projects / platform / framework / web / crosswalk.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Update To 11.40.268.0
[platform/framework/web/crosswalk.git] / src / net / http / transport_security_state_unittest.cc
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_state.h"
6
7 #include <algorithm>
8 #include <string>
9 #include <vector>
10
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/rand_util.h"
14 #include "base/sha1.h"
15 #include "base/strings/string_piece.h"
16 #include "crypto/sha2.h"
17 #include "net/base/net_errors.h"
18 #include "net/base/net_log.h"
19 #include "net/base/test_completion_callback.h"
20 #include "net/base/test_data_directory.h"
21 #include "net/cert/asn1_util.h"
22 #include "net/cert/cert_verifier.h"
23 #include "net/cert/cert_verify_result.h"
24 #include "net/cert/test_root_certs.h"
25 #include "net/cert/x509_cert_types.h"
26 #include "net/cert/x509_certificate.h"
27 #include "net/http/http_util.h"
28 #include "net/ssl/ssl_info.h"
29 #include "net/test/cert_test_util.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31
32 #if defined(USE_OPENSSL)
33 #include "crypto/openssl_util.h"
34 #else
35 #include "crypto/nss_util.h"
36 #endif
37
38 namespace net {
39
40 class TransportSecurityStateTest : public testing::Test {
41  public:
42   void SetUp() override {
43 #if defined(USE_OPENSSL)
44     crypto::EnsureOpenSSLInit();
45 #else
46     crypto::EnsureNSSInit();
47 #endif
48   }
49
50   static void DisableStaticPins(TransportSecurityState* state) {
51     state->enable_static_pins_ = false;
52   }
53
54   static void EnableStaticPins(TransportSecurityState* state) {
55     state->enable_static_pins_ = true;
56   }
57
58  protected:
59   bool GetStaticDomainState(TransportSecurityState* state,
60                             const std::string& host,
61                             TransportSecurityState::DomainState* result) {
62     return state->GetStaticDomainState(host, result);
63   }
64
65   void EnableHost(TransportSecurityState* state,
66                   const std::string& host,
67                   const TransportSecurityState::DomainState& domain_state) {
68     return state->EnableHost(host, domain_state);
69   }
70 };
71
72 TEST_F(TransportSecurityStateTest, SimpleMatches) {
73   TransportSecurityState state;
74   TransportSecurityState::DomainState domain_state;
75   const base::Time current_time(base::Time::Now());
76   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
77
78   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
79   bool include_subdomains = false;
80   state.AddHSTS("yahoo.com", expiry, include_subdomains);
81   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
82 }
83
84 TEST_F(TransportSecurityStateTest, MatchesCase1) {
85   TransportSecurityState state;
86   TransportSecurityState::DomainState domain_state;
87   const base::Time current_time(base::Time::Now());
88   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
89
90   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
91   bool include_subdomains = false;
92   state.AddHSTS("YAhoo.coM", expiry, include_subdomains);
93   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
94 }
95
96 TEST_F(TransportSecurityStateTest, Fuzz) {
97   TransportSecurityState state;
98   TransportSecurityState::DomainState domain_state;
99
100   EnableStaticPins(&state);
101
102   for (size_t i = 0; i < 128; i++) {
103     std::string hostname;
104
105     for (;;) {
106       if (base::RandInt(0, 16) == 7) {
107         break;
108       }
109       if (i > 0 && base::RandInt(0, 7) == 7) {
110         hostname.append(1, '.');
111       }
112       hostname.append(1, 'a' + base::RandInt(0, 25));
113     }
114     state.GetStaticDomainState(hostname, &domain_state);
115   }
116 }
117
118 TEST_F(TransportSecurityStateTest, MatchesCase2) {
119   TransportSecurityState state;
120   TransportSecurityState::DomainState domain_state;
121   const base::Time current_time(base::Time::Now());
122   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
123
124   EXPECT_FALSE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
125   bool include_subdomains = false;
126   state.AddHSTS("yahoo.com", expiry, include_subdomains);
127   EXPECT_TRUE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
128 }
129
130 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
131   TransportSecurityState state;
132   TransportSecurityState::DomainState domain_state;
133   const base::Time current_time(base::Time::Now());
134   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
135
136   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
137   bool include_subdomains = true;
138   state.AddHSTS("yahoo.com", expiry, include_subdomains);
139   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
140   EXPECT_TRUE(state.GetDynamicDomainState("foo.yahoo.com", &domain_state));
141   EXPECT_TRUE(state.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state));
142   EXPECT_TRUE(
143       state.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state));
144   EXPECT_FALSE(state.GetDynamicDomainState("com", &domain_state));
145 }
146
147 TEST_F(TransportSecurityStateTest, InvalidDomains) {
148   TransportSecurityState state;
149   TransportSecurityState::DomainState domain_state;
150   const base::Time current_time(base::Time::Now());
151   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
152
153   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
154   bool include_subdomains = true;
155   state.AddHSTS("yahoo.com", expiry, include_subdomains);
156   EXPECT_TRUE(state.GetDynamicDomainState("www-.foo.yahoo.com", &domain_state));
157   EXPECT_TRUE(
158       state.GetDynamicDomainState("2\x01.foo.yahoo.com", &domain_state));
159 }
160
161 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
162   TransportSecurityState state;
163   TransportSecurityState::DomainState domain_state;
164   const base::Time current_time(base::Time::Now());
165   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
166   const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
167
168   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
169   bool include_subdomains = false;
170   state.AddHSTS("yahoo.com", expiry, include_subdomains);
171
172   state.DeleteAllDynamicDataSince(expiry);
173   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
174   EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
175             domain_state.sts.upgrade_mode);
176   state.DeleteAllDynamicDataSince(older);
177   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
178   EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT,
179             domain_state.sts.upgrade_mode);
180 }
181
182 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
183   TransportSecurityState state;
184   TransportSecurityState::DomainState domain_state;
185   const base::Time current_time(base::Time::Now());
186   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
187   bool include_subdomains = false;
188   state.AddHSTS("yahoo.com", expiry, include_subdomains);
189
190   EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
191   EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state));
192   EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com"));
193   EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
194 }
195
196 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
197   TransportSecurityState state;
198   TransportSecurityState::DomainState domain_state;
199
200   EnableStaticPins(&state);
201
202   EXPECT_TRUE(
203       state.GetStaticDomainState("chrome.google.com", &domain_state));
204   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
205 }
206
207 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
208   TransportSecurityState state;
209   TransportSecurityState::DomainState domain_state;
210
211   DisableStaticPins(&state);
212   EXPECT_TRUE(
213       state.GetStaticDomainState("chrome.google.com", &domain_state));
214   EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
215 }
216
217 TEST_F(TransportSecurityStateTest, IsPreloaded) {
218   const std::string paypal = "paypal.com";
219   const std::string www_paypal = "www.paypal.com";
220   const std::string foo_paypal = "foo.paypal.com";
221   const std::string a_www_paypal = "a.www.paypal.com";
222   const std::string abc_paypal = "a.b.c.paypal.com";
223   const std::string example = "example.com";
224   const std::string aypal = "aypal.com";
225
226   TransportSecurityState state;
227   TransportSecurityState::DomainState domain_state;
228
229   EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
230   EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
231   EXPECT_FALSE(domain_state.sts.include_subdomains);
232   EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
233   EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
234   EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
235   EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
236 }
237
238 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
239   TransportSecurityState state;
240   TransportSecurityState::DomainState domain_state;
241
242   // The domain wasn't being set, leading to a blank string in the
243   // chrome://net-internals/#hsts UI. So test that.
244   EXPECT_TRUE(
245       state.GetStaticDomainState("market.android.com", &domain_state));
246   EXPECT_EQ(domain_state.domain, "market.android.com");
247   EXPECT_TRUE(state.GetStaticDomainState(
248       "sub.market.android.com", &domain_state));
249   EXPECT_EQ(domain_state.domain, "market.android.com");
250 }
251
252 static bool StaticShouldRedirect(const char* hostname) {
253   TransportSecurityState state;
254   TransportSecurityState::DomainState domain_state;
255   return state.GetStaticDomainState(
256              hostname, &domain_state) &&
257          domain_state.ShouldUpgradeToSSL();
258 }
259
260 static bool HasStaticState(const char* hostname) {
261   TransportSecurityState state;
262   TransportSecurityState::DomainState domain_state;
263   return state.GetStaticDomainState(hostname, &domain_state);
264 }
265
266 static bool HasStaticPublicKeyPins(const char* hostname) {
267   TransportSecurityState state;
268   TransportSecurityStateTest::EnableStaticPins(&state);
269   TransportSecurityState::DomainState domain_state;
270   if (!state.GetStaticDomainState(hostname, &domain_state))
271     return false;
272
273   return domain_state.HasPublicKeyPins();
274 }
275
276 static bool OnlyPinningInStaticState(const char* hostname) {
277   TransportSecurityState state;
278   TransportSecurityStateTest::EnableStaticPins(&state);
279   TransportSecurityState::DomainState domain_state;
280   if (!state.GetStaticDomainState(hostname, &domain_state))
281     return false;
282
283   return (domain_state.pkp.spki_hashes.size() > 0 ||
284           domain_state.pkp.bad_spki_hashes.size() > 0) &&
285          !domain_state.ShouldUpgradeToSSL();
286 }
287
288 TEST_F(TransportSecurityStateTest, Preloaded) {
289   TransportSecurityState state;
290   TransportSecurityState::DomainState domain_state;
291
292   // We do more extensive checks for the first domain.
293   EXPECT_TRUE(
294       state.GetStaticDomainState("www.paypal.com", &domain_state));
295   EXPECT_EQ(domain_state.sts.upgrade_mode,
296             TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
297   EXPECT_FALSE(domain_state.sts.include_subdomains);
298   EXPECT_FALSE(domain_state.pkp.include_subdomains);
299
300   EXPECT_TRUE(HasStaticState("paypal.com"));
301   EXPECT_FALSE(HasStaticState("www2.paypal.com"));
302   EXPECT_FALSE(HasStaticState("www2.paypal.com"));
303
304   // Google hosts:
305
306   EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
307   EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
308   EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
309   EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
310   EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
311   EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
312   EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
313   EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
314   EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
315   EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
316   EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
317   EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
318   EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
319   EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
320   EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
321   EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
322   EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
323   EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
324   EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
325   EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
326   EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
327   EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
328   EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
329   EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
330   EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
331   EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
332   EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
333   EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
334
335   // These domains used to be only HSTS when SNI was available.
336   EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
337   EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
338   EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
339   EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
340
341   // Other hosts:
342
343   EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
344
345   EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
346   EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
347
348   EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
349
350   EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
351   EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
352   EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
353
354   EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
355   EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
356
357   EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
358   EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
359   EXPECT_FALSE(HasStaticState("foo.entropia.de"));
360
361   EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
362   EXPECT_FALSE(HasStaticState("elanex.biz"));
363   EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
364
365   EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
366   EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
367   EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
368
369   EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
370   EXPECT_FALSE(HasStaticState("noisebridge.net"));
371   EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
372
373   EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
374   EXPECT_FALSE(HasStaticState("www.neg9.org"));
375
376   EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
377   EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
378
379   EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
380   EXPECT_FALSE(HasStaticState("www.factor.cc"));
381
382   EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
383   EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
384   EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
385   EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
386   EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
387
388   EXPECT_TRUE(StaticShouldRedirect("romab.com"));
389   EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
390   EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
391
392   EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
393   EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
394   EXPECT_FALSE(HasStaticState("foo.logentries.com"));
395
396   EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
397   EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
398
399   EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
400   EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
401
402   EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
403   EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
404
405   EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
406   EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
407
408   EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
409   EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
410
411   EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
412   EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
413
414   EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
415   EXPECT_FALSE(HasStaticState("foo.squareup.com"));
416
417   EXPECT_TRUE(StaticShouldRedirect("cert.se"));
418   EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
419
420   EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
421   EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
422
423   EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
424   EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
425
426   EXPECT_TRUE(StaticShouldRedirect("linx.net"));
427   EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
428
429   EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
430   EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
431   EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
432
433   EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
434   EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
435
436   EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
437   EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
438
439   EXPECT_FALSE(HasStaticState("foo.torproject.org"));
440
441   EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
442   EXPECT_FALSE(HasStaticState("moneybookers.com"));
443
444   EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
445   EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
446   EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
447
448   EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
449   EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
450
451   EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
452   EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
453   EXPECT_FALSE(HasStaticState("foo.greplin.com"));
454
455   EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
456   EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
457
458   EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
459   EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
460
461   EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
462   EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
463
464   EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
465   EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
466
467   EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
468   EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
469   EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
470   EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
471   EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
472   EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
473   EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
474   EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
475   EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
476   EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
477   EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
478   EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
479
480   EXPECT_TRUE(StaticShouldRedirect("crypto.cat"));
481   EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat"));
482
483   EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
484   EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
485
486   EXPECT_TRUE(StaticShouldRedirect("crate.io"));
487   EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
488 }
489
490 TEST_F(TransportSecurityStateTest, PreloadedPins) {
491   TransportSecurityState state;
492   EnableStaticPins(&state);
493   TransportSecurityState::DomainState domain_state;
494
495   // We do more extensive checks for the first domain.
496   EXPECT_TRUE(
497       state.GetStaticDomainState("www.paypal.com", &domain_state));
498   EXPECT_EQ(domain_state.sts.upgrade_mode,
499             TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
500   EXPECT_FALSE(domain_state.sts.include_subdomains);
501   EXPECT_FALSE(domain_state.pkp.include_subdomains);
502
503   EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
504   EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
505   EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
506   EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
507   EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
508   EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
509   EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
510   EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
511   EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
512   EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
513   EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
514   EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
515   EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
516   EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
517   EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
518   EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
519   EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
520
521   EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
522   EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
523   EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
524   EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
525   EXPECT_FALSE(HasStaticState("foo.torproject.org"));
526
527   EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
528   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
529   EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
530   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
531   EXPECT_TRUE(
532       state.GetStaticDomainState("check.torproject.org", &domain_state));
533   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
534   EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
535   EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
536
537   EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
538 }
539
540 TEST_F(TransportSecurityStateTest, LongNames) {
541   TransportSecurityState state;
542   const char kLongName[] =
543       "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
544       "WaveletIdDomainAndBlipBlipid";
545   TransportSecurityState::DomainState domain_state;
546   // Just checks that we don't hit a NOTREACHED.
547   EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
548   EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
549 }
550
551 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
552   TransportSecurityState state;
553   EnableStaticPins(&state);
554   TransportSecurityState::DomainState domain_state;
555
556   EXPECT_TRUE(
557       state.GetStaticDomainState("chrome.google.com", &domain_state));
558   EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
559
560   HashValueVector hashes;
561   std::string failure_log;
562   // Checks that a built-in list does exist.
563   EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
564   EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
565
566   EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
567   EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
568   EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
569   EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
570   EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
571   EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
572   EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
573   EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
574   EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
575   EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
576   EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
577   EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
578   EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
579   EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
580   EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
581   EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
582   EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
583   EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
584   EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
585   EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
586
587   EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
588   EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
589   EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
590   EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
591   EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
592
593   EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
594   EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
595   EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
596   EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
597   EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
598   EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
599   EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
600   EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
601   EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
602   EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
603 }
604
605 static bool AddHash(const std::string& type_and_base64,
606                     HashValueVector* out) {
607   HashValue hash;
608   if (!hash.FromString(type_and_base64))
609     return false;
610
611   out->push_back(hash);
612   return true;
613 }
614
615 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
616   // kGoodPath is blog.torproject.org.
617   static const char* kGoodPath[] = {
618     "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
619     "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
620     "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
621     NULL,
622   };
623
624   // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
625   // torproject.org.
626   static const char* kBadPath[] = {
627     "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
628     "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
629     "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
630     NULL,
631   };
632
633   HashValueVector good_hashes, bad_hashes;
634
635   for (size_t i = 0; kGoodPath[i]; i++) {
636     EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
637   }
638   for (size_t i = 0; kBadPath[i]; i++) {
639     EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
640   }
641
642   TransportSecurityState state;
643   EnableStaticPins(&state);
644
645   TransportSecurityState::DomainState domain_state;
646   EXPECT_TRUE(
647       state.GetStaticDomainState("blog.torproject.org", &domain_state));
648   EXPECT_TRUE(domain_state.HasPublicKeyPins());
649
650   std::string failure_log;
651   EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
652   EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
653 }
654
655 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
656   TransportSecurityState state;
657   EnableStaticPins(&state);
658   TransportSecurityState::DomainState domain_state;
659
660   EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
661
662   EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
663   EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
664   EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
665   EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
666   EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
667   EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
668   EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
669   EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
670   EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
671   EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
672   EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
673   EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
674   EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
675   EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
676   EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
677   EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
678   EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
679   EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
680 }
681
682 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
683   EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
684   EXPECT_FALSE(StaticShouldRedirect("google.com"));
685   EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
686
687   TransportSecurityState state;
688   TransportSecurityState::DomainState domain_state;
689   const base::Time current_time(base::Time::Now());
690   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
691   domain_state.sts.expiry = expiry;
692   EnableHost(&state, "www.google.com", domain_state);
693
694   EXPECT_TRUE(state.GetDynamicDomainState("www.google.com", &domain_state));
695 }
696
697 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
698   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
699       "www.example.com"));
700   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
701       "www.paypal.com"));
702   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
703       "mail.twitter.com"));
704   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
705       "www.google.com.int"));
706   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
707       "jottit.com"));
708   // learn.doubleclick.net has a more specific match than
709   // *.doubleclick.com, and has 0 or NULL for its required certs.
710   // This test ensures that the exact-match-preferred behavior
711   // works.
712   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
713       "learn.doubleclick.net"));
714
715   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
716       "encrypted.google.com"));
717   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
718       "mail.google.com"));
719   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
720       "accounts.google.com"));
721   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
722       "doubleclick.net"));
723   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
724       "ad.doubleclick.net"));
725   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
726       "youtube.com"));
727   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
728       "www.profiles.google.com"));
729   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
730       "checkout.google.com"));
731   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
732       "googleadservices.com"));
733
734   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
735       "www.example.com"));
736   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
737       "www.paypal.com"));
738   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
739       "checkout.google.com"));
740   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
741       "googleadservices.com"));
742
743   // Test some SNI hosts:
744   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
745       "gmail.com"));
746   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
747       "googlegroups.com"));
748   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
749       "www.googlegroups.com"));
750
751   // These hosts used to only be HSTS when SNI was available.
752   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
753       "gmail.com"));
754   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
755       "googlegroups.com"));
756   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
757       "www.googlegroups.com"));
758 }
759
760 }  // namespace net
Domain: Web Framework / Uncategorized;