| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/net/transport_security_persister.h" | 5 #include "chrome/browser/net/transport_security_persister.h" |
| 6 | 6 |
| 7 #include <map> | 7 #include <map> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | |
| 10 | 9 |
| 11 #include "base/file_path.h" | 10 #include "base/file_path.h" |
| 12 #include "base/file_util.h" | 11 #include "base/file_util.h" |
| 13 #include "base/message_loop.h" | 12 #include "base/message_loop.h" |
| 14 #include "base/scoped_temp_dir.h" | 13 #include "base/scoped_temp_dir.h" |
| 15 #include "content/public/test/test_browser_thread.h" | 14 #include "content/public/test/test_browser_thread.h" |
| 16 #include "net/base/transport_security_state.h" | 15 #include "net/base/transport_security_state.h" |
| 17 #include "testing/gtest/include/gtest/gtest.h" | 16 #include "testing/gtest/include/gtest/gtest.h" |
| 18 | 17 |
| 19 using net::TransportSecurityState; | 18 using net::TransportSecurityState; |
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 90 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); | 89 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); |
| 91 EXPECT_TRUE(state_.GetDomainState("foo.bar.baz.yahoo.com", true, | 90 EXPECT_TRUE(state_.GetDomainState("foo.bar.baz.yahoo.com", true, |
| 92 &domain_state)); | 91 &domain_state)); |
| 93 EXPECT_EQ(domain_state.upgrade_mode, | 92 EXPECT_EQ(domain_state.upgrade_mode, |
| 94 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); | 93 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); |
| 95 EXPECT_FALSE(state_.GetDomainState("com", true, &domain_state)); | 94 EXPECT_FALSE(state_.GetDomainState("com", true, &domain_state)); |
| 96 } | 95 } |
| 97 | 96 |
| 98 TEST_F(TransportSecurityPersisterTest, SerializeData3) { | 97 TEST_F(TransportSecurityPersisterTest, SerializeData3) { |
| 99 // Add an entry. | 98 // Add an entry. |
| 100 net::HashValue fp1; | 99 net::SHA1Fingerprint fp1; |
| 101 fp1.tag = net::HASH_VALUE_SHA1; | 100 memset(fp1.data, 0, sizeof(fp1.data)); |
| 102 memset(fp1.data(), 0, fp1.size()); | 101 net::SHA1Fingerprint fp2; |
| 103 net::HashValue fp2; | 102 memset(fp2.data, 1, sizeof(fp2.data)); |
| 104 fp2.tag = net::HASH_VALUE_SHA1; | |
| 105 memset(fp2.data(), 1, fp2.size()); | |
| 106 TransportSecurityState::DomainState example_state; | 103 TransportSecurityState::DomainState example_state; |
| 107 example_state.upgrade_expiry = | 104 example_state.upgrade_expiry = |
| 108 base::Time::Now() + base::TimeDelta::FromSeconds(1000); | 105 base::Time::Now() + base::TimeDelta::FromSeconds(1000); |
| 109 example_state.upgrade_mode = | 106 example_state.upgrade_mode = |
| 110 TransportSecurityState::DomainState::MODE_FORCE_HTTPS; | 107 TransportSecurityState::DomainState::MODE_FORCE_HTTPS; |
| 111 example_state.dynamic_spki_hashes_expiry = example_state.upgrade_expiry; | 108 example_state.dynamic_spki_hashes_expiry = example_state.upgrade_expiry; |
| 112 example_state.dynamic_spki_hashes.push_back(fp1); | 109 example_state.dynamic_spki_hashes.push_back(fp1); |
| 113 example_state.dynamic_spki_hashes.push_back(fp2); | 110 example_state.dynamic_spki_hashes.push_back(fp2); |
| 114 state_.EnableHost("www.example.com", example_state); | 111 state_.EnableHost("www.example.com", example_state); |
| 115 | 112 |
| 116 // Add another entry. | 113 // Add another entry. |
| 117 memset(fp1.data(), 2, fp1.size()); | 114 memset(fp1.data, 2, sizeof(fp1.data)); |
| 118 memset(fp2.data(), 3, fp2.size()); | 115 memset(fp2.data, 3, sizeof(fp2.data)); |
| 119 example_state.upgrade_expiry = | 116 example_state.upgrade_expiry = |
| 120 base::Time::Now() + base::TimeDelta::FromSeconds(3000); | 117 base::Time::Now() + base::TimeDelta::FromSeconds(3000); |
| 121 example_state.upgrade_mode = | 118 example_state.upgrade_mode = |
| 122 TransportSecurityState::DomainState::MODE_DEFAULT; | 119 TransportSecurityState::DomainState::MODE_DEFAULT; |
| 123 example_state.dynamic_spki_hashes_expiry = example_state.upgrade_expiry; | 120 example_state.dynamic_spki_hashes_expiry = example_state.upgrade_expiry; |
| 124 example_state.dynamic_spki_hashes.push_back(fp1); | 121 example_state.dynamic_spki_hashes.push_back(fp1); |
| 125 example_state.dynamic_spki_hashes.push_back(fp2); | 122 example_state.dynamic_spki_hashes.push_back(fp2); |
| 126 state_.EnableHost("www.example.net", example_state); | 123 state_.EnableHost("www.example.net", example_state); |
| 127 | 124 |
| 128 // Save a copy of everything. | 125 // Save a copy of everything. |
| (...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 177 "}"; | 174 "}"; |
| 178 bool dirty; | 175 bool dirty; |
| 179 EXPECT_TRUE(persister_->LoadEntries(output, &dirty)); | 176 EXPECT_TRUE(persister_->LoadEntries(output, &dirty)); |
| 180 EXPECT_TRUE(dirty); | 177 EXPECT_TRUE(dirty); |
| 181 } | 178 } |
| 182 | 179 |
| 183 TEST_F(TransportSecurityPersisterTest, PublicKeyHashes) { | 180 TEST_F(TransportSecurityPersisterTest, PublicKeyHashes) { |
| 184 TransportSecurityState::DomainState domain_state; | 181 TransportSecurityState::DomainState domain_state; |
| 185 static const char kTestDomain[] = "example.com"; | 182 static const char kTestDomain[] = "example.com"; |
| 186 EXPECT_FALSE(state_.GetDomainState(kTestDomain, false, &domain_state)); | 183 EXPECT_FALSE(state_.GetDomainState(kTestDomain, false, &domain_state)); |
| 187 std::vector<net::HashValueVector> hashes; | 184 net::FingerprintVector hashes; |
| 188 for (size_t i = 0; i < net::HASH_VALUE_TAGS_COUNT; ++i) { | 185 EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes)); |
| 189 net::HashValueVector v; | |
| 190 hashes.push_back(v); | |
| 191 } | |
| 192 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); | |
| 193 | 186 |
| 194 net::HashValue sha1; | 187 net::SHA1Fingerprint hash; |
| 195 sha1.tag = net::HASH_VALUE_SHA1; | 188 memset(hash.data, '1', sizeof(hash.data)); |
| 196 memset(sha1.data(), '1', sha1.size()); | 189 domain_state.static_spki_hashes.push_back(hash); |
| 197 domain_state.static_spki_hashes.push_back(sha1); | |
| 198 | 190 |
| 199 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); | 191 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); |
| 200 | 192 hashes.push_back(hash); |
| 201 hashes[net::HASH_VALUE_SHA1].push_back(sha1); | |
| 202 EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes)); | 193 EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes)); |
| 203 | 194 hashes[0].data[0] = '2'; |
| 204 hashes[net::HASH_VALUE_SHA1][0].data()[0] = '2'; | |
| 205 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); | 195 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); |
| 206 | 196 |
| 207 const base::Time current_time(base::Time::Now()); | 197 const base::Time current_time(base::Time::Now()); |
| 208 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 198 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 209 domain_state.upgrade_expiry = expiry; | 199 domain_state.upgrade_expiry = expiry; |
| 210 state_.EnableHost(kTestDomain, domain_state); | 200 state_.EnableHost(kTestDomain, domain_state); |
| 211 std::string ser; | 201 std::string ser; |
| 212 EXPECT_TRUE(persister_->SerializeData(&ser)); | 202 EXPECT_TRUE(persister_->SerializeData(&ser)); |
| 213 bool dirty; | 203 bool dirty; |
| 214 EXPECT_TRUE(persister_->LoadEntries(ser, &dirty)); | 204 EXPECT_TRUE(persister_->LoadEntries(ser, &dirty)); |
| 215 EXPECT_TRUE(state_.GetDomainState(kTestDomain, false, &domain_state)); | 205 EXPECT_TRUE(state_.GetDomainState(kTestDomain, false, &domain_state)); |
| 216 EXPECT_EQ(1u, domain_state.static_spki_hashes.size()); | 206 EXPECT_EQ(1u, domain_state.static_spki_hashes.size()); |
| 217 EXPECT_EQ(sha1.tag, domain_state.static_spki_hashes[0].tag); | 207 EXPECT_EQ(0, memcmp(domain_state.static_spki_hashes[0].data, hash.data, |
| 218 EXPECT_EQ(0, memcmp(domain_state.static_spki_hashes[0].data(), sha1.data(), | 208 sizeof(hash.data))); |
| 219 sha1.size())); | |
| 220 } | 209 } |
| 221 | 210 |
| 222 TEST_F(TransportSecurityPersisterTest, ForcePreloads) { | 211 TEST_F(TransportSecurityPersisterTest, ForcePreloads) { |
| 223 // The static state for docs.google.com, defined in | 212 // The static state for docs.google.com, defined in |
| 224 // net/base/transport_security_state_static.h, has pins and mode strict. | 213 // net/base/transport_security_state_static.h, has pins and mode strict. |
| 225 // This new policy overrides that with no pins and a weaker mode. We apply | 214 // This new policy overrides that with no pins and a weaker mode. We apply |
| 226 // this new policy with |DeserializeFromCommandLine| and expect that the | 215 // this new policy with |DeserializeFromCommandLine| and expect that the |
| 227 // new policy is in effect, overriding the static policy. | 216 // new policy is in effect, overriding the static policy. |
| 228 std::string preload("{" | 217 std::string preload("{" |
| 229 "\"4AGT3lHihuMSd5rUj7B4u6At0jlSH3HFePovjPR+oLE=\": {" | 218 "\"4AGT3lHihuMSd5rUj7B4u6At0jlSH3HFePovjPR+oLE=\": {" |
| 230 "\"created\": 0.0," | 219 "\"created\": 0.0," |
| 231 "\"expiry\": 2000000000.0," | 220 "\"expiry\": 2000000000.0," |
| 232 "\"include_subdomains\": false," | 221 "\"include_subdomains\": false," |
| 233 "\"mode\": \"pinning-only\"" | 222 "\"mode\": \"pinning-only\"" |
| 234 "}}"); | 223 "}}"); |
| 235 | 224 |
| 236 EXPECT_TRUE(persister_->DeserializeFromCommandLine(preload)); | 225 EXPECT_TRUE(persister_->DeserializeFromCommandLine(preload)); |
| 237 | 226 |
| 238 TransportSecurityState::DomainState domain_state; | 227 TransportSecurityState::DomainState domain_state; |
| 239 EXPECT_TRUE(state_.GetDomainState("docs.google.com", true, &domain_state)); | 228 EXPECT_TRUE(state_.GetDomainState("docs.google.com", true, &domain_state)); |
| 240 EXPECT_FALSE(domain_state.HasPins()); | 229 EXPECT_FALSE(domain_state.HasPins()); |
| 241 EXPECT_FALSE(domain_state.ShouldRedirectHTTPToHTTPS()); | 230 EXPECT_FALSE(domain_state.ShouldRedirectHTTPToHTTPS()); |
| 242 } | 231 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10836150:
Revert 150375 - Implement SHA-256 fingerprint support (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/