Split up transport security state related tests.
All transport security state tests currently depend on the real preload
list. This has caused issues when the preload list is updated. This CL
splits the tests into two categories:
1: tests that test functionality related to the static transport
security state implementation.
2: tests that assert the correctness of the real preload list.
The tests that fall under (1) no longer depend on entries in the real
preload list but use a test-only preload list. The entries in (2) use
the real preload list but are disabled when the preload list is not
used.
Bug: 767108
Change-Id: I71ad58670d0e2366d76602b5a6d799e3c48269a4
Reviewed-on: https://chromium-review.googlesource.com/706786
Reviewed-by: Lucas Garron <[email protected]>
Reviewed-by: Helen Li <[email protected]>
Commit-Queue: Martijn Croonen <[email protected]>
Cr-Commit-Position: refs/heads/master@{#507954}
diff --git a/net/BUILD.gn b/net/BUILD.gn
index 66ef4e8..a1e74cfe 100644
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -5220,6 +5220,7 @@
"//net/base/registry_controlled_domains",
"//net/data/ssl/certificate_transparency:ct_log_list",
"//net/http:transport_security_state_unittest_data",
+ "//net/http:transport_security_state_unittest_data_default",
"//testing/gmock",
"//testing/gtest",
"//third_party/protobuf:protobuf_lite",
diff --git a/net/http/BUILD.gn b/net/http/BUILD.gn
index 8699aeff..d00da41d 100644
--- a/net/http/BUILD.gn
+++ b/net/http/BUILD.gn
@@ -4,6 +4,7 @@
import("//build/compiled_action.gni")
+# Generates a header file based on the real preload list.
compiled_action("generate_transport_security_state") {
tool = "//net/tools/transport_security_state_generator"
@@ -20,10 +21,28 @@
rebase_path(inputs, root_build_dir) + rebase_path(outputs, root_build_dir)
}
+# Generates a header file for use in unittests.
+compiled_action("transport_security_state_unittest_data_default") {
+ tool = "//net/tools/transport_security_state_generator"
+
+ # Inputs in order expected by the command line of the tool.
+ inputs = [
+ "transport_security_state_static_unittest_default.json",
+ "transport_security_state_static_unittest_default.pins",
+ "transport_security_state_static_unittest.template",
+ ]
+ outputs = [
+ "$target_gen_dir/transport_security_state_static_unittest_default.h",
+ ]
+ args =
+ rebase_path(inputs, root_build_dir) + rebase_path(outputs, root_build_dir)
+}
+
+# Generates a number of header files that are used by integration tests for the
+# generation process and preload format.
compiled_action_foreach("transport_security_state_unittest_data") {
tool = "//net/tools/transport_security_state_generator"
sources = [
- "transport_security_state_static_unittest0.json",
"transport_security_state_static_unittest1.json",
"transport_security_state_static_unittest2.json",
"transport_security_state_static_unittest3.json",
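Review bot: The comment on the new target, `# Generates a header file for use in unittests.`, does not say how it differs from the `transport_security_state_unittest_data` target directly below it, which also generates headers for unittests; a reader picking a dependency has to open both JSON files to find out. Suggest `# Generates the test-only preload list header that net_unittests install in place of the real preload list (see transport_security_state_static_unittest_default.json).` The target also repeats the tool path and args expression of `generate_transport_security_state` verbatim; a small template would keep the two from drifting, but that is optional.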
diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc
index 2ea5d0a..1171e33 100644
--- a/net/http/http_security_headers_unittest.cc
+++ b/net/http/http_security_headers_unittest.cc
@@ -20,6 +20,10 @@
namespace {
+namespace test_default {
+#include "net/http/transport_security_state_static_unittest_default.h"
+}
+
HashValue GetTestHashValue(uint8_t label, HashValueTag tag) {
HashValue hash_value(tag);
memset(hash_value.data(), label, hash_value.size());
@@ -88,6 +92,10 @@
}
class HttpSecurityHeadersTest : public testing::Test {
+ public:
+ ~HttpSecurityHeadersTest() override {
+ SetTransportSecurityStateSourceForTesting(nullptr);
+ }
};
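Review bot: The fixture now resets the source in its destructor, but installing the test list is left to each test body, so every test that needs it repeats `SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);` as its first statement (the UpdateDynamicPKPOnly, UpdateDynamicPKPMaxAge0 and NoClobberPins hunks below), and a future test that forgets the call silently runs against whatever list is compiled in. Since the fixture already owns the teardown, installing the source in its constructor mirrors what TransportSecurityStateTest does in this CL: `HttpSecurityHeadersTest() { SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource); }`. If some tests in this file are meant to keep using the real list, a comment naming them would make that intent visible.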
@@ -652,19 +660,14 @@
TestValidPKPHeaders(HASH_VALUE_SHA256);
}
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
-#define MAYBE_UpdateDynamicPKPOnly DISABLED_UpdateDynamicPKPOnly
-#else
-#define MAYBE_UpdateDynamicPKPOnly UpdateDynamicPKPOnly
-#endif
+TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
-TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPOnly) {
TransportSecurityState state;
TransportSecurityState::STSState static_sts_state;
TransportSecurityState::PKPState static_pkp_state;
- // docs.google.com has preloaded pins.
- std::string domain = "docs.google.com";
+ std::string domain = "no-rejected-pins-pkp.preloaded.test";
state.enable_static_pins_ = true;
EXPECT_TRUE(
state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state));
@@ -676,7 +679,7 @@
HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA256);
std::string good_pin = GetTestPin(1, HASH_VALUE_SHA256);
std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA256);
- GURL report_uri("http://google.com");
+ GURL report_uri("http://report-uri.test/pkp");
std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin +
";report-uri=\"" + report_uri.spec() + "\"";
@@ -727,19 +730,14 @@
base::ContainsValue(new_dynamic_pkp_state.spki_hashes, backup_hash));
}
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
-#define MAYBE_UpdateDynamicPKPMaxAge0 DISABLED_UpdateDynamicPKPMaxAge0
-#else
-#define MAYBE_UpdateDynamicPKPMaxAge0 UpdateDynamicPKPMaxAge0
-#endif
+TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0) {
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
-TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) {
TransportSecurityState state;
TransportSecurityState::STSState static_sts_state;
TransportSecurityState::PKPState static_pkp_state;
- // docs.google.com has preloaded pins.
- std::string domain = "docs.google.com";
+ std::string domain = "no-rejected-pins-pkp.preloaded.test";
state.enable_static_pins_ = true;
ASSERT_TRUE(
state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state));
@@ -811,19 +809,14 @@
// Tests that when a static HSTS and a static HPKP entry are present, adding a
// dynamic HSTS header does not clobber the static HPKP entry. Further, adding a
// dynamic HPKP entry could not affect the HSTS entry for the site.
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
-#define MAYBE_NoClobberPins DISABLED_NoClobberPins
-#else
-#define MAYBE_NoClobberPins NoClobberPins
-#endif
+TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
-TEST_F(HttpSecurityHeadersTest, MAYBE_NoClobberPins) {
TransportSecurityState state;
TransportSecurityState::STSState sts_state;
TransportSecurityState::PKPState pkp_state;
- // accounts.google.com has preloaded pins.
- std::string domain = "accounts.google.com";
+ std::string domain = "hsts-hpkp-preloaded.test";
state.enable_static_pins_ = true;
// Retrieve the static STS and PKP states as it is by default, including its
diff --git a/net/http/transport_security_state_static_unittest0.json b/net/http/transport_security_state_static_unittest0.json
deleted file mode 100644
index e5aabf0..0000000
--- a/net/http/transport_security_state_static_unittest0.json
+++ /dev/null
@@ -1,177 +0,0 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This is a HSTS preloaded list used by the unittests to supply a custom
-// preload list when the default one isn't available. For more information on
-// the content and format see the comments in
-// transport_security_state_static.json.
-
-{
- "pinsets": [
- {
- "name": "test",
- "static_spki_hashes": [
- "TestSPKI1"
- ]
- },
- {
- "name": "google",
- "static_spki_hashes": [
- "TestSPKI1"
- ],
- "report_uri": "http://clients3.google.com/cert_upload_json"
- },
- {
- "name": "tor",
- "static_spki_hashes": [
- "TestSPKI1"
- ]
- },
- {
- "name": "twitterCom",
- "static_spki_hashes": [
- "TestSPKI1"
- ],
- "report_uri": "http://l.twimg.com/i/hpkp_report"
- },
- {
- "name": "twitterCDN",
- "static_spki_hashes": [
- "TestSPKI1"
- ],
- "report_uri": "http://l.twimg.com/i/hpkp_report"
- },
- {
- "name": "facebook",
- "static_spki_hashes": [
- "TestSPKI2"
- ]
- }
- ],
-
- "entries": [
- { "name": "pinningtest.appspot.com", "include_subdomains": true, "pins": "test" },
- { "name": "pinning-test.badssl.com", "include_subdomains": true, "pins": "test" },
- { "name": "preloaded-expect-ct.badssl.com", "expect_ct": true, "expect_ct_report_uri": "https://clients3.google.com/ct_upload" },
- { "name": "preloaded-expect-staple.badssl.com", "expect_staple": true, "expect_staple_report_uri": "https://report.badssl.com/expect-staple" },
- { "name": "preloaded-expect-staple-include-subdomains.badssl.com", "expect_staple": true, "expect_staple_report_uri": "https://report.badssl.com/expect-staple", "include_subdomains_for_expect_staple": true },
- { "name": "google", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "dev", "include_subdomains": true, "mode": "force-https" },
- { "name": "foo", "include_subdomains": true, "mode": "force-https" },
- { "name": "mail.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google", "expect_ct": true, "expect_ct_report_uri": "https://clients3.google.com/ct_upload" },
- { "name": "accounts.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "appengine.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "checkout.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "chrome.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "docs.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "encrypted.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "hostedtalkgadget.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "play.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "plus.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "profiles.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "sites.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "spreadsheets.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "talkgadget.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "talk.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "wallet.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "apis.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "drive.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "gmail.com", "mode": "force-https", "pins": "google" },
- { "name": "googlecode.com", "include_subdomains": true, "pins": "google" },
- { "name": "googlemail.com", "mode": "force-https", "pins": "google" },
- { "name": "googleplex.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "groups.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "market.android.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "www.gmail.com", "mode": "force-https", "pins": "google" },
- { "name": "www.googlemail.com", "mode": "force-https", "pins": "google" },
- { "name": "google-analytics.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
- { "name": "chart.apis.google.com", "include_subdomains": true, "pins": "google" },
- { "name": "appspot.com", "include_subdomains": true, "pins": "google" },
- { "name": "doubleclick.net", "include_subdomains": true, "pins": "google" },
- { "name": "googleadservices.com", "include_subdomains": true, "pins": "google" },
- { "name": "googleapis.com", "include_subdomains": true, "pins": "google" },
- { "name": "google.com", "include_subdomains": true, "pins": "google" },
- { "name": "googlegroups.com", "include_subdomains": true, "pins": "google", "expect_ct": true, "expect_ct_report_uri": "https://clients3.google.com/ct_upload" },
- { "name": "googlesyndication.com", "include_subdomains": true, "pins": "google" },
- { "name": "googleusercontent.com", "include_subdomains": true, "pins": "google" },
- { "name": "gstatic.com", "include_subdomains": true, "pins": "google" },
- { "name": "youtube.com", "include_subdomains": true, "pins": "google" },
- { "name": "ytimg.com", "include_subdomains": true, "pins": "google" },
- { "name": "learn.doubleclick.net", "include_subdomains": true },
- { "name": "www.paypal.com", "mode": "force-https" },
- { "name": "paypal.com", "mode": "force-https" },
- { "name": "www.elanex.biz", "mode": "force-https" },
- { "name": "sunshinepress.org", "include_subdomains": true, "mode": "force-https" },
- { "name": "www.noisebridge.net", "mode": "force-https" },
- { "name": "neg9.org", "mode": "force-https" },
- { "name": "riseup.net", "include_subdomains": true, "mode": "force-https" },
- { "name": "factor.cc", "mode": "force-https" },
- { "name": "members.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
- { "name": "support.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
- { "name": "id.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
- { "name": "lists.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
- { "name": "aladdinschools.appspot.com", "mode": "force-https" },
- { "name": "ottospora.nl", "include_subdomains": true, "mode": "force-https" },
- { "name": "www.paycheckrecords.com", "mode": "force-https" },
- { "name": "lastpass.com", "mode": "force-https" },
- { "name": "www.lastpass.com", "mode": "force-https" },
- { "name": "keyerror.com", "include_subdomains": true, "mode": "force-https" },
- { "name": "entropia.de", "mode": "force-https" },
- { "name": "www.entropia.de", "mode": "force-https" },
- { "name": "romab.com", "include_subdomains": true, "mode": "force-https" },
- { "name": "logentries.com", "mode": "force-https" },
- { "name": "www.logentries.com", "mode": "force-https" },
- { "name": "stripe.com", "include_subdomains": true, "mode": "force-https" },
- { "name": "cloudsecurityalliance.org", "include_subdomains": true, "mode": "force-https" },
- { "name": "login.sapo.pt", "include_subdomains": true, "mode": "force-https" },
- { "name": "mattmccutchen.net", "include_subdomains": true, "mode": "force-https" },
- { "name": "betnet.fr", "include_subdomains": true, "mode": "force-https" },
- { "name": "uprotect.it", "include_subdomains": true, "mode": "force-https" },
- { "name": "squareup.com", "mode": "force-https" },
- { "name": "cert.se", "include_subdomains": true, "mode": "force-https" },
- { "name": "simon.butcher.name", "include_subdomains": true, "mode": "force-https" },
- { "name": "linx.net", "include_subdomains": true, "mode": "force-https" },
- { "name": "dropcam.com", "mode": "force-https" },
- { "name": "www.dropcam.com", "mode": "force-https" },
- { "name": "ebanking.indovinabank.com.vn", "include_subdomains": true, "mode": "force-https" },
- { "name": "epoxate.com", "mode": "force-https" },
- { "name": "torproject.org", "mode": "force-https", "pins": "tor" },
- { "name": "blog.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
- { "name": "check.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
- { "name": "www.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
- { "name": "www.moneybookers.com", "include_subdomains": true, "mode": "force-https" },
- { "name": "ledgerscope.net", "mode": "force-https" },
- { "name": "www.ledgerscope.net", "mode": "force-https" },
- { "name": "app.recurly.com", "include_subdomains": true, "mode": "force-https" },
- { "name": "api.recurly.com", "include_subdomains": true, "mode": "force-https" },
- { "name": "greplin.com", "mode": "force-https" },
- { "name": "www.greplin.com", "mode": "force-https" },
- { "name": "luneta.nearbuysystems.com", "include_subdomains": true, "mode": "force-https" },
- { "name": "ubertt.org", "include_subdomains": true, "mode": "force-https" },
- { "name": "pixi.me", "include_subdomains": true, "mode": "force-https" },
- { "name": "grepular.com", "include_subdomains": true, "mode": "force-https" },
- { "name": "mydigipass.com", "mode": "force-https" },
- { "name": "www.mydigipass.com", "mode": "force-https" },
- { "name": "developer.mydigipass.com", "mode": "force-https" },
- { "name": "www.developer.mydigipass.com", "mode": "force-https" },
- { "name": "sandbox.mydigipass.com", "mode": "force-https" },
- { "name": "www.sandbox.mydigipass.com", "mode": "force-https" },
- { "name": "bigshinylock.minazo.net", "include_subdomains": true, "mode": "force-https" },
- { "name": "crate.io", "include_subdomains": true, "mode": "force-https" },
- { "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" },
- { "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" },
- { "name": "api.twitter.com", "include_subdomains": true, "pins": "twitterCDN" },
- { "name": "oauth.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
- { "name": "mobile.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
- { "name": "dev.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
- { "name": "business.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
- { "name": "platform.twitter.com", "include_subdomains": true, "pins": "twitterCDN" },
- { "name": "twimg.com", "include_subdomains": true, "pins": "twitterCDN" },
- { "name": "facebook.com", "mode": "force-https", "include_subdomains_for_pinning": true, "pins": "facebook" },
- { "name": "www.facebook.com", "include_subdomains": true, "mode": "force-https", "pins": "facebook" },
- { "name": "recurly.com", "include_subdomains": true, "mode": "force-https" },
- { "name": "crypto.is", "include_subdomains": true, "mode": "force-https", "expect_ct": true, "expect_ct_report_uri": "https://clients3.google.com/ct_upload" }
- ]
-}
-
diff --git a/net/http/transport_security_state_static_unittest_default.json b/net/http/transport_security_state_static_unittest_default.json
new file mode 100644
index 0000000..e8a50ce
--- /dev/null
+++ b/net/http/transport_security_state_static_unittest_default.json
@@ -0,0 +1,51 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// This is a HSTS preload list for net_unittests. Use or add entries in this
+// file when you need to write a test that has expectations that depend on
+// static transport security state. Tests should never depend on the real
+// preload list. The format of this file is identical to
+// transport_security_state_static.json.
+
+{
+ "pinsets": [
+ {
+ "name": "withoutRejectedPins",
+ "static_spki_hashes": [
+ "TestSPKI1",
+ "GoodPin1"
+ ]
+ }, {
+ "name": "withRejectedPins",
+ "static_spki_hashes": [
+ "GoodPin1"
+ ],
+ "bad_static_spki_hashes": [
+ "TestSPKI1"
+ ]
+ }, {
+ "name": "withReportUri",
+ "static_spki_hashes": [
+ "GoodPin1"
+ ],
+ "report_uri": "http://report-uri.preloaded.test/pkp"
+ }
+ ],
+
+ "entries": [
+ { "name": "hsts-preloaded.test", "mode": "force-https" },
+ { "name": "include-subdomains-hsts-preloaded.test", "mode": "force-https", "include_subdomains": true },
+
+ { "name": "no-rejected-pins-pkp.preloaded.test", "pins": "withoutRejectedPins" },
+ { "name": "with-report-uri-pkp.preloaded.test", "pins": "withReportUri" },
+
+ { "name": "hsts-hpkp-preloaded.test", "mode": "force-https", "pins": "withoutRejectedPins" },
+
+ { "name": "expect-ct.preloaded.test", "expect_ct": true, "expect_ct_report_uri": "http://report-uri.preloaded.test/expect-ct" },
+
+ { "name": "expect-staple.preloaded.test", "expect_staple": true, "expect_staple_report_uri": "http://report-uri.preloaded.test/expect-staple" },
+ { "name": "include-subdomains-expect-staple.preloaded.test", "expect_staple": true, "include_subdomains_for_expect_staple": true, "expect_staple_report_uri": "http://report-uri.preloaded.test/expect-staple" }
+ ]
+}
+
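Review bot: The `withRejectedPins` pinset is the only one in this file that declares `bad_static_spki_hashes`, yet no entry under `entries` references it, so no test can reach the rejected-pin path through this list. Either add an entry along the lines of `{ "name": "with-rejected-pins-pkp.preloaded.test", "pins": "withRejectedPins" }` (name constructed to match the others) or drop the pinset; whether the generator accepts an unreferenced pinset is not visible from this diff.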
diff --git a/net/http/transport_security_state_static_unittest_default.pins b/net/http/transport_security_state_static_unittest_default.pins
new file mode 100644
index 0000000..900b7fd
--- /dev/null
+++ b/net/http/transport_security_state_static_unittest_default.pins
@@ -0,0 +1,12 @@
+# Copyright 2017 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# For use with transport_security_state_static_unittest_default.json.
+# The format of this file is identical to transport_security_state_static.pins.
+
+TestSPKI1
+sha256/w3y7Yg3RzkAyhCeBoLHm71YRnuuUW87AAR/DVpLMTw4=
+
+GoodPin1
+sha256/Nn8jk5By4Vkq6BeOVZ7R7AC6XUUBZsWmUbJR1f1Y5FY=
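Review bot: `GoodPin1` here carries the same hash as `kGoodPin3` in net/http/transport_security_state_unittest.cc, while that file's `kGoodPin1` and `kGoodPin2` do not appear in this file, so the two numbering schemes disagree and anyone cross-referencing them will be misled. A one-line comment above the label would prevent that: `# Same value as kGoodPin3 in transport_security_state_unittest.cc.` Alternatively rename the label so both files use the same number.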
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
index a712303..930b045e 100644
--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -19,6 +19,7 @@
#include "base/test/mock_entropy_provider.h"
#include "base/test/scoped_feature_list.h"
#include "base/values.h"
+#include "build/build_config.h"
#include "crypto/openssl_util.h"
#include "crypto/sha2.h"
#include "net/base/host_port_pair.h"
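Review bot: The added `#include "build/build_config.h"` has no visible user in this diff, and the preprocessor conditionals the CL touches are being removed rather than added. If it backs an OS-conditional elsewhere in the file that is fine; otherwise it is an unused include and should be dropped.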
@@ -44,10 +45,9 @@
namespace {
-namespace test0 {
-#include "net/http/transport_security_state_static_unittest0.h"
+namespace test_default {
+#include "net/http/transport_security_state_static_unittest_default.h"
}
-
namespace test1 {
#include "net/http/transport_security_state_static_unittest1.h"
}
@@ -62,28 +62,25 @@
const char kSubdomain[] = "foo.example.test";
const uint16_t kPort = 443;
const char kReportUri[] = "http://report-example.test/test";
-const char kExpectCTStaticHostname[] = "preloaded-expect-ct.badssl.com";
-const char kExpectCTStaticReportURI[] = "https://clients3.google.com/ct_upload";
-const char kExpectStapleStaticHostname[] = "preloaded-expect-staple.badssl.com";
+const char kExpectCTStaticHostname[] = "expect-ct.preloaded.test";
+const char kExpectCTStaticReportURI[] =
+ "http://report-uri.preloaded.test/expect-ct";
+const char kExpectStapleStaticHostname[] = "expect-staple.preloaded.test";
const char kExpectStapleStaticReportURI[] =
- "https://report.badssl.com/expect-staple";
+ "http://report-uri.preloaded.test/expect-staple";
const char kExpectStapleStaticIncludeSubdomainsHostname[] =
- "preloaded-expect-staple-include-subdomains.badssl.com";
+ "include-subdomains-expect-staple.preloaded.test";
-// kGoodPath is blog.torproject.org.
+const char kGoodPin1[] = "fzP+pVAbH0hRoUphJKenIP8+2tD/d2QH9J+kQNieM6Q=";
+const char kGoodPin2[] = "9vRUVdjloCa4wXUKfDWotV5eUXYD7vu0v0z9SRzQdzg=";
+const char kGoodPin3[] = "Nn8jk5By4Vkq6BeOVZ7R7AC6XUUBZsWmUbJR1f1Y5FY=";
+
const char* const kGoodPath[] = {
- "sha256/4osU79hfY3P2+WJGlT2mxmSL+5FIwLEVxTQcavyBNgQ=",
- "sha256/k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=",
- "sha256/WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=",
- nullptr,
+ "sha256/fzP+pVAbH0hRoUphJKenIP8+2tD/d2QH9J+kQNieM6Q=",
+ "sha256/9vRUVdjloCa4wXUKfDWotV5eUXYD7vu0v0z9SRzQdzg=",
+ "sha256/Nn8jk5By4Vkq6BeOVZ7R7AC6XUUBZsWmUbJR1f1Y5FY=", nullptr,
};
-const char kGoodPin1[] = "4osU79hfY3P2+WJGlT2mxmSL+5FIwLEVxTQcavyBNgQ=";
-const char kGoodPin2[] = "k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=";
-const char kGoodPin3[] = "WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
-
-// kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
-// torproject.org.
const char* const kBadPath[] = {
"sha256/1111111111111111111111111111111111111111111=",
"sha256/2222222222222222222222222222222222222222222=",
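Review bot: The removed comment that explained where kGoodPath's values came from has no replacement, and the three hashes are now spelled out twice (once as kGoodPin1..3 and again inside kGoodPath), so a future edit to one copy can silently diverge from the other. A short comment above kGoodPin1 would restore the provenance: `// Test-only SPKI hashes; kGoodPin3 is "GoodPin1" in transport_security_state_static_unittest_default.pins, the other two do not appear in that file.` Separately, the reformatted kGoodPath puts the terminating `nullptr` on the same line as the last hash, which reads as a fourth element at a glance; keeping it on its own line as before is clearer (kBadPath's end is outside the hunk, so I cannot confirm which layout it uses).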
@@ -404,9 +401,7 @@
class TransportSecurityStateTest : public testing::Test {
public:
TransportSecurityStateTest() {
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
- SetTransportSecurityStateSourceForTesting(&test0::kHSTSSource);
-#endif
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
}
~TransportSecurityStateTest() override {
@@ -521,10 +516,10 @@
// Now do the same for preloaded entries
TransportSecurityState state5;
- EXPECT_TRUE(state5.ShouldUpgradeToSSL("accounts.google.com"));
- EXPECT_TRUE(state5.ShouldUpgradeToSSL("accounts.google.com."));
- EXPECT_FALSE(state5.ShouldUpgradeToSSL("accounts..google.com"));
- EXPECT_FALSE(state5.ShouldUpgradeToSSL("accounts..google.com."));
+ EXPECT_TRUE(state5.ShouldUpgradeToSSL("hsts-preloaded.test"));
+ EXPECT_TRUE(state5.ShouldUpgradeToSSL("hsts-preloaded.test."));
+ EXPECT_FALSE(state5.ShouldUpgradeToSSL("hsts-preloaded..test"));
+ EXPECT_FALSE(state5.ShouldUpgradeToSSL("hsts-preloaded..test."));
}
TEST_F(TransportSecurityStateTest, SimpleMatches) {
@@ -564,8 +559,9 @@
EXPECT_TRUE(state.ShouldUpgradeToSSL("EXample.coM"));
// Check static entries
- EXPECT_TRUE(state.ShouldUpgradeToSSL("AccounTs.GooGle.com"));
- EXPECT_TRUE(state.ShouldUpgradeToSSL("mail.google.COM"));
+ EXPECT_TRUE(state.ShouldUpgradeToSSL("hStS-prelOAded.tEsT"));
+ EXPECT_TRUE(
+ state.ShouldUpgradeToSSL("inClude-subDOmaIns-hsts-prEloaDed.TesT"));
}
TEST_F(TransportSecurityStateTest, SubdomainMatches) {
@@ -884,402 +880,6 @@
state.GetDynamicExpectCTState("example1.test", &expect_ct_state));
}
-TEST_F(TransportSecurityStateTest, EnableStaticPins) {
- TransportSecurityState state;
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
-
- EnableStaticPins(&state);
-
- EXPECT_TRUE(
- state.GetStaticDomainState("chrome.google.com", &sts_state, &pkp_state));
- EXPECT_FALSE(pkp_state.spki_hashes.empty());
-}
-
-TEST_F(TransportSecurityStateTest, DisableStaticPins) {
- TransportSecurityState state;
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
-
- DisableStaticPins(&state);
- EXPECT_TRUE(
- state.GetStaticDomainState("chrome.google.com", &sts_state, &pkp_state));
- EXPECT_TRUE(pkp_state.spki_hashes.empty());
-}
-
-TEST_F(TransportSecurityStateTest, IsPreloaded) {
- const std::string paypal = "paypal.com";
- const std::string www_paypal = "www.paypal.com";
- const std::string foo_paypal = "foo.paypal.com";
- const std::string a_www_paypal = "a.www.paypal.com";
- const std::string abc_paypal = "a.b.c.paypal.com";
- const std::string example = "example.com";
- const std::string aypal = "aypal.com";
- const std::string google = "google";
- const std::string www_google = "www.google";
- const std::string foo = "foo";
-
- TransportSecurityState state;
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
-
- EXPECT_TRUE(GetStaticDomainState(&state, paypal, &sts_state, &pkp_state));
- EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &sts_state, &pkp_state));
- EXPECT_FALSE(sts_state.include_subdomains);
- EXPECT_TRUE(GetStaticDomainState(&state, google, &sts_state, &pkp_state));
- EXPECT_TRUE(GetStaticDomainState(&state, www_google, &sts_state, &pkp_state));
- EXPECT_TRUE(GetStaticDomainState(&state, foo, &sts_state, &pkp_state));
- EXPECT_FALSE(
- GetStaticDomainState(&state, a_www_paypal, &sts_state, &pkp_state));
- EXPECT_FALSE(
- GetStaticDomainState(&state, abc_paypal, &sts_state, &pkp_state));
- EXPECT_FALSE(GetStaticDomainState(&state, example, &sts_state, &pkp_state));
- EXPECT_FALSE(GetStaticDomainState(&state, aypal, &sts_state, &pkp_state));
-}
-
-TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
- TransportSecurityState state;
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
-
- // The domain wasn't being set, leading to a blank string in the
- // chrome://net-internals/#hsts UI. So test that.
- EXPECT_TRUE(
- state.GetStaticDomainState("market.android.com", &sts_state, &pkp_state));
- EXPECT_EQ(sts_state.domain, "market.android.com");
- EXPECT_EQ(pkp_state.domain, "market.android.com");
- EXPECT_TRUE(state.GetStaticDomainState("sub.market.android.com", &sts_state,
- &pkp_state));
- EXPECT_EQ(sts_state.domain, "market.android.com");
- EXPECT_EQ(pkp_state.domain, "market.android.com");
-}
-
-static bool StaticShouldRedirect(const char* hostname) {
- TransportSecurityState state;
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
- return state.GetStaticDomainState(hostname, &sts_state, &pkp_state) &&
- sts_state.ShouldUpgradeToSSL();
-}
-
-static bool HasStaticState(const char* hostname) {
- TransportSecurityState state;
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
- return state.GetStaticDomainState(hostname, &sts_state, &pkp_state);
-}
-
-static bool HasStaticPublicKeyPins(const char* hostname) {
- TransportSecurityState state;
- TransportSecurityStateTest::EnableStaticPins(&state);
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
- if (!state.GetStaticDomainState(hostname, &sts_state, &pkp_state))
- return false;
-
- return pkp_state.HasPublicKeyPins();
-}
-
-static bool OnlyPinningInStaticState(const char* hostname) {
- TransportSecurityState state;
- TransportSecurityStateTest::EnableStaticPins(&state);
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
- if (!state.GetStaticDomainState(hostname, &sts_state, &pkp_state))
- return false;
-
- return (pkp_state.spki_hashes.size() > 0 ||
- pkp_state.bad_spki_hashes.size() > 0) &&
- !sts_state.ShouldUpgradeToSSL();
-}
-
-TEST_F(TransportSecurityStateTest, Preloaded) {
- TransportSecurityState state;
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
-
- // We do more extensive checks for the first domain.
- EXPECT_TRUE(
- state.GetStaticDomainState("www.paypal.com", &sts_state, &pkp_state));
- EXPECT_EQ(sts_state.upgrade_mode,
- TransportSecurityState::STSState::MODE_FORCE_HTTPS);
- EXPECT_FALSE(sts_state.include_subdomains);
- EXPECT_FALSE(pkp_state.include_subdomains);
-
- EXPECT_TRUE(HasStaticState("paypal.com"));
- EXPECT_FALSE(HasStaticState("www2.paypal.com"));
-
- // Google hosts:
-
- EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
- EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
- EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
- EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
- EXPECT_TRUE(StaticShouldRedirect("google"));
- EXPECT_TRUE(StaticShouldRedirect("foo.google"));
- EXPECT_TRUE(StaticShouldRedirect("foo"));
- EXPECT_TRUE(StaticShouldRedirect("domaintest.foo"));
- EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
- EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
- EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.google-analytics.com"));
-
- // These domains used to be only HSTS when SNI was available.
- EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &sts_state, &pkp_state));
- EXPECT_TRUE(
- state.GetStaticDomainState("www.gmail.com", &sts_state, &pkp_state));
- EXPECT_TRUE(
- state.GetStaticDomainState("googlemail.com", &sts_state, &pkp_state));
- EXPECT_TRUE(
- state.GetStaticDomainState("www.googlemail.com", &sts_state, &pkp_state));
-
- // Other hosts:
-
- EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
- EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
-
- EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
- EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
- EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
- EXPECT_FALSE(HasStaticState("foo.entropia.de"));
-
- EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
- EXPECT_FALSE(HasStaticState("elanex.biz"));
- EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
-
- EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
- EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
- EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
-
- EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
- EXPECT_FALSE(HasStaticState("noisebridge.net"));
- EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
-
- EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
- EXPECT_FALSE(HasStaticState("www.neg9.org"));
-
- EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
- EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
-
- EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
- EXPECT_FALSE(HasStaticState("www.factor.cc"));
-
- EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
- EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
- EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
- EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
- EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
-
- EXPECT_TRUE(StaticShouldRedirect("romab.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
- EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
- EXPECT_FALSE(HasStaticState("foo.logentries.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
- EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
- EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
-
- EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
- EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
-
- EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
- EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
-
- EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
- EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
-
- EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
- EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
-
- EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
- EXPECT_FALSE(HasStaticState("foo.squareup.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("cert.se"));
- EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
-
- EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
- EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
-
- EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
- EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
-
- EXPECT_TRUE(StaticShouldRedirect("linx.net"));
- EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
-
- EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
- EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
- EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
-
- EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
- EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
-
- EXPECT_FALSE(HasStaticState("foo.torproject.org"));
-
- EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
- EXPECT_FALSE(HasStaticState("moneybookers.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
- EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
- EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
-
- EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
- EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
- EXPECT_FALSE(HasStaticState("foo.greplin.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
- EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
- EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
-
- EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
- EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
-
- EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
- EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
- EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
- EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
- EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
- EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
- EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
- EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
- EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
- EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
-
- EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
- EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
-
- EXPECT_TRUE(StaticShouldRedirect("crate.io"));
- EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
-}
-
-// http://crbug.com/624946
-#if defined(OS_IOS)
-#define MAYBE_PreloadedPins DISABLED_PreloadedPins
-#else
-#define MAYBE_PreloadedPins PreloadedPins
-#endif
-TEST_F(TransportSecurityStateTest, MAYBE_PreloadedPins) {
- TransportSecurityState state;
- EnableStaticPins(&state);
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
-
- // We do more extensive checks for the first domain.
- EXPECT_TRUE(
- state.GetStaticDomainState("www.paypal.com", &sts_state, &pkp_state));
- EXPECT_EQ(sts_state.upgrade_mode,
- TransportSecurityState::STSState::MODE_FORCE_HTTPS);
- EXPECT_FALSE(sts_state.include_subdomains);
- EXPECT_FALSE(pkp_state.include_subdomains);
-
- EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
- EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
-
- EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
- EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
- EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
- EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
- EXPECT_FALSE(HasStaticState("foo.torproject.org"));
-
- EXPECT_TRUE(
- state.GetStaticDomainState("torproject.org", &sts_state, &pkp_state));
- EXPECT_FALSE(pkp_state.spki_hashes.empty());
- EXPECT_TRUE(
- state.GetStaticDomainState("www.torproject.org", &sts_state, &pkp_state));
- EXPECT_FALSE(pkp_state.spki_hashes.empty());
- EXPECT_TRUE(state.GetStaticDomainState("check.torproject.org", &sts_state,
- &pkp_state));
- EXPECT_FALSE(pkp_state.spki_hashes.empty());
- EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &sts_state,
- &pkp_state));
- EXPECT_FALSE(pkp_state.spki_hashes.empty());
-
- EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
-
- // Check that Facebook subdomains have pinning but not HSTS.
- EXPECT_TRUE(
- state.GetStaticDomainState("facebook.com", &sts_state, &pkp_state));
- EXPECT_FALSE(pkp_state.spki_hashes.empty());
- EXPECT_TRUE(StaticShouldRedirect("facebook.com"));
-
- EXPECT_TRUE(
- state.GetStaticDomainState("foo.facebook.com", &sts_state, &pkp_state));
- EXPECT_FALSE(pkp_state.spki_hashes.empty());
- EXPECT_FALSE(StaticShouldRedirect("foo.facebook.com"));
-
- EXPECT_TRUE(
- state.GetStaticDomainState("www.facebook.com", &sts_state, &pkp_state));
- EXPECT_FALSE(pkp_state.spki_hashes.empty());
- EXPECT_TRUE(StaticShouldRedirect("www.facebook.com"));
-
- EXPECT_TRUE(state.GetStaticDomainState("foo.www.facebook.com", &sts_state,
- &pkp_state));
- EXPECT_FALSE(pkp_state.spki_hashes.empty());
- EXPECT_TRUE(StaticShouldRedirect("foo.www.facebook.com"));
-}
-
TEST_F(TransportSecurityStateTest, LongNames) {
TransportSecurityState state;
const char kLongName[] =
@@ -1293,64 +893,7 @@
EXPECT_FALSE(state.GetDynamicPKPState(kLongName, &pkp_state));
}
-TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
- TransportSecurityState state;
- EnableStaticPins(&state);
- TransportSecurityState::STSState sts_state;
- TransportSecurityState::PKPState pkp_state;
-
- EXPECT_TRUE(
- state.GetStaticDomainState("chrome.google.com", &sts_state, &pkp_state));
- EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
-
- HashValueVector hashes;
- std::string failure_log;
- // Checks that a built-in list does exist.
- EXPECT_FALSE(pkp_state.CheckPublicKeyPins(hashes, &failure_log));
- EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
-
- EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
-
- EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
-
- EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
- EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
-}
-
-static bool AddHash(const std::string& type_and_base64,
- HashValueVector* out) {
+static bool AddHash(const std::string& type_and_base64, HashValueVector* out) {
HashValue hash;
if (!hash.FromString(type_and_base64))
return false;
@@ -1359,15 +902,7 @@
return true;
}
-// This test depends on the pinset of tor.
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
-#define MAYBE_PinValidationWithoutRejectedCerts \
- DISABLED_PinValidationWithoutRejectedCerts
-#else
-#define MAYBE_PinValidationWithoutRejectedCerts \
- PinValidationWithoutRejectedCerts
-#endif
-TEST_F(TransportSecurityStateTest, MAYBE_PinValidationWithoutRejectedCerts) {
+TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
HashValueVector good_hashes, bad_hashes;
for (size_t i = 0; kGoodPath[i]; i++) {
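Review bot: Dropping the `INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST` guard also drops the only comment explaining what this test depends on, and nothing in the new code says the test now relies on a test-only preload entry rather than the real list. A one-line comment above the `TEST_F` would keep that visible to the next person who sees it fail after a preload-list regeneration, e.g. `// Uses the test-only preload list (no-rejected-pins-pkp.preloaded.test), not the real pinsets.`. That the base fixture installs the test-only source is inferred from `TransportSecurityStateStaticTest` resetting it with `SetTransportSecurityStateSourceForTesting(nullptr)` later in this diff; worth confirming. The test body continues past the end of this hunk.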
@@ -1382,8 +917,8 @@
TransportSecurityState::STSState sts_state;
TransportSecurityState::PKPState pkp_state;
- EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &sts_state,
- &pkp_state));
+ EXPECT_TRUE(state.GetStaticDomainState("no-rejected-pins-pkp.preloaded.test",
+ &sts_state, &pkp_state));
EXPECT_TRUE(pkp_state.HasPublicKeyPins());
std::string failure_log;
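Review bot: The lookup of `no-rejected-pins-pkp.preloaded.test` is a precondition for every pin check that follows, so a failed lookup (for example after the test-only list is regenerated) leaves `pkp_state` empty and the later `CheckPublicKeyPins` expectations report on a state the test never loaded. Using `ASSERT_TRUE(state.GetStaticDomainState("no-rejected-pins-pkp.preloaded.test", &sts_state, &pkp_state));` and `ASSERT_TRUE(pkp_state.HasPublicKeyPins());` stops the test at the real cause instead of cascading into misleading failures. The enclosing test starts and ends outside this hunk.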
@@ -1391,48 +926,6 @@
EXPECT_FALSE(pkp_state.CheckPublicKeyPins(bad_hashes, &failure_log));
}
-// http://crbug.com/624946
-#if defined(OS_IOS)
-#define MAYBE_OptionalHSTSCertPins DISABLED_OptionalHSTSCertPins
-#else
-#define MAYBE_OptionalHSTSCertPins OptionalHSTSCertPins
-#endif
-TEST_F(TransportSecurityStateTest, MAYBE_OptionalHSTSCertPins) {
- TransportSecurityState state;
- EnableStaticPins(&state);
-
- EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
- EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
- EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
- EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
-}
-
-TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
- EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
- EXPECT_FALSE(StaticShouldRedirect("google.com"));
- EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
-
- TransportSecurityState state;
- const base::Time current_time(base::Time::Now());
- const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
- state.AddHSTS("www.google.com", expiry, true);
-
- EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com"));
-}
-
TEST_F(TransportSecurityStateTest, HPKPReporting) {
HostPortPair host_port_pair(kHost, kPort);
HostPortPair subdomain_host_port_pair(kSubdomain, kPort);
@@ -1726,7 +1219,7 @@
// Tests that pinning violations on preloaded pins trigger reports when
// the preloaded pin contains a report URI.
TEST_F(TransportSecurityStateTest, PreloadedPKPReportUri) {
- const char kPreloadedPinDomain[] = "www.google.com";
+ const char kPreloadedPinDomain[] = "with-report-uri-pkp.preloaded.test";
const uint16_t kPort = 443;
HostPortPair host_port_pair(kPreloadedPinDomain, kPort);
@@ -1795,8 +1288,7 @@
EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
// Two dummy certs to use as the server-sent and validated chains. The
- // contents don't matter, as long as they are not the real google.com
- // certs in the pins.
+ // contents don't matter, as long as they don't match the certs in the pins.
scoped_refptr<X509Certificate> cert1 =
ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
ASSERT_TRUE(cert1);
@@ -1914,7 +1406,7 @@
EXPECT_EQ(kExpectCTStaticHostname, expect_ct_state.domain);
EXPECT_EQ(GURL(kExpectCTStaticReportURI), expect_ct_state.report_uri);
EXPECT_FALSE(
- GetExpectCTState(&state, "pinning-test.badssl.com", &expect_ct_state));
+ GetExpectCTState(&state, "hsts-preloaded.test", &expect_ct_state));
}
// Tests that static (preloaded) expect staple state is read correctly.
@@ -1930,7 +1422,7 @@
EXPECT_EQ(kExpectStapleStaticHostname, expect_staple_state.domain);
EXPECT_EQ(GURL(kExpectStapleStaticReportURI), expect_staple_state.report_uri);
EXPECT_FALSE(expect_staple_state.include_subdomains);
- EXPECT_FALSE(GetExpectStapleState(&state, "pinning-test.badssl.com",
+ EXPECT_FALSE(GetExpectStapleState(&state, "hsts-preloaded.test",
&expect_staple_state));
std::string subdomain = "subdomain.";
subdomain += kExpectStapleStaticHostname;
@@ -3441,4 +2933,507 @@
}
}
-} // namespace net
+#if BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
+class TransportSecurityStateStaticTest : public TransportSecurityStateTest {
+ public:
+ TransportSecurityStateStaticTest() {
+ SetTransportSecurityStateSourceForTesting(nullptr);
+ }
+};
+
+static bool StaticShouldRedirect(const char* hostname) {
+ TransportSecurityState state;
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+ return state.GetStaticDomainState(hostname, &sts_state, &pkp_state) &&
+ sts_state.ShouldUpgradeToSSL();
+}
+
+static bool HasStaticState(const char* hostname) {
+ TransportSecurityState state;
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+ return state.GetStaticDomainState(hostname, &sts_state, &pkp_state);
+}
+
+static bool HasStaticPublicKeyPins(const char* hostname) {
+ TransportSecurityState state;
+ TransportSecurityStateTest::EnableStaticPins(&state);
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+ if (!state.GetStaticDomainState(hostname, &sts_state, &pkp_state))
+ return false;
+
+ return pkp_state.HasPublicKeyPins();
+}
+
+static bool OnlyPinningInStaticState(const char* hostname) {
+ TransportSecurityState state;
+ TransportSecurityStateTest::EnableStaticPins(&state);
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+ if (!state.GetStaticDomainState(hostname, &sts_state, &pkp_state))
+ return false;
+
+ return (pkp_state.spki_hashes.size() > 0 ||
+ pkp_state.bad_spki_hashes.size() > 0) &&
+ !sts_state.ShouldUpgradeToSSL();
+}
+
+TEST_F(TransportSecurityStateStaticTest, EnableStaticPins) {
+ TransportSecurityState state;
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+
+ EnableStaticPins(&state);
+
+ EXPECT_TRUE(
+ state.GetStaticDomainState("chrome.google.com", &sts_state, &pkp_state));
+ EXPECT_FALSE(pkp_state.spki_hashes.empty());
+}
+
+TEST_F(TransportSecurityStateStaticTest, DisableStaticPins) {
+ TransportSecurityState state;
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+
+ DisableStaticPins(&state);
+ EXPECT_TRUE(
+ state.GetStaticDomainState("chrome.google.com", &sts_state, &pkp_state));
+ EXPECT_TRUE(pkp_state.spki_hashes.empty());
+}
+
+TEST_F(TransportSecurityStateStaticTest, IsPreloaded) {
+ const std::string paypal = "paypal.com";
+ const std::string www_paypal = "www.paypal.com";
+ const std::string foo_paypal = "foo.paypal.com";
+ const std::string a_www_paypal = "a.www.paypal.com";
+ const std::string abc_paypal = "a.b.c.paypal.com";
+ const std::string example = "example.com";
+ const std::string aypal = "aypal.com";
+ const std::string google = "google";
+ const std::string www_google = "www.google";
+ const std::string foo = "foo";
+
+ TransportSecurityState state;
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+
+ EXPECT_TRUE(GetStaticDomainState(&state, paypal, &sts_state, &pkp_state));
+ EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &sts_state, &pkp_state));
+ EXPECT_FALSE(sts_state.include_subdomains);
+ EXPECT_TRUE(GetStaticDomainState(&state, google, &sts_state, &pkp_state));
+ EXPECT_TRUE(GetStaticDomainState(&state, www_google, &sts_state, &pkp_state));
+ EXPECT_TRUE(GetStaticDomainState(&state, foo, &sts_state, &pkp_state));
+ EXPECT_FALSE(
+ GetStaticDomainState(&state, a_www_paypal, &sts_state, &pkp_state));
+ EXPECT_FALSE(
+ GetStaticDomainState(&state, abc_paypal, &sts_state, &pkp_state));
+ EXPECT_FALSE(GetStaticDomainState(&state, example, &sts_state, &pkp_state));
+ EXPECT_FALSE(GetStaticDomainState(&state, aypal, &sts_state, &pkp_state));
+}
+
+TEST_F(TransportSecurityStateStaticTest, PreloadedDomainSet) {
+ TransportSecurityState state;
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+
+ // The domain wasn't being set, leading to a blank string in the
+ // chrome://net-internals/#hsts UI. So test that.
+ EXPECT_TRUE(
+ state.GetStaticDomainState("market.android.com", &sts_state, &pkp_state));
+ EXPECT_EQ(sts_state.domain, "market.android.com");
+ EXPECT_EQ(pkp_state.domain, "market.android.com");
+ EXPECT_TRUE(state.GetStaticDomainState("sub.market.android.com", &sts_state,
+ &pkp_state));
+ EXPECT_EQ(sts_state.domain, "market.android.com");
+ EXPECT_EQ(pkp_state.domain, "market.android.com");
+}
+
+TEST_F(TransportSecurityStateStaticTest, Preloaded) {
+ TransportSecurityState state;
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+
+ // We do more extensive checks for the first domain.
+ EXPECT_TRUE(
+ state.GetStaticDomainState("www.paypal.com", &sts_state, &pkp_state));
+ EXPECT_EQ(sts_state.upgrade_mode,
+ TransportSecurityState::STSState::MODE_FORCE_HTTPS);
+ EXPECT_FALSE(sts_state.include_subdomains);
+ EXPECT_FALSE(pkp_state.include_subdomains);
+
+ EXPECT_TRUE(HasStaticState("paypal.com"));
+ EXPECT_FALSE(HasStaticState("www2.paypal.com"));
+
+ // Google hosts:
+
+ EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
+ EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
+ EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
+ EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
+ EXPECT_TRUE(StaticShouldRedirect("google"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.google"));
+ EXPECT_TRUE(StaticShouldRedirect("foo"));
+ EXPECT_TRUE(StaticShouldRedirect("domaintest.foo"));
+ EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
+ EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
+ EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.google-analytics.com"));
+
+ // These domains used to be only HSTS when SNI was available.
+ EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &sts_state, &pkp_state));
+ EXPECT_TRUE(
+ state.GetStaticDomainState("www.gmail.com", &sts_state, &pkp_state));
+ EXPECT_TRUE(
+ state.GetStaticDomainState("googlemail.com", &sts_state, &pkp_state));
+ EXPECT_TRUE(
+ state.GetStaticDomainState("www.googlemail.com", &sts_state, &pkp_state));
+
+ // Other hosts:
+
+ EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
+ EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
+
+ EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
+ EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
+ EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
+ EXPECT_FALSE(HasStaticState("foo.entropia.de"));
+
+ EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
+ EXPECT_FALSE(HasStaticState("elanex.biz"));
+ EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
+
+ EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
+ EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
+ EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
+
+ EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
+ EXPECT_FALSE(HasStaticState("noisebridge.net"));
+ EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
+
+ EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
+ EXPECT_FALSE(HasStaticState("www.neg9.org"));
+
+ EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
+
+ EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
+ EXPECT_FALSE(HasStaticState("www.factor.cc"));
+
+ EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
+ EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
+ EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
+ EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
+ EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
+
+ EXPECT_TRUE(StaticShouldRedirect("romab.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
+ EXPECT_FALSE(HasStaticState("foo.logentries.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
+
+ EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
+
+ EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
+
+ EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
+
+ EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
+
+ EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
+ EXPECT_FALSE(HasStaticState("foo.squareup.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("cert.se"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
+
+ EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
+
+ EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
+
+ EXPECT_TRUE(StaticShouldRedirect("linx.net"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
+
+ EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
+ EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
+
+ EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
+ EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
+
+ EXPECT_FALSE(HasStaticState("foo.torproject.org"));
+
+ EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
+ EXPECT_FALSE(HasStaticState("moneybookers.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
+ EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
+ EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
+
+ EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
+ EXPECT_FALSE(HasStaticState("foo.greplin.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
+
+ EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
+ EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
+
+ EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
+ EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
+ EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
+ EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
+ EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
+ EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
+ EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
+ EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
+ EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
+ EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
+
+ EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
+
+ EXPECT_TRUE(StaticShouldRedirect("crate.io"));
+ EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
+}
+
+// http://crbug.com/624946
+#if defined(OS_IOS)
+#define MAYBE_PreloadedPins DISABLED_PreloadedPins
+#else
+#define MAYBE_PreloadedPins PreloadedPins
+#endif
+TEST_F(TransportSecurityStateStaticTest, MAYBE_PreloadedPins) {
+ TransportSecurityState state;
+ EnableStaticPins(&state);
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+
+ // We do more extensive checks for the first domain.
+ EXPECT_TRUE(
+ state.GetStaticDomainState("www.paypal.com", &sts_state, &pkp_state));
+ EXPECT_EQ(sts_state.upgrade_mode,
+ TransportSecurityState::STSState::MODE_FORCE_HTTPS);
+ EXPECT_FALSE(sts_state.include_subdomains);
+ EXPECT_FALSE(pkp_state.include_subdomains);
+
+ EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
+
+ EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
+ EXPECT_FALSE(HasStaticState("foo.torproject.org"));
+
+ EXPECT_TRUE(
+ state.GetStaticDomainState("torproject.org", &sts_state, &pkp_state));
+ EXPECT_FALSE(pkp_state.spki_hashes.empty());
+ EXPECT_TRUE(
+ state.GetStaticDomainState("www.torproject.org", &sts_state, &pkp_state));
+ EXPECT_FALSE(pkp_state.spki_hashes.empty());
+ EXPECT_TRUE(state.GetStaticDomainState("check.torproject.org", &sts_state,
+ &pkp_state));
+ EXPECT_FALSE(pkp_state.spki_hashes.empty());
+ EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &sts_state,
+ &pkp_state));
+ EXPECT_FALSE(pkp_state.spki_hashes.empty());
+
+ EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
+
+ // Check that Facebook subdomains have pinning but not HSTS.
+ EXPECT_TRUE(
+ state.GetStaticDomainState("facebook.com", &sts_state, &pkp_state));
+ EXPECT_FALSE(pkp_state.spki_hashes.empty());
+ EXPECT_TRUE(StaticShouldRedirect("facebook.com"));
+
+ EXPECT_TRUE(
+ state.GetStaticDomainState("foo.facebook.com", &sts_state, &pkp_state));
+ EXPECT_FALSE(pkp_state.spki_hashes.empty());
+ EXPECT_FALSE(StaticShouldRedirect("foo.facebook.com"));
+
+ EXPECT_TRUE(
+ state.GetStaticDomainState("www.facebook.com", &sts_state, &pkp_state));
+ EXPECT_FALSE(pkp_state.spki_hashes.empty());
+ EXPECT_TRUE(StaticShouldRedirect("www.facebook.com"));
+
+ EXPECT_TRUE(state.GetStaticDomainState("foo.www.facebook.com", &sts_state,
+ &pkp_state));
+ EXPECT_FALSE(pkp_state.spki_hashes.empty());
+ EXPECT_TRUE(StaticShouldRedirect("foo.www.facebook.com"));
+}
+
+TEST_F(TransportSecurityStateStaticTest, BuiltinCertPins) {
+ TransportSecurityState state;
+ EnableStaticPins(&state);
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+
+ EXPECT_TRUE(
+ state.GetStaticDomainState("chrome.google.com", &sts_state, &pkp_state));
+ EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
+
+ HashValueVector hashes;
+ std::string failure_log;
+ // Checks that a built-in list does exist.
+ EXPECT_FALSE(pkp_state.CheckPublicKeyPins(hashes, &failure_log));
+ EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
+
+ EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
+
+ EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
+
+ EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
+ EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
+}
+
+// http://crbug.com/624946
+#if defined(OS_IOS)
+#define MAYBE_OptionalHSTSCertPins DISABLED_OptionalHSTSCertPins
+#else
+#define MAYBE_OptionalHSTSCertPins OptionalHSTSCertPins
+#endif
+TEST_F(TransportSecurityStateStaticTest, MAYBE_OptionalHSTSCertPins) {
+ TransportSecurityState state;
+ EnableStaticPins(&state);
+
+ EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
+ EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
+}
+
+TEST_F(TransportSecurityStateStaticTest, OverrideBuiltins) {
+ EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
+ EXPECT_FALSE(StaticShouldRedirect("google.com"));
+ EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
+
+ TransportSecurityState state;
+ const base::Time current_time(base::Time::Now());
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+ state.AddHSTS("www.google.com", expiry, true);
+
+ EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com"));
+}
+#endif // BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
+
+} // namespace net
\ No newline at end of file
diff --git a/net/tools/transport_security_state_generator/README.md b/net/tools/transport_security_state_generator/README.md
index 70d63b6..190bf800 100644
--- a/net/tools/transport_security_state_generator/README.md
+++ b/net/tools/transport_security_state_generator/README.md
@@ -227,6 +227,15 @@
All these tests are part of the `net_unittests` target.
+#### Writing tests that depend on static transport security state
+
+Tests in `net_unittests` (except for `TransportSecurityStateStaticTest`) should
+not depend on the real preload list. If you are writing tests that require a
+static transport security state use
+`transport_security_state_static_unittest_default.json` instead. Tests can
+override the active preload list by calling
+`SetTransportSecurityStateSourceForTesting`.
+
## See also
* <https://hstspreload.org/>
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 5e05736c..04fee52c 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -168,8 +168,8 @@
namespace {
-namespace test0 {
-#include "net/http/transport_security_state_static_unittest0.h"
+namespace test_default {
+#include "net/http/transport_security_state_static_unittest_default.h"
}
const base::string16 kChrome(ASCIIToUTF16("chrome"));
@@ -812,6 +812,8 @@
~URLRequestTest() override {
// URLRequestJobs may post clean-up tasks on destruction.
base::RunLoop().RunUntilIdle();
+
+ SetTransportSecurityStateSourceForTesting(nullptr);
}
void SetUp() override {
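Review bot: The added `SetTransportSecurityStateSourceForTesting(nullptr);` in ~URLRequestTest carries no comment saying what it undoes, so a reader has to hunt for the per-test calls that install `test_default::kHSTSSource`. Suggest `// Restore the real preload list; individual tests may have installed a test-only source via SetTransportSecurityStateSourceForTesting().` above the call. The same reset is added to ~HTTPSRequestTest in a later hunk and deserves the same comment. Placing the reset after RunUntilIdle() looks like the right order, since clean-up tasks that run there may still consult the transport security state.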
@@ -6351,9 +6353,10 @@
}
namespace {
-const char kExpectCTStaticHostname[] = "preloaded-expect-ct.badssl.com";
-const char kExpectStapleStaticHostname[] = "preloaded-expect-staple.badssl.com";
-const char kExpectStapleReportURI[] = "https://report.badssl.com/expect-staple";
+const char kExpectCTStaticHostname[] = "expect-ct.preloaded.test";
+const char kExpectStapleStaticHostname[] = "expect-staple.preloaded.test";
+const char kExpectStapleReportURI[] =
+ "http://report-uri.preloaded.test/expect-staple";
const char kHPKPReportUri[] = "https://hpkp-report.test";
} // namespace
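Review bot: The new `kExpectStapleReportURI` uses an `http://` scheme where the removed badssl.com value used `https://`; if that is what the test-only preload entry declares it is consistent, but nothing here says so, and a cleartext report-uri is exactly the kind of value a reader would question if it were copied into a production list. These three constants presumably have to match the entries in `transport_security_state_static_unittest_default.json` byte for byte, yet the coupling is undocumented. Suggest a comment above the anonymous namespace: `// These hostnames and URIs must match the corresponding entries in transport_security_state_static_unittest_default.json (the test-only preload list).`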
@@ -6820,9 +6823,8 @@
// Tests that Expect CT headers for the preload list are processed correctly.
TEST_F(URLRequestTestHTTP, PreloadExpectCTHeader) {
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
- SetTransportSecurityStateSourceForTesting(&test0::kHSTSSource);
-#endif
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
+
EmbeddedTestServer https_test_server(net::EmbeddedTestServer::TYPE_HTTPS);
https_test_server.SetSSLConfig(
net::EmbeddedTestServer::CERT_COMMON_NAME_IS_DOMAIN);
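Review bot: PreloadExpectCTHeader now installs `test_default::kHSTSSource` unconditionally, but the comment directly above it still describes the test as exercising "the preload list", which a reader will take to mean the real one. Suggest `// Tests that Expect-CT headers for hosts in the test-only preload list (test_default::kHSTSSource) are processed correctly.` The test body continues past the hunk, so whether anything in it still assumes a real-list hostname cannot be checked from here.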
@@ -9464,7 +9466,9 @@
default_context_.set_network_delegate(&default_network_delegate_);
default_context_.Init();
}
- ~HTTPSRequestTest() override {}
+ ~HTTPSRequestTest() override {
+ SetTransportSecurityStateSourceForTesting(nullptr);
+ }
protected:
TestNetworkDelegate default_network_delegate_; // Must outlive URLRequest.
@@ -9571,22 +9575,22 @@
// TODO(svaldez): iOS tests are flaky with EmbeddedTestServer and transport
// security state. (see http://crbug.com/550977).
#if !defined(OS_IOS)
-// This tests that a load of www.google.com with a certificate error sets
-// the |certificate_errors_are_fatal| flag correctly. This flag will cause
-// the interstitial to be fatal.
+// This tests that a load of a domain with preloaded HSTS and HPKP with a
+// certificate error sets the |certificate_errors_are_fatal| flag correctly.
+// This flag will cause the interstitial to be fatal.
TEST_F(HTTPSRequestTest, HTTPSPreloadedHSTSTest) {
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
- SetTransportSecurityStateSourceForTesting(&test0::kHSTSSource);
-#endif
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
+
EmbeddedTestServer test_server(net::EmbeddedTestServer::TYPE_HTTPS);
test_server.SetSSLConfig(net::EmbeddedTestServer::CERT_MISMATCHED_NAME);
test_server.ServeFilesFromSourceDirectory("net/data/ssl");
ASSERT_TRUE(test_server.Start());
- // We require that the URL be www.google.com in order to pick up the
- // preloaded HSTS entries in the TransportSecurityState. This means that we
- // have to use a MockHostResolver in order to direct www.google.com to the
- // testserver. By default, MockHostResolver maps all hosts to 127.0.0.1.
+ // We require that the URL be hsts-hpkp-preloaded.test. This is a test domain
+ // that has a preloaded HSTS+HPKP entry in the TransportSecurityState. This
+ // means that we have to use a MockHostResolver in order to direct
+ // hsts-hpkp-preloaded.test to the testserver. By default, MockHostResolver
+ // maps all hosts to 127.0.0.1.
MockHostResolver host_resolver;
TestNetworkDelegate network_delegate; // Must outlive URLRequest.
@@ -9599,7 +9603,7 @@
TestDelegate d;
std::unique_ptr<URLRequest> r(context.CreateRequest(
- GURL(base::StringPrintf("https://www.google.com:%d",
+ GURL(base::StringPrintf("https://hsts-hpkp-preloaded.test:%d",
test_server.host_port_pair().port())),
DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
@@ -9617,9 +9621,8 @@
// This tests that cached HTTPS page loads do not cause any updates to the
// TransportSecurityState.
TEST_F(HTTPSRequestTest, HTTPSErrorsNoClobberTSSTest) {
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
- SetTransportSecurityStateSourceForTesting(&test0::kHSTSSource);
-#endif
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
+
// The actual problem -- CERT_MISMATCHED_NAME in this case -- doesn't
// matter. It just has to be any error.
EmbeddedTestServer test_server(net::EmbeddedTestServer::TYPE_HTTPS);
@@ -9627,10 +9630,11 @@
test_server.ServeFilesFromSourceDirectory("net/data/ssl");
ASSERT_TRUE(test_server.Start());
- // We require that the URL be www.google.com in order to pick up the static
- // and dynamic STS and PKP entries in the TransportSecurityState. This means
- // that we have to use a MockHostResolver in order to direct www.google.com to
- // the testserver. By default, MockHostResolver maps all hosts to 127.0.0.1.
+ // We require that the URL be hsts-hpkp-preloaded.test. This is a test domain
+ // that has a preloaded HSTS+HPKP entry in the TransportSecurityState. This
+ // means that we have to use a MockHostResolver in order to direct
+ // hsts-hpkp-preloaded.test to the testserver. By default, MockHostResolver
+ // maps all hosts to 127.0.0.1.
MockHostResolver host_resolver;
TestNetworkDelegate network_delegate; // Must outlive URLRequest.
@@ -9642,20 +9646,20 @@
TransportSecurityState::STSState static_sts_state;
TransportSecurityState::PKPState static_pkp_state;
EXPECT_TRUE(transport_security_state.GetStaticDomainState(
- "www.google.com", &static_sts_state, &static_pkp_state));
+ "hsts-hpkp-preloaded.test", &static_sts_state, &static_pkp_state));
context.set_transport_security_state(&transport_security_state);
context.Init();
TransportSecurityState::STSState dynamic_sts_state;
TransportSecurityState::PKPState dynamic_pkp_state;
- EXPECT_FALSE(transport_security_state.GetDynamicSTSState("www.google.com",
- &dynamic_sts_state));
- EXPECT_FALSE(transport_security_state.GetDynamicPKPState("www.google.com",
- &dynamic_pkp_state));
+ EXPECT_FALSE(transport_security_state.GetDynamicSTSState(
+ "hsts-hpkp-preloaded.test", &dynamic_sts_state));
+ EXPECT_FALSE(transport_security_state.GetDynamicPKPState(
+ "hsts-hpkp-preloaded.test", &dynamic_pkp_state));
TestDelegate d;
std::unique_ptr<URLRequest> r(context.CreateRequest(
- GURL(base::StringPrintf("https://www.google.com:%d",
+ GURL(base::StringPrintf("https://hsts-hpkp-preloaded.test:%d",
test_server.host_port_pair().port())),
DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
@@ -9673,13 +9677,14 @@
TransportSecurityState::STSState new_static_sts_state;
TransportSecurityState::PKPState new_static_pkp_state;
EXPECT_TRUE(transport_security_state.GetStaticDomainState(
- "www.google.com", &new_static_sts_state, &new_static_pkp_state));
+ "hsts-hpkp-preloaded.test", &new_static_sts_state,
+ &new_static_pkp_state));
TransportSecurityState::STSState new_dynamic_sts_state;
TransportSecurityState::PKPState new_dynamic_pkp_state;
EXPECT_FALSE(transport_security_state.GetDynamicSTSState(
- "www.google.com", &new_dynamic_sts_state));
+ "hsts-hpkp-preloaded.test", &new_dynamic_sts_state));
EXPECT_FALSE(transport_security_state.GetDynamicPKPState(
- "www.google.com", &new_dynamic_pkp_state));
+ "hsts-hpkp-preloaded.test", &new_dynamic_pkp_state));
EXPECT_EQ(new_static_sts_state.upgrade_mode, static_sts_state.upgrade_mode);
EXPECT_EQ(new_static_sts_state.include_subdomains,
@@ -10535,9 +10540,8 @@
}
TEST_F(HTTPSOCSPTest, ExpectStapleReportSentOnMissing) {
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
- SetTransportSecurityStateSourceForTesting(&test0::kHSTSSource);
-#endif
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
+
EmbeddedTestServer https_test_server(net::EmbeddedTestServer::TYPE_HTTPS);
https_test_server.SetSSLConfig(
net::EmbeddedTestServer::CERT_COMMON_NAME_IS_DOMAIN);
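Review bot: ExpectStapleReportSentOnMissing installs the test-only source as a process-global, but unlike the URLRequestTest and HTTPSRequestTest fixtures, no reset to `nullptr` is visible for HTTPSOCSPTest in this diff; if that fixture does not inherit one of the destructors that were changed, the test-only list leaks into every test that runs afterwards and would silently change their preload lookups. If HTTPSOCSPTest derives from HTTPSRequestTest this is already covered and a one-line comment saying so would settle it; otherwise its destructor needs the same `SetTransportSecurityStateSourceForTesting(nullptr);`. The test body continues past the hunk.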