Google Git
Sign in
chromium / chromium / src / 5f15ed66e1fe23353024d25ba92e38d56bdc83a8 / . / net / base / transport_security_state_unittest.cc
blob: 05ea015accd5ee37e386c35426e1359c18f56f74 [file] [log] [blame]
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
[email protected]326e6792009-12-11 21:04:42[diff] [blame]2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "net/base/transport_security_state.h"
[email protected]5f15ed62011-11-02 15:07:08[diff] [blame^]6
7#include "base/base64.h"
8#include "base/sha1.h"
9#include "base/string_piece.h"
[email protected]326e6792009-12-11 21:04:42[diff] [blame]10#include "testing/gtest/include/gtest/gtest.h"
11
[email protected]06256e52011-09-29 15:08:48[diff] [blame]12#if defined(USE_OPENSSL)
13#include "crypto/openssl_util.h"
14#else
15#include "crypto/nss_util.h"
16#endif
17
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]18namespace net {
19
[email protected]326e6792009-12-11 21:04:42[diff] [blame]20class TransportSecurityStateTest : public testing::Test {
[email protected]06256e52011-09-29 15:08:48[diff] [blame]21 virtual void SetUp() {
[email protected]54356432011-10-05 21:49:42[diff] [blame]22#if defined(USE_OPENSSL)
[email protected]06256e52011-09-29 15:08:48[diff] [blame]23 crypto::EnsureOpenSSLInit();
[email protected]54356432011-10-05 21:49:42[diff] [blame]24#else
25 crypto::EnsureNSSInit();
[email protected]06256e52011-09-29 15:08:48[diff] [blame]26#endif
27 }
[email protected]326e6792009-12-11 21:04:42[diff] [blame]28};
29
30TEST_F(TransportSecurityStateTest, BogusHeaders) {
31 int max_age = 42;
32 bool include_subdomains = false;
33
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]34 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]35 "", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]36 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]37 " ", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]38 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]39 "abc", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]40 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]41 " abc", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]42 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]43 " abc ", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]44 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]45 "max-age", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]46 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]47 " max-age", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]48 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]49 " max-age ", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]50 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]51 "max-age=", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]52 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]53 " max-age=", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]54 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]55 " max-age =", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]56 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]57 " max-age= ", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]58 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]59 " max-age = ", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]60 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]61 " max-age = xy", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]62 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]63 " max-age = 3488a923", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]64 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]65 "max-age=3488a923 ", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]66 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]67 "max-ag=3488923", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]68 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]69 "max-aged=3488923", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]70 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]71 "max-age==3488923", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]72 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]73 "amax-age=3488923", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]74 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]75 "max-age=-3488923", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]76 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]77 "max-age=3488923;", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]78 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]79 "max-age=3488923 e", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]80 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]81 "max-age=3488923 includesubdomain", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]82 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]83 "max-age=3488923includesubdomains", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]84 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]85 "max-age=3488923=includesubdomains", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]86 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]87 "max-age=3488923 includesubdomainx", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]88 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]89 "max-age=3488923 includesubdomain=", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]90 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]91 "max-age=3488923 includesubdomain=true", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]92 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]93 "max-age=3488923 includesubdomainsx", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]94 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]95 "max-age=3488923 includesubdomains x", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]96 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]97 "max-age=34889.23 includesubdomains", &max_age, &include_subdomains));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]98 EXPECT_FALSE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]99 "max-age=34889 includesubdomains", &max_age, &include_subdomains));
100
101 EXPECT_EQ(max_age, 42);
102 EXPECT_FALSE(include_subdomains);
103}
104
105TEST_F(TransportSecurityStateTest, ValidHeaders) {
106 int max_age = 42;
107 bool include_subdomains = true;
108
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]109 EXPECT_TRUE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]110 "max-age=243", &max_age, &include_subdomains));
111 EXPECT_EQ(max_age, 243);
112 EXPECT_FALSE(include_subdomains);
113
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]114 EXPECT_TRUE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]115 " Max-agE = 567", &max_age, &include_subdomains));
116 EXPECT_EQ(max_age, 567);
117 EXPECT_FALSE(include_subdomains);
118
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]119 EXPECT_TRUE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]120 " mAx-aGe = 890 ", &max_age, &include_subdomains));
121 EXPECT_EQ(max_age, 890);
122 EXPECT_FALSE(include_subdomains);
123
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]124 EXPECT_TRUE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]125 "max-age=123;incLudesUbdOmains", &max_age, &include_subdomains));
126 EXPECT_EQ(max_age, 123);
127 EXPECT_TRUE(include_subdomains);
128
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]129 EXPECT_TRUE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]130 "max-age=394082; incLudesUbdOmains", &max_age, &include_subdomains));
131 EXPECT_EQ(max_age, 394082);
132 EXPECT_TRUE(include_subdomains);
133
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]134 EXPECT_TRUE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]135 "max-age=39408299 ;incLudesUbdOmains", &max_age, &include_subdomains));
[email protected]337a4052010-11-30 15:09:33[diff] [blame]136 EXPECT_EQ(max_age,
137 std::min(TransportSecurityState::kMaxHSTSAgeSecs, 39408299l));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]138 EXPECT_TRUE(include_subdomains);
139
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]140 EXPECT_TRUE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]141 "max-age=394082038 ; incLudesUbdOmains", &max_age, &include_subdomains));
[email protected]337a4052010-11-30 15:09:33[diff] [blame]142 EXPECT_EQ(max_age,
143 std::min(TransportSecurityState::kMaxHSTSAgeSecs, 394082038l));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]144 EXPECT_TRUE(include_subdomains);
145
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]146 EXPECT_TRUE(TransportSecurityState::ParseHeader(
[email protected]326e6792009-12-11 21:04:42[diff] [blame]147 " max-age=0 ; incLudesUbdOmains ", &max_age, &include_subdomains));
148 EXPECT_EQ(max_age, 0);
149 EXPECT_TRUE(include_subdomains);
[email protected]337a4052010-11-30 15:09:33[diff] [blame]150
151 EXPECT_TRUE(TransportSecurityState::ParseHeader(
152 " max-age=999999999999999999999999999999999999999999999 ;"
153 " incLudesUbdOmains ",
154 &max_age, &include_subdomains));
155 EXPECT_EQ(max_age, TransportSecurityState::kMaxHSTSAgeSecs);
156 EXPECT_TRUE(include_subdomains);
[email protected]326e6792009-12-11 21:04:42[diff] [blame]157}
158
159TEST_F(TransportSecurityStateTest, SimpleMatches) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]160 TransportSecurityState state("");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]161 TransportSecurityState::DomainState domain_state;
[email protected]326e6792009-12-11 21:04:42[diff] [blame]162 const base::Time current_time(base::Time::Now());
163 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
164
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]165 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]166 domain_state.expiry = expiry;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]167 state.EnableHost("yahoo.com", domain_state);
168 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]169}
170
171TEST_F(TransportSecurityStateTest, MatchesCase1) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]172 TransportSecurityState state("");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]173 TransportSecurityState::DomainState domain_state;
[email protected]326e6792009-12-11 21:04:42[diff] [blame]174 const base::Time current_time(base::Time::Now());
175 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
176
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]177 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]178 domain_state.expiry = expiry;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]179 state.EnableHost("YAhoo.coM", domain_state);
180 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]181}
182
183TEST_F(TransportSecurityStateTest, MatchesCase2) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]184 TransportSecurityState state("");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]185 TransportSecurityState::DomainState domain_state;
[email protected]326e6792009-12-11 21:04:42[diff] [blame]186 const base::Time current_time(base::Time::Now());
187 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
188
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]189 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "YAhoo.coM", true));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]190 domain_state.expiry = expiry;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]191 state.EnableHost("yahoo.com", domain_state);
192 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "YAhoo.coM", true));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]193}
194
195TEST_F(TransportSecurityStateTest, SubdomainMatches) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]196 TransportSecurityState state("");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]197 TransportSecurityState::DomainState domain_state;
[email protected]326e6792009-12-11 21:04:42[diff] [blame]198 const base::Time current_time(base::Time::Now());
199 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
200
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]201 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]202 domain_state.expiry = expiry;
203 domain_state.include_subdomains = true;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]204 state.EnableHost("yahoo.com", domain_state);
205 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
206 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "foo.yahoo.com", true));
207 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
208 "foo.bar.yahoo.com",
209 true));
210 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
211 "foo.bar.baz.yahoo.com",
212 true));
213 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "com", true));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]214}
215
216TEST_F(TransportSecurityStateTest, Serialise1) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]217 TransportSecurityState state("");
[email protected]326e6792009-12-11 21:04:42[diff] [blame]218 std::string output;
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]219 bool dirty;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]220 state.Serialise(&output);
221 EXPECT_TRUE(state.LoadEntries(output, &dirty));
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]222 EXPECT_FALSE(dirty);
[email protected]326e6792009-12-11 21:04:42[diff] [blame]223}
224
225TEST_F(TransportSecurityStateTest, Serialise2) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]226 TransportSecurityState state("");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]227 TransportSecurityState::DomainState domain_state;
[email protected]326e6792009-12-11 21:04:42[diff] [blame]228 const base::Time current_time(base::Time::Now());
229 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
230
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]231 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]232 domain_state.mode = TransportSecurityState::DomainState::MODE_STRICT;
[email protected]326e6792009-12-11 21:04:42[diff] [blame]233 domain_state.expiry = expiry;
234 domain_state.include_subdomains = true;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]235 state.EnableHost("yahoo.com", domain_state);
[email protected]326e6792009-12-11 21:04:42[diff] [blame]236
237 std::string output;
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]238 bool dirty;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]239 state.Serialise(&output);
240 EXPECT_TRUE(state.LoadEntries(output, &dirty));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]241
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]242 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]243 EXPECT_EQ(domain_state.mode, TransportSecurityState::DomainState::MODE_STRICT);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]244 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "foo.yahoo.com", true));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]245 EXPECT_EQ(domain_state.mode, TransportSecurityState::DomainState::MODE_STRICT);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]246 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
247 "foo.bar.yahoo.com",
248 true));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]249 EXPECT_EQ(domain_state.mode, TransportSecurityState::DomainState::MODE_STRICT);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]250 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
251 "foo.bar.baz.yahoo.com",
252 true));
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]253 EXPECT_EQ(domain_state.mode, TransportSecurityState::DomainState::MODE_STRICT);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]254 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "com", true));
[email protected]326e6792009-12-11 21:04:42[diff] [blame]255}
256
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]257TEST_F(TransportSecurityStateTest, DeleteSince) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]258 TransportSecurityState state("");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]259 TransportSecurityState::DomainState domain_state;
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]260 const base::Time current_time(base::Time::Now());
261 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
262 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
263
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]264 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]265 domain_state.mode = TransportSecurityState::DomainState::MODE_STRICT;
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]266 domain_state.expiry = expiry;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]267 state.EnableHost("yahoo.com", domain_state);
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]268
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]269 state.DeleteSince(expiry);
270 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
271 state.DeleteSince(older);
272 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]273}
274
[email protected]f060be32011-02-17 17:20:28[diff] [blame]275TEST_F(TransportSecurityStateTest, DeleteHost) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]276 TransportSecurityState state("");
[email protected]f060be32011-02-17 17:20:28[diff] [blame]277 TransportSecurityState::DomainState domain_state;
278 const base::Time current_time(base::Time::Now());
279 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
280 domain_state.mode = TransportSecurityState::DomainState::MODE_STRICT;
281 domain_state.expiry = expiry;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]282 state.EnableHost("yahoo.com", domain_state);
[email protected]f060be32011-02-17 17:20:28[diff] [blame]283
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]284 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
285 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "example.com", true));
286 EXPECT_TRUE(state.DeleteHost("yahoo.com"));
287 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "yahoo.com", true));
[email protected]f060be32011-02-17 17:20:28[diff] [blame]288}
289
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]290TEST_F(TransportSecurityStateTest, SerialiseOld) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]291 TransportSecurityState state("");
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]292 // This is an old-style piece of transport state JSON, which has no creation
293 // date.
294 std::string output =
295 "{ "
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]296 "\"NiyD+3J1r6z1wjl2n1ALBu94Zj9OsEAMo0kCN8js0Uk=\": {"
297 "\"expiry\": 1266815027.983453, "
298 "\"include_subdomains\": false, "
299 "\"mode\": \"strict\" "
300 "}"
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]301 "}";
302 bool dirty;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]303 EXPECT_TRUE(state.LoadEntries(output, &dirty));
[email protected]4d0d8082010-02-23 01:03:10[diff] [blame]304 EXPECT_TRUE(dirty);
305}
306
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]307TEST_F(TransportSecurityStateTest, IsPreloaded) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]308 TransportSecurityState state("");
[email protected]d7cf831a2011-05-02 22:18:48[diff] [blame]309
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]310 const std::string paypal =
[email protected]f060be32011-02-17 17:20:28[diff] [blame]311 TransportSecurityState::CanonicalizeHost("paypal.com");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]312 const std::string www_paypal =
[email protected]f060be32011-02-17 17:20:28[diff] [blame]313 TransportSecurityState::CanonicalizeHost("www.paypal.com");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]314 const std::string a_www_paypal =
[email protected]f060be32011-02-17 17:20:28[diff] [blame]315 TransportSecurityState::CanonicalizeHost("a.www.paypal.com");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]316 const std::string abc_paypal =
[email protected]f060be32011-02-17 17:20:28[diff] [blame]317 TransportSecurityState::CanonicalizeHost("a.b.c.paypal.com");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]318 const std::string example =
[email protected]f060be32011-02-17 17:20:28[diff] [blame]319 TransportSecurityState::CanonicalizeHost("example.com");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]320 const std::string aypal =
[email protected]f060be32011-02-17 17:20:28[diff] [blame]321 TransportSecurityState::CanonicalizeHost("aypal.com");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]322
[email protected]aa904432011-04-21 00:07:16[diff] [blame]323 TransportSecurityState::DomainState domain_state;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]324 EXPECT_FALSE(state.IsPreloadedSTS(paypal, true, &domain_state));
325 EXPECT_TRUE(state.IsPreloadedSTS(www_paypal, true, &domain_state));
[email protected]aa904432011-04-21 00:07:16[diff] [blame]326 EXPECT_FALSE(domain_state.include_subdomains);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]327 EXPECT_FALSE(state.IsPreloadedSTS(a_www_paypal, true, &domain_state));
328 EXPECT_FALSE(state.IsPreloadedSTS(abc_paypal, true, &domain_state));
329 EXPECT_FALSE(state.IsPreloadedSTS(example, true, &domain_state));
330 EXPECT_FALSE(state.IsPreloadedSTS(aypal, true, &domain_state));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]331}
332
333TEST_F(TransportSecurityStateTest, Preloaded) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]334 TransportSecurityState state("");
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]335 TransportSecurityState::DomainState domain_state;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]336 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "paypal.com", true));
337 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "www.paypal.com", true));
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]338 EXPECT_EQ(domain_state.mode,
339 TransportSecurityState::DomainState::MODE_STRICT);
[email protected]f060be32011-02-17 17:20:28[diff] [blame]340 EXPECT_TRUE(domain_state.preloaded);
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]341 EXPECT_FALSE(domain_state.include_subdomains);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]342 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "www2.paypal.com", true));
343 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
344 "a.www.paypal.com",
345 true));
[email protected]f091469f2010-05-05 21:05:28[diff] [blame]346
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]347 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "elanex.biz", true));
348 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "www.elanex.biz", true));
[email protected]f091469f2010-05-05 21:05:28[diff] [blame]349 EXPECT_EQ(domain_state.mode,
350 TransportSecurityState::DomainState::MODE_STRICT);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]351 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "foo.elanex.biz", true));
352 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
353 "a.foo.elanex.biz",
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]354 true));
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]355
356 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
357 "sunshinepress.org",
358 true));
[email protected]0ae0f3e2010-07-26 18:16:31[diff] [blame]359 EXPECT_EQ(domain_state.mode,
360 TransportSecurityState::DomainState::MODE_STRICT);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]361 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
362 "www.sunshinepress.org",
363 true));
364 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
365 "a.b.sunshinepress.org",
366 true));
367
368 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
369 "www.noisebridge.net",
370 true));
371 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
372 "noisebridge.net",
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]373 true));
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]374 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
375 "foo.noisebridge.net",
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]376 true));
[email protected]bee76312011-03-17 18:35:35[diff] [blame]377
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]378 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "neg9.org", true));
379 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "www.neg9.org", true));
[email protected]b4adfdf02011-03-18 20:54:43[diff] [blame]380
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]381 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "riseup.net", true));
382 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "foo.riseup.net", true));
[email protected]abaeacb2011-03-21 13:43:17[diff] [blame]383
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]384 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "factor.cc", true));
385 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "www.factor.cc", true));
[email protected]88ec4442011-03-21 13:49:14[diff] [blame]386
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]387 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
388 "members.mayfirst.org",
389 true));
390 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
391 "support.mayfirst.org",
392 true));
393 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "id.mayfirst.org", true));
394 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
395 "lists.mayfirst.org",
396 true));
397 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
398 "www.mayfirst.org",
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]399 true));
400
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]401 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
402 "splendidbacon.com",
403 true));
404 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
405 "www.splendidbacon.com",
406 true));
407 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
408 "foo.splendidbacon.com",
409 true));
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]410
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]411 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
412 "chrome.google.com",
413 true));
414 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
415 "checkout.google.com",
416 true));
417 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
418 "health.google.com",
419 true));
420 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
421 "aladdinschools.appspot.com",
422 true));
423 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "ottospora.nl", true));
424 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "www.ottospora.nl", true));
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]425
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]426 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "docs.google.com", true));
427 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "sites.google.com", true));
428 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "drive.google.com", true));
429 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
430 "spreadsheets.google.com",
431 true));
432 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
433 "appengine.google.com",
434 true));
435
436 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
437 "www.paycheckrecords.com",
438 true));
439 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
440 "market.android.com",
441 true));
[email protected]aa904432011-04-21 00:07:16[diff] [blame]442 // The domain wasn't being set, leading to a blank string in the
443 // chrome://net-internals/#hsts UI. So test that.
444 EXPECT_EQ(domain_state.domain, "market.android.com");
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]445 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
446 "sub.market.android.com",
447 true));
[email protected]aa904432011-04-21 00:07:16[diff] [blame]448 EXPECT_EQ(domain_state.domain, "market.android.com");
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]449
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]450 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "lastpass.com", true));
451 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "www.lastpass.com", true));
452 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
453 "blog.lastpass.com",
[email protected]6a571112011-04-28 23:00:03[diff] [blame]454 true));
455
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]456 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "keyerror.com", true));
457 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "www.keyerror.com", true));
[email protected]6a571112011-04-28 23:00:03[diff] [blame]458
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]459 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
460 "encrypted.google.com",
461 true));
462 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
463 "accounts.google.com",
464 true));
465 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
466 "profiles.google.com",
467 true));
468 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "mail.google.com", true));
469 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
470 "chatenabled.mail.google.com",
471 true));
472 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
473 "talkgadget.google.com",
474 true));
475 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
476 "hostedtalkgadget.google.com",
477 true));
478 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "talk.google.com", true));
479 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "plus.google.com", true));
[email protected]627d03cc2011-10-19 18:36:22[diff] [blame]480 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "groups.google.com", true));
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]481
482 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "entropia.de", true));
483 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "www.entropia.de", true));
484 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "foo.entropia.de", true));
485
486 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
487 "ssl.google-analytics.com",
488 true));
489
490 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "www.google.com", true));
491 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "google.com", true));
492 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "www.youtube.com", true));
493 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "youtube.com", true));
494 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "i.ytimg.com", true));
495 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "ytimg.com", true));
496 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
497 "googleusercontent.com",
498 true));
499 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
500 "www.googleusercontent.com",
501 true));
502 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
503 "www.google-analytics.com",
504 true));
505 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
506 "google-analytics.com",
507 true));
508 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "googleapis.com", true));
509 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
510 "googleadservices.com",
511 true));
512 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "googlecode.com", true));
513 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "appspot.com", true));
514 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
515 "googlesyndication.com",
516 true));
517 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "doubleclick.net", true));
518 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
519 "googlegroups.com",
520 true));
521
522 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "gmail.com", true));
523 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "www.gmail.com", true));
524 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "m.gmail.com", true));
525 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "googlemail.com", true));
526 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
527 "www.googlemail.com",
528 true));
529 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
530 "m.googlemail.com",
531 true));
532 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "gmail.com", false));
533 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "www.gmail.com", false));
534 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "m.gmail.com", false));
535 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "googlemail.com", false));
536 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
[email protected]b7f9fb22011-04-09 20:28:47[diff] [blame]537 "www.googlemail.com",
[email protected]229f8fda2011-05-04 21:03:05[diff] [blame]538 false));
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]539 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
540 "m.googlemail.com",
[email protected]c6bf6512011-05-05 15:00:13[diff] [blame]541 false));
[email protected]0a86afa2011-10-14 00:54:51[diff] [blame]542 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
543 "www.googleplex.com",
544 true));
[email protected]bef90f32011-05-13 19:25:25[diff] [blame]545
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]546 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "romab.com", false));
547 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "www.romab.com", false));
548 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "foo.romab.com", false));
549
550 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "logentries.com", false));
551 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
552 "www.logentries.com",
553 false));
554 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
555 "foo.logentries.com",
[email protected]bef90f32011-05-13 19:25:25[diff] [blame]556 false));
[email protected]4e7075a2011-05-16 17:44:06[diff] [blame]557
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]558 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "stripe.com", false));
559 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "foo.stripe.com", false));
560
561 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
562 "cloudsecurityalliance.org",
563 false));
564 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
565 "foo.cloudsecurityalliance.org",
566 false));
567
568 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
569 "login.sapo.pt",
570 false));
571 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
572 "foo.login.sapo.pt",
573 false));
574
575 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
576 "mattmccutchen.net",
577 false));
578 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
579 "foo.mattmccutchen.net",
580 false));
581
582 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
583 "betnet.fr",
584 false));
585 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
586 "foo.betnet.fr",
587 false));
588
589 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
590 "uprotect.it",
591 false));
592 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
593 "foo.uprotect.it",
594 false));
595
596 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
597 "squareup.com",
598 false));
599 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
600 "foo.squareup.com",
[email protected]4e7075a2011-05-16 17:44:06[diff] [blame]601 false));
[email protected]0526e7a2011-05-19 16:49:40[diff] [blame]602
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]603 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
604 "cert.se",
605 false));
606 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
607 "foo.cert.se",
608 false));
609
610 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
611 "crypto.is",
612 false));
613 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
614 "foo.crypto.is",
615 false));
616
617 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
618 "simon.butcher.name",
619 false));
620 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
621 "foo.simon.butcher.name",
622 false));
623
624 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
625 "linx.net",
626 false));
627 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
628 "foo.linx.net",
629 false));
630
631 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
632 "dropcam.com",
633 false));
634 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
[email protected]da0e0252011-10-12 16:52:53[diff] [blame]635 "www.dropcam.com",
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]636 false));
[email protected]da0e0252011-10-12 16:52:53[diff] [blame]637 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
638 "foo.dropcam.com",
639 false));
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]640
641 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
642 "ebanking.indovinabank.com.vn",
643 false));
644 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
645 "foo.ebanking.indovinabank.com.vn",
646 false));
647
648 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
649 "epoxate.com",
650 false));
651 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
652 "foo.epoxate.com",
[email protected]0526e7a2011-05-19 16:49:40[diff] [blame]653 false));
[email protected]5287d0092011-05-30 19:19:36[diff] [blame]654
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]655 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
656 "torproject.org",
657 false));
[email protected]7179d2f42011-09-07 21:08:40[diff] [blame]658 EXPECT_TRUE(domain_state.public_key_hashes.size() != 0);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]659 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
660 "www.torproject.org",
661 false));
[email protected]7179d2f42011-09-07 21:08:40[diff] [blame]662 EXPECT_TRUE(domain_state.public_key_hashes.size() != 0);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]663 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
664 "check.torproject.org",
665 false));
[email protected]7179d2f42011-09-07 21:08:40[diff] [blame]666 EXPECT_TRUE(domain_state.public_key_hashes.size() != 0);
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]667 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
668 "blog.torproject.org",
669 false));
[email protected]7179d2f42011-09-07 21:08:40[diff] [blame]670 EXPECT_TRUE(domain_state.public_key_hashes.size() != 0);
671
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]672 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
673 "foo.torproject.org",
[email protected]d43846e2011-09-09 19:21:23[diff] [blame]674 false));
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]675
676 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
677 "www.moneybookers.com",
678 false));
679 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
[email protected]d43846e2011-09-09 19:21:23[diff] [blame]680 "moneybookers.com",
681 false));
682
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]683 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
684 "ledgerscope.net",
685 false));
686 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
687 "www.ledgerscope.net",
688 false));
689 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
690 "status.ledgerscope.net",
[email protected]e59d0fa2011-09-16 13:19:08[diff] [blame]691 false));
692
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]693 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
694 "kyps.net",
695 false));
696 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
697 "www.kyps.net",
698 false));
699 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
700 "foo.kyps.net",
[email protected]e59d0fa2011-09-16 13:19:08[diff] [blame]701 false));
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]702
703 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
704 "foo.app.recurly.com",
705 false));
706 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
707 "foo.api.recurly.com",
708 false));
709
710 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
711 "greplin.com",
712 false));
713 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
714 "www.greplin.com",
715 false));
716 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
717 "foo.greplin.com",
[email protected]e59d0fa2011-09-16 13:19:08[diff] [blame]718 false));
[email protected]94fb7aec2011-09-29 22:20:19[diff] [blame]719 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
720 "luneta.nearbuysystems.com",
721 false));
722 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
723 "foo.luneta.nearbuysystems.com",
724 false));
[email protected]e0a18fe2011-10-12 14:26:05[diff] [blame]725 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
726 "ubertt.org",
727 false));
728 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
729 "foo.ubertt.org",
730 false));
731
[email protected]7ccf34e2011-10-04 18:29:29[diff] [blame]732
733#if defined(OS_CHROMEOS)
734 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
735 "twitter.com",
736 false));
737#else
738 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
739 "twitter.com",
740 false));
741#endif
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]742}
743
[email protected]442845a2010-09-01 16:57:33[diff] [blame]744TEST_F(TransportSecurityStateTest, LongNames) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]745 TransportSecurityState state("");
[email protected]442845a2010-09-01 16:57:33[diff] [blame]746 const char kLongName[] =
747 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
748 "WaveletIdDomainAndBlipBlipid";
749 TransportSecurityState::DomainState domain_state;
750 // Just checks that we don't hit a NOTREACHED.
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]751 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, kLongName, true));
[email protected]442845a2010-09-01 16:57:33[diff] [blame]752}
753
[email protected]381e8852011-04-14 14:30:58[diff] [blame]754TEST_F(TransportSecurityStateTest, PublicKeyHashes) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]755 TransportSecurityState state("");
[email protected]381e8852011-04-14 14:30:58[diff] [blame]756 TransportSecurityState::DomainState domain_state;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]757 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "example.com", false));
[email protected]381e8852011-04-14 14:30:58[diff] [blame]758 std::vector<SHA1Fingerprint> hashes;
759 EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes));
760
761 SHA1Fingerprint hash;
762 memset(hash.data, '1', sizeof(hash.data));
763 domain_state.public_key_hashes.push_back(hash);
764
765 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
766 hashes.push_back(hash);
767 EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes));
768 hashes[0].data[0] = '2';
769 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
770
771 const base::Time current_time(base::Time::Now());
772 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
773 domain_state.expiry = expiry;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]774 state.EnableHost("example.com", domain_state);
[email protected]381e8852011-04-14 14:30:58[diff] [blame]775 std::string ser;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]776 EXPECT_TRUE(state.Serialise(&ser));
[email protected]381e8852011-04-14 14:30:58[diff] [blame]777 bool dirty;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]778 EXPECT_TRUE(state.LoadEntries(ser, &dirty));
779 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "example.com", false));
[email protected]381e8852011-04-14 14:30:58[diff] [blame]780 EXPECT_EQ(1u, domain_state.public_key_hashes.size());
781 EXPECT_TRUE(0 == memcmp(domain_state.public_key_hashes[0].data, hash.data,
782 sizeof(hash.data)));
783}
784
[email protected]938d6a32011-04-25 21:09:38[diff] [blame]785TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]786 TransportSecurityState state("");
[email protected]938d6a32011-04-25 21:09:38[diff] [blame]787 TransportSecurityState::DomainState domain_state;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]788 EXPECT_TRUE(state.IsEnabledForHost(&domain_state,
789 "chrome.google.com",
790 true));
791 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "chrome.google.com", true));
[email protected]938d6a32011-04-25 21:09:38[diff] [blame]792 std::vector<SHA1Fingerprint> hashes;
793 // This essential checks that a built-in list does exist.
794 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]795 EXPECT_FALSE(state.HasPinsForHost(&domain_state, "www.paypal.com", true));
[email protected]6a571112011-04-28 23:00:03[diff] [blame]796
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]797 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "docs.google.com", true));
798 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "1.docs.google.com", true));
799 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "sites.google.com", true));
800 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "drive.google.com", true));
801 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
802 "spreadsheets.google.com",
803 true));
804 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "health.google.com", true));
805 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
806 "checkout.google.com",
807 true));
808 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
809 "appengine.google.com",
810 true));
811 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "market.android.com", true));
812 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
813 "encrypted.google.com",
814 true));
815 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
816 "accounts.google.com",
817 true));
818 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
819 "profiles.google.com",
820 true));
821 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "mail.google.com", true));
822 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
823 "chatenabled.mail.google.com",
824 true));
825 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
826 "talkgadget.google.com",
827 true));
828 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
829 "hostedtalkgadget.google.com",
830 true));
831 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "talk.google.com", true));
832 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "plus.google.com", true));
[email protected]627d03cc2011-10-19 18:36:22[diff] [blame]833 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "groups.google.com", true));
834
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]835 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "ssl.gstatic.com", true));
836 EXPECT_FALSE(state.HasPinsForHost(&domain_state, "www.gstatic.com", true));
837 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
838 "ssl.google-analytics.com",
839 true));
[email protected]0a86afa2011-10-14 00:54:51[diff] [blame]840 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "www.googleplex.com", true));
[email protected]7ccf34e2011-10-04 18:29:29[diff] [blame]841
842 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "twitter.com", true));
843 EXPECT_FALSE(state.HasPinsForHost(&domain_state, "foo.twitter.com", true));
844 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "www.twitter.com", true));
845 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "api.twitter.com", true));
846 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "oauth.twitter.com", true));
847 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "mobile.twitter.com", true));
848 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "dev.twitter.com", true));
849 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "business.twitter.com", true));
[email protected]8f8146f2011-10-12 16:36:09[diff] [blame]850#if 0
851 // Disabled in order to help track down pinning failures --agl
[email protected]7ccf34e2011-10-04 18:29:29[diff] [blame]852 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "platform.twitter.com", true));
853 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "si0.twimg.com", true));
854 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "twimg0-a.akamaihd.net", true));
[email protected]8f8146f2011-10-12 16:36:09[diff] [blame]855#endif
[email protected]dee9ae92011-04-26 03:58:30[diff] [blame]856}
857
[email protected]5f15ed62011-11-02 15:07:08[diff] [blame^]858static bool AddHash(const std::string& type_and_base64,
859 std::vector<SHA1Fingerprint>* out) {
860 std::string hash_str;
861 if (type_and_base64.find("sha1/") == 0 &&
862 base::Base64Decode(type_and_base64.substr(5, type_and_base64.size() - 5),
863 &hash_str) &&
864 hash_str.size() == base::kSHA1Length) {
865 SHA1Fingerprint hash;
866 memcpy(hash.data, hash_str.data(), sizeof(hash.data));
867 out->push_back(hash);
868 return true;
869 }
870 return false;
871}
872
873TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) {
874 // kGoodPath is plus.google.com via Google Internet Authority.
875 static const char* kGoodPath[] = {
876 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
877 "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=",
878 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
879 NULL,
880 };
881
882 // kBadPath is plus.google.com via Trustcenter, which contains a required
883 // certificate (Equifax root), but also an excluded certificate
884 // (Trustcenter).
885 static const char* kBadPath[] = {
886 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
887 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
888 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
889 NULL,
890 };
891
892 std::vector<net::SHA1Fingerprint> good_hashes, bad_hashes;
893
894 for (size_t i = 0; kGoodPath[i]; i++) {
895 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
896 }
897 for (size_t i = 0; kBadPath[i]; i++) {
898 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
899 }
900
901 TransportSecurityState state("");
902 TransportSecurityState::DomainState domain_state;
903 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "plus.google.com", true));
904
905 EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(good_hashes));
906 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(bad_hashes));
907}
908
909TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
910 // kGoodPath is blog.torproject.org.
911 static const char* kGoodPath[] = {
912 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
913 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
914 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
915 NULL,
916 };
917
918 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
919 // torproject.org.
920 static const char* kBadPath[] = {
921 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
922 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
923 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
924 NULL,
925 };
926
927 std::vector<net::SHA1Fingerprint> good_hashes, bad_hashes;
928
929 for (size_t i = 0; kGoodPath[i]; i++) {
930 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
931 }
932 for (size_t i = 0; kBadPath[i]; i++) {
933 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
934 }
935
936 TransportSecurityState state("");
937 TransportSecurityState::DomainState domain_state;
938 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "blog.torproject.org", true));
939
940 EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(good_hashes));
941 EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(bad_hashes));
942}
943
[email protected]dee9ae92011-04-26 03:58:30[diff] [blame]944TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]945 TransportSecurityState state("");
[email protected]dee9ae92011-04-26 03:58:30[diff] [blame]946 TransportSecurityState::DomainState domain_state;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]947 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
948 "www.google-analytics.com",
949 false));
950 EXPECT_FALSE(state.IsEnabledForHost(&domain_state,
951 "www.google-analytics.com",
952 true));
953 EXPECT_FALSE(state.HasPinsForHost(&domain_state,
[email protected]dee9ae92011-04-26 03:58:30[diff] [blame]954 "www.google-analytics.com",
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]955 false));
956 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
957 "www.google-analytics.com",
958 true));
959 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "google.com", true));
960 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "www.google.com", true));
961 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
962 "mail-attachment.googleusercontent.com",
963 true));
964 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "www.youtube.com", true));
965 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "i.ytimg.com", true));
966 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "googleapis.com", true));
967 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
968 "ajax.googleapis.com",
969 true));
970 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
971 "googleadservices.com",
972 true));
973 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
974 "pagead2.googleadservices.com",
975 true));
976 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "googlecode.com", true));
977 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
978 "kibbles.googlecode.com",
979 true));
980 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "appspot.com", true));
981 EXPECT_TRUE(state.HasPinsForHost(&domain_state,
982 "googlesyndication.com",
983 true));
984 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "doubleclick.net", true));
985 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "ad.doubleclick.net", true));
986 EXPECT_FALSE(state.HasPinsForHost(&domain_state,
987 "learn.doubleclick.net",
[email protected]dee9ae92011-04-26 03:58:30[diff] [blame]988 true));
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]989 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "a.googlegroups.com", true));
990 EXPECT_FALSE(state.HasPinsForHost(&domain_state,
991 "a.googlegroups.com",
992 false));
[email protected]938d6a32011-04-25 21:09:38[diff] [blame]993}
994
[email protected]d7cf831a2011-05-02 22:18:48[diff] [blame]995TEST_F(TransportSecurityStateTest, ForcePreloads) {
996 // This is a docs.google.com override.
997 std::string preload("{"
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]998 "\"4AGT3lHihuMSd5rUj7B4u6At0jlSH3HFePovjPR+oLE=\": {"
999 "\"created\": 0.0,"
1000 "\"expiry\": 2000000000.0,"
1001 "\"include_subdomains\": false,"
1002 "\"mode\": \"none\""
1003 "}}");
[email protected]d7cf831a2011-05-02 22:18:48[diff] [blame]1004
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]1005 TransportSecurityState state(preload);
[email protected]d7cf831a2011-05-02 22:18:48[diff] [blame]1006 TransportSecurityState::DomainState domain_state;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]1007 EXPECT_FALSE(state.HasPinsForHost(&domain_state, "docs.google.com", true));
1008 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "docs.google.com", true));
[email protected]d7cf831a2011-05-02 22:18:48[diff] [blame]1009}
1010
[email protected]55cb21182011-05-09 19:55:00[diff] [blame]1011TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]1012 TransportSecurityState state("");
[email protected]55cb21182011-05-09 19:55:00[diff] [blame]1013 TransportSecurityState::DomainState domain_state;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]1014 EXPECT_TRUE(state.HasPinsForHost(&domain_state, "google.com", true));
1015 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "google.com", true));
1016 EXPECT_FALSE(state.IsEnabledForHost(&domain_state, "www.google.com", true));
[email protected]55cb21182011-05-09 19:55:00[diff] [blame]1017
1018 domain_state = TransportSecurityState::DomainState();
1019 const base::Time current_time(base::Time::Now());
1020 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
1021 domain_state.expiry = expiry;
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]1022 state.EnableHost("www.google.com", domain_state);
[email protected]55cb21182011-05-09 19:55:00[diff] [blame]1023
[email protected]edbc4f92011-09-27 21:04:49[diff] [blame]1024 EXPECT_TRUE(state.IsEnabledForHost(&domain_state, "www.google.com", true));
[email protected]55cb21182011-05-09 19:55:00[diff] [blame]1025}
1026
[email protected]ae780c82011-09-20 19:39:06[diff] [blame]1027static const uint8 kSidePinLeafSPKI[] = {
1028 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
1029 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xe4,
1030 0x1d, 0xcc, 0xf2, 0x92, 0xe7, 0x7a, 0xc6, 0x36, 0xf7, 0x1a, 0x62, 0x31, 0x7d,
1031 0x37, 0xea, 0x0d, 0xa2, 0xa8, 0x12, 0x2b, 0xc2, 0x1c, 0x82, 0x3e, 0xa5, 0x70,
1032 0x4a, 0x83, 0x5d, 0x9b, 0x84, 0x82, 0x70, 0xa4, 0x88, 0x98, 0x98, 0x41, 0x29,
1033 0x31, 0xcb, 0x6e, 0x2a, 0x54, 0x65, 0x14, 0x60, 0xcc, 0x00, 0xe8, 0x10, 0x30,
1034 0x0a, 0x4a, 0xd1, 0xa7, 0x52, 0xfe, 0x2d, 0x31, 0x2a, 0x1d, 0x0d, 0x02, 0x03,
1035 0x01, 0x00, 0x01,
1036};
1037
1038static const uint8 kSidePinInfo[] = {
1039 0x01, 0x00, 0x53, 0x50, 0x49, 0x4e, 0xa0, 0x00, 0x03, 0x00, 0x53, 0x49, 0x47,
1040 0x00, 0x50, 0x55, 0x42, 0x4b, 0x41, 0x4c, 0x47, 0x4f, 0x47, 0x00, 0x41, 0x00,
1041 0x04, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xfb, 0x26, 0xd5, 0xe8, 0x76, 0x35,
1042 0x96, 0x6d, 0x91, 0x9b, 0x5b, 0x27, 0xe6, 0x09, 0x1c, 0x7b, 0x6c, 0xcd, 0xc8,
1043 0x10, 0x25, 0x95, 0xc0, 0xa5, 0xf6, 0x6c, 0x6f, 0xfb, 0x59, 0x1e, 0x2d, 0xf4,
1044 0x02, 0x20, 0x33, 0x0a, 0xf8, 0x8b, 0x3e, 0xc4, 0xca, 0x75, 0x28, 0xdf, 0x5f,
1045 0xab, 0xe4, 0x46, 0xa0, 0xdd, 0x2d, 0xe5, 0xad, 0xc3, 0x81, 0x44, 0x70, 0xb2,
1046 0x10, 0x87, 0xe8, 0xc3, 0xd6, 0x6e, 0x12, 0x5d, 0x04, 0x67, 0x0b, 0x7d, 0xf2,
1047 0x99, 0x75, 0x57, 0x99, 0x3a, 0x98, 0xf8, 0xe4, 0xdf, 0x79, 0xdf, 0x8e, 0x02,
1048 0x2c, 0xbe, 0xd8, 0xfd, 0x75, 0x80, 0x18, 0xb1, 0x6f, 0x43, 0xd9, 0x8a, 0x79,
1049 0xc3, 0x6e, 0x18, 0xdf, 0x79, 0xc0, 0x59, 0xab, 0xd6, 0x77, 0x37, 0x6a, 0x94,
1050 0x5a, 0x7e, 0xfb, 0xa9, 0xc5, 0x54, 0x14, 0x3a, 0x7b, 0x97, 0x17, 0x2a, 0xb6,
1051 0x1e, 0x59, 0x4f, 0x2f, 0xb1, 0x15, 0x1a, 0x34, 0x50, 0x32, 0x35, 0x36,
1052};
1053
1054static const uint8 kSidePinExpectedHash[20] = {
1055 0xb5, 0x91, 0x66, 0x47, 0x43, 0x16, 0x62, 0x86, 0xd4, 0x1e, 0x5d, 0x36, 0xe1,
1056 0xc4, 0x09, 0x3d, 0x2d, 0x1d, 0xea, 0x1e,
1057};
1058
1059TEST_F(TransportSecurityStateTest, ParseSidePins) {
[email protected]ae780c82011-09-20 19:39:06[diff] [blame]1060
1061 base::StringPiece leaf_spki(reinterpret_cast<const char*>(kSidePinLeafSPKI),
1062 sizeof(kSidePinLeafSPKI));
1063 base::StringPiece side_info(reinterpret_cast<const char*>(kSidePinInfo),
1064 sizeof(kSidePinInfo));
1065
1066 std::vector<SHA1Fingerprint> pub_key_hashes;
1067 EXPECT_TRUE(TransportSecurityState::ParseSidePin(
1068 leaf_spki, side_info, &pub_key_hashes));
1069 ASSERT_EQ(1u, pub_key_hashes.size());
1070 EXPECT_TRUE(0 == memcmp(pub_key_hashes[0].data, kSidePinExpectedHash,
1071 sizeof(kSidePinExpectedHash)));
1072}
1073
1074TEST_F(TransportSecurityStateTest, ParseSidePinsFailsWithBadData) {
[email protected]ae780c82011-09-20 19:39:06[diff] [blame]1075
1076 uint8 leaf_spki_copy[sizeof(kSidePinLeafSPKI)];
1077 memcpy(leaf_spki_copy, kSidePinLeafSPKI, sizeof(leaf_spki_copy));
1078
1079 uint8 side_info_copy[sizeof(kSidePinInfo)];
1080 memcpy(side_info_copy, kSidePinInfo, sizeof(kSidePinInfo));
1081
1082 base::StringPiece leaf_spki(reinterpret_cast<const char*>(leaf_spki_copy),
1083 sizeof(leaf_spki_copy));
1084 base::StringPiece side_info(reinterpret_cast<const char*>(side_info_copy),
1085 sizeof(side_info_copy));
1086 std::vector<SHA1Fingerprint> pub_key_hashes;
1087
1088 // Tweak |leaf_spki| and expect a failure.
1089 leaf_spki_copy[10] ^= 1;
1090 EXPECT_FALSE(TransportSecurityState::ParseSidePin(
1091 leaf_spki, side_info, &pub_key_hashes));
1092 ASSERT_EQ(0u, pub_key_hashes.size());
1093
1094 // Undo the change to |leaf_spki| and tweak |side_info|.
1095 leaf_spki_copy[10] ^= 1;
1096 side_info_copy[30] ^= 1;
1097 EXPECT_FALSE(TransportSecurityState::ParseSidePin(
1098 leaf_spki, side_info, &pub_key_hashes));
1099 ASSERT_EQ(0u, pub_key_hashes.size());
1100}
1101
1102TEST_F(TransportSecurityStateTest, DISABLED_ParseSidePinsFuzz) {
1103 // Disabled because it's too slow for normal tests. Run manually when
1104 // changing the underlying code.
1105
[email protected]ae780c82011-09-20 19:39:06[diff] [blame]1106 base::StringPiece leaf_spki(reinterpret_cast<const char*>(kSidePinLeafSPKI),
1107 sizeof(kSidePinLeafSPKI));
1108 uint8 side_info_copy[sizeof(kSidePinInfo)];
1109 base::StringPiece side_info(reinterpret_cast<const char*>(side_info_copy),
1110 sizeof(side_info_copy));
1111 std::vector<SHA1Fingerprint> pub_key_hashes;
1112 static const size_t bit_length = sizeof(kSidePinInfo) * 8;
1113
1114 for (size_t bit_to_flip = 0; bit_to_flip < bit_length; bit_to_flip++) {
1115 memcpy(side_info_copy, kSidePinInfo, sizeof(kSidePinInfo));
1116
1117 size_t byte = bit_to_flip >> 3;
1118 size_t bit = bit_to_flip & 7;
1119 side_info_copy[byte] ^= (1 << bit);
1120
1121 EXPECT_FALSE(TransportSecurityState::ParseSidePin(
1122 leaf_spki, side_info, &pub_key_hashes));
1123 ASSERT_EQ(0u, pub_key_hashes.size());
1124 }
1125}
1126
[email protected]cb8d2812011-10-15 05:07:07[diff] [blame]1127TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
1128 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1129 "www.example.com", true));
1130 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1131 "www.paypal.com", true));
1132 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1133 "mail.twitter.com", true));
1134 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1135 "www.google.com.int", true));
1136 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1137 "jottit.com", true));
1138 // learn.doubleclick.net has a more specific match than
1139 // *.doubleclick.com, and has 0 or NULL for its required certs.
1140 // This test ensures that the exact-match-preferred behavior
1141 // works.
1142 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1143 "learn.doubleclick.net", true));
1144
1145 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1146 "encrypted.google.com", true));
1147 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1148 "mail.google.com", true));
1149 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1150 "accounts.google.com", true));
1151 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1152 "doubleclick.net", true));
1153 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1154 "ad.doubleclick.net", true));
1155 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1156 "youtube.com", true));
1157 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1158 "www.profiles.google.com", true));
1159 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1160 "checkout.google.com", true));
1161 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1162 "googleadservices.com", true));
1163
1164 // Test with sni_enabled false:
1165 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1166 "www.example.com", false));
1167 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1168 "www.paypal.com", false));
1169 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1170 "checkout.google.com", false));
1171 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1172 "googleadservices.com", false));
1173
1174 // Test some SNI hosts:
1175 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1176 "gmail.com", true));
1177 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1178 "googlegroups.com", true));
1179 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1180 "www.googlegroups.com", true));
1181 // Expect to fail for SNI hosts when not searching the SNI list:
1182 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1183 "gmail.com", false));
1184 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1185 "googlegroups.com", false));
1186 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1187 "www.googlegroups.com", false));
1188}
1189
[email protected]2fc4c212010-03-10 18:59:06[diff] [blame]1190} // namespace net