1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/http/transport_security_state.h"
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/sha1.h"
14 #include "base/strings/string_piece.h"
15 #include "crypto/sha2.h"
16 #include "net/base/net_errors.h"
17 #include "net/base/net_log.h"
18 #include "net/base/test_completion_callback.h"
19 #include "net/base/test_data_directory.h"
20 #include "net/cert/asn1_util.h"
21 #include "net/cert/cert_verifier.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/test_root_certs.h"
24 #include "net/cert/x509_cert_types.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/http/http_util.h"
27 #include "net/ssl/ssl_info.h"
28 #include "net/test/cert_test_util.h"
29 #include "testing/gtest/include/gtest/gtest.h"
31 #if defined(USE_OPENSSL)
32 #include "crypto/openssl_util.h"
34 #include "crypto/nss_util.h"
39 class TransportSecurityStateTest
: public testing::Test
{
41 virtual void SetUp() {
42 #if defined(USE_OPENSSL)
43 crypto::EnsureOpenSSLInit();
45 crypto::EnsureNSSInit();
49 static void DisableStaticPins(TransportSecurityState
* state
) {
50 state
->enable_static_pins_
= false;
53 static void EnableStaticPins(TransportSecurityState
* state
) {
54 state
->enable_static_pins_
= true;
58 bool GetStaticDomainState(TransportSecurityState
* state
,
59 const std::string
& host
,
61 TransportSecurityState::DomainState
* result
) {
62 return state
->GetStaticDomainState(host
, sni_enabled
, result
);
65 void EnableHost(TransportSecurityState
* state
,
66 const std::string
& host
,
67 const TransportSecurityState::DomainState
& domain_state
) {
68 return state
->EnableHost(host
, domain_state
);
72 TEST_F(TransportSecurityStateTest
, SimpleMatches
) {
73 TransportSecurityState state
;
74 TransportSecurityState::DomainState domain_state
;
75 const base::Time
current_time(base::Time::Now());
76 const base::Time expiry
= current_time
+ base::TimeDelta::FromSeconds(1000);
78 EXPECT_FALSE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
79 bool include_subdomains
= false;
80 state
.AddHSTS("yahoo.com", expiry
, include_subdomains
);
81 EXPECT_TRUE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
84 TEST_F(TransportSecurityStateTest
, MatchesCase1
) {
85 TransportSecurityState state
;
86 TransportSecurityState::DomainState domain_state
;
87 const base::Time
current_time(base::Time::Now());
88 const base::Time expiry
= current_time
+ base::TimeDelta::FromSeconds(1000);
90 EXPECT_FALSE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
91 bool include_subdomains
= false;
92 state
.AddHSTS("YAhoo.coM", expiry
, include_subdomains
);
93 EXPECT_TRUE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
96 TEST_F(TransportSecurityStateTest
, MatchesCase2
) {
97 TransportSecurityState state
;
98 TransportSecurityState::DomainState domain_state
;
99 const base::Time
current_time(base::Time::Now());
100 const base::Time expiry
= current_time
+ base::TimeDelta::FromSeconds(1000);
102 EXPECT_FALSE(state
.GetDynamicDomainState("YAhoo.coM", &domain_state
));
103 bool include_subdomains
= false;
104 state
.AddHSTS("yahoo.com", expiry
, include_subdomains
);
105 EXPECT_TRUE(state
.GetDynamicDomainState("YAhoo.coM", &domain_state
));
108 TEST_F(TransportSecurityStateTest
, SubdomainMatches
) {
109 TransportSecurityState state
;
110 TransportSecurityState::DomainState domain_state
;
111 const base::Time
current_time(base::Time::Now());
112 const base::Time expiry
= current_time
+ base::TimeDelta::FromSeconds(1000);
114 EXPECT_FALSE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
115 bool include_subdomains
= true;
116 state
.AddHSTS("yahoo.com", expiry
, include_subdomains
);
117 EXPECT_TRUE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
118 EXPECT_TRUE(state
.GetDynamicDomainState("foo.yahoo.com", &domain_state
));
119 EXPECT_TRUE(state
.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state
));
121 state
.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state
));
122 EXPECT_FALSE(state
.GetDynamicDomainState("com", &domain_state
));
125 TEST_F(TransportSecurityStateTest
, InvalidDomains
) {
126 TransportSecurityState state
;
127 TransportSecurityState::DomainState domain_state
;
128 const base::Time
current_time(base::Time::Now());
129 const base::Time expiry
= current_time
+ base::TimeDelta::FromSeconds(1000);
131 EXPECT_FALSE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
132 bool include_subdomains
= true;
133 state
.AddHSTS("yahoo.com", expiry
, include_subdomains
);
134 EXPECT_TRUE(state
.GetDynamicDomainState("www-.foo.yahoo.com", &domain_state
));
136 state
.GetDynamicDomainState("2\x01.foo.yahoo.com", &domain_state
));
139 TEST_F(TransportSecurityStateTest
, DeleteAllDynamicDataSince
) {
140 TransportSecurityState state
;
141 TransportSecurityState::DomainState domain_state
;
142 const base::Time
current_time(base::Time::Now());
143 const base::Time expiry
= current_time
+ base::TimeDelta::FromSeconds(1000);
144 const base::Time older
= current_time
- base::TimeDelta::FromSeconds(1000);
146 EXPECT_FALSE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
147 bool include_subdomains
= false;
148 state
.AddHSTS("yahoo.com", expiry
, include_subdomains
);
150 state
.DeleteAllDynamicDataSince(expiry
);
151 EXPECT_TRUE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
152 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS
,
153 domain_state
.sts
.upgrade_mode
);
154 state
.DeleteAllDynamicDataSince(older
);
155 EXPECT_TRUE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
156 EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT
,
157 domain_state
.sts
.upgrade_mode
);
160 TEST_F(TransportSecurityStateTest
, DeleteDynamicDataForHost
) {
161 TransportSecurityState state
;
162 TransportSecurityState::DomainState domain_state
;
163 const base::Time
current_time(base::Time::Now());
164 const base::Time expiry
= current_time
+ base::TimeDelta::FromSeconds(1000);
165 bool include_subdomains
= false;
166 state
.AddHSTS("yahoo.com", expiry
, include_subdomains
);
168 EXPECT_TRUE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
169 EXPECT_FALSE(state
.GetDynamicDomainState("example.com", &domain_state
));
170 EXPECT_TRUE(state
.DeleteDynamicDataForHost("yahoo.com"));
171 EXPECT_FALSE(state
.GetDynamicDomainState("yahoo.com", &domain_state
));
174 TEST_F(TransportSecurityStateTest
, EnableStaticPins
) {
175 TransportSecurityState state
;
176 TransportSecurityState::DomainState domain_state
;
178 EnableStaticPins(&state
);
181 state
.GetStaticDomainState("chrome.google.com", true, &domain_state
));
182 EXPECT_FALSE(domain_state
.pkp
.spki_hashes
.empty());
185 TEST_F(TransportSecurityStateTest
, DisableStaticPins
) {
186 TransportSecurityState state
;
187 TransportSecurityState::DomainState domain_state
;
189 DisableStaticPins(&state
);
191 state
.GetStaticDomainState("chrome.google.com", true, &domain_state
));
192 EXPECT_TRUE(domain_state
.pkp
.spki_hashes
.empty());
195 TEST_F(TransportSecurityStateTest
, IsPreloaded
) {
196 const std::string paypal
= "paypal.com";
197 const std::string www_paypal
= "www.paypal.com";
198 const std::string foo_paypal
= "foo.paypal.com";
199 const std::string a_www_paypal
= "a.www.paypal.com";
200 const std::string abc_paypal
= "a.b.c.paypal.com";
201 const std::string example
= "example.com";
202 const std::string aypal
= "aypal.com";
204 TransportSecurityState state
;
205 TransportSecurityState::DomainState domain_state
;
207 EXPECT_TRUE(GetStaticDomainState(&state
, paypal
, true, &domain_state
));
208 EXPECT_TRUE(GetStaticDomainState(&state
, www_paypal
, true, &domain_state
));
209 EXPECT_FALSE(domain_state
.sts
.include_subdomains
);
210 EXPECT_FALSE(GetStaticDomainState(&state
, a_www_paypal
, true, &domain_state
));
211 EXPECT_FALSE(GetStaticDomainState(&state
, abc_paypal
, true, &domain_state
));
212 EXPECT_FALSE(GetStaticDomainState(&state
, example
, true, &domain_state
));
213 EXPECT_FALSE(GetStaticDomainState(&state
, aypal
, true, &domain_state
));
216 TEST_F(TransportSecurityStateTest
, PreloadedDomainSet
) {
217 TransportSecurityState state
;
218 TransportSecurityState::DomainState domain_state
;
220 // The domain wasn't being set, leading to a blank string in the
221 // chrome://net-internals/#hsts UI. So test that.
223 state
.GetStaticDomainState("market.android.com", true, &domain_state
));
224 EXPECT_EQ(domain_state
.domain
, "market.android.com");
225 EXPECT_TRUE(state
.GetStaticDomainState(
226 "sub.market.android.com", true, &domain_state
));
227 EXPECT_EQ(domain_state
.domain
, "market.android.com");
230 static bool StaticShouldRedirect(const char* hostname
) {
231 TransportSecurityState state
;
232 TransportSecurityState::DomainState domain_state
;
233 return state
.GetStaticDomainState(
234 hostname
, true /* SNI ok */, &domain_state
) &&
235 domain_state
.ShouldUpgradeToSSL();
238 static bool HasStaticState(const char* hostname
) {
239 TransportSecurityState state
;
240 TransportSecurityState::DomainState domain_state
;
241 return state
.GetStaticDomainState(hostname
, true /* SNI ok */, &domain_state
);
244 static bool HasStaticPublicKeyPins(const char* hostname
, bool sni_enabled
) {
245 TransportSecurityState state
;
246 TransportSecurityStateTest::EnableStaticPins(&state
);
247 TransportSecurityState::DomainState domain_state
;
248 if (!state
.GetStaticDomainState(hostname
, sni_enabled
, &domain_state
))
251 return domain_state
.HasPublicKeyPins();
254 static bool HasStaticPublicKeyPins(const char* hostname
) {
255 return HasStaticPublicKeyPins(hostname
, true);
258 static bool OnlyPinningInStaticState(const char* hostname
) {
259 TransportSecurityState state
;
260 TransportSecurityStateTest::EnableStaticPins(&state
);
261 TransportSecurityState::DomainState domain_state
;
262 if (!state
.GetStaticDomainState(hostname
, true /* SNI ok */, &domain_state
))
265 return (domain_state
.pkp
.spki_hashes
.size() > 0 ||
266 domain_state
.pkp
.bad_spki_hashes
.size() > 0) &&
267 !domain_state
.ShouldUpgradeToSSL();
270 TEST_F(TransportSecurityStateTest
, Preloaded
) {
271 TransportSecurityState state
;
272 TransportSecurityState::DomainState domain_state
;
274 // We do more extensive checks for the first domain.
276 state
.GetStaticDomainState("www.paypal.com", true, &domain_state
));
277 EXPECT_EQ(domain_state
.sts
.upgrade_mode
,
278 TransportSecurityState::DomainState::MODE_FORCE_HTTPS
);
279 EXPECT_FALSE(domain_state
.sts
.include_subdomains
);
280 EXPECT_FALSE(domain_state
.pkp
.include_subdomains
);
282 EXPECT_TRUE(HasStaticState("paypal.com"));
283 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
284 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
288 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
289 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
290 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
291 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
292 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
293 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
294 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
295 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
296 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
297 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
298 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
299 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
300 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
301 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
302 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
303 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
304 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
305 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
306 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
307 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
308 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
309 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
310 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
311 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
312 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
313 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
314 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
315 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
316 EXPECT_FALSE(HasStaticState("m.gmail.com"));
317 EXPECT_FALSE(HasStaticState("m.googlemail.com"));
319 // Tests for domains that don't work without SNI.
320 EXPECT_FALSE(state
.GetStaticDomainState("gmail.com", false, &domain_state
));
322 state
.GetStaticDomainState("www.gmail.com", false, &domain_state
));
323 EXPECT_FALSE(state
.GetStaticDomainState("m.gmail.com", false, &domain_state
));
325 state
.GetStaticDomainState("googlemail.com", false, &domain_state
));
327 state
.GetStaticDomainState("www.googlemail.com", false, &domain_state
));
329 state
.GetStaticDomainState("m.googlemail.com", false, &domain_state
));
333 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
335 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
336 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
338 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
340 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
341 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
342 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
344 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
345 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
347 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
348 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
349 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
351 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
352 EXPECT_FALSE(HasStaticState("elanex.biz"));
353 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
355 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
356 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
357 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
359 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
360 EXPECT_FALSE(HasStaticState("noisebridge.net"));
361 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
363 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
364 EXPECT_FALSE(HasStaticState("www.neg9.org"));
366 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
367 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
369 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
370 EXPECT_FALSE(HasStaticState("www.factor.cc"));
372 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
373 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
374 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
375 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
376 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
378 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
379 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
380 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
382 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
383 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
384 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
386 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
387 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
389 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
390 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
392 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
393 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
395 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
396 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
398 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
399 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
401 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
402 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
404 EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
405 EXPECT_FALSE(HasStaticState("foo.squareup.com"));
407 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
408 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
410 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
411 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
413 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
414 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
416 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
417 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
419 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
420 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
421 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
423 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
424 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
426 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
427 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
429 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
431 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
432 EXPECT_FALSE(HasStaticState("moneybookers.com"));
434 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
435 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
436 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
438 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
439 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
441 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
442 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
443 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
445 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
446 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
448 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
449 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
451 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
452 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
454 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
455 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
457 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
458 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
459 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
460 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
461 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
462 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
463 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
464 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
465 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
466 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
467 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
468 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
470 EXPECT_TRUE(StaticShouldRedirect("crypto.cat"));
471 EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat"));
473 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
474 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
476 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
477 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
480 TEST_F(TransportSecurityStateTest
, PreloadedPins
) {
481 TransportSecurityState state
;
482 EnableStaticPins(&state
);
483 TransportSecurityState::DomainState domain_state
;
485 // We do more extensive checks for the first domain.
487 state
.GetStaticDomainState("www.paypal.com", true, &domain_state
));
488 EXPECT_EQ(domain_state
.sts
.upgrade_mode
,
489 TransportSecurityState::DomainState::MODE_FORCE_HTTPS
);
490 EXPECT_FALSE(domain_state
.sts
.include_subdomains
);
491 EXPECT_FALSE(domain_state
.pkp
.include_subdomains
);
493 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
494 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
495 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
496 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
497 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
498 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
499 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
500 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
501 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
502 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
503 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
504 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
505 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
506 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
507 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
508 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
509 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
511 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
512 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
513 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
514 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
515 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
518 state
.GetStaticDomainState("torproject.org", false, &domain_state
));
519 EXPECT_FALSE(domain_state
.pkp
.spki_hashes
.empty());
521 state
.GetStaticDomainState("www.torproject.org", false, &domain_state
));
522 EXPECT_FALSE(domain_state
.pkp
.spki_hashes
.empty());
524 state
.GetStaticDomainState("check.torproject.org", false, &domain_state
));
525 EXPECT_FALSE(domain_state
.pkp
.spki_hashes
.empty());
527 state
.GetStaticDomainState("blog.torproject.org", false, &domain_state
));
528 EXPECT_FALSE(domain_state
.pkp
.spki_hashes
.empty());
530 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
533 TEST_F(TransportSecurityStateTest
, LongNames
) {
534 TransportSecurityState state
;
535 const char kLongName
[] =
536 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
537 "WaveletIdDomainAndBlipBlipid";
538 TransportSecurityState::DomainState domain_state
;
539 // Just checks that we don't hit a NOTREACHED.
540 EXPECT_FALSE(state
.GetStaticDomainState(kLongName
, true, &domain_state
));
541 EXPECT_FALSE(state
.GetDynamicDomainState(kLongName
, &domain_state
));
544 TEST_F(TransportSecurityStateTest
, BuiltinCertPins
) {
545 TransportSecurityState state
;
546 EnableStaticPins(&state
);
547 TransportSecurityState::DomainState domain_state
;
550 state
.GetStaticDomainState("chrome.google.com", true, &domain_state
));
551 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
553 HashValueVector hashes
;
554 std::string failure_log
;
555 // Checks that a built-in list does exist.
556 EXPECT_FALSE(domain_state
.CheckPublicKeyPins(hashes
, &failure_log
));
557 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
559 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
560 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
561 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
562 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
563 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
564 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
565 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
566 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
567 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
568 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
569 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
570 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
571 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
572 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
573 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
574 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
575 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
576 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
577 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
578 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
580 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
581 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
582 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
583 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
584 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
586 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
587 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
588 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
589 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
590 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
591 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
592 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
593 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
594 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
595 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
598 static bool AddHash(const std::string
& type_and_base64
,
599 HashValueVector
* out
) {
601 if (!hash
.FromString(type_and_base64
))
604 out
->push_back(hash
);
608 TEST_F(TransportSecurityStateTest
, PinValidationWithoutRejectedCerts
) {
609 // kGoodPath is blog.torproject.org.
610 static const char* kGoodPath
[] = {
611 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
612 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
613 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
617 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
619 static const char* kBadPath
[] = {
620 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
621 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
622 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
626 HashValueVector good_hashes
, bad_hashes
;
628 for (size_t i
= 0; kGoodPath
[i
]; i
++) {
629 EXPECT_TRUE(AddHash(kGoodPath
[i
], &good_hashes
));
631 for (size_t i
= 0; kBadPath
[i
]; i
++) {
632 EXPECT_TRUE(AddHash(kBadPath
[i
], &bad_hashes
));
635 TransportSecurityState state
;
636 EnableStaticPins(&state
);
638 TransportSecurityState::DomainState domain_state
;
640 state
.GetStaticDomainState("blog.torproject.org", true, &domain_state
));
641 EXPECT_TRUE(domain_state
.HasPublicKeyPins());
643 std::string failure_log
;
644 EXPECT_TRUE(domain_state
.CheckPublicKeyPins(good_hashes
, &failure_log
));
645 EXPECT_FALSE(domain_state
.CheckPublicKeyPins(bad_hashes
, &failure_log
));
648 TEST_F(TransportSecurityStateTest
, OptionalHSTSCertPins
) {
649 TransportSecurityState state
;
650 EnableStaticPins(&state
);
651 TransportSecurityState::DomainState domain_state
;
653 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
655 EXPECT_FALSE(HasStaticPublicKeyPins("www.google-analytics.com", false));
656 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
657 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
658 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
659 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
660 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
661 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
662 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
663 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
664 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
665 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
666 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
667 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
668 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
669 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
670 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
671 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
672 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
673 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
674 EXPECT_FALSE(HasStaticPublicKeyPins("a.googlegroups.com", false));
677 TEST_F(TransportSecurityStateTest
, OverrideBuiltins
) {
678 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
679 EXPECT_FALSE(StaticShouldRedirect("google.com"));
680 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
682 TransportSecurityState state
;
683 TransportSecurityState::DomainState domain_state
;
684 const base::Time
current_time(base::Time::Now());
685 const base::Time expiry
= current_time
+ base::TimeDelta::FromSeconds(1000);
686 domain_state
.sts
.expiry
= expiry
;
687 EnableHost(&state
, "www.google.com", domain_state
);
689 EXPECT_TRUE(state
.GetDynamicDomainState("www.google.com", &domain_state
));
692 TEST_F(TransportSecurityStateTest
, GooglePinnedProperties
) {
693 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
694 "www.example.com", true));
695 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
696 "www.paypal.com", true));
697 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
698 "mail.twitter.com", true));
699 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
700 "www.google.com.int", true));
701 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
702 "jottit.com", true));
703 // learn.doubleclick.net has a more specific match than
704 // *.doubleclick.com, and has 0 or NULL for its required certs.
705 // This test ensures that the exact-match-preferred behavior
707 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
708 "learn.doubleclick.net", true));
710 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
711 "encrypted.google.com", true));
712 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
713 "mail.google.com", true));
714 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
715 "accounts.google.com", true));
716 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
717 "doubleclick.net", true));
718 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
719 "ad.doubleclick.net", true));
720 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
721 "youtube.com", true));
722 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
723 "www.profiles.google.com", true));
724 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
725 "checkout.google.com", true));
726 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
727 "googleadservices.com", true));
729 // Test with sni_enabled false:
730 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
731 "www.example.com", false));
732 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
733 "www.paypal.com", false));
734 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
735 "checkout.google.com", false));
736 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
737 "googleadservices.com", false));
739 // Test some SNI hosts:
740 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
742 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
743 "googlegroups.com", true));
744 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
745 "www.googlegroups.com", true));
746 // Expect to fail for SNI hosts when not searching the SNI list:
747 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
748 "gmail.com", false));
749 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
750 "googlegroups.com", false));
751 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
752 "www.googlegroups.com", false));