search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add missing mandoline build deps caught by the new GN version.
[chromium-blink-merge.git] / net / http / transport_security_state_unittest.cc
blob771f3c6c6a736b3176888a483674d0e159a12df5
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_state.h"
6
7 #include <algorithm>
8 #include <string>
9 #include <vector>
10
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/rand_util.h"
14 #include "base/sha1.h"
15 #include "base/strings/string_piece.h"
16 #include "crypto/sha2.h"
17 #include "net/base/net_errors.h"
18 #include "net/base/test_completion_callback.h"
19 #include "net/base/test_data_directory.h"
20 #include "net/cert/asn1_util.h"
21 #include "net/cert/cert_verifier.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/test_root_certs.h"
24 #include "net/cert/x509_cert_types.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/http/http_util.h"
27 #include "net/log/net_log.h"
28 #include "net/ssl/ssl_info.h"
29 #include "net/test/cert_test_util.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31
32 #if defined(USE_OPENSSL)
33 #include "crypto/openssl_util.h"
34 #else
35 #include "crypto/nss_util.h"
36 #endif
37
38 namespace net {
39
40 class TransportSecurityStateTest : public testing::Test {
41 public:
42 void SetUp() override {
43 #if defined(USE_OPENSSL)
44 crypto::EnsureOpenSSLInit();
45 #else
46 crypto::EnsureNSSInit();
47 #endif
48 }
49
50 static void DisableStaticPins(TransportSecurityState* state) {
51 state->enable_static_pins_ = false;
52 }
53
54 static void EnableStaticPins(TransportSecurityState* state) {
55 state->enable_static_pins_ = true;
56 }
57
58 static HashValueVector GetSampleSPKIHashes() {
59 HashValueVector spki_hashes;
60 HashValue hash(HASH_VALUE_SHA1);
61 memset(hash.data(), 0, hash.size());
62 spki_hashes.push_back(hash);
63 return spki_hashes;
64 }
65
66 protected:
67 bool GetStaticDomainState(TransportSecurityState* state,
68 const std::string& host,
69 TransportSecurityState::DomainState* result) {
70 return state->GetStaticDomainState(host, result);
71 }
72 };
73
74 TEST_F(TransportSecurityStateTest, DomainNameOddities) {
75 TransportSecurityState state;
76 const base::Time current_time(base::Time::Now());
77 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
78
79 // DNS suffix search tests. Some DNS resolvers allow a terminal "." to
80 // indicate not perform DNS suffix searching. Ensure that regardless
81 // of how this is treated at the resolver layer, or at the URL/origin
82 // layer (that is, whether they are treated as equivalent or distinct),
83 // ensure that for policy matching, something lacking a terminal "."
84 // is equivalent to something with a terminal "."
85 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
86
87 state.AddHSTS("example.com", expiry, true /* include_subdomains */);
88 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
89 // Trailing '.' should be equivalent; it's just a resolver hint
90 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com."));
91 // Leading '.' should be invalid
92 EXPECT_FALSE(state.ShouldUpgradeToSSL(".example.com"));
93 // Subdomains should work regardless
94 EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com"));
95 EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com."));
96 // But invalid subdomains should be rejected
97 EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com"));
98 EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com."));
99
100 // Now try the inverse form
101 TransportSecurityState state2;
102 state2.AddHSTS("example.net.", expiry, true /* include_subdomains */);
103 EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net."));
104 EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net"));
105 EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net."));
106 EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net"));
107
108 // Finally, test weird things
109 TransportSecurityState state3;
110 state3.AddHSTS("", expiry, true /* include_subdomains */);
111 EXPECT_FALSE(state3.ShouldUpgradeToSSL(""));
112 EXPECT_FALSE(state3.ShouldUpgradeToSSL("."));
113 EXPECT_FALSE(state3.ShouldUpgradeToSSL("..."));
114 // Make sure it didn't somehow apply HSTS to the world
115 EXPECT_FALSE(state3.ShouldUpgradeToSSL("example.org"));
116
117 TransportSecurityState state4;
118 state4.AddHSTS(".", expiry, true /* include_subdomains */);
119 EXPECT_FALSE(state4.ShouldUpgradeToSSL(""));
120 EXPECT_FALSE(state4.ShouldUpgradeToSSL("."));
121 EXPECT_FALSE(state4.ShouldUpgradeToSSL("..."));
122 EXPECT_FALSE(state4.ShouldUpgradeToSSL("example.org"));
123
124 // Now do the same for preloaded entries
125 TransportSecurityState state5;
126 EXPECT_TRUE(state5.ShouldUpgradeToSSL("accounts.google.com"));
127 EXPECT_TRUE(state5.ShouldUpgradeToSSL("accounts.google.com."));
128 EXPECT_FALSE(state5.ShouldUpgradeToSSL("accounts..google.com"));
129 EXPECT_FALSE(state5.ShouldUpgradeToSSL("accounts..google.com."));
130 }
131
132 TEST_F(TransportSecurityStateTest, SimpleMatches) {
133 TransportSecurityState state;
134 const base::Time current_time(base::Time::Now());
135 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
136
137 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
138 bool include_subdomains = false;
139 state.AddHSTS("example.com", expiry, include_subdomains);
140 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
141 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example.com"));
142 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example.com"));
143 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("foo.example.com"));
144 }
145
146 TEST_F(TransportSecurityStateTest, MatchesCase1) {
147 TransportSecurityState state;
148 const base::Time current_time(base::Time::Now());
149 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
150
151 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
152 bool include_subdomains = false;
153 state.AddHSTS("EXample.coM", expiry, include_subdomains);
154 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
155 }
156
157 TEST_F(TransportSecurityStateTest, Fuzz) {
158 TransportSecurityState state;
159 TransportSecurityState::DomainState domain_state;
160
161 EnableStaticPins(&state);
162
163 for (size_t i = 0; i < 128; i++) {
164 std::string hostname;
165
166 for (;;) {
167 if (base::RandInt(0, 16) == 7) {
168 break;
169 }
170 if (i > 0 && base::RandInt(0, 7) == 7) {
171 hostname.append(1, '.');
172 }
173 hostname.append(1, 'a' + base::RandInt(0, 25));
174 }
175 state.GetStaticDomainState(hostname, &domain_state);
176 }
177 }
178
179 TEST_F(TransportSecurityStateTest, MatchesCase2) {
180 TransportSecurityState state;
181 const base::Time current_time(base::Time::Now());
182 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
183
184 // Check dynamic entries
185 EXPECT_FALSE(state.ShouldUpgradeToSSL("EXample.coM"));
186 bool include_subdomains = false;
187 state.AddHSTS("example.com", expiry, include_subdomains);
188 EXPECT_TRUE(state.ShouldUpgradeToSSL("EXample.coM"));
189
190 // Check static entries
191 EXPECT_TRUE(state.ShouldUpgradeToSSL("AccounTs.GooGle.com"));
192 EXPECT_TRUE(state.ShouldUpgradeToSSL("mail.google.COM"));
193 }
194
195 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
196 TransportSecurityState state;
197 const base::Time current_time(base::Time::Now());
198 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
199
200 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test"));
201 bool include_subdomains = true;
202 state.AddHSTS("example.test", expiry, include_subdomains);
203 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.test"));
204 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example.test"));
205 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test"));
206 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test"));
207 EXPECT_FALSE(state.ShouldUpgradeToSSL("test"));
208 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test"));
209 }
210
211 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule
212 // with it, regardless of the includeSubDomains bit. This is a regression test
213 // for https://crbug.com/469957.
214 TEST_F(TransportSecurityStateTest, SubdomainCarveout) {
215 TransportSecurityState state;
216 const base::Time current_time(base::Time::Now());
217 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
218 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
219
220 state.AddHSTS("example1.test", expiry, true);
221 state.AddHSTS("foo.example1.test", expiry, false);
222
223 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
224 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes());
225
226 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
227 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
228
229 // The foo.example1.test rule overrides the example1.test rule, so
230 // bar.foo.example1.test has no HSTS state.
231 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test"));
232 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test"));
233
234 EXPECT_TRUE(state.HasPublicKeyPins("example2.test"));
235 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
236
237 // The foo.example2.test rule overrides the example1.test rule, so
238 // bar.foo.example2.test has no HPKP state.
239 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test"));
240 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test"));
241
242 // Expire the foo.example*.test rules.
243 state.AddHSTS("foo.example1.test", older, false);
244 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes());
245
246 // Now the base example*.test rules apply to bar.foo.example*.test.
247 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test"));
248 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test"));
249 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test"));
250 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test"));
251 }
252
253 TEST_F(TransportSecurityStateTest, FatalSSLErrors) {
254 TransportSecurityState state;
255 const base::Time current_time(base::Time::Now());
256 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
257
258 state.AddHSTS("example1.test", expiry, false);
259 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
260
261 // The presense of either HSTS or HPKP is enough to make SSL errors fatal.
262 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test"));
263 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test"));
264 }
265
266 // Tests that HPKP and HSTS state both expire. Also tests that expired entries
267 // are pruned.
268 TEST_F(TransportSecurityStateTest, Expiration) {
269 TransportSecurityState state;
270 const base::Time current_time(base::Time::Now());
271 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
272 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
273
274 // Note: this test assumes that inserting an entry with an expiration time in
275 // the past works and is pruned on query.
276 state.AddHSTS("example1.test", older, false);
277 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
278 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
279 // Querying |state| for a domain should flush out expired entries.
280 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
281
282 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
283 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
284 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
285 // Querying |state| for a domain should flush out expired entries.
286 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
287
288 state.AddHSTS("example1.test", older, false);
289 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
290 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
291 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test"));
292 // Querying |state| for a domain should flush out expired entries.
293 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
294
295 // Test that HSTS can outlive HPKP.
296 state.AddHSTS("example1.test", expiry, false);
297 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
298 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
299 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
300
301 // Test that HPKP can outlive HSTS.
302 state.AddHSTS("example2.test", older, false);
303 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
304 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
305 EXPECT_TRUE(state.HasPublicKeyPins("example2.test"));
306 }
307
308 TEST_F(TransportSecurityStateTest, InvalidDomains) {
309 TransportSecurityState state;
310 const base::Time current_time(base::Time::Now());
311 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
312
313 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test"));
314 bool include_subdomains = true;
315 state.AddHSTS("example.test", expiry, include_subdomains);
316 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test"));
317 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test"));
318 }
319
320 // Tests that HPKP and HSTS state are queried independently for subdomain
321 // matches.
322 TEST_F(TransportSecurityStateTest, IndependentSubdomain) {
323 TransportSecurityState state;
324 const base::Time current_time(base::Time::Now());
325 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
326
327 state.AddHSTS("example1.test", expiry, true);
328 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes());
329
330 state.AddHSTS("example2.test", expiry, false);
331 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
332
333 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
334 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test"));
335 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test"));
336 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
337 }
338
339 // Tests that HPKP and HSTS state are inserted and overridden independently.
340 TEST_F(TransportSecurityStateTest, IndependentInsertion) {
341 TransportSecurityState state;
342 const base::Time current_time(base::Time::Now());
343 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
344
345 // Place an includeSubdomains HSTS entry below a normal HPKP entry.
346 state.AddHSTS("example1.test", expiry, true);
347 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes());
348
349 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
350 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test"));
351 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
352 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
353
354 // Drop the includeSubdomains from the HSTS entry.
355 state.AddHSTS("example1.test", expiry, false);
356
357 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test"));
358 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test"));
359
360 // Place an includeSubdomains HPKP entry below a normal HSTS entry.
361 state.AddHSTS("foo.example2.test", expiry, false);
362 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
363
364 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test"));
365 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
366
367 // Drop the includeSubdomains from the HSTS entry.
368 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
369
370 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test"));
371 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test"));
372 }
373
374 // Tests that GetDynamicDomainState appropriately stitches together the results
375 // of HSTS and HPKP.
376 TEST_F(TransportSecurityStateTest, DynamicDomainState) {
377 TransportSecurityState state;
378 const base::Time current_time(base::Time::Now());
379 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000);
380 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000);
381
382 state.AddHSTS("example.com", expiry1, true);
383 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes());
384
385 TransportSecurityState::DomainState domain_state;
386 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
387 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
388 EXPECT_TRUE(domain_state.HasPublicKeyPins());
389 EXPECT_TRUE(domain_state.sts.include_subdomains);
390 EXPECT_FALSE(domain_state.pkp.include_subdomains);
391 EXPECT_EQ(expiry1, domain_state.sts.expiry);
392 EXPECT_EQ(expiry2, domain_state.pkp.expiry);
393 EXPECT_EQ("example.com", domain_state.sts.domain);
394 EXPECT_EQ("foo.example.com", domain_state.pkp.domain);
395 }
396
397 // Tests that new pins always override previous pins. This should be true for
398 // both pins at the same domain or includeSubdomains pins at a parent domain.
399 TEST_F(TransportSecurityStateTest, NewPinsOverride) {
400 TransportSecurityState state;
401 TransportSecurityState::DomainState domain_state;
402 const base::Time current_time(base::Time::Now());
403 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
404 HashValue hash1(HASH_VALUE_SHA1);
405 memset(hash1.data(), 0x01, hash1.size());
406 HashValue hash2(HASH_VALUE_SHA1);
407 memset(hash2.data(), 0x02, hash1.size());
408 HashValue hash3(HASH_VALUE_SHA1);
409 memset(hash3.data(), 0x03, hash1.size());
410
411 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1));
412
413 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
414 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
415 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash1));
416
417 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2));
418
419 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
420 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
421 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash2));
422
423 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3));
424
425 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
426 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
427 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash3));
428 }
429
430 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
431 TransportSecurityState state;
432 const base::Time current_time(base::Time::Now());
433 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
434 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
435
436 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
437 bool include_subdomains = false;
438 state.AddHSTS("example.com", expiry, include_subdomains);
439
440 state.DeleteAllDynamicDataSince(expiry);
441 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
442 state.DeleteAllDynamicDataSince(older);
443 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
444
445 // |state| should be empty now.
446 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
447 }
448
449 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
450 TransportSecurityState state;
451 const base::Time current_time(base::Time::Now());
452 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
453 bool include_subdomains = false;
454 state.AddHSTS("example1.test", expiry, include_subdomains);
455
456 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
457 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
458 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test"));
459 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
460 }
461
462 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
463 TransportSecurityState state;
464 TransportSecurityState::DomainState domain_state;
465
466 EnableStaticPins(&state);
467
468 EXPECT_TRUE(
469 state.GetStaticDomainState("chrome.google.com", &domain_state));
470 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
471 }
472
473 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
474 TransportSecurityState state;
475 TransportSecurityState::DomainState domain_state;
476
477 DisableStaticPins(&state);
478 EXPECT_TRUE(
479 state.GetStaticDomainState("chrome.google.com", &domain_state));
480 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
481 }
482
483 TEST_F(TransportSecurityStateTest, IsPreloaded) {
484 const std::string paypal = "paypal.com";
485 const std::string www_paypal = "www.paypal.com";
486 const std::string foo_paypal = "foo.paypal.com";
487 const std::string a_www_paypal = "a.www.paypal.com";
488 const std::string abc_paypal = "a.b.c.paypal.com";
489 const std::string example = "example.com";
490 const std::string aypal = "aypal.com";
491
492 TransportSecurityState state;
493 TransportSecurityState::DomainState domain_state;
494
495 EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
496 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
497 EXPECT_FALSE(domain_state.sts.include_subdomains);
498 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
499 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
500 EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
501 EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
502 }
503
504 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
505 TransportSecurityState state;
506 TransportSecurityState::DomainState domain_state;
507
508 // The domain wasn't being set, leading to a blank string in the
509 // chrome://net-internals/#hsts UI. So test that.
510 EXPECT_TRUE(
511 state.GetStaticDomainState("market.android.com", &domain_state));
512 EXPECT_EQ(domain_state.sts.domain, "market.android.com");
513 EXPECT_EQ(domain_state.pkp.domain, "market.android.com");
514 EXPECT_TRUE(state.GetStaticDomainState(
515 "sub.market.android.com", &domain_state));
516 EXPECT_EQ(domain_state.sts.domain, "market.android.com");
517 EXPECT_EQ(domain_state.pkp.domain, "market.android.com");
518 }
519
520 static bool StaticShouldRedirect(const char* hostname) {
521 TransportSecurityState state;
522 TransportSecurityState::DomainState domain_state;
523 return state.GetStaticDomainState(
524 hostname, &domain_state) &&
525 domain_state.ShouldUpgradeToSSL();
526 }
527
528 static bool HasStaticState(const char* hostname) {
529 TransportSecurityState state;
530 TransportSecurityState::DomainState domain_state;
531 return state.GetStaticDomainState(hostname, &domain_state);
532 }
533
534 static bool HasStaticPublicKeyPins(const char* hostname) {
535 TransportSecurityState state;
536 TransportSecurityStateTest::EnableStaticPins(&state);
537 TransportSecurityState::DomainState domain_state;
538 if (!state.GetStaticDomainState(hostname, &domain_state))
539 return false;
540
541 return domain_state.HasPublicKeyPins();
542 }
543
544 static bool OnlyPinningInStaticState(const char* hostname) {
545 TransportSecurityState state;
546 TransportSecurityStateTest::EnableStaticPins(&state);
547 TransportSecurityState::DomainState domain_state;
548 if (!state.GetStaticDomainState(hostname, &domain_state))
549 return false;
550
551 return (domain_state.pkp.spki_hashes.size() > 0 ||
552 domain_state.pkp.bad_spki_hashes.size() > 0) &&
553 !domain_state.ShouldUpgradeToSSL();
554 }
555
556 TEST_F(TransportSecurityStateTest, Preloaded) {
557 TransportSecurityState state;
558 TransportSecurityState::DomainState domain_state;
559
560 // We do more extensive checks for the first domain.
561 EXPECT_TRUE(
562 state.GetStaticDomainState("www.paypal.com", &domain_state));
563 EXPECT_EQ(domain_state.sts.upgrade_mode,
564 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
565 EXPECT_FALSE(domain_state.sts.include_subdomains);
566 EXPECT_FALSE(domain_state.pkp.include_subdomains);
567
568 EXPECT_TRUE(HasStaticState("paypal.com"));
569 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
570
571 // Google hosts:
572
573 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
574 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
575 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
576 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
577 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
578 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
579 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
580 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
581 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
582 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
583 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
584 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
585 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
586 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
587 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
588 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
589 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
590 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
591 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
592 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
593 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
594 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
595 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
596 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
597 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
598 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
599 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
600 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
601
602 // These domains used to be only HSTS when SNI was available.
603 EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
604 EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
605 EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
606 EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
607
608 // Other hosts:
609
610 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
611
612 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
613 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
614
615 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
616
617 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
618 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
619 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
620
621 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
622 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
623
624 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
625 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
626 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
627
628 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
629 EXPECT_FALSE(HasStaticState("elanex.biz"));
630 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
631
632 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
633 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
634 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
635
636 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
637 EXPECT_FALSE(HasStaticState("noisebridge.net"));
638 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
639
640 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
641 EXPECT_FALSE(HasStaticState("www.neg9.org"));
642
643 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
644 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
645
646 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
647 EXPECT_FALSE(HasStaticState("www.factor.cc"));
648
649 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
650 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
651 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
652 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
653 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
654
655 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
656 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
657 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
658
659 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
660 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
661 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
662
663 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
664 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
665
666 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
667 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
668
669 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
670 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
671
672 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
673 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
674
675 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
676 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
677
678 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
679 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
680
681 EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
682 EXPECT_FALSE(HasStaticState("foo.squareup.com"));
683
684 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
685 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
686
687 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
688 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
689
690 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
691 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
692
693 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
694 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
695
696 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
697 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
698 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
699
700 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
701 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
702
703 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
704 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
705
706 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
707
708 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
709 EXPECT_FALSE(HasStaticState("moneybookers.com"));
710
711 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
712 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
713 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
714
715 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
716 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
717
718 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
719 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
720 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
721
722 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
723 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
724
725 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
726 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
727
728 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
729 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
730
731 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
732 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
733
734 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
735 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
736 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
737 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
738 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
739 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
740 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
741 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
742 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
743 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
744 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
745 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
746
747 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
748 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
749
750 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
751 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
752 }
753
754 TEST_F(TransportSecurityStateTest, PreloadedPins) {
755 TransportSecurityState state;
756 EnableStaticPins(&state);
757 TransportSecurityState::DomainState domain_state;
758
759 // We do more extensive checks for the first domain.
760 EXPECT_TRUE(
761 state.GetStaticDomainState("www.paypal.com", &domain_state));
762 EXPECT_EQ(domain_state.sts.upgrade_mode,
763 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
764 EXPECT_FALSE(domain_state.sts.include_subdomains);
765 EXPECT_FALSE(domain_state.pkp.include_subdomains);
766
767 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
768 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
769 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
770 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
771 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
772 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
773 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
774 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
775 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
776 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
777 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
778 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
779 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
780 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
781 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
782 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
783 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
784
785 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
786 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
787 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
788 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
789 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
790
791 EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
792 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
793 EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
794 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
795 EXPECT_TRUE(
796 state.GetStaticDomainState("check.torproject.org", &domain_state));
797 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
798 EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
799 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
800
801 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
802
803 // Check that Facebook subdomains have pinning but not HSTS.
804 EXPECT_TRUE(state.GetStaticDomainState("facebook.com", &domain_state));
805 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
806 EXPECT_TRUE(StaticShouldRedirect("facebook.com"));
807
808 EXPECT_FALSE(state.GetStaticDomainState("foo.facebook.com", &domain_state));
809
810 EXPECT_TRUE(state.GetStaticDomainState("www.facebook.com", &domain_state));
811 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
812 EXPECT_TRUE(StaticShouldRedirect("www.facebook.com"));
813
814 EXPECT_TRUE(
815 state.GetStaticDomainState("foo.www.facebook.com", &domain_state));
816 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
817 EXPECT_TRUE(StaticShouldRedirect("foo.www.facebook.com"));
818 }
819
820 TEST_F(TransportSecurityStateTest, LongNames) {
821 TransportSecurityState state;
822 const char kLongName[] =
823 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
824 "WaveletIdDomainAndBlipBlipid";
825 TransportSecurityState::DomainState domain_state;
826 // Just checks that we don't hit a NOTREACHED.
827 EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
828 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
829 }
830
831 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
832 TransportSecurityState state;
833 EnableStaticPins(&state);
834 TransportSecurityState::DomainState domain_state;
835
836 EXPECT_TRUE(
837 state.GetStaticDomainState("chrome.google.com", &domain_state));
838 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
839
840 HashValueVector hashes;
841 std::string failure_log;
842 // Checks that a built-in list does exist.
843 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
844 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
845
846 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
847 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
848 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
849 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
850 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
851 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
852 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
853 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
854 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
855 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
856 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
857 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
858 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
859 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
860 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
861 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
862 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
863 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
864 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
865 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
866
867 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
868 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
869 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
870 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
871 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
872
873 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
874 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
875 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
876 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
877 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
878 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
879 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
880 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
881 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
882 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
883 }
884
885 static bool AddHash(const std::string& type_and_base64,
886 HashValueVector* out) {
887 HashValue hash;
888 if (!hash.FromString(type_and_base64))
889 return false;
890
891 out->push_back(hash);
892 return true;
893 }
894
895 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
896 // kGoodPath is blog.torproject.org.
897 static const char* const kGoodPath[] = {
898 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
899 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
900 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
901 NULL,
902 };
903
904 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
905 // torproject.org.
906 static const char* const kBadPath[] = {
907 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
908 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
909 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
910 NULL,
911 };
912
913 HashValueVector good_hashes, bad_hashes;
914
915 for (size_t i = 0; kGoodPath[i]; i++) {
916 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
917 }
918 for (size_t i = 0; kBadPath[i]; i++) {
919 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
920 }
921
922 TransportSecurityState state;
923 EnableStaticPins(&state);
924
925 TransportSecurityState::DomainState domain_state;
926 EXPECT_TRUE(
927 state.GetStaticDomainState("blog.torproject.org", &domain_state));
928 EXPECT_TRUE(domain_state.HasPublicKeyPins());
929
930 std::string failure_log;
931 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
932 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
933 }
934
935 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
936 TransportSecurityState state;
937 EnableStaticPins(&state);
938 TransportSecurityState::DomainState domain_state;
939
940 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
941
942 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
943 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
944 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
945 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
946 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
947 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
948 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
949 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
950 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
951 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
952 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
953 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
954 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
955 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
956 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
957 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
958 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
959 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
960 }
961
962 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
963 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
964 EXPECT_FALSE(StaticShouldRedirect("google.com"));
965 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
966
967 TransportSecurityState state;
968 const base::Time current_time(base::Time::Now());
969 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
970 state.AddHSTS("www.google.com", expiry, true);
971
972 EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com"));
973 }
974
975 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
976 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
977 "www.example.com"));
978 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
979 "www.paypal.com"));
980 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
981 "mail.twitter.com"));
982 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
983 "www.google.com.int"));
984 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
985 "jottit.com"));
986 // learn.doubleclick.net has a more specific match than
987 // *.doubleclick.com, and has 0 or NULL for its required certs.
988 // This test ensures that the exact-match-preferred behavior
989 // works.
990 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
991 "learn.doubleclick.net"));
992
993 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
994 "encrypted.google.com"));
995 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
996 "mail.google.com"));
997 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
998 "accounts.google.com"));
999 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1000 "doubleclick.net"));
1001 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1002 "ad.doubleclick.net"));
1003 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1004 "youtube.com"));
1005 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1006 "www.profiles.google.com"));
1007 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1008 "checkout.google.com"));
1009 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1010 "googleadservices.com"));
1011
1012 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1013 "www.example.com"));
1014 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1015 "www.paypal.com"));
1016 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1017 "checkout.google.com"));
1018 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1019 "googleadservices.com"));
1020
1021 // Test some SNI hosts:
1022 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1023 "gmail.com"));
1024 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1025 "googlegroups.com"));
1026 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1027 "www.googlegroups.com"));
1028
1029 // These hosts used to only be HSTS when SNI was available.
1030 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1031 "gmail.com"));
1032 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1033 "googlegroups.com"));
1034 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1035 "www.googlegroups.com"));
1036 }
1037
1038 } // namespace net