| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 63 return state->EnableHost(host, domain_state); | 63 return state->EnableHost(host, domain_state); |
| 64 } | 64 } |
| 65 }; | 65 }; |
| 66 | 66 |
| 67 TEST_F(TransportSecurityStateTest, SimpleMatches) { | 67 TEST_F(TransportSecurityStateTest, SimpleMatches) { |
| 68 TransportSecurityState state; | 68 TransportSecurityState state; |
| 69 TransportSecurityState::DomainState domain_state; | 69 TransportSecurityState::DomainState domain_state; |
| 70 const base::Time current_time(base::Time::Now()); | 70 const base::Time current_time(base::Time::Now()); |
| 71 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 71 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 72 | 72 |
| 73 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | 73 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 74 bool include_subdomains = false; | 74 bool include_subdomains = false; |
| 75 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 75 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 76 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | 76 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 77 } | 77 } |
| 78 | 78 |
| 79 TEST_F(TransportSecurityStateTest, MatchesCase1) { | 79 TEST_F(TransportSecurityStateTest, MatchesCase1) { |
| 80 TransportSecurityState state; | 80 TransportSecurityState state; |
| 81 TransportSecurityState::DomainState domain_state; | 81 TransportSecurityState::DomainState domain_state; |
| 82 const base::Time current_time(base::Time::Now()); | 82 const base::Time current_time(base::Time::Now()); |
| 83 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 83 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 84 | 84 |
| 85 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | 85 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 86 bool include_subdomains = false; | 86 bool include_subdomains = false; |
| 87 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); | 87 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); |
| 88 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | 88 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 89 } | 89 } |
| 90 | 90 |
| 91 TEST_F(TransportSecurityStateTest, MatchesCase2) { | 91 TEST_F(TransportSecurityStateTest, MatchesCase2) { |
| 92 TransportSecurityState state; | 92 TransportSecurityState state; |
| 93 TransportSecurityState::DomainState domain_state; | 93 TransportSecurityState::DomainState domain_state; |
| 94 const base::Time current_time(base::Time::Now()); | 94 const base::Time current_time(base::Time::Now()); |
| 95 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 95 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 96 | 96 |
| 97 EXPECT_FALSE(state.GetDomainState("YAhoo.coM", true, &domain_state)); | 97 EXPECT_FALSE(state.GetDomainState("YAhoo.coM", true, true, &domain_state)); |
| 98 bool include_subdomains = false; | 98 bool include_subdomains = false; |
| 99 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 99 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 100 EXPECT_TRUE(state.GetDomainState("YAhoo.coM", true, &domain_state)); | 100 EXPECT_TRUE(state.GetDomainState("YAhoo.coM", true, true, &domain_state)); |
| 101 } | 101 } |
| 102 | 102 |
| 103 TEST_F(TransportSecurityStateTest, SubdomainMatches) { | 103 TEST_F(TransportSecurityStateTest, SubdomainMatches) { |
| 104 TransportSecurityState state; | 104 TransportSecurityState state; |
| 105 TransportSecurityState::DomainState domain_state; | 105 TransportSecurityState::DomainState domain_state; |
| 106 const base::Time current_time(base::Time::Now()); | 106 const base::Time current_time(base::Time::Now()); |
| 107 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 107 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 108 | 108 |
| 109 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | 109 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 110 bool include_subdomains = true; | 110 bool include_subdomains = true; |
| 111 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 111 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 112 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | 112 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 113 EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, &domain_state)); | 113 EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, true, &domain_state)); |
| 114 EXPECT_TRUE(state.GetDomainState("foo.bar.yahoo.com", true, &domain_state)); | 114 EXPECT_TRUE( |
| 115 EXPECT_TRUE(state.GetDomainState("foo.bar.baz.yahoo.com", true, | 115 state.GetDomainState("foo.bar.yahoo.com", true, true, &domain_state)); |
| 116 &domain_state)); | 116 EXPECT_TRUE( |
| 117 EXPECT_FALSE(state.GetDomainState("com", true, &domain_state)); | 117 state.GetDomainState("foo.bar.baz.yahoo.com", true, true, &domain_state)); |
| 118 EXPECT_FALSE(state.GetDomainState("com", true, true, &domain_state)); |
| 118 } | 119 } |
| 119 | 120 |
| 120 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 121 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
| 121 TransportSecurityState state; | 122 TransportSecurityState state; |
| 122 TransportSecurityState::DomainState domain_state; | 123 TransportSecurityState::DomainState domain_state; |
| 123 const base::Time current_time(base::Time::Now()); | 124 const base::Time current_time(base::Time::Now()); |
| 124 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 125 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 125 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 126 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 126 | 127 |
| 127 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | 128 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 128 bool include_subdomains = false; | 129 bool include_subdomains = false; |
| 129 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 130 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 130 | 131 |
| 131 state.DeleteAllDynamicDataSince(expiry); | 132 state.DeleteAllDynamicDataSince(expiry); |
| 132 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | 133 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 133 state.DeleteAllDynamicDataSince(older); | 134 state.DeleteAllDynamicDataSince(older); |
| 134 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | 135 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 135 } | 136 } |
| 136 | 137 |
| 137 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 138 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
| 138 TransportSecurityState state; | 139 TransportSecurityState state; |
| 139 TransportSecurityState::DomainState domain_state; | 140 TransportSecurityState::DomainState domain_state; |
| 140 const base::Time current_time(base::Time::Now()); | 141 const base::Time current_time(base::Time::Now()); |
| 141 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 142 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 142 bool include_subdomains = false; | 143 bool include_subdomains = false; |
| 143 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 144 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 144 | 145 |
| 145 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); | 146 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 146 EXPECT_FALSE(state.GetDomainState("example.com", true, &domain_state)); | 147 EXPECT_FALSE(state.GetDomainState("example.com", true, true, &domain_state)); |
| 147 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); | 148 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); |
| 148 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); | 149 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); |
| 149 } | 150 } |
| 150 | 151 |
| 151 TEST_F(TransportSecurityStateTest, IsPreloaded) { | 152 TEST_F(TransportSecurityStateTest, IsPreloaded) { |
| 152 const std::string paypal = CanonicalizeHost("paypal.com"); | 153 const std::string paypal = CanonicalizeHost("paypal.com"); |
| 153 const std::string www_paypal = CanonicalizeHost("www.paypal.com"); | 154 const std::string www_paypal = CanonicalizeHost("www.paypal.com"); |
| 154 const std::string foo_paypal = CanonicalizeHost("foo.paypal.com"); | 155 const std::string foo_paypal = CanonicalizeHost("foo.paypal.com"); |
| 155 const std::string a_www_paypal = CanonicalizeHost("a.www.paypal.com"); | 156 const std::string a_www_paypal = CanonicalizeHost("a.www.paypal.com"); |
| 156 const std::string abc_paypal = CanonicalizeHost("a.b.c.paypal.com"); | 157 const std::string abc_paypal = CanonicalizeHost("a.b.c.paypal.com"); |
| 157 const std::string example = CanonicalizeHost("example.com"); | 158 const std::string example = CanonicalizeHost("example.com"); |
| 158 const std::string aypal = CanonicalizeHost("aypal.com"); | 159 const std::string aypal = CanonicalizeHost("aypal.com"); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 169 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); | 170 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); |
| 170 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); | 171 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); |
| 171 } | 172 } |
| 172 | 173 |
| 173 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { | 174 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { |
| 174 TransportSecurityState state; | 175 TransportSecurityState state; |
| 175 TransportSecurityState::DomainState domain_state; | 176 TransportSecurityState::DomainState domain_state; |
| 176 | 177 |
| 177 // The domain wasn't being set, leading to a blank string in the | 178 // The domain wasn't being set, leading to a blank string in the |
| 178 // chrome://net-internals/#hsts UI. So test that. | 179 // chrome://net-internals/#hsts UI. So test that. |
| 179 EXPECT_TRUE(state.GetDomainState("market.android.com", true, &domain_state)); | 180 EXPECT_TRUE( |
| 181 state.GetDomainState("market.android.com", true, true, &domain_state)); |
| 180 EXPECT_EQ(domain_state.domain, "market.android.com"); | 182 EXPECT_EQ(domain_state.domain, "market.android.com"); |
| 181 EXPECT_TRUE(state.GetDomainState("sub.market.android.com", true, | 183 EXPECT_TRUE(state.GetDomainState( |
| 182 &domain_state)); | 184 "sub.market.android.com", true, true, &domain_state)); |
| 183 EXPECT_EQ(domain_state.domain, "market.android.com"); | 185 EXPECT_EQ(domain_state.domain, "market.android.com"); |
| 184 } | 186 } |
| 185 | 187 |
| 186 static bool ShouldRedirect(const char* hostname) { | 188 static bool ShouldRedirect(const char* hostname) { |
| 187 TransportSecurityState state; | 189 TransportSecurityState state; |
| 188 TransportSecurityState::DomainState domain_state; | 190 TransportSecurityState::DomainState domain_state; |
| 189 return state.GetDomainState(hostname, true /* SNI ok */, &domain_state) && | 191 return state.GetDomainState( |
| 192 hostname, true /* SNI ok */, true, &domain_state) && |
| 190 domain_state.ShouldUpgradeToSSL(); | 193 domain_state.ShouldUpgradeToSSL(); |
| 191 } | 194 } |
| 192 | 195 |
| 193 static bool HasState(const char* hostname) { | 196 static bool HasState(const char* hostname) { |
| 194 TransportSecurityState state; | 197 TransportSecurityState state; |
| 195 TransportSecurityState::DomainState domain_state; | 198 TransportSecurityState::DomainState domain_state; |
| 196 return state.GetDomainState(hostname, true /* SNI ok */, &domain_state); | 199 return state.GetDomainState(hostname, true /* SNI ok */, true, &domain_state); |
| 197 } | 200 } |
| 198 | 201 |
| 199 static bool HasPublicKeyPins(const char* hostname, bool sni_enabled) { | 202 static bool HasPublicKeyPins(const char* hostname, bool sni_enabled) { |
| 200 TransportSecurityState state; | 203 TransportSecurityState state; |
| 201 TransportSecurityState::DomainState domain_state; | 204 TransportSecurityState::DomainState domain_state; |
| 202 if (!state.GetDomainState(hostname, sni_enabled, &domain_state)) | 205 if (!state.GetDomainState(hostname, sni_enabled, true, &domain_state)) |
| 203 return false; | 206 return false; |
| 204 | 207 |
| 205 return domain_state.HasPublicKeyPins(); | 208 return domain_state.HasPublicKeyPins(); |
| 206 } | 209 } |
| 207 | 210 |
| 208 static bool HasPublicKeyPins(const char* hostname) { | 211 static bool HasPublicKeyPins(const char* hostname) { |
| 209 return HasPublicKeyPins(hostname, true); | 212 return HasPublicKeyPins(hostname, true); |
| 210 } | 213 } |
| 211 | 214 |
| 212 static bool OnlyPinning(const char *hostname) { | 215 static bool OnlyPinning(const char *hostname) { |
| 213 TransportSecurityState state; | 216 TransportSecurityState state; |
| 214 TransportSecurityState::DomainState domain_state; | 217 TransportSecurityState::DomainState domain_state; |
| 215 if (!state.GetDomainState(hostname, true /* SNI ok */, &domain_state)) | 218 if (!state.GetDomainState(hostname, true /* SNI ok */, true, &domain_state)) |
| 216 return false; | 219 return false; |
| 217 | 220 |
| 218 return (domain_state.static_spki_hashes.size() > 0 || | 221 return (domain_state.static_spki_hashes.size() > 0 || |
| 219 domain_state.bad_static_spki_hashes.size() > 0 || | 222 domain_state.bad_static_spki_hashes.size() > 0 || |
| 220 domain_state.dynamic_spki_hashes.size() > 0) && | 223 domain_state.dynamic_spki_hashes.size() > 0) && |
| 221 !domain_state.ShouldUpgradeToSSL(); | 224 !domain_state.ShouldUpgradeToSSL(); |
| 222 } | 225 } |
| 223 | 226 |
| 224 TEST_F(TransportSecurityStateTest, Preloaded) { | 227 TEST_F(TransportSecurityStateTest, Preloaded) { |
| 225 TransportSecurityState state; | 228 TransportSecurityState state; |
| 226 TransportSecurityState::DomainState domain_state; | 229 TransportSecurityState::DomainState domain_state; |
| 227 | 230 |
| 228 // We do more extensive checks for the first domain. | 231 // We do more extensive checks for the first domain. |
| 229 EXPECT_TRUE(state.GetDomainState("www.paypal.com", true, &domain_state)); | 232 EXPECT_TRUE( |
| 233 state.GetDomainState("www.paypal.com", true, true, &domain_state)); |
| 230 EXPECT_EQ(domain_state.upgrade_mode, | 234 EXPECT_EQ(domain_state.upgrade_mode, |
| 231 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); | 235 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); |
| 232 EXPECT_FALSE(domain_state.sts_include_subdomains); | 236 EXPECT_FALSE(domain_state.sts_include_subdomains); |
| 233 EXPECT_FALSE(domain_state.pkp_include_subdomains); | 237 EXPECT_FALSE(domain_state.pkp_include_subdomains); |
| 234 | 238 |
| 235 EXPECT_TRUE(HasState("paypal.com")); | 239 EXPECT_TRUE(HasState("paypal.com")); |
| 236 EXPECT_FALSE(HasState("www2.paypal.com")); | 240 EXPECT_FALSE(HasState("www2.paypal.com")); |
| 237 EXPECT_FALSE(HasState("www2.paypal.com")); | 241 EXPECT_FALSE(HasState("www2.paypal.com")); |
| 238 | 242 |
| 239 // Google hosts: | 243 // Google hosts: |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 281 EXPECT_TRUE(OnlyPinning("www.google-analytics.com")); | 285 EXPECT_TRUE(OnlyPinning("www.google-analytics.com")); |
| 282 EXPECT_TRUE(OnlyPinning("googleapis.com")); | 286 EXPECT_TRUE(OnlyPinning("googleapis.com")); |
| 283 EXPECT_TRUE(OnlyPinning("googleadservices.com")); | 287 EXPECT_TRUE(OnlyPinning("googleadservices.com")); |
| 284 EXPECT_TRUE(OnlyPinning("googlecode.com")); | 288 EXPECT_TRUE(OnlyPinning("googlecode.com")); |
| 285 EXPECT_TRUE(OnlyPinning("appspot.com")); | 289 EXPECT_TRUE(OnlyPinning("appspot.com")); |
| 286 EXPECT_TRUE(OnlyPinning("googlesyndication.com")); | 290 EXPECT_TRUE(OnlyPinning("googlesyndication.com")); |
| 287 EXPECT_TRUE(OnlyPinning("doubleclick.net")); | 291 EXPECT_TRUE(OnlyPinning("doubleclick.net")); |
| 288 EXPECT_TRUE(OnlyPinning("googlegroups.com")); | 292 EXPECT_TRUE(OnlyPinning("googlegroups.com")); |
| 289 | 293 |
| 290 // Tests for domains that don't work without SNI. | 294 // Tests for domains that don't work without SNI. |
| 291 EXPECT_FALSE(state.GetDomainState("gmail.com", false, &domain_state)); | 295 EXPECT_FALSE(state.GetDomainState("gmail.com", false, true, &domain_state)); |
| 292 EXPECT_FALSE(state.GetDomainState("www.gmail.com", false, &domain_state)); | 296 EXPECT_FALSE( |
| 293 EXPECT_FALSE(state.GetDomainState("m.gmail.com", false, &domain_state)); | 297 state.GetDomainState("www.gmail.com", false, true, &domain_state)); |
| 294 EXPECT_FALSE(state.GetDomainState("googlemail.com", false, &domain_state)); | 298 EXPECT_FALSE(state.GetDomainState("m.gmail.com", false, true, &domain_state)); |
| 295 EXPECT_FALSE(state.GetDomainState("www.googlemail.com", false, | 299 EXPECT_FALSE( |
| 296 &domain_state)); | 300 state.GetDomainState("googlemail.com", false, true, &domain_state)); |
| 297 EXPECT_FALSE(state.GetDomainState("m.googlemail.com", false, &domain_state)); | 301 EXPECT_FALSE( |
| 302 state.GetDomainState("www.googlemail.com", false, true, &domain_state)); |
| 303 EXPECT_FALSE( |
| 304 state.GetDomainState("m.googlemail.com", false, true, &domain_state)); |
| 298 | 305 |
| 299 // Other hosts: | 306 // Other hosts: |
| 300 | 307 |
| 301 EXPECT_TRUE(ShouldRedirect("aladdinschools.appspot.com")); | 308 EXPECT_TRUE(ShouldRedirect("aladdinschools.appspot.com")); |
| 302 | 309 |
| 303 EXPECT_TRUE(ShouldRedirect("ottospora.nl")); | 310 EXPECT_TRUE(ShouldRedirect("ottospora.nl")); |
| 304 EXPECT_TRUE(ShouldRedirect("www.ottospora.nl")); | 311 EXPECT_TRUE(ShouldRedirect("www.ottospora.nl")); |
| 305 | 312 |
| 306 EXPECT_TRUE(ShouldRedirect("www.paycheckrecords.com")); | 313 EXPECT_TRUE(ShouldRedirect("www.paycheckrecords.com")); |
| 307 | 314 |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 381 EXPECT_TRUE(ShouldRedirect("simon.butcher.name")); | 388 EXPECT_TRUE(ShouldRedirect("simon.butcher.name")); |
| 382 EXPECT_TRUE(ShouldRedirect("foo.simon.butcher.name")); | 389 EXPECT_TRUE(ShouldRedirect("foo.simon.butcher.name")); |
| 383 | 390 |
| 384 EXPECT_TRUE(ShouldRedirect("linx.net")); | 391 EXPECT_TRUE(ShouldRedirect("linx.net")); |
| 385 EXPECT_TRUE(ShouldRedirect("foo.linx.net")); | 392 EXPECT_TRUE(ShouldRedirect("foo.linx.net")); |
| 386 | 393 |
| 387 EXPECT_TRUE(ShouldRedirect("dropcam.com")); | 394 EXPECT_TRUE(ShouldRedirect("dropcam.com")); |
| 388 EXPECT_TRUE(ShouldRedirect("www.dropcam.com")); | 395 EXPECT_TRUE(ShouldRedirect("www.dropcam.com")); |
| 389 EXPECT_FALSE(HasState("foo.dropcam.com")); | 396 EXPECT_FALSE(HasState("foo.dropcam.com")); |
| 390 | 397 |
| 391 EXPECT_TRUE(state.GetDomainState("torproject.org", false, &domain_state)); | 398 EXPECT_TRUE( |
| 399 state.GetDomainState("torproject.org", false, true, &domain_state)); |
| 392 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 400 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
| 393 EXPECT_TRUE(state.GetDomainState("www.torproject.org", false, | 401 EXPECT_TRUE( |
| 394 &domain_state)); | 402 state.GetDomainState("www.torproject.org", false, true, &domain_state)); |
| 395 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 403 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
| 396 EXPECT_TRUE(state.GetDomainState("check.torproject.org", false, | 404 EXPECT_TRUE( |
| 397 &domain_state)); | 405 state.GetDomainState("check.torproject.org", false, true, &domain_state)); |
| 398 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 406 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
| 399 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", false, | 407 EXPECT_TRUE( |
| 400 &domain_state)); | 408 state.GetDomainState("blog.torproject.org", false, true, &domain_state)); |
| 401 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 409 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
| 402 EXPECT_TRUE(ShouldRedirect("ebanking.indovinabank.com.vn")); | 410 EXPECT_TRUE(ShouldRedirect("ebanking.indovinabank.com.vn")); |
| 403 EXPECT_TRUE(ShouldRedirect("foo.ebanking.indovinabank.com.vn")); | 411 EXPECT_TRUE(ShouldRedirect("foo.ebanking.indovinabank.com.vn")); |
| 404 | 412 |
| 405 EXPECT_TRUE(ShouldRedirect("epoxate.com")); | 413 EXPECT_TRUE(ShouldRedirect("epoxate.com")); |
| 406 EXPECT_FALSE(HasState("foo.epoxate.com")); | 414 EXPECT_FALSE(HasState("foo.epoxate.com")); |
| 407 | 415 |
| 408 EXPECT_TRUE(HasPublicKeyPins("torproject.org")); | 416 EXPECT_TRUE(HasPublicKeyPins("torproject.org")); |
| 409 EXPECT_TRUE(HasPublicKeyPins("www.torproject.org")); | 417 EXPECT_TRUE(HasPublicKeyPins("www.torproject.org")); |
| 410 EXPECT_TRUE(HasPublicKeyPins("check.torproject.org")); | 418 EXPECT_TRUE(HasPublicKeyPins("check.torproject.org")); |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 462 EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); | 470 EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); |
| 463 } | 471 } |
| 464 | 472 |
| 465 TEST_F(TransportSecurityStateTest, LongNames) { | 473 TEST_F(TransportSecurityStateTest, LongNames) { |
| 466 TransportSecurityState state; | 474 TransportSecurityState state; |
| 467 const char kLongName[] = | 475 const char kLongName[] = |
| 468 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" | 476 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" |
| 469 "WaveletIdDomainAndBlipBlipid"; | 477 "WaveletIdDomainAndBlipBlipid"; |
| 470 TransportSecurityState::DomainState domain_state; | 478 TransportSecurityState::DomainState domain_state; |
| 471 // Just checks that we don't hit a NOTREACHED. | 479 // Just checks that we don't hit a NOTREACHED. |
| 472 EXPECT_FALSE(state.GetDomainState(kLongName, true, &domain_state)); | 480 EXPECT_FALSE(state.GetDomainState(kLongName, true, true, &domain_state)); |
| 473 } | 481 } |
| 474 | 482 |
| 475 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { | 483 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { |
| 476 TransportSecurityState state; | 484 TransportSecurityState state; |
| 477 TransportSecurityState::DomainState domain_state; | 485 TransportSecurityState::DomainState domain_state; |
| 478 | 486 |
| 479 EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state)); | 487 EXPECT_TRUE( |
| 488 state.GetDomainState("chrome.google.com", true, true, &domain_state)); |
| 480 EXPECT_TRUE(HasPublicKeyPins("chrome.google.com")); | 489 EXPECT_TRUE(HasPublicKeyPins("chrome.google.com")); |
| 481 | 490 |
| 482 HashValueVector hashes; | 491 HashValueVector hashes; |
| 483 // Checks that a built-in list does exist. | 492 // Checks that a built-in list does exist. |
| 484 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes)); | 493 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes)); |
| 485 EXPECT_FALSE(HasPublicKeyPins("www.paypal.com")); | 494 EXPECT_FALSE(HasPublicKeyPins("www.paypal.com")); |
| 486 | 495 |
| 487 EXPECT_TRUE(HasPublicKeyPins("docs.google.com")); | 496 EXPECT_TRUE(HasPublicKeyPins("docs.google.com")); |
| 488 EXPECT_TRUE(HasPublicKeyPins("1.docs.google.com")); | 497 EXPECT_TRUE(HasPublicKeyPins("1.docs.google.com")); |
| 489 EXPECT_TRUE(HasPublicKeyPins("sites.google.com")); | 498 EXPECT_TRUE(HasPublicKeyPins("sites.google.com")); |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 557 | 566 |
| 558 for (size_t i = 0; kGoodPath[i]; i++) { | 567 for (size_t i = 0; kGoodPath[i]; i++) { |
| 559 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 568 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
| 560 } | 569 } |
| 561 for (size_t i = 0; kBadPath[i]; i++) { | 570 for (size_t i = 0; kBadPath[i]; i++) { |
| 562 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 571 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 563 } | 572 } |
| 564 | 573 |
| 565 TransportSecurityState state; | 574 TransportSecurityState state; |
| 566 TransportSecurityState::DomainState domain_state; | 575 TransportSecurityState::DomainState domain_state; |
| 567 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); | 576 EXPECT_TRUE( |
| 577 state.GetDomainState("plus.google.com", true, true, &domain_state)); |
| 568 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 578 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 569 | 579 |
| 570 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | 580 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); |
| 571 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | 581 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); |
| 572 } | 582 } |
| 573 | 583 |
| 574 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { | 584 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { |
| 575 // kGoodPath is blog.torproject.org. | 585 // kGoodPath is blog.torproject.org. |
| 576 static const char* kGoodPath[] = { | 586 static const char* kGoodPath[] = { |
| 577 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", | 587 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", |
| (...skipping 15 matching lines...) Expand all Loading... |
| 593 | 603 |
| 594 for (size_t i = 0; kGoodPath[i]; i++) { | 604 for (size_t i = 0; kGoodPath[i]; i++) { |
| 595 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 605 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
| 596 } | 606 } |
| 597 for (size_t i = 0; kBadPath[i]; i++) { | 607 for (size_t i = 0; kBadPath[i]; i++) { |
| 598 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 608 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 599 } | 609 } |
| 600 | 610 |
| 601 TransportSecurityState state; | 611 TransportSecurityState state; |
| 602 TransportSecurityState::DomainState domain_state; | 612 TransportSecurityState::DomainState domain_state; |
| 603 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", true, &domain_state)); | 613 EXPECT_TRUE( |
| 614 state.GetDomainState("blog.torproject.org", true, true, &domain_state)); |
| 604 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 615 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 605 | 616 |
| 606 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | 617 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); |
| 607 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | 618 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); |
| 608 } | 619 } |
| 609 | 620 |
| 610 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { | 621 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { |
| 611 static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU="; | 622 static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU="; |
| 612 static const char* ee_sha256 = | 623 static const char* ee_sha256 = |
| 613 "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I="; | 624 "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I="; |
| 614 static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; | 625 static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; |
| 615 static const char* google_1024_sha256 = | 626 static const char* google_1024_sha256 = |
| 616 "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU="; | 627 "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU="; |
| 617 static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; | 628 static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; |
| 618 static const char* equifax_sha256 = | 629 static const char* equifax_sha256 = |
| 619 "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY="; | 630 "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY="; |
| 620 static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k="; | 631 static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k="; |
| 621 static const char* trustcenter_sha256 = | 632 static const char* trustcenter_sha256 = |
| 622 "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M="; | 633 "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M="; |
| 623 | 634 |
| 624 // Good chains for plus.google.com chain up through google_1024_sha{1,256} | 635 // Good chains for plus.google.com chain up through google_1024_sha{1,256} |
| 625 // to equifax_sha{1,256}. Bad chains chain up to Equifax through | 636 // to equifax_sha{1,256}. Bad chains chain up to Equifax through |
| 626 // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax | 637 // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax |
| 627 // and Google1024 are known-good, the blacklistedness of Trustcenter | 638 // and Google1024 are known-good, the blacklistedness of Trustcenter |
| 628 // should override and cause pin validation failure. | 639 // should override and cause pin validation failure. |
| 629 | 640 |
| 630 TransportSecurityState state; | 641 TransportSecurityState state; |
| 631 TransportSecurityState::DomainState domain_state; | 642 TransportSecurityState::DomainState domain_state; |
| 632 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); | 643 EXPECT_TRUE( |
| 644 state.GetDomainState("plus.google.com", true, true, &domain_state)); |
| 633 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 645 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 634 | 646 |
| 635 // The statically-defined pins are all SHA-1, so we add some SHA-256 pins | 647 // The statically-defined pins are all SHA-1, so we add some SHA-256 pins |
| 636 // manually: | 648 // manually: |
| 637 EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes)); | 649 EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes)); |
| 638 EXPECT_TRUE(AddHash(trustcenter_sha256, | 650 EXPECT_TRUE(AddHash(trustcenter_sha256, |
| 639 &domain_state.bad_static_spki_hashes)); | 651 &domain_state.bad_static_spki_hashes)); |
| 640 | 652 |
| 641 // Try an all-good SHA1 chain. | 653 // Try an all-good SHA1 chain. |
| 642 HashValueVector validated_chain; | 654 HashValueVector validated_chain; |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 734 EXPECT_FALSE(ShouldRedirect("google.com")); | 746 EXPECT_FALSE(ShouldRedirect("google.com")); |
| 735 EXPECT_FALSE(ShouldRedirect("www.google.com")); | 747 EXPECT_FALSE(ShouldRedirect("www.google.com")); |
| 736 | 748 |
| 737 TransportSecurityState state; | 749 TransportSecurityState state; |
| 738 TransportSecurityState::DomainState domain_state; | 750 TransportSecurityState::DomainState domain_state; |
| 739 const base::Time current_time(base::Time::Now()); | 751 const base::Time current_time(base::Time::Now()); |
| 740 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 752 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 741 domain_state.upgrade_expiry = expiry; | 753 domain_state.upgrade_expiry = expiry; |
| 742 EnableHost(&state, "www.google.com", domain_state); | 754 EnableHost(&state, "www.google.com", domain_state); |
| 743 | 755 |
| 744 EXPECT_TRUE(state.GetDomainState("www.google.com", true, &domain_state)); | 756 EXPECT_TRUE( |
| 757 state.GetDomainState("www.google.com", true, true, &domain_state)); |
| 745 } | 758 } |
| 746 | 759 |
| 747 static const uint8 kSidePinLeafSPKI[] = { | 760 static const uint8 kSidePinLeafSPKI[] = { |
| 748 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, | 761 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
| 749 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xe4, | 762 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xe4, |
| 750 0x1d, 0xcc, 0xf2, 0x92, 0xe7, 0x7a, 0xc6, 0x36, 0xf7, 0x1a, 0x62, 0x31, 0x7d, | 763 0x1d, 0xcc, 0xf2, 0x92, 0xe7, 0x7a, 0xc6, 0x36, 0xf7, 0x1a, 0x62, 0x31, 0x7d, |
| 751 0x37, 0xea, 0x0d, 0xa2, 0xa8, 0x12, 0x2b, 0xc2, 0x1c, 0x82, 0x3e, 0xa5, 0x70, | 764 0x37, 0xea, 0x0d, 0xa2, 0xa8, 0x12, 0x2b, 0xc2, 0x1c, 0x82, 0x3e, 0xa5, 0x70, |
| 752 0x4a, 0x83, 0x5d, 0x9b, 0x84, 0x82, 0x70, 0xa4, 0x88, 0x98, 0x98, 0x41, 0x29, | 765 0x4a, 0x83, 0x5d, 0x9b, 0x84, 0x82, 0x70, 0xa4, 0x88, 0x98, 0x98, 0x41, 0x29, |
| 753 0x31, 0xcb, 0x6e, 0x2a, 0x54, 0x65, 0x14, 0x60, 0xcc, 0x00, 0xe8, 0x10, 0x30, | 766 0x31, 0xcb, 0x6e, 0x2a, 0x54, 0x65, 0x14, 0x60, 0xcc, 0x00, 0xe8, 0x10, 0x30, |
| 754 0x0a, 0x4a, 0xd1, 0xa7, 0x52, 0xfe, 0x2d, 0x31, 0x2a, 0x1d, 0x0d, 0x02, 0x03, | 767 0x0a, 0x4a, 0xd1, 0xa7, 0x52, 0xfe, 0x2d, 0x31, 0x2a, 0x1d, 0x0d, 0x02, 0x03, |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 833 // Expect to fail for SNI hosts when not searching the SNI list: | 846 // Expect to fail for SNI hosts when not searching the SNI list: |
| 834 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 847 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 835 "gmail.com", false)); | 848 "gmail.com", false)); |
| 836 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 849 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 837 "googlegroups.com", false)); | 850 "googlegroups.com", false)); |
| 838 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 851 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 839 "www.googlegroups.com", false)); | 852 "www.googlegroups.com", false)); |
| 840 } | 853 } |
| 841 | 854 |
| 842 } // namespace net | 855 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 19269012:
Don't persist HPKP if PrivacyMode is enabled. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src