 108 case HASH_VALUE_SHA1: |
| 109 base::SHA1HashBytes(reinterpret_cast<const unsigned char*>(spki.data()), |
| 110 spki.size(), fingerprint->data()); |
| 111 break; |
| 112 case HASH_VALUE_SHA256: |
| 113 crypto::SHA256HashString(spki, fingerprint->data(), |
| 114 crypto::kSHA256Length); |
| 115 break; |
| 116 default: |
| 117 NOTREACHED() << "Unknown HashValueTag " << tag; |
| 118 } |
| 119 |
| 105 return true; | 120 return true; |
| 106 } | 121 } |
| 107 | 122 |
| 108 static std::string GetPinFromCert(X509Certificate* cert) { | 123 static std::string GetPinFromCert(X509Certificate* cert, HashValueTag tag) { |
| 109 SHA1Fingerprint spki_hash; | 124 HashValue spki_hash; |
| 110 EXPECT_TRUE(GetPublicKeyHash(cert->os_cert_handle(), &spki_hash)); | 125 EXPECT_TRUE(GetPublicKeyHash(cert->os_cert_handle(), &spki_hash, tag)); |
| 111 | 126 |
| 112 std::string base64; | 127 std::string base64; |
| 113 base::Base64Encode(base::StringPiece(reinterpret_cast<char*>(spki_hash.data), | 128 base::Base64Encode(base::StringPiece( |
| 114 sizeof(spki_hash.data)), | 129 reinterpret_cast<char*>(spki_hash.data()), spki_hash.size()), &base64); |
| 115 &base64); | 130 |
| 116 return "pin-sha1=" + HttpUtil::Quote(base64); | 131 std::string label; |
| 132 switch (tag) { |
| 133 case HASH_VALUE_SHA1: |
| 134 label = "pin-sha1="; |
| 135 break; |
| 136 case HASH_VALUE_SHA256: |
| 137 label = "pin-sha256="; |
| 138 break; |
| 139 default: |
| 140 NOTREACHED() << "Unknown HashValueTag " << tag; |
| 141 } |
| 142 |
| 143 return label + HttpUtil::Quote(base64); |
| 117 } | 144 } |
| 118 | 145 |
| 119 TEST_F(TransportSecurityStateTest, BogusPinsHeaders) { | 146 static void TestBogusPinsHeaders(HashValueTag tag) { |
| 120 TransportSecurityState::DomainState state; | 147 TransportSecurityState::DomainState state; |
| 121 SSLInfo ssl_info; | 148 SSLInfo ssl_info; |
| 122 ssl_info.cert = | 149 ssl_info.cert = |
| 123 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | 150 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 124 std::string good_pin = GetPinFromCert(ssl_info.cert); | 151 std::string good_pin = GetPinFromCert(ssl_info.cert, tag); |
| 125 base::Time now = base::Time::Now(); | 152 base::Time now = base::Time::Now(); |
| 126 | 153 |
| 127 // The backup pin is fake --- it just has to not be in the chain. | 154 // The backup pin is fake --- it just has to not be in the chain. |
| 128 std::string backup_pin = "pin-sha1=" + | 155 std::string backup_pin = "pin-sha1=" + |
| 129 HttpUtil::Quote("6dcfXufJLW3J6S/9rRe4vUlBj5g="); | 156 HttpUtil::Quote("6dcfXufJLW3J6S/9rRe4vUlBj5g="); |
| 130 | 157 |
| 131 EXPECT_FALSE(state.ParsePinsHeader(now, "", ssl_info)); | 158 EXPECT_FALSE(state.ParsePinsHeader(now, "", ssl_info)); |
| 132 EXPECT_FALSE(state.ParsePinsHeader(now, " ", ssl_info)); | 159 EXPECT_FALSE(state.ParsePinsHeader(now, " ", ssl_info)); |
| 133 EXPECT_FALSE(state.ParsePinsHeader(now, "abc", ssl_info)); | 160 EXPECT_FALSE(state.ParsePinsHeader(now, "abc", ssl_info)); |
| 134 EXPECT_FALSE(state.ParsePinsHeader(now, " abc", ssl_info)); | 161 EXPECT_FALSE(state.ParsePinsHeader(now, " abc", ssl_info)); |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 173 ssl_info)); | 200 ssl_info)); |
| 174 EXPECT_FALSE(state.ParsePinsHeader(now, "max-age=34889.23", ssl_info)); | 201 EXPECT_FALSE(state.ParsePinsHeader(now, "max-age=34889.23", ssl_info)); |
| 175 | 202 |
| 176 // Check that |state| was not updated by expecting the default | 203 // Check that |state| was not updated by expecting the default |
| 177 // values for its predictable fields. | 204 // values for its predictable fields. |
| 178 EXPECT_EQ(state.upgrade_mode, | 205 EXPECT_EQ(state.upgrade_mode, |
| 179 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); | 206 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); |
| 180 EXPECT_FALSE(state.include_subdomains); | 207 EXPECT_FALSE(state.include_subdomains); |
| 181 } | 208 } |
| 182 | 209 |
| 210 TEST_F(TransportSecurityStateTest, BogusPinsHeadersSHA1) { |
| 211 TestBogusPinsHeaders(HASH_VALUE_SHA1); |
| 212 } |
| 213 |
| 214 TEST_F(TransportSecurityStateTest, BogusPinsHeadersSHA256) { |
| 215 TestBogusPinsHeaders(HASH_VALUE_SHA256); |
| 216 } |
| 217 |
| 183 TEST_F(TransportSecurityStateTest, ValidSTSHeaders) { | 218 TEST_F(TransportSecurityStateTest, ValidSTSHeaders) { |
| 184 TransportSecurityState::DomainState state; | 219 TransportSecurityState::DomainState state; |
| 185 base::Time expiry; | 220 base::Time expiry; |
| 186 base::Time now = base::Time::Now(); | 221 base::Time now = base::Time::Now(); |
| 187 | 222 |
| 188 EXPECT_TRUE(state.ParseSTSHeader(now, "max-age=243")); | 223 EXPECT_TRUE(state.ParseSTSHeader(now, "max-age=243")); |
| 189 expiry = now + base::TimeDelta::FromSeconds(243); | 224 expiry = now + base::TimeDelta::FromSeconds(243); |
| 190 EXPECT_EQ(expiry, state.upgrade_expiry); | 225 EXPECT_EQ(expiry, state.upgrade_expiry); |
| 191 EXPECT_FALSE(state.include_subdomains); | 226 EXPECT_FALSE(state.include_subdomains); |
| 192 | 227 |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 233 EXPECT_TRUE(state.ParseSTSHeader( | 268 EXPECT_TRUE(state.ParseSTSHeader( |
| 234 now, | 269 now, |
| 235 " max-age=999999999999999999999999999999999999999999999 ;" | 270 " max-age=999999999999999999999999999999999999999999999 ;" |
| 236 " incLudesUbdOmains ")); | 271 " incLudesUbdOmains ")); |
| 237 expiry = now + base::TimeDelta::FromSeconds( | 272 expiry = now + base::TimeDelta::FromSeconds( |
| 238 TransportSecurityState::kMaxHSTSAgeSecs); | 273 TransportSecurityState::kMaxHSTSAgeSecs); |
| 239 EXPECT_EQ(expiry, state.upgrade_expiry); | 274 EXPECT_EQ(expiry, state.upgrade_expiry); |
| 240 EXPECT_TRUE(state.include_subdomains); | 275 EXPECT_TRUE(state.include_subdomains); |
| 241 } | 276 } |
| 242 | 277 |
| 243 TEST_F(TransportSecurityStateTest, ValidPinsHeaders) { | 278 static void TestValidPinsHeaders(HashValueTag tag) { |
| 244 TransportSecurityState::DomainState state; | 279 TransportSecurityState::DomainState state; |
| 245 base::Time expiry; | 280 base::Time expiry; |
| 246 base::Time now = base::Time::Now(); | 281 base::Time now = base::Time::Now(); |
| 247 | 282 |
| 248 // Set up a realistic SSLInfo with a realistic cert chain. | 283 // Set up a realistic SSLInfo with a realistic cert chain. |
| 249 FilePath certs_dir = GetTestCertsDirectory(); | 284 FilePath certs_dir = GetTestCertsDirectory(); |
| 250 scoped_refptr<X509Certificate> ee_cert = | 285 scoped_refptr<X509Certificate> ee_cert = |
| 251 ImportCertFromFile(certs_dir, "2048-rsa-ee-by-2048-rsa-intermediate.pem"); | 286 ImportCertFromFile(certs_dir, "2048-rsa-ee-by-2048-rsa-intermediate.pem"); |
| 252 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); | 287 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); |
| 253 scoped_refptr<X509Certificate> intermediate = | 288 scoped_refptr<X509Certificate> intermediate = |
| (...skipping 19 matching lines...) Expand all Loading... |
| 273 scoped_ptr<CertVerifier> verifier(CertVerifier::CreateDefault()); | 308 scoped_ptr<CertVerifier> verifier(CertVerifier::CreateDefault()); |
| 274 TestCompletionCallback callback; | 309 TestCompletionCallback callback; |
| 275 CertVerifier::RequestHandle handle = NULL; | 310 CertVerifier::RequestHandle handle = NULL; |
| 276 rv = verifier->Verify(ssl_info.cert, "127.0.0.1", 0, NULL, &result, | 311 rv = verifier->Verify(ssl_info.cert, "127.0.0.1", 0, NULL, &result, |
| 277 callback.callback(), &handle, BoundNetLog()); | 312 callback.callback(), &handle, BoundNetLog()); |
| 278 rv = callback.GetResult(rv); | 313 rv = callback.GetResult(rv); |
| 279 ASSERT_EQ(OK, rv); | 314 ASSERT_EQ(OK, rv); |
| 280 // Normally, ssl_client_socket_nss would do this, but for a unit test we | 315 // Normally, ssl_client_socket_nss would do this, but for a unit test we |
| 281 // fake it. | 316 // fake it. |
| 282 ssl_info.public_key_hashes = result.public_key_hashes; | 317 ssl_info.public_key_hashes = result.public_key_hashes; |
| 283 std::string good_pin = GetPinFromCert(ssl_info.cert); | 318 std::string good_pin = GetPinFromCert(ssl_info.cert, /*tag*/HASH_VALUE_SHA1); |
| 319 DLOG(WARNING) << "good pin: " << good_pin; |
| 284 | 320 |
| 285 // The backup pin is fake --- we just need an SPKI hash that does not match | 321 // The backup pin is fake --- we just need an SPKI hash that does not match |
| 286 // the hash of any SPKI in the certificate chain. | 322 // the hash of any SPKI in the certificate chain. |
| 287 std::string backup_pin = "pin-sha1=" + | 323 std::string backup_pin = "pin-sha1=" + |
| 288 HttpUtil::Quote("6dcfXufJLW3J6S/9rRe4vUlBj5g="); | 324 HttpUtil::Quote("6dcfXufJLW3J6S/9rRe4vUlBj5g="); |
| 289 | 325 |
| 290 EXPECT_TRUE(state.ParsePinsHeader( | 326 EXPECT_TRUE(state.ParsePinsHeader( |
| 291 now, | 327 now, |
| 292 "max-age=243; " + good_pin + ";" + backup_pin, | 328 "max-age=243; " + good_pin + ";" + backup_pin, |
| 293 ssl_info)); | 329 ssl_info)); |
| (...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 349 EXPECT_TRUE(state.ParsePinsHeader( | 385 EXPECT_TRUE(state.ParsePinsHeader( |
| 350 now, | 386 now, |
| 351 " max-age=999999999999999999999999999999999999999999999 ; " + | 387 " max-age=999999999999999999999999999999999999999999999 ; " + |
| 352 backup_pin + ";" + good_pin + "; ", | 388 backup_pin + ";" + good_pin + "; ", |
| 353 ssl_info)); | 389 ssl_info)); |
| 354 expiry = now + | 390 expiry = now + |
| 355 base::TimeDelta::FromSeconds(TransportSecurityState::kMaxHSTSAgeSecs); | 391 base::TimeDelta::FromSeconds(TransportSecurityState::kMaxHSTSAgeSecs); |
| 356 EXPECT_EQ(expiry, state.dynamic_spki_hashes_expiry); | 392 EXPECT_EQ(expiry, state.dynamic_spki_hashes_expiry); |
| 357 } | 393 } |
| 358 | 394 |
| 395 TEST_F(TransportSecurityStateTest, ValidPinsHeadersSHA1) { |
| 396 TestValidPinsHeaders(HASH_VALUE_SHA1); |
| 397 } |
| 398 |
| 399 TEST_F(TransportSecurityStateTest, ValidPinsHeadersSHA256) { |
| 400 TestValidPinsHeaders(HASH_VALUE_SHA256); |
| 401 } |
| 402 |
| 359 TEST_F(TransportSecurityStateTest, SimpleMatches) { | 403 TEST_F(TransportSecurityStateTest, SimpleMatches) { |
| 360 TransportSecurityState state; | 404 TransportSecurityState state; |
| 361 TransportSecurityState::DomainState domain_state; | 405 TransportSecurityState::DomainState domain_state; |
| 362 const base::Time current_time(base::Time::Now()); | 406 const base::Time current_time(base::Time::Now()); |
| 363 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 407 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 364 | 408 |
| 365 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | 409 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 366 domain_state.upgrade_expiry = expiry; | 410 domain_state.upgrade_expiry = expiry; |
| 367 state.EnableHost("yahoo.com", domain_state); | 411 state.EnableHost("yahoo.com", domain_state); |
| 368 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | 412 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| (...skipping 407 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 776 EXPECT_FALSE(state.GetDomainState(kLongName, true, &domain_state)); | 820 EXPECT_FALSE(state.GetDomainState(kLongName, true, &domain_state)); |
| 777 } | 821 } |
| 778 | 822 |
| 779 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { | 823 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { |
| 780 TransportSecurityState state; | 824 TransportSecurityState state; |
| 781 TransportSecurityState::DomainState domain_state; | 825 TransportSecurityState::DomainState domain_state; |
| 782 | 826 |
| 783 EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state)); | 827 EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state)); |
| 784 EXPECT_TRUE(HasPins("chrome.google.com")); | 828 EXPECT_TRUE(HasPins("chrome.google.com")); |
| 785 | 829 |
| 786 FingerprintVector hashes; | 830 HashValueVector hashes; |
| 787 // Checks that a built-in list does exist. | 831 // Checks that a built-in list does exist. |
| 788 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); | 832 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); |
| 789 EXPECT_FALSE(HasPins("www.paypal.com")); | 833 EXPECT_FALSE(HasPins("www.paypal.com")); |
| 790 | 834 |
| 791 EXPECT_TRUE(HasPins("docs.google.com")); | 835 EXPECT_TRUE(HasPins("docs.google.com")); |
| 792 EXPECT_TRUE(HasPins("1.docs.google.com")); | 836 EXPECT_TRUE(HasPins("1.docs.google.com")); |
| 793 EXPECT_TRUE(HasPins("sites.google.com")); | 837 EXPECT_TRUE(HasPins("sites.google.com")); |
| 794 EXPECT_TRUE(HasPins("drive.google.com")); | 838 EXPECT_TRUE(HasPins("drive.google.com")); |
| 795 EXPECT_TRUE(HasPins("spreadsheets.google.com")); | 839 EXPECT_TRUE(HasPins("spreadsheets.google.com")); |
| 796 EXPECT_TRUE(HasPins("health.google.com")); | 840 EXPECT_TRUE(HasPins("health.google.com")); |
| (...skipping 25 matching lines...) Expand all Loading... |
| 822 EXPECT_TRUE(HasPins("oauth.twitter.com")); | 866 EXPECT_TRUE(HasPins("oauth.twitter.com")); |
| 823 EXPECT_TRUE(HasPins("mobile.twitter.com")); | 867 EXPECT_TRUE(HasPins("mobile.twitter.com")); |
| 824 EXPECT_TRUE(HasPins("dev.twitter.com")); | 868 EXPECT_TRUE(HasPins("dev.twitter.com")); |
| 825 EXPECT_TRUE(HasPins("business.twitter.com")); | 869 EXPECT_TRUE(HasPins("business.twitter.com")); |
| 826 EXPECT_TRUE(HasPins("platform.twitter.com")); | 870 EXPECT_TRUE(HasPins("platform.twitter.com")); |
| 827 EXPECT_TRUE(HasPins("si0.twimg.com")); | 871 EXPECT_TRUE(HasPins("si0.twimg.com")); |
| 828 EXPECT_TRUE(HasPins("twimg0-a.akamaihd.net")); | 872 EXPECT_TRUE(HasPins("twimg0-a.akamaihd.net")); |
| 829 } | 873 } |
| 830 | 874 |
| 831 static bool AddHash(const std::string& type_and_base64, | 875 static bool AddHash(const std::string& type_and_base64, |
| 832 FingerprintVector* out) { | 876 HashValueVector* out) { |
| 833 std::string hash_str; | 877 HashValue hash; |
| 834 if (type_and_base64.find("sha1/") == 0 && | 878 |
| 835 base::Base64Decode(type_and_base64.substr(5, type_and_base64.size() - 5), | 879 if (!TransportSecurityState::ParsePin(type_and_base64, &hash)) |
| 836 &hash_str) && | 880 return false; |
| 837 hash_str.size() == base::kSHA1Length) { | 881 |
| 838 SHA1Fingerprint hash; | 882 out->push_back(hash); |
| 839 memcpy(hash.data, hash_str.data(), sizeof(hash.data)); | 883 return true; |
| 840 out->push_back(hash); | |
| 841 return true; | |
| 842 } | |
| 843 return false; | |
| 844 } | 884 } |
| 845 | 885 |
| 886 |
| 846 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) { | 887 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) { |
| 847 // kGoodPath is plus.google.com via Google Internet Authority. | 888 // kGoodPath is plus.google.com via Google Internet Authority. |
| 848 static const char* kGoodPath[] = { | 889 static const char* kGoodPath[] = { |
| 849 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | 890 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", |
| 850 "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=", | 891 "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=", |
| 851 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | 892 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", |
| 852 NULL, | 893 NULL, |
| 853 }; | 894 }; |
| 854 | 895 |
| 855 // kBadPath is plus.google.com via Trustcenter, which contains a required | 896 // kBadPath is plus.google.com via Trustcenter, which contains a required |
| 856 // certificate (Equifax root), but also an excluded certificate | 897 // certificate (Equifax root), but also an excluded certificate |
| 857 // (Trustcenter). | 898 // (Trustcenter). |
| 858 static const char* kBadPath[] = { | 899 static const char* kBadPath[] = { |
| 859 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | 900 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", |
| 860 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", | 901 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", |
| 861 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | 902 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", |
| 862 NULL, | 903 NULL, |
| 863 }; | 904 }; |
| 864 | 905 |
| 865 std::vector<net::SHA1Fingerprint> good_hashes, bad_hashes; | 906 HashValueVector good_hashes, bad_hashes; |
| 866 | 907 |
| 867 for (size_t i = 0; kGoodPath[i]; i++) { | 908 for (size_t i = 0; kGoodPath[i]; i++) { |
| 868 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 909 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
| 869 } | 910 } |
| 870 for (size_t i = 0; kBadPath[i]; i++) { | 911 for (size_t i = 0; kBadPath[i]; i++) { |
| 871 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 912 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 872 } | 913 } |
| 873 | 914 |
| 874 TransportSecurityState state; | 915 TransportSecurityState state; |
| 875 TransportSecurityState::DomainState domain_state; | 916 TransportSecurityState::DomainState domain_state; |
| (...skipping 15 matching lines...) Expand all Loading... |
| 891 | 932 |
| 892 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for | 933 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for |
| 893 // torproject.org. | 934 // torproject.org. |
| 894 static const char* kBadPath[] = { | 935 static const char* kBadPath[] = { |
| 895 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", | 936 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=", |
| 896 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", | 937 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=", |
| 897 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", | 938 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=", |
| 898 NULL, | 939 NULL, |
| 899 }; | 940 }; |
| 900 | 941 |
| 901 std::vector<net::SHA1Fingerprint> good_hashes, bad_hashes; | 942 HashValueVector good_hashes, bad_hashes; |
| 902 | 943 |
| 903 for (size_t i = 0; kGoodPath[i]; i++) { | 944 for (size_t i = 0; kGoodPath[i]; i++) { |
| 904 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 945 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
| 905 } | 946 } |
| 906 for (size_t i = 0; kBadPath[i]; i++) { | 947 for (size_t i = 0; kBadPath[i]; i++) { |
| 907 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 948 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 908 } | 949 } |
| 909 | 950 |
| 910 TransportSecurityState state; | 951 TransportSecurityState state; |
| 911 TransportSecurityState::DomainState domain_state; | 952 TransportSecurityState::DomainState domain_state; |
| (...skipping 136 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1048 // Expect to fail for SNI hosts when not searching the SNI list: | 1089 // Expect to fail for SNI hosts when not searching the SNI list: |
| 1049 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 1090 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 1050 "gmail.com", false)); | 1091 "gmail.com", false)); |
| 1051 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 1092 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 1052 "googlegroups.com", false)); | 1093 "googlegroups.com", false)); |
| 1053 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 1094 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 1054 "www.googlegroups.com", false)); | 1095 "www.googlegroups.com", false)); |
| 1055 } | 1096 } |
| 1056 | 1097 |
| 1057 } // namespace net | 1098 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10545166:
Support SHA-256 in public key pins for HTTPS. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/