search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Compute can_use_lcd_text using property trees.
[chromium-blink-merge.git] / net / http / transport_security_state_unittest.cc
blob9200b5a8fada85bf2929c3f764f13e913753dd76
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_state.h"
6
7 #include <algorithm>
8 #include <string>
9 #include <vector>
10
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/rand_util.h"
14 #include "base/sha1.h"
15 #include "base/strings/string_piece.h"
16 #include "crypto/sha2.h"
17 #include "net/base/net_errors.h"
18 #include "net/base/test_completion_callback.h"
19 #include "net/base/test_data_directory.h"
20 #include "net/cert/asn1_util.h"
21 #include "net/cert/cert_verifier.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/test_root_certs.h"
24 #include "net/cert/x509_cert_types.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/http/http_util.h"
27 #include "net/log/net_log.h"
28 #include "net/ssl/ssl_info.h"
29 #include "net/test/cert_test_util.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31
32 #if defined(USE_OPENSSL)
33 #include "crypto/openssl_util.h"
34 #else
35 #include "crypto/nss_util.h"
36 #endif
37
38 namespace net {
39
40 class TransportSecurityStateTest : public testing::Test {
41 public:
42 void SetUp() override {
43 #if defined(USE_OPENSSL)
44 crypto::EnsureOpenSSLInit();
45 #else
46 crypto::EnsureNSSInit();
47 #endif
48 }
49
50 static void DisableStaticPins(TransportSecurityState* state) {
51 state->enable_static_pins_ = false;
52 }
53
54 static void EnableStaticPins(TransportSecurityState* state) {
55 state->enable_static_pins_ = true;
56 }
57
58 static HashValueVector GetSampleSPKIHashes() {
59 HashValueVector spki_hashes;
60 HashValue hash(HASH_VALUE_SHA1);
61 memset(hash.data(), 0, hash.size());
62 spki_hashes.push_back(hash);
63 return spki_hashes;
64 }
65
66 protected:
67 bool GetStaticDomainState(TransportSecurityState* state,
68 const std::string& host,
69 TransportSecurityState::DomainState* result) {
70 return state->GetStaticDomainState(host, result);
71 }
72 };
73
74 TEST_F(TransportSecurityStateTest, DomainNameOddities) {
75 TransportSecurityState state;
76 const base::Time current_time(base::Time::Now());
77 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
78
79 // DNS suffix search tests. Some DNS resolvers allow a terminal "." to
80 // indicate not perform DNS suffix searching. Ensure that regardless
81 // of how this is treated at the resolver layer, or at the URL/origin
82 // layer (that is, whether they are treated as equivalent or distinct),
83 // ensure that for policy matching, something lacking a terminal "."
84 // is equivalent to something with a terminal "."
85 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
86
87 state.AddHSTS("example.com", expiry, true /* include_subdomains */);
88 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
89 // Trailing '.' should be equivalent; it's just a resolver hint
90 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com."));
91 // Leading '.' should be invalid
92 EXPECT_FALSE(state.ShouldUpgradeToSSL(".example.com"));
93 // Subdomains should work regardless
94 EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com"));
95 EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com."));
96 // But invalid subdomains should be rejected
97 EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com"));
98 EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com."));
99
100 // Now try the inverse form
101 TransportSecurityState state2;
102 state2.AddHSTS("example.net.", expiry, true /* include_subdomains */);
103 EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net."));
104 EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net"));
105 EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net."));
106 EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net"));
107
108 // Finally, test weird things
109 TransportSecurityState state3;
110 state3.AddHSTS("", expiry, true /* include_subdomains */);
111 EXPECT_FALSE(state3.ShouldUpgradeToSSL(""));
112 EXPECT_FALSE(state3.ShouldUpgradeToSSL("."));
113 EXPECT_FALSE(state3.ShouldUpgradeToSSL("..."));
114 // Make sure it didn't somehow apply HSTS to the world
115 EXPECT_FALSE(state3.ShouldUpgradeToSSL("example.org"));
116
117 TransportSecurityState state4;
118 state4.AddHSTS(".", expiry, true /* include_subdomains */);
119 EXPECT_FALSE(state4.ShouldUpgradeToSSL(""));
120 EXPECT_FALSE(state4.ShouldUpgradeToSSL("."));
121 EXPECT_FALSE(state4.ShouldUpgradeToSSL("..."));
122 EXPECT_FALSE(state4.ShouldUpgradeToSSL("example.org"));
123
124 // Now do the same for preloaded entries
125 TransportSecurityState state5;
126 EXPECT_TRUE(state5.ShouldUpgradeToSSL("accounts.google.com"));
127 EXPECT_TRUE(state5.ShouldUpgradeToSSL("accounts.google.com."));
128 EXPECT_FALSE(state5.ShouldUpgradeToSSL("accounts..google.com"));
129 EXPECT_FALSE(state5.ShouldUpgradeToSSL("accounts..google.com."));
130 }
131
132 TEST_F(TransportSecurityStateTest, SimpleMatches) {
133 TransportSecurityState state;
134 const base::Time current_time(base::Time::Now());
135 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
136
137 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
138 bool include_subdomains = false;
139 state.AddHSTS("example.com", expiry, include_subdomains);
140 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
141 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example.com"));
142 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example.com"));
143 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("foo.example.com"));
144 }
145
146 TEST_F(TransportSecurityStateTest, MatchesCase1) {
147 TransportSecurityState state;
148 const base::Time current_time(base::Time::Now());
149 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
150
151 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
152 bool include_subdomains = false;
153 state.AddHSTS("EXample.coM", expiry, include_subdomains);
154 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
155 }
156
157 TEST_F(TransportSecurityStateTest, Fuzz) {
158 TransportSecurityState state;
159 TransportSecurityState::DomainState domain_state;
160
161 EnableStaticPins(&state);
162
163 for (size_t i = 0; i < 128; i++) {
164 std::string hostname;
165
166 for (;;) {
167 if (base::RandInt(0, 16) == 7) {
168 break;
169 }
170 if (i > 0 && base::RandInt(0, 7) == 7) {
171 hostname.append(1, '.');
172 }
173 hostname.append(1, 'a' + base::RandInt(0, 25));
174 }
175 state.GetStaticDomainState(hostname, &domain_state);
176 }
177 }
178
179 TEST_F(TransportSecurityStateTest, MatchesCase2) {
180 TransportSecurityState state;
181 const base::Time current_time(base::Time::Now());
182 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
183
184 // Check dynamic entries
185 EXPECT_FALSE(state.ShouldUpgradeToSSL("EXample.coM"));
186 bool include_subdomains = false;
187 state.AddHSTS("example.com", expiry, include_subdomains);
188 EXPECT_TRUE(state.ShouldUpgradeToSSL("EXample.coM"));
189
190 // Check static entries
191 EXPECT_TRUE(state.ShouldUpgradeToSSL("AccounTs.GooGle.com"));
192 EXPECT_TRUE(state.ShouldUpgradeToSSL("mail.google.COM"));
193 }
194
195 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
196 TransportSecurityState state;
197 const base::Time current_time(base::Time::Now());
198 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
199
200 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test"));
201 bool include_subdomains = true;
202 state.AddHSTS("example.test", expiry, include_subdomains);
203 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.test"));
204 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example.test"));
205 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test"));
206 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test"));
207 EXPECT_FALSE(state.ShouldUpgradeToSSL("test"));
208 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test"));
209 }
210
211 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule
212 // with it, regardless of the includeSubDomains bit. This is a regression test
213 // for https://crbug.com/469957.
214 TEST_F(TransportSecurityStateTest, SubdomainCarveout) {
215 TransportSecurityState state;
216 const base::Time current_time(base::Time::Now());
217 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
218 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
219
220 state.AddHSTS("example1.test", expiry, true);
221 state.AddHSTS("foo.example1.test", expiry, false);
222
223 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
224 state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes());
225
226 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
227 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
228
229 // The foo.example1.test rule overrides the example1.test rule, so
230 // bar.foo.example1.test has no HSTS state.
231 EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test"));
232 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test"));
233
234 EXPECT_TRUE(state.HasPublicKeyPins("example2.test"));
235 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
236
237 // The foo.example2.test rule overrides the example1.test rule, so
238 // bar.foo.example2.test has no HPKP state.
239 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test"));
240 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test"));
241
242 // Expire the foo.example*.test rules.
243 state.AddHSTS("foo.example1.test", older, false);
244 state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes());
245
246 // Now the base example*.test rules apply to bar.foo.example*.test.
247 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test"));
248 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test"));
249 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test"));
250 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test"));
251 }
252
253 TEST_F(TransportSecurityStateTest, FatalSSLErrors) {
254 TransportSecurityState state;
255 const base::Time current_time(base::Time::Now());
256 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
257
258 state.AddHSTS("example1.test", expiry, false);
259 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
260
261 // The presense of either HSTS or HPKP is enough to make SSL errors fatal.
262 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test"));
263 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test"));
264 }
265
266 // Tests that HPKP and HSTS state both expire. Also tests that expired entries
267 // are pruned.
268 TEST_F(TransportSecurityStateTest, Expiration) {
269 TransportSecurityState state;
270 const base::Time current_time(base::Time::Now());
271 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
272 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
273
274 // Note: this test assumes that inserting an entry with an expiration time in
275 // the past works and is pruned on query.
276 state.AddHSTS("example1.test", older, false);
277 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
278 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
279 // Querying |state| for a domain should flush out expired entries.
280 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
281
282 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
283 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
284 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
285 // Querying |state| for a domain should flush out expired entries.
286 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
287
288 state.AddHSTS("example1.test", older, false);
289 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
290 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext());
291 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test"));
292 // Querying |state| for a domain should flush out expired entries.
293 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
294
295 // Test that HSTS can outlive HPKP.
296 state.AddHSTS("example1.test", expiry, false);
297 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
298 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
299 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
300
301 // Test that HPKP can outlive HSTS.
302 state.AddHSTS("example2.test", older, false);
303 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
304 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
305 EXPECT_TRUE(state.HasPublicKeyPins("example2.test"));
306 }
307
308 TEST_F(TransportSecurityStateTest, InvalidDomains) {
309 TransportSecurityState state;
310 const base::Time current_time(base::Time::Now());
311 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
312
313 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test"));
314 bool include_subdomains = true;
315 state.AddHSTS("example.test", expiry, include_subdomains);
316 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test"));
317 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test"));
318 }
319
320 // Tests that HPKP and HSTS state are queried independently for subdomain
321 // matches.
322 TEST_F(TransportSecurityStateTest, IndependentSubdomain) {
323 TransportSecurityState state;
324 const base::Time current_time(base::Time::Now());
325 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
326
327 state.AddHSTS("example1.test", expiry, true);
328 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes());
329
330 state.AddHSTS("example2.test", expiry, false);
331 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
332
333 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
334 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test"));
335 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test"));
336 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
337 }
338
339 // Tests that HPKP and HSTS state are inserted and overridden independently.
340 TEST_F(TransportSecurityStateTest, IndependentInsertion) {
341 TransportSecurityState state;
342 const base::Time current_time(base::Time::Now());
343 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
344
345 // Place an includeSubdomains HSTS entry below a normal HPKP entry.
346 state.AddHSTS("example1.test", expiry, true);
347 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes());
348
349 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
350 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test"));
351 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
352 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
353
354 // Drop the includeSubdomains from the HSTS entry.
355 state.AddHSTS("example1.test", expiry, false);
356
357 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test"));
358 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test"));
359
360 // Place an includeSubdomains HPKP entry below a normal HSTS entry.
361 state.AddHSTS("foo.example2.test", expiry, false);
362 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
363
364 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test"));
365 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
366
367 // Drop the includeSubdomains from the HSTS entry.
368 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
369
370 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test"));
371 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test"));
372 }
373
374 // Tests that GetDynamicDomainState appropriately stitches together the results
375 // of HSTS and HPKP.
376 TEST_F(TransportSecurityStateTest, DynamicDomainState) {
377 TransportSecurityState state;
378 const base::Time current_time(base::Time::Now());
379 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000);
380 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000);
381
382 state.AddHSTS("example.com", expiry1, true);
383 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes());
384
385 TransportSecurityState::DomainState domain_state;
386 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
387 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
388 EXPECT_TRUE(domain_state.HasPublicKeyPins());
389 EXPECT_TRUE(domain_state.sts.include_subdomains);
390 EXPECT_FALSE(domain_state.pkp.include_subdomains);
391 EXPECT_EQ(expiry1, domain_state.sts.expiry);
392 EXPECT_EQ(expiry2, domain_state.pkp.expiry);
393 EXPECT_EQ("example.com", domain_state.sts.domain);
394 EXPECT_EQ("foo.example.com", domain_state.pkp.domain);
395 }
396
397 // Tests that new pins always override previous pins. This should be true for
398 // both pins at the same domain or includeSubdomains pins at a parent domain.
399 TEST_F(TransportSecurityStateTest, NewPinsOverride) {
400 TransportSecurityState state;
401 TransportSecurityState::DomainState domain_state;
402 const base::Time current_time(base::Time::Now());
403 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
404 HashValue hash1(HASH_VALUE_SHA1);
405 memset(hash1.data(), 0x01, hash1.size());
406 HashValue hash2(HASH_VALUE_SHA1);
407 memset(hash2.data(), 0x02, hash1.size());
408 HashValue hash3(HASH_VALUE_SHA1);
409 memset(hash3.data(), 0x03, hash1.size());
410
411 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1));
412
413 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
414 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
415 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash1));
416
417 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2));
418
419 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
420 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
421 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash2));
422
423 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3));
424
425 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state));
426 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size());
427 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash3));
428 }
429
430 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
431 TransportSecurityState state;
432 const base::Time current_time(base::Time::Now());
433 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
434 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
435
436 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
437 bool include_subdomains = false;
438 state.AddHSTS("example.com", expiry, include_subdomains);
439
440 state.DeleteAllDynamicDataSince(expiry);
441 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
442 state.DeleteAllDynamicDataSince(older);
443 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
444
445 // |state| should be empty now.
446 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext());
447 }
448
449 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
450 TransportSecurityState state;
451 const base::Time current_time(base::Time::Now());
452 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
453 bool include_subdomains = false;
454 state.AddHSTS("example1.test", expiry, include_subdomains);
455
456 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
457 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
458 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test"));
459 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
460 }
461
462 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
463 TransportSecurityState state;
464 TransportSecurityState::DomainState domain_state;
465
466 EnableStaticPins(&state);
467
468 EXPECT_TRUE(
469 state.GetStaticDomainState("chrome.google.com", &domain_state));
470 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
471 }
472
473 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
474 TransportSecurityState state;
475 TransportSecurityState::DomainState domain_state;
476
477 DisableStaticPins(&state);
478 EXPECT_TRUE(
479 state.GetStaticDomainState("chrome.google.com", &domain_state));
480 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
481 }
482
483 TEST_F(TransportSecurityStateTest, IsPreloaded) {
484 const std::string paypal = "paypal.com";
485 const std::string www_paypal = "www.paypal.com";
486 const std::string foo_paypal = "foo.paypal.com";
487 const std::string a_www_paypal = "a.www.paypal.com";
488 const std::string abc_paypal = "a.b.c.paypal.com";
489 const std::string example = "example.com";
490 const std::string aypal = "aypal.com";
491 const std::string google = "google";
492 const std::string www_google = "www.google";
493
494 TransportSecurityState state;
495 TransportSecurityState::DomainState domain_state;
496
497 EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
498 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
499 EXPECT_FALSE(domain_state.sts.include_subdomains);
500 EXPECT_TRUE(GetStaticDomainState(&state, google, &domain_state));
501 EXPECT_TRUE(GetStaticDomainState(&state, www_google, &domain_state));
502 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
503 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
504 EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
505 EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
506 }
507
508 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
509 TransportSecurityState state;
510 TransportSecurityState::DomainState domain_state;
511
512 // The domain wasn't being set, leading to a blank string in the
513 // chrome://net-internals/#hsts UI. So test that.
514 EXPECT_TRUE(
515 state.GetStaticDomainState("market.android.com", &domain_state));
516 EXPECT_EQ(domain_state.sts.domain, "market.android.com");
517 EXPECT_EQ(domain_state.pkp.domain, "market.android.com");
518 EXPECT_TRUE(state.GetStaticDomainState(
519 "sub.market.android.com", &domain_state));
520 EXPECT_EQ(domain_state.sts.domain, "market.android.com");
521 EXPECT_EQ(domain_state.pkp.domain, "market.android.com");
522 }
523
524 static bool StaticShouldRedirect(const char* hostname) {
525 TransportSecurityState state;
526 TransportSecurityState::DomainState domain_state;
527 return state.GetStaticDomainState(
528 hostname, &domain_state) &&
529 domain_state.ShouldUpgradeToSSL();
530 }
531
532 static bool HasStaticState(const char* hostname) {
533 TransportSecurityState state;
534 TransportSecurityState::DomainState domain_state;
535 return state.GetStaticDomainState(hostname, &domain_state);
536 }
537
538 static bool HasStaticPublicKeyPins(const char* hostname) {
539 TransportSecurityState state;
540 TransportSecurityStateTest::EnableStaticPins(&state);
541 TransportSecurityState::DomainState domain_state;
542 if (!state.GetStaticDomainState(hostname, &domain_state))
543 return false;
544
545 return domain_state.HasPublicKeyPins();
546 }
547
548 static bool OnlyPinningInStaticState(const char* hostname) {
549 TransportSecurityState state;
550 TransportSecurityStateTest::EnableStaticPins(&state);
551 TransportSecurityState::DomainState domain_state;
552 if (!state.GetStaticDomainState(hostname, &domain_state))
553 return false;
554
555 return (domain_state.pkp.spki_hashes.size() > 0 ||
556 domain_state.pkp.bad_spki_hashes.size() > 0) &&
557 !domain_state.ShouldUpgradeToSSL();
558 }
559
560 TEST_F(TransportSecurityStateTest, Preloaded) {
561 TransportSecurityState state;
562 TransportSecurityState::DomainState domain_state;
563
564 // We do more extensive checks for the first domain.
565 EXPECT_TRUE(
566 state.GetStaticDomainState("www.paypal.com", &domain_state));
567 EXPECT_EQ(domain_state.sts.upgrade_mode,
568 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
569 EXPECT_FALSE(domain_state.sts.include_subdomains);
570 EXPECT_FALSE(domain_state.pkp.include_subdomains);
571
572 EXPECT_TRUE(HasStaticState("paypal.com"));
573 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
574
575 // Google hosts:
576
577 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
578 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
579 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
580 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
581 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
582 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
583 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
584 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
585 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
586 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
587 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
588 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
589 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
590 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
591 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
592 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
593 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
594 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
595 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
596 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
597 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
598 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
599 EXPECT_TRUE(StaticShouldRedirect("google"));
600 EXPECT_TRUE(StaticShouldRedirect("foo.google"));
601 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
602 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
603 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
604 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
605 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
606 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
607
608 // These domains used to be only HSTS when SNI was available.
609 EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
610 EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
611 EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
612 EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
613
614 // Other hosts:
615
616 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
617
618 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
619 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
620
621 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
622
623 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
624 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
625 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
626
627 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
628 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
629
630 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
631 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
632 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
633
634 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
635 EXPECT_FALSE(HasStaticState("elanex.biz"));
636 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
637
638 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
639 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
640 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
641
642 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
643 EXPECT_FALSE(HasStaticState("noisebridge.net"));
644 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
645
646 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
647 EXPECT_FALSE(HasStaticState("www.neg9.org"));
648
649 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
650 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
651
652 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
653 EXPECT_FALSE(HasStaticState("www.factor.cc"));
654
655 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
656 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
657 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
658 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
659 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
660
661 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
662 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
663 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
664
665 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
666 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
667 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
668
669 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
670 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
671
672 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
673 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
674
675 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
676 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
677
678 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
679 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
680
681 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
682 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
683
684 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
685 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
686
687 EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
688 EXPECT_FALSE(HasStaticState("foo.squareup.com"));
689
690 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
691 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
692
693 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
694 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
695
696 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
697 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
698
699 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
700 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
701
702 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
703 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
704 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
705
706 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
707 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
708
709 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
710 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
711
712 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
713
714 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
715 EXPECT_FALSE(HasStaticState("moneybookers.com"));
716
717 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
718 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
719 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
720
721 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
722 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
723
724 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
725 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
726 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
727
728 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
729 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
730
731 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
732 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
733
734 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
735 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
736
737 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
738 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
739
740 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
741 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
742 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
743 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
744 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
745 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
746 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
747 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
748 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
749 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
750 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
751 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
752
753 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
754 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
755
756 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
757 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
758 }
759
760 TEST_F(TransportSecurityStateTest, PreloadedPins) {
761 TransportSecurityState state;
762 EnableStaticPins(&state);
763 TransportSecurityState::DomainState domain_state;
764
765 // We do more extensive checks for the first domain.
766 EXPECT_TRUE(
767 state.GetStaticDomainState("www.paypal.com", &domain_state));
768 EXPECT_EQ(domain_state.sts.upgrade_mode,
769 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
770 EXPECT_FALSE(domain_state.sts.include_subdomains);
771 EXPECT_FALSE(domain_state.pkp.include_subdomains);
772
773 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
774 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
775 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
776 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
777 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
778 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
779 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
780 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
781 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
782 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
783 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
784 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
785 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
786 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
787 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
788 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
789 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
790
791 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
792 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
793 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
794 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
795 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
796
797 EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
798 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
799 EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
800 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
801 EXPECT_TRUE(
802 state.GetStaticDomainState("check.torproject.org", &domain_state));
803 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
804 EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
805 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
806
807 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
808
809 // Check that Facebook subdomains have pinning but not HSTS.
810 EXPECT_TRUE(state.GetStaticDomainState("facebook.com", &domain_state));
811 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
812 EXPECT_TRUE(StaticShouldRedirect("facebook.com"));
813
814 EXPECT_FALSE(state.GetStaticDomainState("foo.facebook.com", &domain_state));
815
816 EXPECT_TRUE(state.GetStaticDomainState("www.facebook.com", &domain_state));
817 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
818 EXPECT_TRUE(StaticShouldRedirect("www.facebook.com"));
819
820 EXPECT_TRUE(
821 state.GetStaticDomainState("foo.www.facebook.com", &domain_state));
822 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
823 EXPECT_TRUE(StaticShouldRedirect("foo.www.facebook.com"));
824 }
825
826 TEST_F(TransportSecurityStateTest, LongNames) {
827 TransportSecurityState state;
828 const char kLongName[] =
829 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
830 "WaveletIdDomainAndBlipBlipid";
831 TransportSecurityState::DomainState domain_state;
832 // Just checks that we don't hit a NOTREACHED.
833 EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
834 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
835 }
836
837 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
838 TransportSecurityState state;
839 EnableStaticPins(&state);
840 TransportSecurityState::DomainState domain_state;
841
842 EXPECT_TRUE(
843 state.GetStaticDomainState("chrome.google.com", &domain_state));
844 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
845
846 HashValueVector hashes;
847 std::string failure_log;
848 // Checks that a built-in list does exist.
849 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
850 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
851
852 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
853 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
854 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
855 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
856 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
857 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
858 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
859 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
860 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
861 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
862 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
863 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
864 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
865 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
866 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
867 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
868 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
869 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
870 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
871 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
872
873 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
874 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
875 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
876 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
877 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
878
879 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
880 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
881 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
882 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
883 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
884 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
885 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
886 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
887 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
888 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
889 }
890
891 static bool AddHash(const std::string& type_and_base64,
892 HashValueVector* out) {
893 HashValue hash;
894 if (!hash.FromString(type_and_base64))
895 return false;
896
897 out->push_back(hash);
898 return true;
899 }
900
901 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
902 // kGoodPath is blog.torproject.org.
903 static const char* const kGoodPath[] = {
904 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
905 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
906 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
907 NULL,
908 };
909
910 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
911 // torproject.org.
912 static const char* const kBadPath[] = {
913 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
914 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
915 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
916 NULL,
917 };
918
919 HashValueVector good_hashes, bad_hashes;
920
921 for (size_t i = 0; kGoodPath[i]; i++) {
922 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
923 }
924 for (size_t i = 0; kBadPath[i]; i++) {
925 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
926 }
927
928 TransportSecurityState state;
929 EnableStaticPins(&state);
930
931 TransportSecurityState::DomainState domain_state;
932 EXPECT_TRUE(
933 state.GetStaticDomainState("blog.torproject.org", &domain_state));
934 EXPECT_TRUE(domain_state.HasPublicKeyPins());
935
936 std::string failure_log;
937 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
938 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
939 }
940
941 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
942 TransportSecurityState state;
943 EnableStaticPins(&state);
944 TransportSecurityState::DomainState domain_state;
945
946 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
947
948 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
949 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
950 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
951 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
952 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
953 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
954 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
955 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
956 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
957 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
958 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
959 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
960 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
961 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
962 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
963 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
964 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
965 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
966 }
967
968 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
969 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
970 EXPECT_FALSE(StaticShouldRedirect("google.com"));
971 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
972
973 TransportSecurityState state;
974 const base::Time current_time(base::Time::Now());
975 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
976 state.AddHSTS("www.google.com", expiry, true);
977
978 EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com"));
979 }
980
981 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
982 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
983 "www.example.com"));
984 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
985 "www.paypal.com"));
986 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
987 "mail.twitter.com"));
988 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
989 "www.google.com.int"));
990 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
991 "jottit.com"));
992 // learn.doubleclick.net has a more specific match than
993 // *.doubleclick.com, and has 0 or NULL for its required certs.
994 // This test ensures that the exact-match-preferred behavior
995 // works.
996 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
997 "learn.doubleclick.net"));
998
999 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1000 "encrypted.google.com"));
1001 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1002 "mail.google.com"));
1003 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1004 "accounts.google.com"));
1005 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1006 "doubleclick.net"));
1007 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1008 "ad.doubleclick.net"));
1009 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1010 "youtube.com"));
1011 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1012 "www.profiles.google.com"));
1013 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1014 "checkout.google.com"));
1015 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1016 "googleadservices.com"));
1017
1018 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1019 "www.example.com"));
1020 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
1021 "www.paypal.com"));
1022 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1023 "checkout.google.com"));
1024 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1025 "googleadservices.com"));
1026
1027 // Test some SNI hosts:
1028 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1029 "gmail.com"));
1030 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1031 "googlegroups.com"));
1032 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1033 "www.googlegroups.com"));
1034
1035 // These hosts used to only be HSTS when SNI was available.
1036 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1037 "gmail.com"));
1038 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1039 "googlegroups.com"));
1040 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
1041 "www.googlegroups.com"));
1042 }
1043
1044 } // namespace net