projects / platform / framework / web / crosswalk.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Upstream version 10.39.225.0
[platform/framework/web/crosswalk.git] / src / net / http / transport_security_state_unittest.cc
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_state.h"
6
7 #include <algorithm>
8 #include <string>
9 #include <vector>
10
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/sha1.h"
14 #include "base/strings/string_piece.h"
15 #include "crypto/sha2.h"
16 #include "net/base/net_errors.h"
17 #include "net/base/net_log.h"
18 #include "net/base/test_completion_callback.h"
19 #include "net/base/test_data_directory.h"
20 #include "net/cert/asn1_util.h"
21 #include "net/cert/cert_verifier.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/test_root_certs.h"
24 #include "net/cert/x509_cert_types.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/http/http_util.h"
27 #include "net/ssl/ssl_info.h"
28 #include "net/test/cert_test_util.h"
29 #include "testing/gtest/include/gtest/gtest.h"
30
31 #if defined(USE_OPENSSL)
32 #include "crypto/openssl_util.h"
33 #else
34 #include "crypto/nss_util.h"
35 #endif
36
37 namespace net {
38
39 class TransportSecurityStateTest : public testing::Test {
40  public:
41   virtual void SetUp() {
42 #if defined(USE_OPENSSL)
43     crypto::EnsureOpenSSLInit();
44 #else
45     crypto::EnsureNSSInit();
46 #endif
47   }
48
49   static void DisableStaticPins(TransportSecurityState* state) {
50     state->enable_static_pins_ = false;
51   }
52
53   static void EnableStaticPins(TransportSecurityState* state) {
54     state->enable_static_pins_ = true;
55   }
56
57  protected:
58   bool GetStaticDomainState(TransportSecurityState* state,
59                             const std::string& host,
60                             TransportSecurityState::DomainState* result) {
61     return state->GetStaticDomainState(host, result);
62   }
63
64   void EnableHost(TransportSecurityState* state,
65                   const std::string& host,
66                   const TransportSecurityState::DomainState& domain_state) {
67     return state->EnableHost(host, domain_state);
68   }
69 };
70
71 TEST_F(TransportSecurityStateTest, SimpleMatches) {
72   TransportSecurityState state;
73   TransportSecurityState::DomainState domain_state;
74   const base::Time current_time(base::Time::Now());
75   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
76
77   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
78   bool include_subdomains = false;
79   state.AddHSTS("yahoo.com", expiry, include_subdomains);
80   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
81 }
82
83 TEST_F(TransportSecurityStateTest, MatchesCase1) {
84   TransportSecurityState state;
85   TransportSecurityState::DomainState domain_state;
86   const base::Time current_time(base::Time::Now());
87   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
88
89   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
90   bool include_subdomains = false;
91   state.AddHSTS("YAhoo.coM", expiry, include_subdomains);
92   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
93 }
94
95 TEST_F(TransportSecurityStateTest, MatchesCase2) {
96   TransportSecurityState state;
97   TransportSecurityState::DomainState domain_state;
98   const base::Time current_time(base::Time::Now());
99   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
100
101   EXPECT_FALSE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
102   bool include_subdomains = false;
103   state.AddHSTS("yahoo.com", expiry, include_subdomains);
104   EXPECT_TRUE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
105 }
106
107 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
108   TransportSecurityState state;
109   TransportSecurityState::DomainState domain_state;
110   const base::Time current_time(base::Time::Now());
111   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
112
113   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
114   bool include_subdomains = true;
115   state.AddHSTS("yahoo.com", expiry, include_subdomains);
116   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
117   EXPECT_TRUE(state.GetDynamicDomainState("foo.yahoo.com", &domain_state));
118   EXPECT_TRUE(state.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state));
119   EXPECT_TRUE(
120       state.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state));
121   EXPECT_FALSE(state.GetDynamicDomainState("com", &domain_state));
122 }
123
124 TEST_F(TransportSecurityStateTest, InvalidDomains) {
125   TransportSecurityState state;
126   TransportSecurityState::DomainState domain_state;
127   const base::Time current_time(base::Time::Now());
128   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
129
130   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
131   bool include_subdomains = true;
132   state.AddHSTS("yahoo.com", expiry, include_subdomains);
133   EXPECT_TRUE(state.GetDynamicDomainState("www-.foo.yahoo.com", &domain_state));
134   EXPECT_TRUE(
135       state.GetDynamicDomainState("2\x01.foo.yahoo.com", &domain_state));
136 }
137
138 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
139   TransportSecurityState state;
140   TransportSecurityState::DomainState domain_state;
141   const base::Time current_time(base::Time::Now());
142   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
143   const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
144
145   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
146   bool include_subdomains = false;
147   state.AddHSTS("yahoo.com", expiry, include_subdomains);
148
149   state.DeleteAllDynamicDataSince(expiry);
150   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
151   EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
152             domain_state.sts.upgrade_mode);
153   state.DeleteAllDynamicDataSince(older);
154   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
155   EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT,
156             domain_state.sts.upgrade_mode);
157 }
158
159 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
160   TransportSecurityState state;
161   TransportSecurityState::DomainState domain_state;
162   const base::Time current_time(base::Time::Now());
163   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
164   bool include_subdomains = false;
165   state.AddHSTS("yahoo.com", expiry, include_subdomains);
166
167   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
168   EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state));
169   EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com"));
170   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
171 }
172
173 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
174   TransportSecurityState state;
175   TransportSecurityState::DomainState domain_state;
176
177   EnableStaticPins(&state);
178
179   EXPECT_TRUE(
180       state.GetStaticDomainState("chrome.google.com", &domain_state));
181   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
182 }
183
184 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
185   TransportSecurityState state;
186   TransportSecurityState::DomainState domain_state;
187
188   DisableStaticPins(&state);
189   EXPECT_TRUE(
190       state.GetStaticDomainState("chrome.google.com", &domain_state));
191   EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
192 }
193
194 TEST_F(TransportSecurityStateTest, IsPreloaded) {
195   const std::string paypal = "paypal.com";
196   const std::string www_paypal = "www.paypal.com";
197   const std::string foo_paypal = "foo.paypal.com";
198   const std::string a_www_paypal = "a.www.paypal.com";
199   const std::string abc_paypal = "a.b.c.paypal.com";
200   const std::string example = "example.com";
201   const std::string aypal = "aypal.com";
202
203   TransportSecurityState state;
204   TransportSecurityState::DomainState domain_state;
205
206   EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
207   EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
208   EXPECT_FALSE(domain_state.sts.include_subdomains);
209   EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
210   EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
211   EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
212   EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
213 }
214
215 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
216   TransportSecurityState state;
217   TransportSecurityState::DomainState domain_state;
218
219   // The domain wasn't being set, leading to a blank string in the
220   // chrome://net-internals/#hsts UI. So test that.
221   EXPECT_TRUE(
222       state.GetStaticDomainState("market.android.com", &domain_state));
223   EXPECT_EQ(domain_state.domain, "market.android.com");
224   EXPECT_TRUE(state.GetStaticDomainState(
225       "sub.market.android.com", &domain_state));
226   EXPECT_EQ(domain_state.domain, "market.android.com");
227 }
228
229 static bool StaticShouldRedirect(const char* hostname) {
230   TransportSecurityState state;
231   TransportSecurityState::DomainState domain_state;
232   return state.GetStaticDomainState(
233              hostname, &domain_state) &&
234          domain_state.ShouldUpgradeToSSL();
235 }
236
237 static bool HasStaticState(const char* hostname) {
238   TransportSecurityState state;
239   TransportSecurityState::DomainState domain_state;
240   return state.GetStaticDomainState(hostname, &domain_state);
241 }
242
243 static bool HasStaticPublicKeyPins(const char* hostname) {
244   TransportSecurityState state;
245   TransportSecurityStateTest::EnableStaticPins(&state);
246   TransportSecurityState::DomainState domain_state;
247   if (!state.GetStaticDomainState(hostname, &domain_state))
248     return false;
249
250   return domain_state.HasPublicKeyPins();
251 }
252
253 static bool OnlyPinningInStaticState(const char* hostname) {
254   TransportSecurityState state;
255   TransportSecurityStateTest::EnableStaticPins(&state);
256   TransportSecurityState::DomainState domain_state;
257   if (!state.GetStaticDomainState(hostname, &domain_state))
258     return false;
259
260   return (domain_state.pkp.spki_hashes.size() > 0 ||
261           domain_state.pkp.bad_spki_hashes.size() > 0) &&
262          !domain_state.ShouldUpgradeToSSL();
263 }
264
265 TEST_F(TransportSecurityStateTest, Preloaded) {
266   TransportSecurityState state;
267   TransportSecurityState::DomainState domain_state;
268
269   // We do more extensive checks for the first domain.
270   EXPECT_TRUE(
271       state.GetStaticDomainState("www.paypal.com", &domain_state));
272   EXPECT_EQ(domain_state.sts.upgrade_mode,
273             TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
274   EXPECT_FALSE(domain_state.sts.include_subdomains);
275   EXPECT_FALSE(domain_state.pkp.include_subdomains);
276
277   EXPECT_TRUE(HasStaticState("paypal.com"));
278   EXPECT_FALSE(HasStaticState("www2.paypal.com"));
279   EXPECT_FALSE(HasStaticState("www2.paypal.com"));
280
281   // Google hosts:
282
283   EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
284   EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
285   EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
286   EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
287   EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
288   EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
289   EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
290   EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
291   EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
292   EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
293   EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
294   EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
295   EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
296   EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
297   EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
298   EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
299   EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
300   EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
301   EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
302   EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
303   EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
304   EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
305   EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
306   EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
307   EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
308   EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
309   EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
310   EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
311
312   // These domains used to be only HSTS when SNI was available.
313   EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
314   EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
315   EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
316   EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
317
318   // Other hosts:
319
320   EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
321
322   EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
323   EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
324
325   EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
326
327   EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
328   EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
329   EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
330
331   EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
332   EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
333
334   EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
335   EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
336   EXPECT_FALSE(HasStaticState("foo.entropia.de"));
337
338   EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
339   EXPECT_FALSE(HasStaticState("elanex.biz"));
340   EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
341
342   EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
343   EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
344   EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
345
346   EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
347   EXPECT_FALSE(HasStaticState("noisebridge.net"));
348   EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
349
350   EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
351   EXPECT_FALSE(HasStaticState("www.neg9.org"));
352
353   EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
354   EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
355
356   EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
357   EXPECT_FALSE(HasStaticState("www.factor.cc"));
358
359   EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
360   EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
361   EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
362   EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
363   EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
364
365   EXPECT_TRUE(StaticShouldRedirect("romab.com"));
366   EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
367   EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
368
369   EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
370   EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
371   EXPECT_FALSE(HasStaticState("foo.logentries.com"));
372
373   EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
374   EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
375
376   EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
377   EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
378
379   EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
380   EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
381
382   EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
383   EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
384
385   EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
386   EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
387
388   EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
389   EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
390
391   EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
392   EXPECT_FALSE(HasStaticState("foo.squareup.com"));
393
394   EXPECT_TRUE(StaticShouldRedirect("cert.se"));
395   EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
396
397   EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
398   EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
399
400   EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
401   EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
402
403   EXPECT_TRUE(StaticShouldRedirect("linx.net"));
404   EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
405
406   EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
407   EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
408   EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
409
410   EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
411   EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
412
413   EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
414   EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
415
416   EXPECT_FALSE(HasStaticState("foo.torproject.org"));
417
418   EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
419   EXPECT_FALSE(HasStaticState("moneybookers.com"));
420
421   EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
422   EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
423   EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
424
425   EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
426   EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
427
428   EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
429   EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
430   EXPECT_FALSE(HasStaticState("foo.greplin.com"));
431
432   EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
433   EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
434
435   EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
436   EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
437
438   EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
439   EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
440
441   EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
442   EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
443
444   EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
445   EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
446   EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
447   EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
448   EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
449   EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
450   EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
451   EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
452   EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
453   EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
454   EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
455   EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
456
457   EXPECT_TRUE(StaticShouldRedirect("crypto.cat"));
458   EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat"));
459
460   EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
461   EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
462
463   EXPECT_TRUE(StaticShouldRedirect("crate.io"));
464   EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
465 }
466
467 TEST_F(TransportSecurityStateTest, PreloadedPins) {
468   TransportSecurityState state;
469   EnableStaticPins(&state);
470   TransportSecurityState::DomainState domain_state;
471
472   // We do more extensive checks for the first domain.
473   EXPECT_TRUE(
474       state.GetStaticDomainState("www.paypal.com", &domain_state));
475   EXPECT_EQ(domain_state.sts.upgrade_mode,
476             TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
477   EXPECT_FALSE(domain_state.sts.include_subdomains);
478   EXPECT_FALSE(domain_state.pkp.include_subdomains);
479
480   EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
481   EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
482   EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
483   EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
484   EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
485   EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
486   EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
487   EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
488   EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
489   EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
490   EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
491   EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
492   EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
493   EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
494   EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
495   EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
496   EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
497
498   EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
499   EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
500   EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
501   EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
502   EXPECT_FALSE(HasStaticState("foo.torproject.org"));
503
504   EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
505   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
506   EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
507   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
508   EXPECT_TRUE(
509       state.GetStaticDomainState("check.torproject.org", &domain_state));
510   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
511   EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
512   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
513
514   EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
515 }
516
517 TEST_F(TransportSecurityStateTest, LongNames) {
518   TransportSecurityState state;
519   const char kLongName[] =
520       "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
521       "WaveletIdDomainAndBlipBlipid";
522   TransportSecurityState::DomainState domain_state;
523   // Just checks that we don't hit a NOTREACHED.
524   EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
525   EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
526 }
527
528 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
529   TransportSecurityState state;
530   EnableStaticPins(&state);
531   TransportSecurityState::DomainState domain_state;
532
533   EXPECT_TRUE(
534       state.GetStaticDomainState("chrome.google.com", &domain_state));
535   EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
536
537   HashValueVector hashes;
538   std::string failure_log;
539   // Checks that a built-in list does exist.
540   EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
541   EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
542
543   EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
544   EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
545   EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
546   EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
547   EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
548   EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
549   EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
550   EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
551   EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
552   EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
553   EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
554   EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
555   EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
556   EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
557   EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
558   EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
559   EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
560   EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
561   EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
562   EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
563
564   EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
565   EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
566   EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
567   EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
568   EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
569
570   EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
571   EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
572   EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
573   EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
574   EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
575   EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
576   EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
577   EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
578   EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
579   EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
580 }
581
582 static bool AddHash(const std::string& type_and_base64,
583                     HashValueVector* out) {
584   HashValue hash;
585   if (!hash.FromString(type_and_base64))
586     return false;
587
588   out->push_back(hash);
589   return true;
590 }
591
592 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
593   // kGoodPath is blog.torproject.org.
594   static const char* kGoodPath[] = {
595     "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
596     "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
597     "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
598     NULL,
599   };
600
601   // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
602   // torproject.org.
603   static const char* kBadPath[] = {
604     "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
605     "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
606     "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
607     NULL,
608   };
609
610   HashValueVector good_hashes, bad_hashes;
611
612   for (size_t i = 0; kGoodPath[i]; i++) {
613     EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
614   }
615   for (size_t i = 0; kBadPath[i]; i++) {
616     EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
617   }
618
619   TransportSecurityState state;
620   EnableStaticPins(&state);
621
622   TransportSecurityState::DomainState domain_state;
623   EXPECT_TRUE(
624       state.GetStaticDomainState("blog.torproject.org", &domain_state));
625   EXPECT_TRUE(domain_state.HasPublicKeyPins());
626
627   std::string failure_log;
628   EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
629   EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
630 }
631
632 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
633   TransportSecurityState state;
634   EnableStaticPins(&state);
635   TransportSecurityState::DomainState domain_state;
636
637   EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
638
639   EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
640   EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
641   EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
642   EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
643   EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
644   EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
645   EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
646   EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
647   EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
648   EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
649   EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
650   EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
651   EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
652   EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
653   EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
654   EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
655   EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
656   EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
657 }
658
659 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
660   EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
661   EXPECT_FALSE(StaticShouldRedirect("google.com"));
662   EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
663
664   TransportSecurityState state;
665   TransportSecurityState::DomainState domain_state;
666   const base::Time current_time(base::Time::Now());
667   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
668   domain_state.sts.expiry = expiry;
669   EnableHost(&state, "www.google.com", domain_state);
670
671   EXPECT_TRUE(state.GetDynamicDomainState("www.google.com", &domain_state));
672 }
673
674 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
675   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
676       "www.example.com"));
677   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
678       "www.paypal.com"));
679   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
680       "mail.twitter.com"));
681   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
682       "www.google.com.int"));
683   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
684       "jottit.com"));
685   // learn.doubleclick.net has a more specific match than
686   // *.doubleclick.com, and has 0 or NULL for its required certs.
687   // This test ensures that the exact-match-preferred behavior
688   // works.
689   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
690       "learn.doubleclick.net"));
691
692   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
693       "encrypted.google.com"));
694   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
695       "mail.google.com"));
696   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
697       "accounts.google.com"));
698   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
699       "doubleclick.net"));
700   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
701       "ad.doubleclick.net"));
702   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
703       "youtube.com"));
704   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
705       "www.profiles.google.com"));
706   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
707       "checkout.google.com"));
708   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
709       "googleadservices.com"));
710
711   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
712       "www.example.com"));
713   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
714       "www.paypal.com"));
715   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
716       "checkout.google.com"));
717   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
718       "googleadservices.com"));
719
720   // Test some SNI hosts:
721   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
722       "gmail.com"));
723   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
724       "googlegroups.com"));
725   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
726       "www.googlegroups.com"));
727
728   // These hosts used to only be HSTS when SNI was available.
729   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
730       "gmail.com"));
731   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
732       "googlegroups.com"));
733   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
734       "www.googlegroups.com"));
735 }
736
737 }  // namespace net
Domain: Web Framework / Uncategorized;