1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/http/transport_security_state.h"
11 #include "base/base64.h"
12 #include "base/files/file_path.h"
13 #include "base/rand_util.h"
14 #include "base/sha1.h"
15 #include "base/strings/string_piece.h"
16 #include "crypto/sha2.h"
17 #include "net/base/net_errors.h"
18 #include "net/base/net_log.h"
19 #include "net/base/test_completion_callback.h"
20 #include "net/base/test_data_directory.h"
21 #include "net/cert/asn1_util.h"
22 #include "net/cert/cert_verifier.h"
23 #include "net/cert/cert_verify_result.h"
24 #include "net/cert/test_root_certs.h"
25 #include "net/cert/x509_cert_types.h"
26 #include "net/cert/x509_certificate.h"
27 #include "net/http/http_util.h"
28 #include "net/ssl/ssl_info.h"
29 #include "net/test/cert_test_util.h"
30 #include "testing/gtest/include/gtest/gtest.h"
32 #if defined(USE_OPENSSL)
33 #include "crypto/openssl_util.h"
35 #include "crypto/nss_util.h"
40 class TransportSecurityStateTest : public testing::Test {
42 void SetUp() override {
43 #if defined(USE_OPENSSL)
44 crypto::EnsureOpenSSLInit();
46 crypto::EnsureNSSInit();
50 static void DisableStaticPins(TransportSecurityState* state) {
51 state->enable_static_pins_ = false;
54 static void EnableStaticPins(TransportSecurityState* state) {
55 state->enable_static_pins_ = true;
59 bool GetStaticDomainState(TransportSecurityState* state,
60 const std::string& host,
61 TransportSecurityState::DomainState* result) {
62 return state->GetStaticDomainState(host, result);
65 void EnableHost(TransportSecurityState* state,
66 const std::string& host,
67 const TransportSecurityState::DomainState& domain_state) {
68 return state->EnableHost(host, domain_state);
72 TEST_F(TransportSecurityStateTest, SimpleMatches) {
73 TransportSecurityState state;
74 TransportSecurityState::DomainState domain_state;
75 const base::Time current_time(base::Time::Now());
76 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
78 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
79 bool include_subdomains = false;
80 state.AddHSTS("yahoo.com", expiry, include_subdomains);
81 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
84 TEST_F(TransportSecurityStateTest, MatchesCase1) {
85 TransportSecurityState state;
86 TransportSecurityState::DomainState domain_state;
87 const base::Time current_time(base::Time::Now());
88 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
90 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
91 bool include_subdomains = false;
92 state.AddHSTS("YAhoo.coM", expiry, include_subdomains);
93 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
96 TEST_F(TransportSecurityStateTest, Fuzz) {
97 TransportSecurityState state;
98 TransportSecurityState::DomainState domain_state;
100 EnableStaticPins(&state);
102 for (size_t i = 0; i < 128; i++) {
103 std::string hostname;
106 if (base::RandInt(0, 16) == 7) {
109 if (i > 0 && base::RandInt(0, 7) == 7) {
110 hostname.append(1, '.');
112 hostname.append(1, 'a' + base::RandInt(0, 25));
114 state.GetStaticDomainState(hostname, &domain_state);
118 TEST_F(TransportSecurityStateTest, MatchesCase2) {
119 TransportSecurityState state;
120 TransportSecurityState::DomainState domain_state;
121 const base::Time current_time(base::Time::Now());
122 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
124 EXPECT_FALSE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
125 bool include_subdomains = false;
126 state.AddHSTS("yahoo.com", expiry, include_subdomains);
127 EXPECT_TRUE(state.GetDynamicDomainState("YAhoo.coM", &domain_state));
130 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
131 TransportSecurityState state;
132 TransportSecurityState::DomainState domain_state;
133 const base::Time current_time(base::Time::Now());
134 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
136 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
137 bool include_subdomains = true;
138 state.AddHSTS("yahoo.com", expiry, include_subdomains);
139 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
140 EXPECT_TRUE(state.GetDynamicDomainState("foo.yahoo.com", &domain_state));
141 EXPECT_TRUE(state.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state));
143 state.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state));
144 EXPECT_FALSE(state.GetDynamicDomainState("com", &domain_state));
147 TEST_F(TransportSecurityStateTest, InvalidDomains) {
148 TransportSecurityState state;
149 TransportSecurityState::DomainState domain_state;
150 const base::Time current_time(base::Time::Now());
151 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
153 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
154 bool include_subdomains = true;
155 state.AddHSTS("yahoo.com", expiry, include_subdomains);
156 EXPECT_TRUE(state.GetDynamicDomainState("www-.foo.yahoo.com", &domain_state));
158 state.GetDynamicDomainState("2\x01.foo.yahoo.com", &domain_state));
161 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
162 TransportSecurityState state;
163 TransportSecurityState::DomainState domain_state;
164 const base::Time current_time(base::Time::Now());
165 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
166 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
168 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
169 bool include_subdomains = false;
170 state.AddHSTS("yahoo.com", expiry, include_subdomains);
172 state.DeleteAllDynamicDataSince(expiry);
173 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
174 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
175 domain_state.sts.upgrade_mode);
176 state.DeleteAllDynamicDataSince(older);
177 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
178 EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT,
179 domain_state.sts.upgrade_mode);
182 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
183 TransportSecurityState state;
184 TransportSecurityState::DomainState domain_state;
185 const base::Time current_time(base::Time::Now());
186 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
187 bool include_subdomains = false;
188 state.AddHSTS("yahoo.com", expiry, include_subdomains);
190 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
191 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state));
192 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com"));
193 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
196 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
197 TransportSecurityState state;
198 TransportSecurityState::DomainState domain_state;
200 EnableStaticPins(&state);
203 state.GetStaticDomainState("chrome.google.com", &domain_state));
204 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
207 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
208 TransportSecurityState state;
209 TransportSecurityState::DomainState domain_state;
211 DisableStaticPins(&state);
213 state.GetStaticDomainState("chrome.google.com", &domain_state));
214 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
217 TEST_F(TransportSecurityStateTest, IsPreloaded) {
218 const std::string paypal = "paypal.com";
219 const std::string www_paypal = "www.paypal.com";
220 const std::string foo_paypal = "foo.paypal.com";
221 const std::string a_www_paypal = "a.www.paypal.com";
222 const std::string abc_paypal = "a.b.c.paypal.com";
223 const std::string example = "example.com";
224 const std::string aypal = "aypal.com";
226 TransportSecurityState state;
227 TransportSecurityState::DomainState domain_state;
229 EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
230 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
231 EXPECT_FALSE(domain_state.sts.include_subdomains);
232 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
233 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
234 EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
235 EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
238 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
239 TransportSecurityState state;
240 TransportSecurityState::DomainState domain_state;
242 // The domain wasn't being set, leading to a blank string in the
243 // chrome://net-internals/#hsts UI. So test that.
245 state.GetStaticDomainState("market.android.com", &domain_state));
246 EXPECT_EQ(domain_state.domain, "market.android.com");
247 EXPECT_TRUE(state.GetStaticDomainState(
248 "sub.market.android.com", &domain_state));
249 EXPECT_EQ(domain_state.domain, "market.android.com");
252 static bool StaticShouldRedirect(const char* hostname) {
253 TransportSecurityState state;
254 TransportSecurityState::DomainState domain_state;
255 return state.GetStaticDomainState(
256 hostname, &domain_state) &&
257 domain_state.ShouldUpgradeToSSL();
260 static bool HasStaticState(const char* hostname) {
261 TransportSecurityState state;
262 TransportSecurityState::DomainState domain_state;
263 return state.GetStaticDomainState(hostname, &domain_state);
266 static bool HasStaticPublicKeyPins(const char* hostname) {
267 TransportSecurityState state;
268 TransportSecurityStateTest::EnableStaticPins(&state);
269 TransportSecurityState::DomainState domain_state;
270 if (!state.GetStaticDomainState(hostname, &domain_state))
273 return domain_state.HasPublicKeyPins();
276 static bool OnlyPinningInStaticState(const char* hostname) {
277 TransportSecurityState state;
278 TransportSecurityStateTest::EnableStaticPins(&state);
279 TransportSecurityState::DomainState domain_state;
280 if (!state.GetStaticDomainState(hostname, &domain_state))
283 return (domain_state.pkp.spki_hashes.size() > 0 ||
284 domain_state.pkp.bad_spki_hashes.size() > 0) &&
285 !domain_state.ShouldUpgradeToSSL();
288 TEST_F(TransportSecurityStateTest, Preloaded) {
289 TransportSecurityState state;
290 TransportSecurityState::DomainState domain_state;
292 // We do more extensive checks for the first domain.
294 state.GetStaticDomainState("www.paypal.com", &domain_state));
295 EXPECT_EQ(domain_state.sts.upgrade_mode,
296 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
297 EXPECT_FALSE(domain_state.sts.include_subdomains);
298 EXPECT_FALSE(domain_state.pkp.include_subdomains);
300 EXPECT_TRUE(HasStaticState("paypal.com"));
301 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
302 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
306 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
307 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
308 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
309 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
310 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
311 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
312 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
313 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
314 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
315 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
316 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
317 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
318 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
319 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
320 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
321 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
322 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
323 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
324 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
325 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
326 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
327 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
328 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
329 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
330 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
331 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
332 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
333 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
335 // These domains used to be only HSTS when SNI was available.
336 EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
337 EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
338 EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
339 EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
343 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
345 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
346 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
348 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
350 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
351 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
352 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
354 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
355 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
357 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
358 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
359 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
361 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
362 EXPECT_FALSE(HasStaticState("elanex.biz"));
363 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
365 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
366 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
367 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
369 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
370 EXPECT_FALSE(HasStaticState("noisebridge.net"));
371 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
373 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
374 EXPECT_FALSE(HasStaticState("www.neg9.org"));
376 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
377 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
379 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
380 EXPECT_FALSE(HasStaticState("www.factor.cc"));
382 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
383 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
384 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
385 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
386 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
388 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
389 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
390 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
392 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
393 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
394 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
396 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
397 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
399 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
400 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
402 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
403 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
405 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
406 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
408 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
409 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
411 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
412 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
414 EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
415 EXPECT_FALSE(HasStaticState("foo.squareup.com"));
417 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
418 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
420 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
421 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
423 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
424 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
426 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
427 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
429 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
430 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
431 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
433 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
434 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
436 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
437 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
439 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
441 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
442 EXPECT_FALSE(HasStaticState("moneybookers.com"));
444 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
445 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
446 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
448 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
449 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
451 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
452 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
453 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
455 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
456 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
458 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
459 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
461 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
462 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
464 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
465 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
467 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
468 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
469 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
470 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
471 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
472 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
473 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
474 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
475 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
476 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
477 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
478 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
480 EXPECT_TRUE(StaticShouldRedirect("crypto.cat"));
481 EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat"));
483 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
484 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
486 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
487 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
490 TEST_F(TransportSecurityStateTest, PreloadedPins) {
491 TransportSecurityState state;
492 EnableStaticPins(&state);
493 TransportSecurityState::DomainState domain_state;
495 // We do more extensive checks for the first domain.
497 state.GetStaticDomainState("www.paypal.com", &domain_state));
498 EXPECT_EQ(domain_state.sts.upgrade_mode,
499 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
500 EXPECT_FALSE(domain_state.sts.include_subdomains);
501 EXPECT_FALSE(domain_state.pkp.include_subdomains);
503 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
504 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
505 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
506 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
507 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
508 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
509 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
510 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
511 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
512 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
513 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
514 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
515 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
516 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
517 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
518 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
519 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
521 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
522 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
523 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
524 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
525 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
527 EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
528 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
529 EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
530 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
532 state.GetStaticDomainState("check.torproject.org", &domain_state));
533 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
534 EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
535 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
537 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
540 TEST_F(TransportSecurityStateTest, LongNames) {
541 TransportSecurityState state;
542 const char kLongName[] =
543 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
544 "WaveletIdDomainAndBlipBlipid";
545 TransportSecurityState::DomainState domain_state;
546 // Just checks that we don't hit a NOTREACHED.
547 EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
548 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
551 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
552 TransportSecurityState state;
553 EnableStaticPins(&state);
554 TransportSecurityState::DomainState domain_state;
557 state.GetStaticDomainState("chrome.google.com", &domain_state));
558 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
560 HashValueVector hashes;
561 std::string failure_log;
562 // Checks that a built-in list does exist.
563 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
564 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
566 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
567 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
568 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
569 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
570 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
571 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
572 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
573 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
574 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
575 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
576 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
577 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
578 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
579 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
580 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
581 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
582 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
583 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
584 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
585 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
587 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
588 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
589 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
590 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
591 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
593 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
594 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
595 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
596 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com"));
597 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com"));
598 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com"));
599 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com"));
600 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com"));
601 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com"));
602 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com"));
605 static bool AddHash(const std::string& type_and_base64,
606 HashValueVector* out) {
608 if (!hash.FromString(type_and_base64))
611 out->push_back(hash);
615 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
616 // kGoodPath is blog.torproject.org.
617 static const char* kGoodPath[] = {
618 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=",
619 "sha1/o5OZxATDsgmwgcIfIWIneMJ0jkw=",
620 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=",
624 // kBadPath is plus.google.com via Trustcenter, which is utterly wrong for
626 static const char* kBadPath[] = {
627 "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU=",
628 "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k=",
629 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=",
633 HashValueVector good_hashes, bad_hashes;
635 for (size_t i = 0; kGoodPath[i]; i++) {
636 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
638 for (size_t i = 0; kBadPath[i]; i++) {
639 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
642 TransportSecurityState state;
643 EnableStaticPins(&state);
645 TransportSecurityState::DomainState domain_state;
647 state.GetStaticDomainState("blog.torproject.org", &domain_state));
648 EXPECT_TRUE(domain_state.HasPublicKeyPins());
650 std::string failure_log;
651 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
652 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
655 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
656 TransportSecurityState state;
657 EnableStaticPins(&state);
658 TransportSecurityState::DomainState domain_state;
660 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
662 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
663 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
664 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
665 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
666 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
667 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
668 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
669 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
670 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
671 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
672 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
673 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
674 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
675 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
676 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
677 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
678 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
679 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
682 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
683 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
684 EXPECT_FALSE(StaticShouldRedirect("google.com"));
685 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
687 TransportSecurityState state;
688 TransportSecurityState::DomainState domain_state;
689 const base::Time current_time(base::Time::Now());
690 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
691 domain_state.sts.expiry = expiry;
692 EnableHost(&state, "www.google.com", domain_state);
694 EXPECT_TRUE(state.GetDynamicDomainState("www.google.com", &domain_state));
697 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
698 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
700 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
702 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
703 "mail.twitter.com"));
704 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
705 "www.google.com.int"));
706 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
708 // learn.doubleclick.net has a more specific match than
709 // *.doubleclick.com, and has 0 or NULL for its required certs.
710 // This test ensures that the exact-match-preferred behavior
712 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
713 "learn.doubleclick.net"));
715 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
716 "encrypted.google.com"));
717 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
719 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
720 "accounts.google.com"));
721 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
723 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
724 "ad.doubleclick.net"));
725 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
727 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
728 "www.profiles.google.com"));
729 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
730 "checkout.google.com"));
731 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
732 "googleadservices.com"));
734 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
736 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
738 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
739 "checkout.google.com"));
740 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
741 "googleadservices.com"));
743 // Test some SNI hosts:
744 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
746 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
747 "googlegroups.com"));
748 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
749 "www.googlegroups.com"));
751 // These hosts used to only be HSTS when SNI was available.
752 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
754 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
755 "googlegroups.com"));
756 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
757 "www.googlegroups.com"));