Updating trunk VERSION from 2139.0 to 2140.0
[chromium-blink-merge.git] / net / http / transport_security_state_unittest.cc
blobdfbc7539e1a098000a64cb09b94b18ab117e0ce3
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/http/transport_security_state.h"
7 #include <algorithm>
8 #include <string>
9 #include <vector>
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/sha1.h"
14 #include "base/strings/string_piece.h"
15 #include "crypto/sha2.h"
16 #include "net/base/net_errors.h"
17 #include "net/base/net_log.h"
18 #include "net/base/test_completion_callback.h"
19 #include "net/base/test_data_directory.h"
20 #include "net/cert/asn1_util.h"
21 #include "net/cert/cert_verifier.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/test_root_certs.h"
24 #include "net/cert/x509_cert_types.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/http/http_util.h"
27 #include "net/ssl/ssl_info.h"
28 #include "net/test/cert_test_util.h"
29 #include "testing/gtest/include/gtest/gtest.h"
31 #if defined(USE_OPENSSL)
32 #include "crypto/openssl_util.h"
33 #else
34 #include "crypto/nss_util.h"
35 #endif
37 namespace net {
39 class TransportSecurityStateTest : public testing::Test {
40 public:
41 virtual void SetUp() {
42 #if defined(USE_OPENSSL)
43 crypto::EnsureOpenSSLInit();
44 #else
45 crypto::EnsureNSSInit();
46 #endif
49 static void DisableStaticPins(TransportSecurityState* state) {
50 state->enable_static_pins_ = false;
53 static void EnableStaticPins(TransportSecurityState* state) {
54 state->enable_static_pins_ = true;
57 protected:
58 bool GetStaticDomainState(TransportSecurityState* state,
59 const std::string& host,
60 bool sni_enabled,
61 TransportSecurityState::DomainState* result) {
62 return state->GetStaticDomainState(host, sni_enabled, result);
65 void EnableHost(TransportSecurityState* state,
66 const std::string& host,
67 const TransportSecurityState::DomainState& domain_state) {
68 return state->EnableHost(host, domain_state);
72 TEST_F(TransportSecurityStateTest, SimpleMatches) {
73 TransportSecurityState state;
74 TransportSecurityState::DomainState domain_state;
75 const base::Time current_time(base::Time::Now());
76 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
78 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
79 bool include_subdomains = false;
80 state.AddHSTS("yahoo.com", expiry, include_subdomains);
81 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
84 TEST_F(TransportSecurityStateTest, MatchesCase1) {
85 TransportSecurityState state;
86 TransportSecurityState::DomainState domain_state;
87 const base::Time current_time(base::Time::Now());
88 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
90 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
91 bool include_subdomains = false;
92 state.AddHSTS("YAhoo.coM", expiry, include_subdomains);
93 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
96 TEST_F(TransportSecurityStateTest, MatchesCase2) {
97 TransportSecurityState state;
98 TransportSecurityState::DomainState domain_state;
99 const base::Time current_time(base::Time::Now());
100 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
102 EXPECT_FALSE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
103 bool include_subdomains = false;
104 state.AddHSTS("yahoo.com", expiry, include_subdomains);
105 EXPECT_TRUE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
108 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
109 TransportSecurityState state;
110 TransportSecurityState::DomainState domain_state;
111 const base::Time current_time(base::Time::Now());
112 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
114 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
115 bool include_subdomains = true;
116 state.AddHSTS("yahoo.com", expiry, include_subdomains);
117 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
118 EXPECT_TRUE(state.GetDynamicDomainState("foo.yahoo.com", &domain_state));
119 EXPECT_TRUE(state.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state));
120 EXPECT_TRUE(
121 state.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state));
122 EXPECT_FALSE(state.GetDynamicDomainState("com", &domain_state));
125 TEST_F(TransportSecurityStateTest, InvalidDomains) {
126 TransportSecurityState state;
127 TransportSecurityState::DomainState domain_state;
128 const base::Time current_time(base::Time::Now());
129 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
131 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
132 bool include_subdomains = true;
133 state.AddHSTS("yahoo.com", expiry, include_subdomains);
134 EXPECT_TRUE(state.GetDynamicDomainState("www-.foo.yahoo.com", &domain_state));
135 EXPECT_TRUE(
136 state.GetDynamicDomainState("2\x01.foo.yahoo.com", &domain_state));
139 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
140 TransportSecurityState state;
141 TransportSecurityState::DomainState domain_state;
142 const base::Time current_time(base::Time::Now());
143 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
144 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
146 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
147 bool include_subdomains = false;
148 state.AddHSTS("yahoo.com", expiry, include_subdomains);
150 state.DeleteAllDynamicDataSince(expiry);
151 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
152 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
153 domain_state.sts.upgrade_mode);
154 state.DeleteAllDynamicDataSince(older);
155 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
156 EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT,
157 domain_state.sts.upgrade_mode);
160 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
161 TransportSecurityState state;
162 TransportSecurityState::DomainState domain_state;
163 const base::Time current_time(base::Time::Now());
164 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
165 bool include_subdomains = false;
166 state.AddHSTS("yahoo.com", expiry, include_subdomains);
168 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
169 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state));
170 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com"));
171 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
174 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
175 TransportSecurityState state;
176 TransportSecurityState::DomainState domain_state;
178 EnableStaticPins(&state);
180 EXPECT_TRUE(
181 state.GetStaticDomainState("chrome.google.com", true, &domain_state));
182 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
185 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
186 TransportSecurityState state;
187 TransportSecurityState::DomainState domain_state;
189 DisableStaticPins(&state);
190 EXPECT_TRUE(
191 state.GetStaticDomainState("chrome.google.com", true, &domain_state));
192 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
195 TEST_F(TransportSecurityStateTest, IsPreloaded) {
196 const std::string paypal = "paypal.com";
197 const std::string www_paypal = "www.paypal.com";
198 const std::string foo_paypal = "foo.paypal.com";
199 const std::string a_www_paypal = "a.www.paypal.com";
200 const std::string abc_paypal = "a.b.c.paypal.com";
201 const std::string example = "example.com";
202 const std::string aypal = "aypal.com";
204 TransportSecurityState state;
205 TransportSecurityState::DomainState domain_state;
207 EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state));
208 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state));
209 EXPECT_FALSE(domain_state.sts.include_subdomains);
210 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state));
211 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state));
212 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state));
213 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state));
216 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
217 TransportSecurityState state;
218 TransportSecurityState::DomainState domain_state;
220 // The domain wasn't being set, leading to a blank string in the
221 // chrome://net-internals/#hsts UI. So test that.
222 EXPECT_TRUE(
223 state.GetStaticDomainState("market.android.com", true, &domain_state));
224 EXPECT_EQ(domain_state.domain, "market.android.com");
225 EXPECT_TRUE(state.GetStaticDomainState(
226 "sub.market.android.com", true, &domain_state));
227 EXPECT_EQ(domain_state.domain, "market.android.com");
230 static bool StaticShouldRedirect(const char* hostname) {
231 TransportSecurityState state;
232 TransportSecurityState::DomainState domain_state;
233 return state.GetStaticDomainState(
234 hostname, true /* SNI ok */, &domain_state) &&
235 domain_state.ShouldUpgradeToSSL();
238 static bool HasStaticState(const char* hostname) {
239 TransportSecurityState state;
240 TransportSecurityState::DomainState domain_state;
241 return state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state);
244 static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) {
245 TransportSecurityState state;
246 TransportSecurityStateTest::EnableStaticPins(&state);
247 TransportSecurityState::DomainState domain_state;
248 if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state))
249 return false;
251 return domain_state.HasPublicKeyPins();
254 static bool HasStaticPublicKeyPins(const char* hostname) {
255 return HasStaticPublicKeyPins(hostname, true);
258 static bool OnlyPinningInStaticState(const char* hostname) {
259 TransportSecurityState state;
260 TransportSecurityStateTest::EnableStaticPins(&state);
261 TransportSecurityState::DomainState domain_state;
262 if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state))
263 return false;
265 return (domain_state.pkp.spki_hashes.size() > 0 ||
266 domain_state.pkp.bad_spki_hashes.size() > 0) &&
267 !domain_state.ShouldUpgradeToSSL();
270 TEST_F(TransportSecurityStateTest, Preloaded) {
271 TransportSecurityState state;
272 TransportSecurityState::DomainState domain_state;
274 // We do more extensive checks for the first domain.
275 EXPECT_TRUE(
276 state.GetStaticDomainState("www.paypal.com", true, &domain_state));
277 EXPECT_EQ(domain_state.sts.upgrade_mode,
278 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
279 EXPECT_FALSE(domain_state.sts.include_subdomains);
280 EXPECT_FALSE(domain_state.pkp.include_subdomains);
282 EXPECT_TRUE(HasStaticState("paypal.com"));
283 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
284 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
286 // Google hosts:
288 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
289 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
290 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
291 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
292 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
293 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
294 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
295 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
296 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
297 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
298 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
299 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
300 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
301 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
302 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
303 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
304 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
305 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
306 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
307 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
308 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
309 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
310 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
311 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
312 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
313 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
314 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
315 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
316 EXPECT_FALSE(HasStaticState("m.gmail.com"));
317 EXPECT_FALSE(HasStaticState("m.googlemail.com"));
319 // Tests for domains that don't work without SNI.
320 EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state));
321 EXPECT_FALSE(
322 state.GetStaticDomainState("www.gmail.com", false, &domain_state));
323 EXPECT_FALSE(state.GetStaticDomainState("m.gmail.com", false, &domain_state));
324 EXPECT_FALSE(
325 state.GetStaticDomainState("googlemail.com", false, &domain_state));
326 EXPECT_FALSE(
327 state.GetStaticDomainState("www.googlemail.com", false, &domain_state));
328 EXPECT_FALSE(
329 state.GetStaticDomainState("m.googlemail.com", false, &domain_state));
331 // Other hosts:
333 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
335 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
336 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
338 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
340 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
341 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
342 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
344 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
345 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
347 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
348 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
349 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
351 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
352 EXPECT_FALSE(HasStaticState("elanex.biz"));
353 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
355 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
356 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
357 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
359 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
360 EXPECT_FALSE(HasStaticState("noisebridge.net"));
361 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
363 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
364 EXPECT_FALSE(HasStaticState("www.neg9.org"));
366 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
367 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
369 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
370 EXPECT_FALSE(HasStaticState("www.factor.cc"));
372 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
373 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
374 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
375 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
376 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
378 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
379 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
380 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
382 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
383 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
384 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
386 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
387 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
389 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
390 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
392 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
393 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
395 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
396 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
398 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
399 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
401 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
402 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
404 EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
405 EXPECT_FALSE(HasStaticState("foo.squareup.com"));
407 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
408 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
410 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
411 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
413 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
414 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
416 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
417 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
419 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
420 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
421 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
423 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
424 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
426 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
427 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
429 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
431 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
432 EXPECT_FALSE(HasStaticState("moneybookers.com"));
434 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
435 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
436 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
438 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
439 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
441 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
442 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
443 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
445 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
446 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
448 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
449 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
451 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
452 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
454 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
455 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
457 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
458 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
459 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
460 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
461 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
462 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
463 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
464 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
465 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
466 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
467 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
468 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
470 EXPECT_TRUE(StaticShouldRedirect("crypto.cat"));
471 EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat"));
473 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
474 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
476 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
477 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
480 TEST_F(TransportSecurityStateTest, PreloadedPins) {
481 TransportSecurityState state;
482 EnableStaticPins(&state);
483 TransportSecurityState::DomainState domain_state;
485 // We do more extensive checks for the first domain.
486 EXPECT_TRUE(
487 state.GetStaticDomainState("www.paypal.com", true, &domain_state));
488 EXPECT_EQ(domain_state.sts.upgrade_mode,
489 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
490 EXPECT_FALSE(domain_state.sts.include_subdomains);
491 EXPECT_FALSE(domain_state.pkp.include_subdomains);
493 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
494 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
495 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
496 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
497 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
498 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
499 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
500 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
501 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
502 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
503 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
504 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
505 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
506 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
507 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
508 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
509 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
511 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
512 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
513 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
514 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
515 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
517 EXPECT_TRUE(
518 state.GetStaticDomainState("torproject.org", false, &domain_state));
519 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
520 EXPECT_TRUE(
521 state.GetStaticDomainState("www.torproject.org", false, &domain_state));
522 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
523 EXPECT_TRUE(
524 state.GetStaticDomainState("check.torproject.org", false, &domain_state));
525 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
526 EXPECT_TRUE(
527 state.GetStaticDomainState("blog.torproject.org", false, &domain_state));
528 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
530 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
533 TEST_F(TransportSecurityStateTest, LongNames) {
534 TransportSecurityState state;
535 const char kLongName[] =
536 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
537 "WaveletIdDomainAndBlipBlipid";
538 TransportSecurityState::DomainState domain_state;
539 // Just checks that we don't hit a NOTREACHED.
540 EXPECT_FALSE(state.GetStaticDomainState(kLongName, true, &domain_state));
541 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
544 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
545 TransportSecurityState state;
546 EnableStaticPins(&state);
547 TransportSecurityState::DomainState domain_state;
549 EXPECT_TRUE(
550 state.GetStaticDomainState("chrome.google.com", true, &domain_state));
551 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
553 HashValueVector hashes;
554 std::string failure_log;
555 // Checks that a built-in list does exist.
556 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
557 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
559 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
560 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
561 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
562 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
563 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
564 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
565 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
566 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
567 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
568 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
569 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
570 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
571 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
572 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
573 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
574 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
575 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
576 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
577 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
578 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
580 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
581 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
582 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
583 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
584 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
586 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
587 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
588 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
589 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
590 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
591 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
592 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
593 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
594 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
595 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
598 static bool AddHash(const std::string& type_and_base64,
599 HashValueVector* out) {
600 HashValue hash;
601 if (!hash.FromString(type_and_base64))
602 return false;
604 out->push_back(hash);
605 return true;
608 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
609 // kGoodPath is blog.torproject.org.
610 static const char* kGoodPath[] = {
611 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
612 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
613 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
614 NULL,
617 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
618 // torproject.org.
619 static const char* kBadPath[] = {
620 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
621 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
622 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
623 NULL,
626 HashValueVector good_hashes, bad_hashes;
628 for (size_t i = 0; kGoodPath[i]; i++) {
629 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
631 for (size_t i = 0; kBadPath[i]; i++) {
632 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
635 TransportSecurityState state;
636 EnableStaticPins(&state);
638 TransportSecurityState::DomainState domain_state;
639 EXPECT_TRUE(
640 state.GetStaticDomainState("blog.torproject.org", true, &domain_state));
641 EXPECT_TRUE(domain_state.HasPublicKeyPins());
643 std::string failure_log;
644 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
645 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
648 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
649 TransportSecurityState state;
650 EnableStaticPins(&state);
651 TransportSecurityState::DomainState domain_state;
653 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
655 EXPECT_FALSE(HasStaticPublicKeyPins("www.google-analytics.com", false));
656 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
657 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
658 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
659 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
660 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
661 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
662 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
663 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
664 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
665 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
666 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
667 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
668 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
669 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
670 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
671 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
672 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
673 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
674 EXPECT_FALSE(HasStaticPublicKeyPins("a.googlegroups.com", false));
677 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
678 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
679 EXPECT_FALSE(StaticShouldRedirect("google.com"));
680 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
682 TransportSecurityState state;
683 TransportSecurityState::DomainState domain_state;
684 const base::Time current_time(base::Time::Now());
685 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
686 domain_state.sts.expiry = expiry;
687 EnableHost(&state, "www.google.com", domain_state);
689 EXPECT_TRUE(state.GetDynamicDomainState("www.google.com", &domain_state));
692 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
693 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
694 "www.example.com", true));
695 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
696 "www.paypal.com", true));
697 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
698 "mail.twitter.com", true));
699 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
700 "www.google.com.int", true));
701 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
702 "jottit.com", true));
703 // learn.doubleclick.net has a more specific match than
704 // *.doubleclick.com, and has 0 or NULL for its required certs.
705 // This test ensures that the exact-match-preferred behavior
706 // works.
707 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
708 "learn.doubleclick.net", true));
710 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
711 "encrypted.google.com", true));
712 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
713 "mail.google.com", true));
714 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
715 "accounts.google.com", true));
716 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
717 "doubleclick.net", true));
718 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
719 "ad.doubleclick.net", true));
720 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
721 "youtube.com", true));
722 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
723 "www.profiles.google.com", true));
724 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
725 "checkout.google.com", true));
726 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
727 "googleadservices.com", true));
729 // Test with sni_enabled false:
730 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
731 "www.example.com", false));
732 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
733 "www.paypal.com", false));
734 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
735 "checkout.google.com", false));
736 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
737 "googleadservices.com", false));
739 // Test some SNI hosts:
740 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
741 "gmail.com", true));
742 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
743 "googlegroups.com", true));
744 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
745 "www.googlegroups.com", true));
746 // Expect to fail for SNI hosts when not searching the SNI list:
747 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
748 "gmail.com", false));
749 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
750 "googlegroups.com", false));
751 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
752 "www.googlegroups.com", false));
755 } // namespace net