| Index: net/base/transport_security_state_unittest.cc
|
| ===================================================================
|
| --- net/base/transport_security_state_unittest.cc (revision 152095)
|
| +++ net/base/transport_security_state_unittest.cc (working copy)
|
| @@ -6,11 +6,13 @@
|
|
|
| #include <algorithm>
|
| #include <string>
|
| +#include <vector>
|
|
|
| #include "base/base64.h"
|
| #include "base/file_path.h"
|
| #include "base/sha1.h"
|
| #include "base/string_piece.h"
|
| +#include "crypto/sha2.h"
|
| #include "net/base/asn1_util.h"
|
| #include "net/base/cert_test_util.h"
|
| #include "net/base/cert_verifier.h"
|
| @@ -20,6 +22,7 @@
|
| #include "net/base/ssl_info.h"
|
| #include "net/base/test_completion_callback.h"
|
| #include "net/base/test_root_certs.h"
|
| +#include "net/base/x509_cert_types.h"
|
| #include "net/base/x509_certificate.h"
|
| #include "net/http/http_util.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
| @@ -91,7 +94,8 @@
|
| }
|
|
|
| static bool GetPublicKeyHash(const net::X509Certificate::OSCertHandle& cert,
|
| - SHA1Fingerprint* fingerprint) {
|
| + HashValue* fingerprint,
|
| + HashValueTag tag) {
|
| std::string der_bytes;
|
| if (!net::X509Certificate::GetDEREncoded(cert, &der_bytes))
|
| return false;
|
| @@ -100,28 +104,52 @@
|
| if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki))
|
| return false;
|
|
|
| - base::SHA1HashBytes(reinterpret_cast<const unsigned char*>(spki.data()),
|
| - spki.size(), fingerprint->data);
|
| + fingerprint->tag = tag;
|
| + switch (tag) {
|
| + case HASH_VALUE_SHA1:
|
| + base::SHA1HashBytes(reinterpret_cast<const unsigned char*>(spki.data()),
|
| + spki.size(), fingerprint->data());
|
| + break;
|
| + case HASH_VALUE_SHA256:
|
| + crypto::SHA256HashString(spki, fingerprint->data(),
|
| + crypto::kSHA256Length);
|
| + break;
|
| + default:
|
| + NOTREACHED() << "Unknown HashValueTag " << tag;
|
| + }
|
| +
|
| return true;
|
| }
|
|
|
| -static std::string GetPinFromCert(X509Certificate* cert) {
|
| - SHA1Fingerprint spki_hash;
|
| - EXPECT_TRUE(GetPublicKeyHash(cert->os_cert_handle(), &spki_hash));
|
| +static std::string GetPinFromCert(X509Certificate* cert, HashValueTag tag) {
|
| + HashValue spki_hash;
|
| + EXPECT_TRUE(GetPublicKeyHash(cert->os_cert_handle(), &spki_hash, tag));
|
|
|
| std::string base64;
|
| - base::Base64Encode(base::StringPiece(reinterpret_cast<char*>(spki_hash.data),
|
| - sizeof(spki_hash.data)),
|
| - &base64);
|
| - return "pin-sha1=" + HttpUtil::Quote(base64);
|
| + base::Base64Encode(base::StringPiece(
|
| + reinterpret_cast<char*>(spki_hash.data()), spki_hash.size()), &base64);
|
| +
|
| + std::string label;
|
| + switch (tag) {
|
| + case HASH_VALUE_SHA1:
|
| + label = "pin-sha1=";
|
| + break;
|
| + case HASH_VALUE_SHA256:
|
| + label = "pin-sha256=";
|
| + break;
|
| + default:
|
| + NOTREACHED() << "Unknown HashValueTag " << tag;
|
| + }
|
| +
|
| + return label + HttpUtil::Quote(base64);
|
| }
|
|
|
| -TEST_F(TransportSecurityStateTest, BogusPinsHeaders) {
|
| +static void TestBogusPinsHeaders(HashValueTag tag) {
|
| TransportSecurityState::DomainState state;
|
| SSLInfo ssl_info;
|
| ssl_info.cert =
|
| ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
|
| - std::string good_pin = GetPinFromCert(ssl_info.cert);
|
| + std::string good_pin = GetPinFromCert(ssl_info.cert, tag);
|
| base::Time now = base::Time::Now();
|
|
|
| // The backup pin is fake --- it just has to not be in the chain.
|
| @@ -180,6 +208,14 @@
|
| EXPECT_FALSE(state.include_subdomains);
|
| }
|
|
|
| +TEST_F(TransportSecurityStateTest, BogusPinsHeadersSHA1) {
|
| + TestBogusPinsHeaders(HASH_VALUE_SHA1);
|
| +}
|
| +
|
| +TEST_F(TransportSecurityStateTest, BogusPinsHeadersSHA256) {
|
| + TestBogusPinsHeaders(HASH_VALUE_SHA256);
|
| +}
|
| +
|
| TEST_F(TransportSecurityStateTest, ValidSTSHeaders) {
|
| TransportSecurityState::DomainState state;
|
| base::Time expiry;
|
| @@ -240,7 +276,7 @@
|
| EXPECT_TRUE(state.include_subdomains);
|
| }
|
|
|
| -TEST_F(TransportSecurityStateTest, ValidPinsHeaders) {
|
| +static void TestValidPinsHeaders(HashValueTag tag) {
|
| TransportSecurityState::DomainState state;
|
| base::Time expiry;
|
| base::Time now = base::Time::Now();
|
| @@ -280,7 +316,8 @@
|
| // Normally, ssl_client_socket_nss would do this, but for a unit test we
|
| // fake it.
|
| ssl_info.public_key_hashes = result.public_key_hashes;
|
| - std::string good_pin = GetPinFromCert(ssl_info.cert);
|
| + std::string good_pin = GetPinFromCert(ssl_info.cert, /*tag*/HASH_VALUE_SHA1);
|
| + DLOG(WARNING) << "good pin: " << good_pin;
|
|
|
| // The backup pin is fake --- we just need an SPKI hash that does not match
|
| // the hash of any SPKI in the certificate chain.
|
| @@ -356,6 +393,14 @@
|
| EXPECT_EQ(expiry, state.dynamic_spki_hashes_expiry);
|
| }
|
|
|
| +TEST_F(TransportSecurityStateTest, ValidPinsHeadersSHA1) {
|
| + TestValidPinsHeaders(HASH_VALUE_SHA1);
|
| +}
|
| +
|
| +TEST_F(TransportSecurityStateTest, ValidPinsHeadersSHA256) {
|
| + TestValidPinsHeaders(HASH_VALUE_SHA256);
|
| +}
|
| +
|
| TEST_F(TransportSecurityStateTest, SimpleMatches) {
|
| TransportSecurityState state;
|
| TransportSecurityState::DomainState domain_state;
|
| @@ -783,7 +828,7 @@
|
| EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state));
|
| EXPECT_TRUE(HasPins("chrome.google.com"));
|
|
|
| - FingerprintVector hashes;
|
| + HashValueVector hashes;
|
| // Checks that a built-in list does exist.
|
| EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
|
| EXPECT_FALSE(HasPins("www.paypal.com"));
|
| @@ -829,18 +874,14 @@
|
| }
|
|
|
| static bool AddHash(const std::string& type_and_base64,
|
| - FingerprintVector* out) {
|
| - std::string hash_str;
|
| - if (type_and_base64.find("sha1/") == 0 &&
|
| - base::Base64Decode(type_and_base64.substr(5, type_and_base64.size() - 5),
|
| - &hash_str) &&
|
| - hash_str.size() == base::kSHA1Length) {
|
| - SHA1Fingerprint hash;
|
| - memcpy(hash.data, hash_str.data(), sizeof(hash.data));
|
| - out->push_back(hash);
|
| - return true;
|
| - }
|
| - return false;
|
| + HashValueVector* out) {
|
| + HashValue hash;
|
| +
|
| + if (!TransportSecurityState::ParsePin(type_and_base64, &hash))
|
| + return false;
|
| +
|
| + out->push_back(hash);
|
| + return true;
|
| }
|
|
|
| TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) {
|
| @@ -862,7 +903,7 @@
|
| NULL,
|
| };
|
|
|
| - std::vector<net::SHA1Fingerprint> good_hashes, bad_hashes;
|
| + HashValueVector good_hashes, bad_hashes;
|
|
|
| for (size_t i = 0; kGoodPath[i]; i++) {
|
| EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
|
| @@ -898,7 +939,7 @@
|
| NULL,
|
| };
|
|
|
| - std::vector<net::SHA1Fingerprint> good_hashes, bad_hashes;
|
| + HashValueVector good_hashes, bad_hashes;
|
|
|
| for (size_t i = 0; kGoodPath[i]; i++) {
|
| EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
|
| @@ -916,6 +957,100 @@
|
| EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(bad_hashes));
|
| }
|
|
|
| +TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) {
|
| + static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=";
|
| + static const char* ee_sha256 =
|
| + "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I=";
|
| + static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
|
| + static const char* google_1024_sha256 =
|
| + "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU=";
|
| + static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
|
| + static const char* equifax_sha256 =
|
| + "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY=";
|
| + static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=";
|
| + static const char* trustcenter_sha256 =
|
| + "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M=";
|
| +
|
| + // Good chains for plus.google.com chain up through google_1024_sha{1,256}
|
| + // to equifax_sha{1,256}. Bad chains chain up to equifa through
|
| + // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax
|
| + // and Google1024 are known-good, the blacklistedness of Trustcenter
|
| + // should override and cause pin validation failure.
|
| +
|
| + TransportSecurityState state;
|
| + TransportSecurityState::DomainState domain_state;
|
| + EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state));
|
| + EXPECT_TRUE(domain_state.HasPins());
|
| +
|
| + // The statically-defined pins are all SHA-1, so we add some SHA-256 pins
|
| + // manually:
|
| + EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes));
|
| + EXPECT_TRUE(AddHash(trustcenter_sha256,
|
| + &domain_state.bad_static_spki_hashes));
|
| +
|
| + // Try an all-good SHA1 chain.
|
| + HashValueVector validated_chain;
|
| + EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| + EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));
|
| +
|
| + // Try an all-bad SHA1 chain.
|
| + validated_chain.clear();
|
| + EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| + EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));
|
| +
|
| + // Try an all-good SHA-256 chain.
|
| + validated_chain.clear();
|
| + EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| + EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));
|
| +
|
| + // Try an all-bad SHA-256 chain.
|
| + validated_chain.clear();
|
| + EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| + EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));
|
| +
|
| + // Try a mixed-hash good chain.
|
| + validated_chain.clear();
|
| + EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| + EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));
|
| +
|
| + // Try a mixed-hash bad chain.
|
| + validated_chain.clear();
|
| + EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| + EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));
|
| +
|
| + // Try a chain with all good hashes.
|
| + validated_chain.clear();
|
| + EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| + EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));
|
| +
|
| + // Try a chain with all bad hashes.
|
| + validated_chain.clear();
|
| + EXPECT_TRUE(AddHash(ee_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain));
|
| + EXPECT_TRUE(AddHash(ee_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain));
|
| + EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain));
|
| + EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain));
|
| +}
|
| +
|
| TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
|
| TransportSecurityState state;
|
| TransportSecurityState::DomainState domain_state;
|
|
|
Chromium Code Reviews
Issue 10826257:
Implement SHA-256 fingerprint support (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/