search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[SyncFS] Use variadic template in callback_tracker_internal.h
[chromium-blink-merge.git] / net / http / transport_security_state_unittest.cc
blob67e6f9118524f84885a13bf2d4d6c4c2f944bb4c
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_state.h"
6
7 #include <algorithm>
8 #include <string>
9 #include <vector>
10
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/sha1.h"
14 #include "base/strings/string_piece.h"
15 #include "crypto/sha2.h"
16 #include "net/base/net_errors.h"
17 #include "net/base/net_log.h"
18 #include "net/base/test_completion_callback.h"
19 #include "net/base/test_data_directory.h"
20 #include "net/cert/asn1_util.h"
21 #include "net/cert/cert_verifier.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/test_root_certs.h"
24 #include "net/cert/x509_cert_types.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/http/http_util.h"
27 #include "net/ssl/ssl_info.h"
28 #include "net/test/cert_test_util.h"
29 #include "testing/gtest/include/gtest/gtest.h"
30
31 #if defined(USE_OPENSSL)
32 #include "crypto/openssl_util.h"
33 #else
34 #include "crypto/nss_util.h"
35 #endif
36
37 namespace net {
38
39 class TransportSecurityStateTest : public testing::Test {
40 public:
41 virtual void SetUp() {
42 #if defined(USE_OPENSSL)
43 crypto::EnsureOpenSSLInit();
44 #else
45 crypto::EnsureNSSInit();
46 #endif
47 }
48
49 static void DisableStaticPins(TransportSecurityState* state) {
50 state->enable_static_pins_ = false;
51 }
52
53 static void EnableStaticPins(TransportSecurityState* state) {
54 state->enable_static_pins_ = true;
55 }
56
57 protected:
58 bool GetStaticDomainState(TransportSecurityState* state,
59 const std::string& host,
60 TransportSecurityState::DomainState* result) {
61 return state->GetStaticDomainState(host, result);
62 }
63
64 void EnableHost(TransportSecurityState* state,
65 const std::string& host,
66 const TransportSecurityState::DomainState& domain_state) {
67 return state->EnableHost(host, domain_state);
68 }
69 };
70
71 TEST_F(TransportSecurityStateTest, SimpleMatches) {
72 TransportSecurityState state;
73 TransportSecurityState::DomainState domain_state;
74 const base::Time current_time(base::Time::Now());
75 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
76
77 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
78 bool include_subdomains = false;
79 state.AddHSTS("yahoo.com", expiry, include_subdomains);
80 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
81 }
82
83 TEST_F(TransportSecurityStateTest, MatchesCase1) {
84 TransportSecurityState state;
85 TransportSecurityState::DomainState domain_state;
86 const base::Time current_time(base::Time::Now());
87 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
88
89 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
90 bool include_subdomains = false;
91 state.AddHSTS("YAhoo.coM", expiry, include_subdomains);
92 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
93 }
94
95 TEST_F(TransportSecurityStateTest, MatchesCase2) {
96 TransportSecurityState state;
97 TransportSecurityState::DomainState domain_state;
98 const base::Time current_time(base::Time::Now());
99 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
100
101 EXPECT_FALSE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
102 bool include_subdomains = false;
103 state.AddHSTS("yahoo.com", expiry, include_subdomains);
104 EXPECT_TRUE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
105 }
106
107 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
108 TransportSecurityState state;
109 TransportSecurityState::DomainState domain_state;
110 const base::Time current_time(base::Time::Now());
111 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
112
113 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
114 bool include_subdomains = true;
115 state.AddHSTS("yahoo.com", expiry, include_subdomains);
116 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
117 EXPECT_TRUE(state.GetDynamicDomainState("foo.yahoo.com", &domain_state));
118 EXPECT_TRUE(state.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state));
119 EXPECT_TRUE(
120 state.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state));
121 EXPECT_FALSE(state.GetDynamicDomainState("com", &domain_state));
122 }
123
124 TEST_F(TransportSecurityStateTest, InvalidDomains) {
125 TransportSecurityState state;
126 TransportSecurityState::DomainState domain_state;
127 const base::Time current_time(base::Time::Now());
128 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
129
130 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
131 bool include_subdomains = true;
132 state.AddHSTS("yahoo.com", expiry, include_subdomains);
133 EXPECT_TRUE(state.GetDynamicDomainState("www-.foo.yahoo.com", &domain_state));
134 EXPECT_TRUE(
135 state.GetDynamicDomainState("2\x01.foo.yahoo.com", &domain_state));
136 }
137
138 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
139 TransportSecurityState state;
140 TransportSecurityState::DomainState domain_state;
141 const base::Time current_time(base::Time::Now());
142 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
143 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
144
145 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
146 bool include_subdomains = false;
147 state.AddHSTS("yahoo.com", expiry, include_subdomains);
148
149 state.DeleteAllDynamicDataSince(expiry);
150 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
151 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
152 domain_state.sts.upgrade_mode);
153 state.DeleteAllDynamicDataSince(older);
154 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
155 EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT,
156 domain_state.sts.upgrade_mode);
157 }
158
159 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
160 TransportSecurityState state;
161 TransportSecurityState::DomainState domain_state;
162 const base::Time current_time(base::Time::Now());
163 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
164 bool include_subdomains = false;
165 state.AddHSTS("yahoo.com", expiry, include_subdomains);
166
167 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
168 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state));
169 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com"));
170 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
171 }
172
173 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
174 TransportSecurityState state;
175 TransportSecurityState::DomainState domain_state;
176
177 EnableStaticPins(&state);
178
179 EXPECT_TRUE(
180 state.GetStaticDomainState("chrome.google.com", &domain_state));
181 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
182 }
183
184 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
185 TransportSecurityState state;
186 TransportSecurityState::DomainState domain_state;
187
188 DisableStaticPins(&state);
189 EXPECT_TRUE(
190 state.GetStaticDomainState("chrome.google.com", &domain_state));
191 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
192 }
193
194 TEST_F(TransportSecurityStateTest, IsPreloaded) {
195 const std::string paypal = "paypal.com";
196 const std::string www_paypal = "www.paypal.com";
197 const std::string foo_paypal = "foo.paypal.com";
198 const std::string a_www_paypal = "a.www.paypal.com";
199 const std::string abc_paypal = "a.b.c.paypal.com";
200 const std::string example = "example.com";
201 const std::string aypal = "aypal.com";
202
203 TransportSecurityState state;
204 TransportSecurityState::DomainState domain_state;
205
206 EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
207 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
208 EXPECT_FALSE(domain_state.sts.include_subdomains);
209 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
210 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
211 EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
212 EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
213 }
214
215 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
216 TransportSecurityState state;
217 TransportSecurityState::DomainState domain_state;
218
219 // The domain wasn't being set, leading to a blank string in the
220 // chrome://net-internals/#hsts UI. So test that.
221 EXPECT_TRUE(
222 state.GetStaticDomainState("market.android.com", &domain_state));
223 EXPECT_EQ(domain_state.domain, "market.android.com");
224 EXPECT_TRUE(state.GetStaticDomainState(
225 "sub.market.android.com", &domain_state));
226 EXPECT_EQ(domain_state.domain, "market.android.com");
227 }
228
229 static bool StaticShouldRedirect(const char* hostname) {
230 TransportSecurityState state;
231 TransportSecurityState::DomainState domain_state;
232 return state.GetStaticDomainState(
233 hostname, &domain_state) &&
234 domain_state.ShouldUpgradeToSSL();
235 }
236
237 static bool HasStaticState(const char* hostname) {
238 TransportSecurityState state;
239 TransportSecurityState::DomainState domain_state;
240 return state.GetStaticDomainState(hostname, &domain_state);
241 }
242
243 static bool HasStaticPublicKeyPins(const char* hostname) {
244 TransportSecurityState state;
245 TransportSecurityStateTest::EnableStaticPins(&state);
246 TransportSecurityState::DomainState domain_state;
247 if (!state.GetStaticDomainState(hostname, &domain_state))
248 return false;
249
250 return domain_state.HasPublicKeyPins();
251 }
252
253 static bool OnlyPinningInStaticState(const char* hostname) {
254 TransportSecurityState state;
255 TransportSecurityStateTest::EnableStaticPins(&state);
256 TransportSecurityState::DomainState domain_state;
257 if (!state.GetStaticDomainState(hostname, &domain_state))
258 return false;
259
260 return (domain_state.pkp.spki_hashes.size() > 0 ||
261 domain_state.pkp.bad_spki_hashes.size() > 0) &&
262 !domain_state.ShouldUpgradeToSSL();
263 }
264
265 TEST_F(TransportSecurityStateTest, Preloaded) {
266 TransportSecurityState state;
267 TransportSecurityState::DomainState domain_state;
268
269 // We do more extensive checks for the first domain.
270 EXPECT_TRUE(
271 state.GetStaticDomainState("www.paypal.com", &domain_state));
272 EXPECT_EQ(domain_state.sts.upgrade_mode,
273 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
274 EXPECT_FALSE(domain_state.sts.include_subdomains);
275 EXPECT_FALSE(domain_state.pkp.include_subdomains);
276
277 EXPECT_TRUE(HasStaticState("paypal.com"));
278 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
279 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
280
281 // Google hosts:
282
283 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
284 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
285 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
286 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
287 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
288 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
289 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
290 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
291 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
292 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
293 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
294 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
295 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
296 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
297 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
298 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
299 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
300 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
301 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
302 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
303 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
304 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
305 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
306 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
307 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
308 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
309 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
310 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
311
312 // These domains used to be only HSTS when SNI was available.
313 EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
314 EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
315 EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
316 EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
317
318 // Other hosts:
319
320 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
321
322 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
323 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
324
325 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
326
327 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
328 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
329 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
330
331 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
332 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
333
334 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
335 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
336 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
337
338 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
339 EXPECT_FALSE(HasStaticState("elanex.biz"));
340 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
341
342 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
343 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
344 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
345
346 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
347 EXPECT_FALSE(HasStaticState("noisebridge.net"));
348 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
349
350 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
351 EXPECT_FALSE(HasStaticState("www.neg9.org"));
352
353 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
354 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
355
356 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
357 EXPECT_FALSE(HasStaticState("www.factor.cc"));
358
359 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
360 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
361 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
362 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
363 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
364
365 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
366 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
367 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
368
369 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
370 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
371 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
372
373 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
374 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
375
376 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
377 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
378
379 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
380 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
381
382 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
383 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
384
385 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
386 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
387
388 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
389 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
390
391 EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
392 EXPECT_FALSE(HasStaticState("foo.squareup.com"));
393
394 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
395 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
396
397 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
398 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
399
400 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
401 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
402
403 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
404 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
405
406 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
407 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
408 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
409
410 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
411 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
412
413 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
414 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
415
416 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
417
418 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
419 EXPECT_FALSE(HasStaticState("moneybookers.com"));
420
421 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
422 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
423 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
424
425 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
426 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
427
428 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
429 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
430 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
431
432 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
433 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
434
435 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
436 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
437
438 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
439 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
440
441 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
442 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
443
444 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
445 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
446 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
447 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
448 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
449 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
450 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
451 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
452 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
453 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
454 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
455 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
456
457 EXPECT_TRUE(StaticShouldRedirect("crypto.cat"));
458 EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat"));
459
460 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
461 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
462
463 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
464 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
465 }
466
467 TEST_F(TransportSecurityStateTest, PreloadedPins) {
468 TransportSecurityState state;
469 EnableStaticPins(&state);
470 TransportSecurityState::DomainState domain_state;
471
472 // We do more extensive checks for the first domain.
473 EXPECT_TRUE(
474 state.GetStaticDomainState("www.paypal.com", &domain_state));
475 EXPECT_EQ(domain_state.sts.upgrade_mode,
476 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
477 EXPECT_FALSE(domain_state.sts.include_subdomains);
478 EXPECT_FALSE(domain_state.pkp.include_subdomains);
479
480 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
481 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
482 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
483 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
484 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
485 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
486 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
487 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
488 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
489 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
490 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
491 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
492 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
493 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
494 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
495 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
496 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
497
498 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
499 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
500 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
501 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
502 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
503
504 EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
505 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
506 EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
507 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
508 EXPECT_TRUE(
509 state.GetStaticDomainState("check.torproject.org", &domain_state));
510 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
511 EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
512 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
513
514 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
515 }
516
517 TEST_F(TransportSecurityStateTest, LongNames) {
518 TransportSecurityState state;
519 const char kLongName[] =
520 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
521 "WaveletIdDomainAndBlipBlipid";
522 TransportSecurityState::DomainState domain_state;
523 // Just checks that we don't hit a NOTREACHED.
524 EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
525 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
526 }
527
528 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
529 TransportSecurityState state;
530 EnableStaticPins(&state);
531 TransportSecurityState::DomainState domain_state;
532
533 EXPECT_TRUE(
534 state.GetStaticDomainState("chrome.google.com", &domain_state));
535 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
536
537 HashValueVector hashes;
538 std::string failure_log;
539 // Checks that a built-in list does exist.
540 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
541 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
542
543 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
544 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
545 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
546 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
547 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
548 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
549 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
550 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
551 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
552 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
553 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
554 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
555 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
556 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
557 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
558 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
559 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
560 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
561 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
562 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
563
564 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
565 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
566 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
567 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
568 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
569
570 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
571 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
572 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
573 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
574 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
575 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
576 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
577 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
578 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
579 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
580 }
581
582 static bool AddHash(const std::string& type_and_base64,
583 HashValueVector* out) {
584 HashValue hash;
585 if (!hash.FromString(type_and_base64))
586 return false;
587
588 out->push_back(hash);
589 return true;
590 }
591
592 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
593 // kGoodPath is blog.torproject.org.
594 static const char* kGoodPath[] = {
595 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
596 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
597 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
598 NULL,
599 };
600
601 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
602 // torproject.org.
603 static const char* kBadPath[] = {
604 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
605 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
606 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
607 NULL,
608 };
609
610 HashValueVector good_hashes, bad_hashes;
611
612 for (size_t i = 0; kGoodPath[i]; i++) {
613 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
614 }
615 for (size_t i = 0; kBadPath[i]; i++) {
616 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
617 }
618
619 TransportSecurityState state;
620 EnableStaticPins(&state);
621
622 TransportSecurityState::DomainState domain_state;
623 EXPECT_TRUE(
624 state.GetStaticDomainState("blog.torproject.org", &domain_state));
625 EXPECT_TRUE(domain_state.HasPublicKeyPins());
626
627 std::string failure_log;
628 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
629 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
630 }
631
632 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
633 TransportSecurityState state;
634 EnableStaticPins(&state);
635 TransportSecurityState::DomainState domain_state;
636
637 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
638
639 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
640 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
641 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
642 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
643 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
644 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
645 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
646 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
647 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
648 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
649 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
650 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
651 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
652 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
653 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
654 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
655 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
656 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
657 }
658
659 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
660 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
661 EXPECT_FALSE(StaticShouldRedirect("google.com"));
662 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
663
664 TransportSecurityState state;
665 TransportSecurityState::DomainState domain_state;
666 const base::Time current_time(base::Time::Now());
667 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
668 domain_state.sts.expiry = expiry;
669 EnableHost(&state, "www.google.com", domain_state);
670
671 EXPECT_TRUE(state.GetDynamicDomainState("www.google.com", &domain_state));
672 }
673
674 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
675 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
676 "www.example.com"));
677 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
678 "www.paypal.com"));
679 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
680 "mail.twitter.com"));
681 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
682 "www.google.com.int"));
683 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
684 "jottit.com"));
685 // learn.doubleclick.net has a more specific match than
686 // *.doubleclick.com, and has 0 or NULL for its required certs.
687 // This test ensures that the exact-match-preferred behavior
688 // works.
689 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
690 "learn.doubleclick.net"));
691
692 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
693 "encrypted.google.com"));
694 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
695 "mail.google.com"));
696 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
697 "accounts.google.com"));
698 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
699 "doubleclick.net"));
700 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
701 "ad.doubleclick.net"));
702 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
703 "youtube.com"));
704 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
705 "www.profiles.google.com"));
706 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
707 "checkout.google.com"));
708 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
709 "googleadservices.com"));
710
711 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
712 "www.example.com"));
713 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
714 "www.paypal.com"));
715 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
716 "checkout.google.com"));
717 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
718 "googleadservices.com"));
719
720 // Test some SNI hosts:
721 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
722 "gmail.com"));
723 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
724 "googlegroups.com"));
725 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
726 "www.googlegroups.com"));
727
728 // These hosts used to only be HSTS when SNI was available.
729 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
730 "gmail.com"));
731 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
732 "googlegroups.com"));
733 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
734 "www.googlegroups.com"));
735 }
736
737 } // namespace net