search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added #ifdefs around PrintHeaderAndFooter for Windows and Mac.
[chromium-blink-merge.git] / net / http / transport_security_state_unittest.cc
blobcf5f2435b0263e6544664abcffd841af7cd4c322
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_state.h"
6
7 #include <algorithm>
8 #include <string>
9 #include <vector>
10
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/rand_util.h"
14 #include "base/sha1.h"
15 #include "base/strings/string_piece.h"
16 #include "crypto/sha2.h"
17 #include "net/base/net_errors.h"
18 #include "net/base/net_log.h"
19 #include "net/base/test_completion_callback.h"
20 #include "net/base/test_data_directory.h"
21 #include "net/cert/asn1_util.h"
22 #include "net/cert/cert_verifier.h"
23 #include "net/cert/cert_verify_result.h"
24 #include "net/cert/test_root_certs.h"
25 #include "net/cert/x509_cert_types.h"
26 #include "net/cert/x509_certificate.h"
27 #include "net/http/http_util.h"
28 #include "net/ssl/ssl_info.h"
29 #include "net/test/cert_test_util.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31
32 #if defined(USE_OPENSSL)
33 #include "crypto/openssl_util.h"
34 #else
35 #include "crypto/nss_util.h"
36 #endif
37
38 namespace net {
39
40 class TransportSecurityStateTest : public testing::Test {
41 public:
42 void SetUp() override {
43 #if defined(USE_OPENSSL)
44 crypto::EnsureOpenSSLInit();
45 #else
46 crypto::EnsureNSSInit();
47 #endif
48 }
49
50 static void DisableStaticPins(TransportSecurityState* state) {
51 state->enable_static_pins_ = false;
52 }
53
54 static void EnableStaticPins(TransportSecurityState* state) {
55 state->enable_static_pins_ = true;
56 }
57
58 protected:
59 bool GetStaticDomainState(TransportSecurityState* state,
60 const std::string& host,
61 TransportSecurityState::DomainState* result) {
62 return state->GetStaticDomainState(host, result);
63 }
64
65 void EnableHost(TransportSecurityState* state,
66 const std::string& host,
67 const TransportSecurityState::DomainState& domain_state) {
68 return state->EnableHost(host, domain_state);
69 }
70 };
71
72 TEST_F(TransportSecurityStateTest, SimpleMatches) {
73 TransportSecurityState state;
74 TransportSecurityState::DomainState domain_state;
75 const base::Time current_time(base::Time::Now());
76 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
77
78 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
79 bool include_subdomains = false;
80 state.AddHSTS("yahoo.com", expiry, include_subdomains);
81 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
82 }
83
84 TEST_F(TransportSecurityStateTest, MatchesCase1) {
85 TransportSecurityState state;
86 TransportSecurityState::DomainState domain_state;
87 const base::Time current_time(base::Time::Now());
88 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
89
90 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
91 bool include_subdomains = false;
92 state.AddHSTS("YAhoo.coM", expiry, include_subdomains);
93 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
94 }
95
96 TEST_F(TransportSecurityStateTest, Fuzz) {
97 TransportSecurityState state;
98 TransportSecurityState::DomainState domain_state;
99
100 EnableStaticPins(&state);
101
102 for (size_t i = 0; i < 128; i++) {
103 std::string hostname;
104
105 for (;;) {
106 if (base::RandInt(0, 16) == 7) {
107 break;
108 }
109 if (i > 0 && base::RandInt(0, 7) == 7) {
110 hostname.append(1, '.');
111 }
112 hostname.append(1, 'a' + base::RandInt(0, 25));
113 }
114 state.GetStaticDomainState(hostname, &domain_state);
115 }
116 }
117
118 TEST_F(TransportSecurityStateTest, MatchesCase2) {
119 TransportSecurityState state;
120 TransportSecurityState::DomainState domain_state;
121 const base::Time current_time(base::Time::Now());
122 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
123
124 EXPECT_FALSE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
125 bool include_subdomains = false;
126 state.AddHSTS("yahoo.com", expiry, include_subdomains);
127 EXPECT_TRUE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
128 }
129
130 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
131 TransportSecurityState state;
132 TransportSecurityState::DomainState domain_state;
133 const base::Time current_time(base::Time::Now());
134 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
135
136 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
137 bool include_subdomains = true;
138 state.AddHSTS("yahoo.com", expiry, include_subdomains);
139 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
140 EXPECT_TRUE(state.GetDynamicDomainState("foo.yahoo.com", &domain_state));
141 EXPECT_TRUE(state.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state));
142 EXPECT_TRUE(
143 state.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state));
144 EXPECT_FALSE(state.GetDynamicDomainState("com", &domain_state));
145 }
146
147 TEST_F(TransportSecurityStateTest, InvalidDomains) {
148 TransportSecurityState state;
149 TransportSecurityState::DomainState domain_state;
150 const base::Time current_time(base::Time::Now());
151 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
152
153 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
154 bool include_subdomains = true;
155 state.AddHSTS("yahoo.com", expiry, include_subdomains);
156 EXPECT_TRUE(state.GetDynamicDomainState("www-.foo.yahoo.com", &domain_state));
157 EXPECT_TRUE(
158 state.GetDynamicDomainState("2\x01.foo.yahoo.com", &domain_state));
159 }
160
161 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
162 TransportSecurityState state;
163 TransportSecurityState::DomainState domain_state;
164 const base::Time current_time(base::Time::Now());
165 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
166 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
167
168 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
169 bool include_subdomains = false;
170 state.AddHSTS("yahoo.com", expiry, include_subdomains);
171
172 state.DeleteAllDynamicDataSince(expiry);
173 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
174 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
175 domain_state.sts.upgrade_mode);
176 state.DeleteAllDynamicDataSince(older);
177 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
178 EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT,
179 domain_state.sts.upgrade_mode);
180 }
181
182 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
183 TransportSecurityState state;
184 TransportSecurityState::DomainState domain_state;
185 const base::Time current_time(base::Time::Now());
186 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
187 bool include_subdomains = false;
188 state.AddHSTS("yahoo.com", expiry, include_subdomains);
189
190 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
191 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state));
192 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com"));
193 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
194 }
195
196 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
197 TransportSecurityState state;
198 TransportSecurityState::DomainState domain_state;
199
200 EnableStaticPins(&state);
201
202 EXPECT_TRUE(
203 state.GetStaticDomainState("chrome.google.com", &domain_state));
204 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
205 }
206
207 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
208 TransportSecurityState state;
209 TransportSecurityState::DomainState domain_state;
210
211 DisableStaticPins(&state);
212 EXPECT_TRUE(
213 state.GetStaticDomainState("chrome.google.com", &domain_state));
214 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
215 }
216
217 TEST_F(TransportSecurityStateTest, IsPreloaded) {
218 const std::string paypal = "paypal.com";
219 const std::string www_paypal = "www.paypal.com";
220 const std::string foo_paypal = "foo.paypal.com";
221 const std::string a_www_paypal = "a.www.paypal.com";
222 const std::string abc_paypal = "a.b.c.paypal.com";
223 const std::string example = "example.com";
224 const std::string aypal = "aypal.com";
225
226 TransportSecurityState state;
227 TransportSecurityState::DomainState domain_state;
228
229 EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
230 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
231 EXPECT_FALSE(domain_state.sts.include_subdomains);
232 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
233 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
234 EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
235 EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
236 }
237
238 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
239 TransportSecurityState state;
240 TransportSecurityState::DomainState domain_state;
241
242 // The domain wasn't being set, leading to a blank string in the
243 // chrome://net-internals/#hsts UI. So test that.
244 EXPECT_TRUE(
245 state.GetStaticDomainState("market.android.com", &domain_state));
246 EXPECT_EQ(domain_state.domain, "market.android.com");
247 EXPECT_TRUE(state.GetStaticDomainState(
248 "sub.market.android.com", &domain_state));
249 EXPECT_EQ(domain_state.domain, "market.android.com");
250 }
251
252 static bool StaticShouldRedirect(const char* hostname) {
253 TransportSecurityState state;
254 TransportSecurityState::DomainState domain_state;
255 return state.GetStaticDomainState(
256 hostname, &domain_state) &&
257 domain_state.ShouldUpgradeToSSL();
258 }
259
260 static bool HasStaticState(const char* hostname) {
261 TransportSecurityState state;
262 TransportSecurityState::DomainState domain_state;
263 return state.GetStaticDomainState(hostname, &domain_state);
264 }
265
266 static bool HasStaticPublicKeyPins(const char* hostname) {
267 TransportSecurityState state;
268 TransportSecurityStateTest::EnableStaticPins(&state);
269 TransportSecurityState::DomainState domain_state;
270 if (!state.GetStaticDomainState(hostname, &domain_state))
271 return false;
272
273 return domain_state.HasPublicKeyPins();
274 }
275
276 static bool OnlyPinningInStaticState(const char* hostname) {
277 TransportSecurityState state;
278 TransportSecurityStateTest::EnableStaticPins(&state);
279 TransportSecurityState::DomainState domain_state;
280 if (!state.GetStaticDomainState(hostname, &domain_state))
281 return false;
282
283 return (domain_state.pkp.spki_hashes.size() > 0 ||
284 domain_state.pkp.bad_spki_hashes.size() > 0) &&
285 !domain_state.ShouldUpgradeToSSL();
286 }
287
288 TEST_F(TransportSecurityStateTest, Preloaded) {
289 TransportSecurityState state;
290 TransportSecurityState::DomainState domain_state;
291
292 // We do more extensive checks for the first domain.
293 EXPECT_TRUE(
294 state.GetStaticDomainState("www.paypal.com", &domain_state));
295 EXPECT_EQ(domain_state.sts.upgrade_mode,
296 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
297 EXPECT_FALSE(domain_state.sts.include_subdomains);
298 EXPECT_FALSE(domain_state.pkp.include_subdomains);
299
300 EXPECT_TRUE(HasStaticState("paypal.com"));
301 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
302
303 // Google hosts:
304
305 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
306 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
307 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
308 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
309 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
310 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
311 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
312 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
313 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
314 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
315 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
316 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
317 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
318 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
319 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
320 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
321 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
322 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
323 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
324 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
325 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
326 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
327 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
328 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
329 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
330 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
331 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
332 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
333
334 // These domains used to be only HSTS when SNI was available.
335 EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
336 EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
337 EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
338 EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
339
340 // Other hosts:
341
342 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
343
344 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
345 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
346
347 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
348
349 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
350 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
351 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
352
353 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
354 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
355
356 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
357 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
358 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
359
360 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
361 EXPECT_FALSE(HasStaticState("elanex.biz"));
362 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
363
364 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
365 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
366 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
367
368 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
369 EXPECT_FALSE(HasStaticState("noisebridge.net"));
370 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
371
372 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
373 EXPECT_FALSE(HasStaticState("www.neg9.org"));
374
375 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
376 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
377
378 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
379 EXPECT_FALSE(HasStaticState("www.factor.cc"));
380
381 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
382 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
383 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
384 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
385 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
386
387 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
388 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
389 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
390
391 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
392 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
393 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
394
395 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
396 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
397
398 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
399 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
400
401 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
402 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
403
404 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
405 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
406
407 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
408 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
409
410 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
411 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
412
413 EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
414 EXPECT_FALSE(HasStaticState("foo.squareup.com"));
415
416 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
417 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
418
419 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
420 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
421
422 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
423 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
424
425 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
426 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
427
428 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
429 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
430 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
431
432 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
433 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
434
435 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
436 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
437
438 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
439
440 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
441 EXPECT_FALSE(HasStaticState("moneybookers.com"));
442
443 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
444 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
445 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
446
447 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
448 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
449
450 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
451 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
452 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
453
454 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
455 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
456
457 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
458 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
459
460 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
461 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
462
463 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
464 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
465
466 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
467 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
468 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
469 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
470 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
471 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
472 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
473 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
474 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
475 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
476 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
477 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
478
479 EXPECT_TRUE(StaticShouldRedirect("crypto.cat"));
480 EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat"));
481
482 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
483 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
484
485 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
486 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
487 }
488
489 TEST_F(TransportSecurityStateTest, PreloadedPins) {
490 TransportSecurityState state;
491 EnableStaticPins(&state);
492 TransportSecurityState::DomainState domain_state;
493
494 // We do more extensive checks for the first domain.
495 EXPECT_TRUE(
496 state.GetStaticDomainState("www.paypal.com", &domain_state));
497 EXPECT_EQ(domain_state.sts.upgrade_mode,
498 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
499 EXPECT_FALSE(domain_state.sts.include_subdomains);
500 EXPECT_FALSE(domain_state.pkp.include_subdomains);
501
502 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
503 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
504 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
505 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
506 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
507 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
508 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
509 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
510 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
511 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
512 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
513 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
514 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
515 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
516 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
517 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
518 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
519
520 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
521 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
522 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
523 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
524 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
525
526 EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
527 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
528 EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
529 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
530 EXPECT_TRUE(
531 state.GetStaticDomainState("check.torproject.org", &domain_state));
532 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
533 EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
534 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
535
536 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
537
538 // Check that Facebook subdomains have pinning but not HSTS.
539 EXPECT_TRUE(state.GetStaticDomainState("facebook.com", &domain_state));
540 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
541 EXPECT_TRUE(StaticShouldRedirect("facebook.com"));
542
543 EXPECT_TRUE(state.GetStaticDomainState("foo.facebook.com", &domain_state));
544 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
545 EXPECT_FALSE(StaticShouldRedirect("foo.facebook.com"));
546
547 EXPECT_TRUE(state.GetStaticDomainState("www.facebook.com", &domain_state));
548 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
549 EXPECT_TRUE(StaticShouldRedirect("www.facebook.com"));
550
551 EXPECT_TRUE(
552 state.GetStaticDomainState("foo.www.facebook.com", &domain_state));
553 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
554 EXPECT_TRUE(StaticShouldRedirect("foo.www.facebook.com"));
555 }
556
557 TEST_F(TransportSecurityStateTest, LongNames) {
558 TransportSecurityState state;
559 const char kLongName[] =
560 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
561 "WaveletIdDomainAndBlipBlipid";
562 TransportSecurityState::DomainState domain_state;
563 // Just checks that we don't hit a NOTREACHED.
564 EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
565 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
566 }
567
568 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
569 TransportSecurityState state;
570 EnableStaticPins(&state);
571 TransportSecurityState::DomainState domain_state;
572
573 EXPECT_TRUE(
574 state.GetStaticDomainState("chrome.google.com", &domain_state));
575 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
576
577 HashValueVector hashes;
578 std::string failure_log;
579 // Checks that a built-in list does exist.
580 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
581 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
582
583 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
584 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
585 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
586 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
587 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
588 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
589 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
590 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
591 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
592 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
593 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
594 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
595 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
596 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
597 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
598 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
599 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
600 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
601 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
602 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
603
604 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
605 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
606 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
607 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
608 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
609
610 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
611 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
612 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
613 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
614 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
615 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
616 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
617 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
618 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
619 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
620 }
621
622 static bool AddHash(const std::string& type_and_base64,
623 HashValueVector* out) {
624 HashValue hash;
625 if (!hash.FromString(type_and_base64))
626 return false;
627
628 out->push_back(hash);
629 return true;
630 }
631
632 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
633 // kGoodPath is blog.torproject.org.
634 static const char* kGoodPath[] = {
635 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
636 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
637 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
638 NULL,
639 };
640
641 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
642 // torproject.org.
643 static const char* kBadPath[] = {
644 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
645 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
646 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
647 NULL,
648 };
649
650 HashValueVector good_hashes, bad_hashes;
651
652 for (size_t i = 0; kGoodPath[i]; i++) {
653 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
654 }
655 for (size_t i = 0; kBadPath[i]; i++) {
656 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
657 }
658
659 TransportSecurityState state;
660 EnableStaticPins(&state);
661
662 TransportSecurityState::DomainState domain_state;
663 EXPECT_TRUE(
664 state.GetStaticDomainState("blog.torproject.org", &domain_state));
665 EXPECT_TRUE(domain_state.HasPublicKeyPins());
666
667 std::string failure_log;
668 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
669 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
670 }
671
672 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
673 TransportSecurityState state;
674 EnableStaticPins(&state);
675 TransportSecurityState::DomainState domain_state;
676
677 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
678
679 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
680 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
681 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
682 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
683 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
684 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
685 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
686 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
687 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
688 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
689 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
690 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
691 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
692 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
693 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
694 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
695 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
696 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
697 }
698
699 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
700 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
701 EXPECT_FALSE(StaticShouldRedirect("google.com"));
702 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
703
704 TransportSecurityState state;
705 TransportSecurityState::DomainState domain_state;
706 const base::Time current_time(base::Time::Now());
707 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
708 domain_state.sts.expiry = expiry;
709 EnableHost(&state, "www.google.com", domain_state);
710
711 EXPECT_TRUE(state.GetDynamicDomainState("www.google.com", &domain_state));
712 }
713
714 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
715 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
716 "www.example.com"));
717 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
718 "www.paypal.com"));
719 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
720 "mail.twitter.com"));
721 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
722 "www.google.com.int"));
723 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
724 "jottit.com"));
725 // learn.doubleclick.net has a more specific match than
726 // *.doubleclick.com, and has 0 or NULL for its required certs.
727 // This test ensures that the exact-match-preferred behavior
728 // works.
729 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
730 "learn.doubleclick.net"));
731
732 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
733 "encrypted.google.com"));
734 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
735 "mail.google.com"));
736 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
737 "accounts.google.com"));
738 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
739 "doubleclick.net"));
740 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
741 "ad.doubleclick.net"));
742 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
743 "youtube.com"));
744 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
745 "www.profiles.google.com"));
746 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
747 "checkout.google.com"));
748 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
749 "googleadservices.com"));
750
751 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
752 "www.example.com"));
753 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
754 "www.paypal.com"));
755 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
756 "checkout.google.com"));
757 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
758 "googleadservices.com"));
759
760 // Test some SNI hosts:
761 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
762 "gmail.com"));
763 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
764 "googlegroups.com"));
765 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
766 "www.googlegroups.com"));
767
768 // These hosts used to only be HSTS when SNI was available.
769 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
770 "gmail.com"));
771 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
772 "googlegroups.com"));
773 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
774 "www.googlegroups.com"));
775 }
776
777 } // namespace net