namespace net {
class TransportSecurityStateTest : public testing::Test {
+ public:
virtual void SetUp() {
#if defined(USE_OPENSSL)
crypto::EnsureOpenSSLInit();
#endif
}
+ static void DisableStaticPins(TransportSecurityState* state) {
+ state->enable_static_pins_ = false;
+ }
+
+ static void EnableStaticPins(TransportSecurityState* state) {
+ state->enable_static_pins_ = true;
+ }
+
protected:
bool GetStaticDomainState(TransportSecurityState* state,
const std::string& host,
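Review bot: The new `DisableStaticPins` and `EnableStaticPins` helpers write the private `enable_static_pins_` member from under a new `public:` label, but nothing records why they are public or that they are test-only. Judging by the later hunks, they are public so the file-local helpers `HasStaticPublicKeyPins` and `OnlyPinningInStaticState` can call them. A one-line comment would capture that: `// Test-only toggles for preloaded pin enforcement; public so the file-local static helpers can call them.` The write to a private member presumably relies on a friend declaration in the TransportSecurityState header, which is not visible here, so confirm that grant is limited to this fixture. The class body continues past the end of this hunk.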
EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
}
+TEST_F(TransportSecurityStateTest, EnableStaticPins) {
+ TransportSecurityState state;
+ TransportSecurityState::DomainState domain_state;
+
+ EnableStaticPins(&state);
+
+ EXPECT_TRUE(
+ state.GetStaticDomainState("chrome.google.com", true, &domain_state));
+ EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
+}
+
+TEST_F(TransportSecurityStateTest, DisableStaticPins) {
+ TransportSecurityState state;
+ TransportSecurityState::DomainState domain_state;
+
+ DisableStaticPins(&state);
+ EXPECT_TRUE(
+ state.GetStaticDomainState("chrome.google.com", true, &domain_state));
+ EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
+}
+
TEST_F(TransportSecurityStateTest, IsPreloaded) {
const std::string paypal = "paypal.com";
const std::string www_paypal = "www.paypal.com";
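Review bot: The DisableStaticPins test only checks that `pkp.spki_hashes` is empty, so it would not catch a regression where turning pins off also drops the HSTS part of the preloaded entry. The lookup for chrome.google.com still returns true with pins off, so the entry presumably carries HSTS as well. Asserting it would make the intended split explicit: `EXPECT_EQ(domain_state.sts.upgrade_mode, TransportSecurityState::DomainState::MODE_FORCE_HTTPS);`. Neither new test covers the flag's value on a freshly constructed state, which is what non-test callers get. If that default depends on the build configuration, a comment saying so would help readers of these two tests.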
EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state));
EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state));
EXPECT_FALSE(domain_state.sts.include_subdomains);
- EXPECT_FALSE(domain_state.pkp.include_subdomains);
EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state));
EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state));
EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state));
static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) {
TransportSecurityState state;
+ TransportSecurityStateTest::EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state))
return false;
static bool OnlyPinningInStaticState(const char* hostname) {
TransportSecurityState state;
+ TransportSecurityStateTest::EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state))
return false;
EXPECT_FALSE(HasStaticState("m.gmail.com"));
EXPECT_FALSE(HasStaticState("m.googlemail.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
- EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
- EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
-
// Tests for domains that don't work without SNI.
EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state));
EXPECT_FALSE(
EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
- EXPECT_TRUE(
- state.GetStaticDomainState("torproject.org", false, &domain_state));
- EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
- EXPECT_TRUE(
- state.GetStaticDomainState("www.torproject.org", false, &domain_state));
- EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
- EXPECT_TRUE(
- state.GetStaticDomainState("check.torproject.org", false, &domain_state));
- EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
- EXPECT_TRUE(
- state.GetStaticDomainState("blog.torproject.org", false, &domain_state));
- EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
- EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
- EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
- EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
- EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
EXPECT_FALSE(HasStaticState("foo.torproject.org"));
EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
EXPECT_TRUE(StaticShouldRedirect("crate.io"));
EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
+}
+
+TEST_F(TransportSecurityStateTest, PreloadedPins) {
+ TransportSecurityState state;
+ EnableStaticPins(&state);
+ TransportSecurityState::DomainState domain_state;
+
+ // We do more extensive checks for the first domain.
+ EXPECT_TRUE(
+ state.GetStaticDomainState("www.paypal.com", true, &domain_state));
+ EXPECT_EQ(domain_state.sts.upgrade_mode,
+ TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
+ EXPECT_FALSE(domain_state.sts.include_subdomains);
+ EXPECT_FALSE(domain_state.pkp.include_subdomains);
+
+ EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
+ EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
+ EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
+
+ EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
+ EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
+ EXPECT_FALSE(HasStaticState("foo.torproject.org"));
+
+ EXPECT_TRUE(
+ state.GetStaticDomainState("torproject.org", false, &domain_state));
+ EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
+ EXPECT_TRUE(
+ state.GetStaticDomainState("www.torproject.org", false, &domain_state));
+ EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
+ EXPECT_TRUE(
+ state.GetStaticDomainState("check.torproject.org", false, &domain_state));
+ EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
+ EXPECT_TRUE(
+ state.GetStaticDomainState("blog.torproject.org", false, &domain_state));
+ EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
}
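Review bot: In PreloadedPins, `EXPECT_FALSE(HasStaticState("foo.torproject.org"));` repeats an assertion that the earlier test keeps, and it goes through a helper this change does not touch. If HasStaticState builds its own TransportSecurityState without calling EnableStaticPins (its body is not visible here), the check passes whether or not a pin entry exists, so it says nothing about pinning. In the pin-focused test the negative case is better written as `EXPECT_FALSE(HasStaticPublicKeyPins("foo.torproject.org"));`, matching the foo.twitter.com check used elsewhere in this file.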
TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
TransportSecurityState state;
+ EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
EXPECT_TRUE(
EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
- // Disabled in order to help track down pinning failures --agl
EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
}
TransportSecurityState state;
+ EnableStaticPins(&state);
+
TransportSecurityState::DomainState domain_state;
EXPECT_TRUE(
state.GetStaticDomainState("blog.torproject.org", true, &domain_state));
TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
TransportSecurityState state;
+ EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));