search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert of Revert of Use BoringSSL in the implementation of ClearKey for Chromecast...
[chromium-blink-merge.git] / net / http / transport_security_state_unittest.cc
blob61d291251754db82772f959468a0ad66581da2c5
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_state.h"
6
7 #include <algorithm>
8 #include <string>
9 #include <vector>
10
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/rand_util.h"
14 #include "base/sha1.h"
15 #include "base/strings/string_piece.h"
16 #include "crypto/sha2.h"
17 #include "net/base/net_errors.h"
18 #include "net/base/test_completion_callback.h"
19 #include "net/base/test_data_directory.h"
20 #include "net/cert/asn1_util.h"
21 #include "net/cert/cert_verifier.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/test_root_certs.h"
24 #include "net/cert/x509_cert_types.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/http/http_util.h"
27 #include "net/log/net_log.h"
28 #include "net/ssl/ssl_info.h"
29 #include "net/test/cert_test_util.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31
32 #if defined(USE_OPENSSL)
33 #include "crypto/openssl_util.h"
34 #else
35 #include "crypto/nss_util.h"
36 #endif
37
38 namespace net {
39
40 class TransportSecurityStateTest : public testing::Test {
41 public:
42 void SetUp() override {
43 #if defined(USE_OPENSSL)
44 crypto::EnsureOpenSSLInit();
45 #else
46 crypto::EnsureNSSInit();
47 #endif
48 }
49
50 static void DisableStaticPins(TransportSecurityState* state) {
51 state->enable_static_pins_ = false;
52 }
53
54 static void EnableStaticPins(TransportSecurityState* state) {
55 state->enable_static_pins_ = true;
56 }
57
58 static HashValueVector GetSampleSPKIHashes() {
59 HashValueVector spki_hashes;
60 HashValue hash(HASH_VALUE_SHA1);
61 memset(hash.data(), 0, hash.size());
62 spki_hashes.push_back(hash);
63 return spki_hashes;
64 }
65
66 protected:
67 bool GetStaticDomainState(TransportSecurityState* state,
68 const std::string& host,
69 TransportSecurityState::DomainState* result) {
70 return state->GetStaticDomainState(host, result);
71 }
72 };
73
74 TEST_F(TransportSecurityStateTest, SimpleMatches) {
75 TransportSecurityState state;
76 const base::Time current_time(base::Time::Now());
77 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
78
79 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
80 bool include_subdomains = false;
81 state.AddHSTS("yahoo.com", expiry, include_subdomains);
82 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
83 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("yahoo.com"));
84 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.yahoo.com"));
85 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("foo.yahoo.com"));
86 }
87
88 TEST_F(TransportSecurityStateTest, MatchesCase1) {
89 TransportSecurityState state;
90 const base::Time current_time(base::Time::Now());
91 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
92
93 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
94 bool include_subdomains = false;
95 state.AddHSTS("YAhoo.coM", expiry, include_subdomains);
96 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
97 }
98
99 TEST_F(TransportSecurityStateTest, Fuzz) {
100 TransportSecurityState state;
101 TransportSecurityState::DomainState domain_state;
102
103 EnableStaticPins(&state);
104
105 for (size_t i = 0; i < 128; i++) {
106 std::string hostname;
107
108 for (;;) {
109 if (base::RandInt(0, 16) == 7) {
110 break;
111 }
112 if (i > 0 && base::RandInt(0, 7) == 7) {
113 hostname.append(1, '.');
114 }
115 hostname.append(1, 'a' + base::RandInt(0, 25));
116 }
117 state.GetStaticDomainState(hostname, &domain_state);
118 }
119 }
120
121 TEST_F(TransportSecurityStateTest, MatchesCase2) {
122 TransportSecurityState state;
123 const base::Time current_time(base::Time::Now());
124 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
125
126 EXPECT_FALSE(state.ShouldUpgradeToSSL("YAhoo.coM"));
127 bool include_subdomains = false;
128 state.AddHSTS("yahoo.com", expiry, include_subdomains);
129 EXPECT_TRUE(state.ShouldUpgradeToSSL("YAhoo.coM"));
130 }
131
132 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
133 TransportSecurityState state;
134 const base::Time current_time(base::Time::Now());
135 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
136
137 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
138 bool include_subdomains = true;
139 state.AddHSTS("yahoo.com", expiry, include_subdomains);
140 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
141 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.yahoo.com"));
142 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.yahoo.com"));
143 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.yahoo.com"));
144 EXPECT_FALSE(state.ShouldUpgradeToSSL("com"));
145 EXPECT_FALSE(state.ShouldUpgradeToSSL("notyahoo.com"));
146 }
147
148 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule
149 // with it, regardless of the includeSubDomains bit. This is a regression test
150 // for https://crbug.com/469957.
151 TEST_F(TransportSecurityStateTest, SubdomainCarveout) {
152 TransportSecurityState state;
153 const base::Time current_time(base::Time::Now());
154 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
155 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
156
157 state.AddHSTS("example1.com", expiry, true);
158 state.AddHSTS("foo.example1.com", expiry, false);
159
160 state.AddHPKP("example2.com", expiry, true, GetSampleSPKIHashes());
161 state.AddHPKP("foo.example2.com", expiry, false, GetSampleSPKIHashes());
162
163 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.com"));
164 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.com"));
165
166 // The foo.example1.com rule overrides the example1.com rule, so
167 // bar.foo.example1.com has no HSTS state.
168 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.com"));
169 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.com"));
170
171 EXPECT_TRUE(state.HasPublicKeyPins("example2.com"));
172 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.com"));
173
174 // The foo.example2.com rule overrides the example1.com rule, so
175 // bar.foo.example2.com has no HPKP state.
176 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.com"));
177 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.com"));
178
179 // Expire the foo.example*.com rules.
180 state.AddHSTS("foo.example1.com", older, false);
181 state.AddHPKP("foo.example2.com", older, false, GetSampleSPKIHashes());
182
183 // Now the base example*.com rules apply to bar.foo.example*.com.
184 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.com"));
185 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.com"));
186 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.com"));
187 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.com"));
188 }
189
190 TEST_F(TransportSecurityStateTest, FatalSSLErrors) {
191 TransportSecurityState state;
192 const base::Time current_time(base::Time::Now());
193 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
194
195 state.AddHSTS("example1.com", expiry, false);
196 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes());
197
198 // The presense of either HSTS or HPKP is enough to make SSL errors fatal.
199 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.com"));
200 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.com"));
201 }
202
203 // Tests that HPKP and HSTS state both expire. Also tests that expired entries
204 // are pruned.
205 TEST_F(TransportSecurityStateTest, Expiration) {
206 TransportSecurityState state;
207 const base::Time current_time(base::Time::Now());
208 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
209 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
210
211 // Note: this test assumes that inserting an entry with an expiration time in
212 // the past works and is pruned on query.
213 state.AddHSTS("example1.com", older, false);
214 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
215 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.com"));
216 // Querying |state| for a domain should flush out expired entries.
217 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
218
219 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes());
220 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
221 EXPECT_FALSE(state.HasPublicKeyPins("example1.com"));
222 // Querying |state| for a domain should flush out expired entries.
223 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
224
225 state.AddHSTS("example1.com", older, false);
226 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes());
227 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
228 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.com"));
229 // Querying |state| for a domain should flush out expired entries.
230 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
231
232 // Test that HSTS can outlive HPKP.
233 state.AddHSTS("example1.com", expiry, false);
234 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes());
235 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.com"));
236 EXPECT_FALSE(state.HasPublicKeyPins("example1.com"));
237
238 // Test that HPKP can outlive HSTS.
239 state.AddHSTS("example2.com", older, false);
240 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes());
241 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.com"));
242 EXPECT_TRUE(state.HasPublicKeyPins("example2.com"));
243 }
244
245 TEST_F(TransportSecurityStateTest, InvalidDomains) {
246 TransportSecurityState state;
247 const base::Time current_time(base::Time::Now());
248 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
249
250 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
251 bool include_subdomains = true;
252 state.AddHSTS("yahoo.com", expiry, include_subdomains);
253 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.yahoo.com"));
254 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.yahoo.com"));
255 }
256
257 // Tests that HPKP and HSTS state are queried independently for subdomain
258 // matches.
259 TEST_F(TransportSecurityStateTest, IndependentSubdomain) {
260 TransportSecurityState state;
261 const base::Time current_time(base::Time::Now());
262 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
263
264 state.AddHSTS("example1.com", expiry, true);
265 state.AddHPKP("example1.com", expiry, false, GetSampleSPKIHashes());
266
267 state.AddHSTS("example2.com", expiry, false);
268 state.AddHPKP("example2.com", expiry, true, GetSampleSPKIHashes());
269
270 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.com"));
271 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.com"));
272 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.com"));
273 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.com"));
274 }
275
276 // Tests that HPKP and HSTS state are inserted and overridden independently.
277 TEST_F(TransportSecurityStateTest, IndependentInsertion) {
278 TransportSecurityState state;
279 const base::Time current_time(base::Time::Now());
280 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
281
282 // Place an includeSubdomains HSTS entry below a normal HPKP entry.
283 state.AddHSTS("example1.com", expiry, true);
284 state.AddHPKP("foo.example1.com", expiry, false, GetSampleSPKIHashes());
285
286 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.com"));
287 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.com"));
288 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.com"));
289 EXPECT_FALSE(state.HasPublicKeyPins("example1.com"));
290
291 // Drop the includeSubdomains from the HSTS entry.
292 state.AddHSTS("example1.com", expiry, false);
293
294 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.com"));
295 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.com"));
296
297 // Place an includeSubdomains HPKP entry below a normal HSTS entry.
298 state.AddHSTS("foo.example2.com", expiry, false);
299 state.AddHPKP("example2.com", expiry, true, GetSampleSPKIHashes());
300
301 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.com"));
302 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.com"));
303
304 // Drop the includeSubdomains from the HSTS entry.
305 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes());
306
307 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.com"));
308 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.com"));
309 }
310
311 // Tests that GetDynamicDomainState appropriately stitches together the results
312 // of HSTS and HPKP.
313 TEST_F(TransportSecurityStateTest, DynamicDomainState) {
314 TransportSecurityState state;
315 const base::Time current_time(base::Time::Now());
316 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000);
317 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000);
318
319 state.AddHSTS("example.com", expiry1, true);
320 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes());
321
322 TransportSecurityState::DomainState domain_state;
323 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
324 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
325 EXPECT_TRUE(domain_state.HasPublicKeyPins());
326 EXPECT_TRUE(domain_state.sts.include_subdomains);
327 EXPECT_FALSE(domain_state.pkp.include_subdomains);
328 EXPECT_EQ(expiry1, domain_state.sts.expiry);
329 EXPECT_EQ(expiry2, domain_state.pkp.expiry);
330 EXPECT_EQ("example.com", domain_state.sts.domain);
331 EXPECT_EQ("foo.example.com", domain_state.pkp.domain);
332 }
333
334 // Tests that new pins always override previous pins. This should be true for
335 // both pins at the same domain or includeSubdomains pins at a parent domain.
336 TEST_F(TransportSecurityStateTest, NewPinsOverride) {
337 TransportSecurityState state;
338 TransportSecurityState::DomainState domain_state;
339 const base::Time current_time(base::Time::Now());
340 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
341 HashValue hash1(HASH_VALUE_SHA1);
342 memset(hash1.data(), 0x01, hash1.size());
343 HashValue hash2(HASH_VALUE_SHA1);
344 memset(hash2.data(), 0x02, hash1.size());
345 HashValue hash3(HASH_VALUE_SHA1);
346 memset(hash3.data(), 0x03, hash1.size());
347
348 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1));
349
350 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
351 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
352 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash1));
353
354 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2));
355
356 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
357 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
358 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash2));
359
360 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3));
361
362 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
363 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
364 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash3));
365 }
366
367 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
368 TransportSecurityState state;
369 const base::Time current_time(base::Time::Now());
370 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
371 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
372
373 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
374 bool include_subdomains = false;
375 state.AddHSTS("yahoo.com", expiry, include_subdomains);
376
377 state.DeleteAllDynamicDataSince(expiry);
378 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
379 state.DeleteAllDynamicDataSince(older);
380 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
381
382 // |state| should be empty now.
383 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
384 }
385
386 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
387 TransportSecurityState state;
388 const base::Time current_time(base::Time::Now());
389 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
390 bool include_subdomains = false;
391 state.AddHSTS("yahoo.com", expiry, include_subdomains);
392
393 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com"));
394 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
395 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com"));
396 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com"));
397 }
398
399 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
400 TransportSecurityState state;
401 TransportSecurityState::DomainState domain_state;
402
403 EnableStaticPins(&state);
404
405 EXPECT_TRUE(
406 state.GetStaticDomainState("chrome.google.com", &domain_state));
407 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
408 }
409
410 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
411 TransportSecurityState state;
412 TransportSecurityState::DomainState domain_state;
413
414 DisableStaticPins(&state);
415 EXPECT_TRUE(
416 state.GetStaticDomainState("chrome.google.com", &domain_state));
417 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
418 }
419
420 TEST_F(TransportSecurityStateTest, IsPreloaded) {
421 const std::string paypal = "paypal.com";
422 const std::string www_paypal = "www.paypal.com";
423 const std::string foo_paypal = "foo.paypal.com";
424 const std::string a_www_paypal = "a.www.paypal.com";
425 const std::string abc_paypal = "a.b.c.paypal.com";
426 const std::string example = "example.com";
427 const std::string aypal = "aypal.com";
428
429 TransportSecurityState state;
430 TransportSecurityState::DomainState domain_state;
431
432 EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
433 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
434 EXPECT_FALSE(domain_state.sts.include_subdomains);
435 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
436 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
437 EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
438 EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
439 }
440
441 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
442 TransportSecurityState state;
443 TransportSecurityState::DomainState domain_state;
444
445 // The domain wasn't being set, leading to a blank string in the
446 // chrome://net-internals/#hsts UI. So test that.
447 EXPECT_TRUE(
448 state.GetStaticDomainState("market.android.com", &domain_state));
449 EXPECT_EQ(domain_state.sts.domain, "market.android.com");
450 EXPECT_EQ(domain_state.pkp.domain, "market.android.com");
451 EXPECT_TRUE(state.GetStaticDomainState(
452 "sub.market.android.com", &domain_state));
453 EXPECT_EQ(domain_state.sts.domain, "market.android.com");
454 EXPECT_EQ(domain_state.pkp.domain, "market.android.com");
455 }
456
457 static bool StaticShouldRedirect(const char* hostname) {
458 TransportSecurityState state;
459 TransportSecurityState::DomainState domain_state;
460 return state.GetStaticDomainState(
461 hostname, &domain_state) &&
462 domain_state.ShouldUpgradeToSSL();
463 }
464
465 static bool HasStaticState(const char* hostname) {
466 TransportSecurityState state;
467 TransportSecurityState::DomainState domain_state;
468 return state.GetStaticDomainState(hostname, &domain_state);
469 }
470
471 static bool HasStaticPublicKeyPins(const char* hostname) {
472 TransportSecurityState state;
473 TransportSecurityStateTest::EnableStaticPins(&state);
474 TransportSecurityState::DomainState domain_state;
475 if (!state.GetStaticDomainState(hostname, &domain_state))
476 return false;
477
478 return domain_state.HasPublicKeyPins();
479 }
480
481 static bool OnlyPinningInStaticState(const char* hostname) {
482 TransportSecurityState state;
483 TransportSecurityStateTest::EnableStaticPins(&state);
484 TransportSecurityState::DomainState domain_state;
485 if (!state.GetStaticDomainState(hostname, &domain_state))
486 return false;
487
488 return (domain_state.pkp.spki_hashes.size() > 0 ||
489 domain_state.pkp.bad_spki_hashes.size() > 0) &&
490 !domain_state.ShouldUpgradeToSSL();
491 }
492
493 TEST_F(TransportSecurityStateTest, Preloaded) {
494 TransportSecurityState state;
495 TransportSecurityState::DomainState domain_state;
496
497 // We do more extensive checks for the first domain.
498 EXPECT_TRUE(
499 state.GetStaticDomainState("www.paypal.com", &domain_state));
500 EXPECT_EQ(domain_state.sts.upgrade_mode,
501 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
502 EXPECT_FALSE(domain_state.sts.include_subdomains);
503 EXPECT_FALSE(domain_state.pkp.include_subdomains);
504
505 EXPECT_TRUE(HasStaticState("paypal.com"));
506 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
507
508 // Google hosts:
509
510 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
511 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
512 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
513 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
514 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
515 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
516 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
517 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
518 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
519 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
520 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
521 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
522 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
523 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
524 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
525 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
526 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
527 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
528 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
529 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
530 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
531 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
532 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
533 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
534 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
535 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
536 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
537 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
538
539 // These domains used to be only HSTS when SNI was available.
540 EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
541 EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
542 EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
543 EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
544
545 // Other hosts:
546
547 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
548
549 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
550 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
551
552 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
553
554 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
555 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
556 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
557
558 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
559 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
560
561 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
562 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
563 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
564
565 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
566 EXPECT_FALSE(HasStaticState("elanex.biz"));
567 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
568
569 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
570 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
571 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
572
573 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
574 EXPECT_FALSE(HasStaticState("noisebridge.net"));
575 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
576
577 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
578 EXPECT_FALSE(HasStaticState("www.neg9.org"));
579
580 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
581 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
582
583 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
584 EXPECT_FALSE(HasStaticState("www.factor.cc"));
585
586 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
587 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
588 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
589 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
590 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
591
592 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
593 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
594 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
595
596 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
597 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
598 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
599
600 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
601 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
602
603 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
604 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
605
606 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
607 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
608
609 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
610 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
611
612 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
613 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
614
615 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
616 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
617
618 EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
619 EXPECT_FALSE(HasStaticState("foo.squareup.com"));
620
621 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
622 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
623
624 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
625 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
626
627 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
628 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
629
630 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
631 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
632
633 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
634 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
635 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
636
637 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
638 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
639
640 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
641 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
642
643 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
644
645 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
646 EXPECT_FALSE(HasStaticState("moneybookers.com"));
647
648 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
649 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
650 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
651
652 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
653 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
654
655 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
656 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
657 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
658
659 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
660 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
661
662 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
663 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
664
665 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
666 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
667
668 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
669 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
670
671 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
672 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
673 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
674 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
675 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
676 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
677 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
678 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
679 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
680 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
681 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
682 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
683
684 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
685 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
686
687 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
688 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
689 }
690
691 TEST_F(TransportSecurityStateTest, PreloadedPins) {
692 TransportSecurityState state;
693 EnableStaticPins(&state);
694 TransportSecurityState::DomainState domain_state;
695
696 // We do more extensive checks for the first domain.
697 EXPECT_TRUE(
698 state.GetStaticDomainState("www.paypal.com", &domain_state));
699 EXPECT_EQ(domain_state.sts.upgrade_mode,
700 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
701 EXPECT_FALSE(domain_state.sts.include_subdomains);
702 EXPECT_FALSE(domain_state.pkp.include_subdomains);
703
704 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
705 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
706 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
707 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
708 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
709 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
710 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
711 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
712 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
713 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
714 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
715 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
716 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
717 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
718 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
719 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
720 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
721
722 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
723 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
724 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
725 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
726 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
727
728 EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
729 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
730 EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
731 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
732 EXPECT_TRUE(
733 state.GetStaticDomainState("check.torproject.org", &domain_state));
734 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
735 EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
736 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
737
738 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
739
740 // Check that Facebook subdomains have pinning but not HSTS.
741 EXPECT_TRUE(state.GetStaticDomainState("facebook.com", &domain_state));
742 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
743 EXPECT_TRUE(StaticShouldRedirect("facebook.com"));
744
745 EXPECT_FALSE(state.GetStaticDomainState("foo.facebook.com", &domain_state));
746
747 EXPECT_TRUE(state.GetStaticDomainState("www.facebook.com", &domain_state));
748 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
749 EXPECT_TRUE(StaticShouldRedirect("www.facebook.com"));
750
751 EXPECT_TRUE(
752 state.GetStaticDomainState("foo.www.facebook.com", &domain_state));
753 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
754 EXPECT_TRUE(StaticShouldRedirect("foo.www.facebook.com"));
755 }
756
757 TEST_F(TransportSecurityStateTest, LongNames) {
758 TransportSecurityState state;
759 const char kLongName[] =
760 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
761 "WaveletIdDomainAndBlipBlipid";
762 TransportSecurityState::DomainState domain_state;
763 // Just checks that we don't hit a NOTREACHED.
764 EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
765 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
766 }
767
768 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
769 TransportSecurityState state;
770 EnableStaticPins(&state);
771 TransportSecurityState::DomainState domain_state;
772
773 EXPECT_TRUE(
774 state.GetStaticDomainState("chrome.google.com", &domain_state));
775 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
776
777 HashValueVector hashes;
778 std::string failure_log;
779 // Checks that a built-in list does exist.
780 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
781 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
782
783 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
784 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
785 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
786 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
787 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
788 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
789 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
790 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
791 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
792 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
793 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
794 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
795 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
796 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
797 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
798 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
799 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
800 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
801 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
802 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
803
804 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
805 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
806 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
807 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
808 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
809
810 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
811 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
812 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
813 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
814 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
815 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
816 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
817 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
818 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
819 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
820 }
821
822 static bool AddHash(const std::string& type_and_base64,
823 HashValueVector* out) {
824 HashValue hash;
825 if (!hash.FromString(type_and_base64))
826 return false;
827
828 out->push_back(hash);
829 return true;
830 }
831
832 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
833 // kGoodPath is blog.torproject.org.
834 static const char* const kGoodPath[] = {
835 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
836 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
837 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
838 NULL,
839 };
840
841 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
842 // torproject.org.
843 static const char* const kBadPath[] = {
844 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
845 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
846 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
847 NULL,
848 };
849
850 HashValueVector good_hashes, bad_hashes;
851
852 for (size_t i = 0; kGoodPath[i]; i++) {
853 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
854 }
855 for (size_t i = 0; kBadPath[i]; i++) {
856 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
857 }
858
859 TransportSecurityState state;
860 EnableStaticPins(&state);
861
862 TransportSecurityState::DomainState domain_state;
863 EXPECT_TRUE(
864 state.GetStaticDomainState("blog.torproject.org", &domain_state));
865 EXPECT_TRUE(domain_state.HasPublicKeyPins());
866
867 std::string failure_log;
868 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
869 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
870 }
871
872 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
873 TransportSecurityState state;
874 EnableStaticPins(&state);
875 TransportSecurityState::DomainState domain_state;
876
877 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
878
879 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
880 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
881 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
882 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
883 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
884 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
885 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
886 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
887 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
888 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
889 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
890 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
891 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
892 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
893 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
894 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
895 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
896 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
897 }
898
899 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
900 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
901 EXPECT_FALSE(StaticShouldRedirect("google.com"));
902 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
903
904 TransportSecurityState state;
905 const base::Time current_time(base::Time::Now());
906 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
907 state.AddHSTS("www.google.com", expiry, true);
908
909 EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com"));
910 }
911
912 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
913 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
914 "www.example.com"));
915 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
916 "www.paypal.com"));
917 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
918 "mail.twitter.com"));
919 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
920 "www.google.com.int"));
921 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
922 "jottit.com"));
923 // learn.doubleclick.net has a more specific match than
924 // *.doubleclick.com, and has 0 or NULL for its required certs.
925 // This test ensures that the exact-match-preferred behavior
926 // works.
927 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
928 "learn.doubleclick.net"));
929
930 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
931 "encrypted.google.com"));
932 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
933 "mail.google.com"));
934 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
935 "accounts.google.com"));
936 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
937 "doubleclick.net"));
938 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
939 "ad.doubleclick.net"));
940 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
941 "youtube.com"));
942 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
943 "www.profiles.google.com"));
944 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
945 "checkout.google.com"));
946 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
947 "googleadservices.com"));
948
949 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
950 "www.example.com"));
951 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
952 "www.paypal.com"));
953 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
954 "checkout.google.com"));
955 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
956 "googleadservices.com"));
957
958 // Test some SNI hosts:
959 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
960 "gmail.com"));
961 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
962 "googlegroups.com"));
963 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
964 "www.googlegroups.com"));
965
966 // These hosts used to only be HSTS when SNI was available.
967 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
968 "gmail.com"));
969 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
970 "googlegroups.com"));
971 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
972 "www.googlegroups.com"));
973 }
974
975 } // namespace net