1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/transport_security_state.h"
6
7 #include <stdint.h>
8
9 #include <algorithm>
10 #include <iterator>
11 #include <memory>
12 #include <string>
13 #include <vector>
14
15 #include "base/base64.h"
16 #include "base/files/file_path.h"
17 #include "base/functional/callback_helpers.h"
18 #include "base/json/json_reader.h"
19 #include "base/memory/raw_ptr.h"
20 #include "base/metrics/field_trial.h"
21 #include "base/metrics/field_trial_param_associator.h"
22 #include "base/rand_util.h"
23 #include "base/stl_util.h"
24 #include "base/strings/string_piece.h"
25 #include "base/strings/stringprintf.h"
26 #include "base/test/metrics/histogram_tester.h"
27 #include "base/test/mock_entropy_provider.h"
28 #include "base/test/scoped_feature_list.h"
29 #include "base/time/time.h"
30 #include "base/values.h"
31 #include "build/build_config.h"
32 #include "crypto/openssl_util.h"
33 #include "crypto/sha2.h"
34 #include "net/base/features.h"
35 #include "net/base/hash_value.h"
36 #include "net/base/host_port_pair.h"
37 #include "net/base/net_errors.h"
38 #include "net/base/schemeful_site.h"
39 #include "net/base/test_completion_callback.h"
40 #include "net/cert/asn1_util.h"
41 #include "net/cert/cert_verifier.h"
42 #include "net/cert/cert_verify_result.h"
43 #include "net/cert/ct_policy_status.h"
44 #include "net/cert/test_root_certs.h"
45 #include "net/cert/x509_certificate.h"
46 #include "net/extras/preload_data/decoder.h"
47 #include "net/http/http_status_code.h"
48 #include "net/http/http_util.h"
49 #include "net/http/transport_security_state_source.h"
50 #include "net/net_buildflags.h"
51 #include "net/ssl/ssl_info.h"
52 #include "net/test/cert_test_util.h"
53 #include "net/test/test_data_directory.h"
54 #include "net/test/test_with_task_environment.h"
55 #include "net/tools/huffman_trie/bit_writer.h"
56 #include "net/tools/huffman_trie/trie/trie_bit_buffer.h"
57 #include "testing/gmock/include/gmock/gmock.h"
58 #include "testing/gtest/include/gtest/gtest.h"
59 #include "url/origin.h"
60
61 namespace net {
62
63 namespace {
64
65 namespace test_default {
66 #include "net/http/transport_security_state_static_unittest_default.h"
67 }
68 namespace test1 {
69 #include "net/http/transport_security_state_static_unittest1.h"
70 }
71 namespace test2 {
72 #include "net/http/transport_security_state_static_unittest2.h"
73 }
74 namespace test3 {
75 #include "net/http/transport_security_state_static_unittest3.h"
76 }
77
78 const char kHost[] = "example.test";
79 const uint16_t kPort = 443;
80
81 const char* const kGoodPath[] = {
82 "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
83 "sha256/fzP+pVAbH0hRoUphJKenIP8+2tD/d2QH9J+kQNieM6Q=",
84 "sha256/9vRUVdjloCa4wXUKfDWotV5eUXYD7vu0v0z9SRzQdzg=",
85 "sha256/Nn8jk5By4Vkq6BeOVZ7R7AC6XUUBZsWmUbJR1f1Y5FY=",
86 nullptr,
87 };
88
89 const char* const kBadPath[] = {
90 "sha256/1111111111111111111111111111111111111111111=",
91 "sha256/2222222222222222222222222222222222222222222=",
92 "sha256/3333333333333333333333333333333333333333333=",
93 nullptr,
94 };
95
96 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
97 public:
98 MOCK_METHOD3(IsCTRequiredForHost,
99 CTRequirementLevel(const std::string& hostname,
100 const X509Certificate* chain,
101 const HashValueVector& hashes));
102 };
103
operator ==(const TransportSecurityState::STSState & lhs,const TransportSecurityState::STSState & rhs)104 bool operator==(const TransportSecurityState::STSState& lhs,
105 const TransportSecurityState::STSState& rhs) {
106 return lhs.last_observed == rhs.last_observed && lhs.expiry == rhs.expiry &&
107 lhs.upgrade_mode == rhs.upgrade_mode &&
108 lhs.include_subdomains == rhs.include_subdomains &&
109 lhs.domain == rhs.domain;
110 }
111
operator ==(const TransportSecurityState::PKPState & lhs,const TransportSecurityState::PKPState & rhs)112 bool operator==(const TransportSecurityState::PKPState& lhs,
113 const TransportSecurityState::PKPState& rhs) {
114 return lhs.last_observed == rhs.last_observed && lhs.expiry == rhs.expiry &&
115 lhs.spki_hashes == rhs.spki_hashes &&
116 lhs.bad_spki_hashes == rhs.bad_spki_hashes &&
117 lhs.include_subdomains == rhs.include_subdomains &&
118 lhs.domain == rhs.domain;
119 }
120
121 } // namespace
122
123 class TransportSecurityStateTest : public ::testing::Test,
124 public WithTaskEnvironment {
125 public:
TransportSecurityStateTest()126 TransportSecurityStateTest()
127 : WithTaskEnvironment(
128 base::test::TaskEnvironment::TimeSource::MOCK_TIME) {
129 SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
130 // Need mocked out time for pruning tests. Don't start with a
131 // time of 0, as code doesn't generally expect it.
132 FastForwardBy(base::Days(1));
133 }
134
~TransportSecurityStateTest()135 ~TransportSecurityStateTest() override {
136 SetTransportSecurityStateSourceForTesting(nullptr);
137 }
138
SetUp()139 void SetUp() override { crypto::EnsureOpenSSLInit(); }
140
DisableStaticPins(TransportSecurityState * state)141 static void DisableStaticPins(TransportSecurityState* state) {
142 state->enable_static_pins_ = false;
143 }
144
EnableStaticPins(TransportSecurityState * state)145 static void EnableStaticPins(TransportSecurityState* state) {
146 state->enable_static_pins_ = true;
147 state->SetPinningListAlwaysTimelyForTesting(true);
148 }
149
GetSampleSPKIHashes()150 static HashValueVector GetSampleSPKIHashes() {
151 HashValueVector spki_hashes;
152 HashValue hash(HASH_VALUE_SHA256);
153 memset(hash.data(), 0, hash.size());
154 spki_hashes.push_back(hash);
155 return spki_hashes;
156 }
157
GetSampleSPKIHash(uint8_t value)158 static HashValue GetSampleSPKIHash(uint8_t value) {
159 HashValue hash(HASH_VALUE_SHA256);
160 memset(hash.data(), value, hash.size());
161 return hash;
162 }
163
164 protected:
GetStaticDomainState(TransportSecurityState * state,const std::string & host,TransportSecurityState::STSState * sts_result,TransportSecurityState::PKPState * pkp_result)165 bool GetStaticDomainState(TransportSecurityState* state,
166 const std::string& host,
167 TransportSecurityState::STSState* sts_result,
168 TransportSecurityState::PKPState* pkp_result) {
169 bool ret = state->GetStaticSTSState(host, sts_result);
170 if (state->GetStaticPKPState(host, pkp_result))
171 ret = true;
172 return ret;
173 }
174
175 private:
176 base::test::ScopedFeatureList scoped_feature_list_;
177 };
178
TEST_F(TransportSecurityStateTest,DomainNameOddities)179 TEST_F(TransportSecurityStateTest, DomainNameOddities) {
180 TransportSecurityState state;
181 const base::Time current_time(base::Time::Now());
182 const base::Time expiry = current_time + base::Seconds(1000);
183
184 // DNS suffix search tests. Some DNS resolvers allow a terminal "." to
185 // indicate not perform DNS suffix searching. Ensure that regardless
186 // of how this is treated at the resolver layer, or at the URL/origin
187 // layer (that is, whether they are treated as equivalent or distinct),
188 // ensure that for policy matching, something lacking a terminal "."
189 // is equivalent to something with a terminal "."
190 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
191
192 state.AddHSTS("example.com", expiry, true /* include_subdomains */);
193 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
194 // Trailing '.' should be equivalent; it's just a resolver hint
195 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com."));
196 // Leading '.' should be invalid
197 EXPECT_FALSE(state.ShouldUpgradeToSSL(".example.com"));
198 // Subdomains should work regardless
199 EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com"));
200 EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com."));
201 // But invalid subdomains should be rejected
202 EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com"));
203 EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com."));
204
205 // Now try the inverse form
206 TransportSecurityState state2;
207 state2.AddHSTS("example.net.", expiry, true /* include_subdomains */);
208 EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net."));
209 EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net"));
210 EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net."));
211 EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net"));
212
213 // Finally, test weird things
214 TransportSecurityState state3;
215 state3.AddHSTS("", expiry, true /* include_subdomains */);
216 EXPECT_FALSE(state3.ShouldUpgradeToSSL(""));
217 EXPECT_FALSE(state3.ShouldUpgradeToSSL("."));
218 EXPECT_FALSE(state3.ShouldUpgradeToSSL("..."));
219 // Make sure it didn't somehow apply HSTS to the world
220 EXPECT_FALSE(state3.ShouldUpgradeToSSL("example.org"));
221
222 TransportSecurityState state4;
223 state4.AddHSTS(".", expiry, true /* include_subdomains */);
224 EXPECT_FALSE(state4.ShouldUpgradeToSSL(""));
225 EXPECT_FALSE(state4.ShouldUpgradeToSSL("."));
226 EXPECT_FALSE(state4.ShouldUpgradeToSSL("..."));
227 EXPECT_FALSE(state4.ShouldUpgradeToSSL("example.org"));
228
229 // Now do the same for preloaded entries
230 TransportSecurityState state5;
231 EXPECT_TRUE(state5.ShouldUpgradeToSSL("hsts-preloaded.test"));
232 EXPECT_TRUE(state5.ShouldUpgradeToSSL("hsts-preloaded.test."));
233 EXPECT_FALSE(state5.ShouldUpgradeToSSL("hsts-preloaded..test"));
234 EXPECT_FALSE(state5.ShouldUpgradeToSSL("hsts-preloaded..test."));
235 }
236
TEST_F(TransportSecurityStateTest,SimpleMatches)237 TEST_F(TransportSecurityStateTest, SimpleMatches) {
238 TransportSecurityState state;
239 const base::Time current_time(base::Time::Now());
240 const base::Time expiry = current_time + base::Seconds(1000);
241
242 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
243 bool include_subdomains = false;
244 state.AddHSTS("example.com", expiry, include_subdomains);
245 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
246 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example.com"));
247 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example.com"));
248 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("foo.example.com"));
249 }
250
TEST_F(TransportSecurityStateTest,MatchesCase1)251 TEST_F(TransportSecurityStateTest, MatchesCase1) {
252 TransportSecurityState state;
253 const base::Time current_time(base::Time::Now());
254 const base::Time expiry = current_time + base::Seconds(1000);
255
256 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
257 bool include_subdomains = false;
258 state.AddHSTS("EXample.coM", expiry, include_subdomains);
259 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
260 }
261
TEST_F(TransportSecurityStateTest,MatchesCase2)262 TEST_F(TransportSecurityStateTest, MatchesCase2) {
263 TransportSecurityState state;
264 const base::Time current_time(base::Time::Now());
265 const base::Time expiry = current_time + base::Seconds(1000);
266
267 // Check dynamic entries
268 EXPECT_FALSE(state.ShouldUpgradeToSSL("EXample.coM"));
269 bool include_subdomains = false;
270 state.AddHSTS("example.com", expiry, include_subdomains);
271 EXPECT_TRUE(state.ShouldUpgradeToSSL("EXample.coM"));
272
273 // Check static entries
274 EXPECT_TRUE(state.ShouldUpgradeToSSL("hStS-prelOAded.tEsT"));
275 EXPECT_TRUE(
276 state.ShouldUpgradeToSSL("inClude-subDOmaIns-hsts-prEloaDed.TesT"));
277 }
278
TEST_F(TransportSecurityStateTest,SubdomainMatches)279 TEST_F(TransportSecurityStateTest, SubdomainMatches) {
280 TransportSecurityState state;
281 const base::Time current_time(base::Time::Now());
282 const base::Time expiry = current_time + base::Seconds(1000);
283
284 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test"));
285 bool include_subdomains = true;
286 state.AddHSTS("example.test", expiry, include_subdomains);
287 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.test"));
288 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example.test"));
289 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test"));
290 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test"));
291 EXPECT_FALSE(state.ShouldUpgradeToSSL("test"));
292 EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test"));
293 }
294
295 // Tests that a more-specific HSTS rule without the includeSubDomains bit does
296 // not override a less-specific rule with includeSubDomains. Applicability is
297 // checked before specificity. See https://crbug.com/821811.
TEST_F(TransportSecurityStateTest,STSSubdomainNoOverride)298 TEST_F(TransportSecurityStateTest, STSSubdomainNoOverride) {
299 TransportSecurityState state;
300 const base::Time current_time(base::Time::Now());
301 const base::Time expiry = current_time + base::Seconds(1000);
302 const base::Time older = current_time - base::Seconds(1000);
303
304 state.AddHSTS("example.test", expiry, true);
305 state.AddHSTS("foo.example.test", expiry, false);
306
307 // The example.test rule applies to the entire domain, including subdomains of
308 // foo.example.test.
309 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.test"));
310 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example.test"));
311 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example.test"));
312 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example.test"));
313
314 // Expire the foo.example.test rule.
315 state.AddHSTS("foo.example.test", older, false);
316
317 // The example.test rule still applies.
318 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.test"));
319 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example.test"));
320 EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example.test"));
321 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example.test"));
322 }
323
324 // Tests that a more-specific HPKP rule overrides a less-specific rule
325 // with it, regardless of the includeSubDomains bit. Note this behavior does not
326 // match HSTS. See https://crbug.com/821811.
TEST_F(TransportSecurityStateTest,PKPSubdomainCarveout)327 TEST_F(TransportSecurityStateTest, PKPSubdomainCarveout) {
328 TransportSecurityState state;
329 const base::Time current_time(base::Time::Now());
330 const base::Time expiry = current_time + base::Seconds(1000);
331 const base::Time older = current_time - base::Seconds(1000);
332
333 state.AddHPKP("example.test", expiry, true, GetSampleSPKIHashes());
334 state.AddHPKP("foo.example.test", expiry, false, GetSampleSPKIHashes());
335 EXPECT_TRUE(state.HasPublicKeyPins("example.test"));
336 EXPECT_TRUE(state.HasPublicKeyPins("foo.example.test"));
337
338 // The foo.example.test rule overrides the example1.test rule, so
339 // bar.foo.example.test has no HPKP state.
340 EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example.test"));
341 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example.test"));
342
343 // Expire the foo.example.test rule.
344 state.AddHPKP("foo.example.test", older, false, GetSampleSPKIHashes());
345
346 // Now the base example.test rule applies to bar.foo.example.test.
347 EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example.test"));
348 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example.test"));
349 }
350
TEST_F(TransportSecurityStateTest,FatalSSLErrors)351 TEST_F(TransportSecurityStateTest, FatalSSLErrors) {
352 TransportSecurityState state;
353 const base::Time current_time(base::Time::Now());
354 const base::Time expiry = current_time + base::Seconds(1000);
355
356 state.AddHSTS("example1.test", expiry, false);
357 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
358
359 // The presense of either HSTS or HPKP is enough to make SSL errors fatal.
360 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test"));
361 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test"));
362 }
363
364 // Tests that HPKP and HSTS state both expire. Also tests that expired entries
365 // are pruned.
TEST_F(TransportSecurityStateTest,Expiration)366 TEST_F(TransportSecurityStateTest, Expiration) {
367 TransportSecurityState state;
368 const base::Time current_time(base::Time::Now());
369 const base::Time expiry = current_time + base::Seconds(1000);
370 const base::Time older = current_time - base::Seconds(1000);
371
372 // Note: this test assumes that inserting an entry with an expiration time in
373 // the past works and is pruned on query.
374 state.AddHSTS("example1.test", older, false);
375 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext());
376 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
377 // Querying |state| for a domain should flush out expired entries.
378 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext());
379
380 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
381 EXPECT_TRUE(state.has_dynamic_pkp_state());
382 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
383 // Querying |state| for a domain should flush out expired entries.
384 EXPECT_FALSE(state.has_dynamic_pkp_state());
385
386 state.AddHSTS("example1.test", older, false);
387 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
388 EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext());
389 EXPECT_TRUE(state.has_dynamic_pkp_state());
390 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test"));
391 // Querying |state| for a domain should flush out expired entries.
392 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext());
393 EXPECT_FALSE(state.has_dynamic_pkp_state());
394
395 // Test that HSTS can outlive HPKP.
396 state.AddHSTS("example1.test", expiry, false);
397 state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
398 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
399 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
400
401 // Test that HPKP can outlive HSTS.
402 state.AddHSTS("example2.test", older, false);
403 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
404 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
405 EXPECT_TRUE(state.HasPublicKeyPins("example2.test"));
406 }
407
408 // Tests that HPKP and HSTS state are queried independently for subdomain
409 // matches.
TEST_F(TransportSecurityStateTest,IndependentSubdomain)410 TEST_F(TransportSecurityStateTest, IndependentSubdomain) {
411 TransportSecurityState state;
412 const base::Time current_time(base::Time::Now());
413 const base::Time expiry = current_time + base::Seconds(1000);
414
415 state.AddHSTS("example1.test", expiry, true);
416 state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes());
417
418 state.AddHSTS("example2.test", expiry, false);
419 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
420
421 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
422 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test"));
423 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test"));
424 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
425 }
426
427 // Tests that HPKP and HSTS state are inserted and overridden independently.
TEST_F(TransportSecurityStateTest,IndependentInsertion)428 TEST_F(TransportSecurityStateTest, IndependentInsertion) {
429 TransportSecurityState state;
430 const base::Time current_time(base::Time::Now());
431 const base::Time expiry = current_time + base::Seconds(1000);
432
433 // Place an includeSubdomains HSTS entry below a normal HPKP entry.
434 state.AddHSTS("example1.test", expiry, true);
435 state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes());
436
437 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
438 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test"));
439 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
440 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
441
442 // Drop the includeSubdomains from the HSTS entry.
443 state.AddHSTS("example1.test", expiry, false);
444
445 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test"));
446 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test"));
447
448 // Place an includeSubdomains HPKP entry below a normal HSTS entry.
449 state.AddHSTS("foo.example2.test", expiry, false);
450 state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
451
452 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test"));
453 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
454
455 // Drop the includeSubdomains from the HSTS entry.
456 state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
457
458 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test"));
459 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test"));
460 }
461
462 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the
463 // states are not mixed together.
TEST_F(TransportSecurityStateTest,DynamicDomainState)464 TEST_F(TransportSecurityStateTest, DynamicDomainState) {
465 TransportSecurityState state;
466 const base::Time current_time(base::Time::Now());
467 const base::Time expiry1 = current_time + base::Seconds(1000);
468 const base::Time expiry2 = current_time + base::Seconds(2000);
469
470 state.AddHSTS("example.com", expiry1, true);
471 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes());
472
473 TransportSecurityState::STSState sts_state;
474 TransportSecurityState::PKPState pkp_state;
475 ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state));
476 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state));
477 EXPECT_TRUE(sts_state.ShouldUpgradeToSSL());
478 EXPECT_TRUE(pkp_state.HasPublicKeyPins());
479 EXPECT_TRUE(sts_state.include_subdomains);
480 EXPECT_FALSE(pkp_state.include_subdomains);
481 EXPECT_EQ(expiry1, sts_state.expiry);
482 EXPECT_EQ(expiry2, pkp_state.expiry);
483 EXPECT_EQ("example.com", sts_state.domain);
484 EXPECT_EQ("foo.example.com", pkp_state.domain);
485 }
486
487 // Tests that new pins always override previous pins. This should be true for
488 // both pins at the same domain or includeSubdomains pins at a parent domain.
TEST_F(TransportSecurityStateTest,NewPinsOverride)489 TEST_F(TransportSecurityStateTest, NewPinsOverride) {
490 TransportSecurityState state;
491 TransportSecurityState::PKPState pkp_state;
492 const base::Time current_time(base::Time::Now());
493 const base::Time expiry = current_time + base::Seconds(1000);
494 HashValue hash1(HASH_VALUE_SHA256);
495 memset(hash1.data(), 0x01, hash1.size());
496 HashValue hash2(HASH_VALUE_SHA256);
497 memset(hash2.data(), 0x02, hash1.size());
498 HashValue hash3(HASH_VALUE_SHA256);
499 memset(hash3.data(), 0x03, hash1.size());
500
501 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1));
502
503 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state));
504 ASSERT_EQ(1u, pkp_state.spki_hashes.size());
505 EXPECT_EQ(pkp_state.spki_hashes[0], hash1);
506
507 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2));
508
509 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state));
510 ASSERT_EQ(1u, pkp_state.spki_hashes.size());
511 EXPECT_EQ(pkp_state.spki_hashes[0], hash2);
512
513 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3));
514
515 ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state));
516 ASSERT_EQ(1u, pkp_state.spki_hashes.size());
517 EXPECT_EQ(pkp_state.spki_hashes[0], hash3);
518 }
519
TEST_F(TransportSecurityStateTest,DeleteAllDynamicDataBetween)520 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataBetween) {
521 TransportSecurityState state;
522 const base::Time current_time(base::Time::Now());
523 const base::Time expiry = current_time + base::Seconds(1000);
524 const base::Time older = current_time - base::Seconds(1000);
525
526 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
527 EXPECT_FALSE(state.HasPublicKeyPins("example.com"));
528 bool include_subdomains = false;
529 state.AddHSTS("example.com", expiry, include_subdomains);
530 state.AddHPKP("example.com", expiry, include_subdomains,
531 GetSampleSPKIHashes());
532
533 state.DeleteAllDynamicDataBetween(expiry, base::Time::Max(),
534 base::DoNothing());
535 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
536 EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
537
538 state.DeleteAllDynamicDataBetween(older, current_time, base::DoNothing());
539 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
540 EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
541
542 state.DeleteAllDynamicDataBetween(base::Time(), current_time,
543 base::DoNothing());
544 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
545 EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
546
547 state.DeleteAllDynamicDataBetween(older, base::Time::Max(),
548 base::DoNothing());
549 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
550 EXPECT_FALSE(state.HasPublicKeyPins("example.com"));
551
552 // Dynamic data in |state| should be empty now.
553 EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext());
554 EXPECT_FALSE(state.has_dynamic_pkp_state());
555 }
556
TEST_F(TransportSecurityStateTest,DeleteDynamicDataForHost)557 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
558 TransportSecurityState state;
559 const base::Time current_time(base::Time::Now());
560 const base::Time expiry = current_time + base::Seconds(1000);
561 bool include_subdomains = false;
562
563 state.AddHSTS("example1.test", expiry, include_subdomains);
564 state.AddHPKP("example1.test", expiry, include_subdomains,
565 GetSampleSPKIHashes());
566
567 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
568 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
569 EXPECT_TRUE(state.HasPublicKeyPins("example1.test"));
570 EXPECT_FALSE(state.HasPublicKeyPins("example2.test"));
571
572 EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test"));
573 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
574 EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
575 }
576
TEST_F(TransportSecurityStateTest,LongNames)577 TEST_F(TransportSecurityStateTest, LongNames) {
578 TransportSecurityState state;
579 state.SetPinningListAlwaysTimelyForTesting(true);
580 const char kLongName[] =
581 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
582 "WaveletIdDomainAndBlipBlipid";
583 TransportSecurityState::STSState sts_state;
584 TransportSecurityState::PKPState pkp_state;
585 // Just checks that we don't hit a NOTREACHED
586 EXPECT_FALSE(state.GetStaticSTSState(kLongName, &sts_state));
587 EXPECT_FALSE(state.GetStaticPKPState(kLongName, &pkp_state));
588 EXPECT_FALSE(state.GetDynamicSTSState(kLongName, &sts_state));
589 EXPECT_FALSE(state.GetDynamicPKPState(kLongName, &pkp_state));
590 }
591
AddHash(const std::string & type_and_base64,HashValueVector * out)592 static bool AddHash(const std::string& type_and_base64, HashValueVector* out) {
593 HashValue hash;
594 if (!hash.FromString(type_and_base64))
595 return false;
596
597 out->push_back(hash);
598 return true;
599 }
600
TEST_F(TransportSecurityStateTest,PinValidationWithoutRejectedCerts)601 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
602 base::test::ScopedFeatureList scoped_feature_list_;
603 scoped_feature_list_.InitAndEnableFeature(
604 net::features::kStaticKeyPinningEnforcement);
605 HashValueVector good_hashes, bad_hashes;
606
607 for (size_t i = 0; kGoodPath[i]; i++) {
608 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
609 }
610 for (size_t i = 0; kBadPath[i]; i++) {
611 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
612 }
613
614 TransportSecurityState state;
615 state.SetPinningListAlwaysTimelyForTesting(true);
616 EnableStaticPins(&state);
617
618 TransportSecurityState::PKPState pkp_state;
619 EXPECT_TRUE(state.GetStaticPKPState("no-rejected-pins-pkp.preloaded.test",
620 &pkp_state));
621 EXPECT_TRUE(pkp_state.HasPublicKeyPins());
622
623 EXPECT_TRUE(pkp_state.CheckPublicKeyPins(good_hashes));
624 EXPECT_FALSE(pkp_state.CheckPublicKeyPins(bad_hashes));
625 }
626
627 // Simple test for the HSTS preload process. The trie (generated from
628 // transport_security_state_static_unittest1.json) contains 1 entry. Test that
629 // the lookup methods can find the entry and correctly decode the different
630 // preloaded states (HSTS and HPKP).
TEST_F(TransportSecurityStateTest,DecodePreloadedSingle)631 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) {
632 base::test::ScopedFeatureList scoped_feature_list_;
633 scoped_feature_list_.InitAndEnableFeature(
634 net::features::kStaticKeyPinningEnforcement);
635 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource);
636
637 TransportSecurityState state;
638 TransportSecurityStateTest::EnableStaticPins(&state);
639
640 TransportSecurityState::STSState sts_state;
641 TransportSecurityState::PKPState pkp_state;
642 EXPECT_TRUE(
643 GetStaticDomainState(&state, "hsts.example.com", &sts_state, &pkp_state));
644 EXPECT_TRUE(sts_state.include_subdomains);
645 EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
646 sts_state.upgrade_mode);
647 EXPECT_TRUE(pkp_state.include_subdomains);
648 ASSERT_EQ(1u, pkp_state.spki_hashes.size());
649 EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
650 ASSERT_EQ(1u, pkp_state.bad_spki_hashes.size());
651 EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x2));
652 }
653
654 // More advanced test for the HSTS preload process where the trie (generated
655 // from transport_security_state_static_unittest2.json) contains multiple
656 // entries with a common prefix. Test that the lookup methods can find all
657 // entries and correctly decode the different preloaded states (HSTS and HPKP)
658 // for each entry.
TEST_F(TransportSecurityStateTest,DecodePreloadedMultiplePrefix)659 TEST_F(TransportSecurityStateTest, DecodePreloadedMultiplePrefix) {
660 base::test::ScopedFeatureList scoped_feature_list_;
661 scoped_feature_list_.InitAndEnableFeature(
662 net::features::kStaticKeyPinningEnforcement);
663 SetTransportSecurityStateSourceForTesting(&test2::kHSTSSource);
664
665 TransportSecurityState state;
666 TransportSecurityStateTest::EnableStaticPins(&state);
667
668 TransportSecurityState::STSState sts_state;
669 TransportSecurityState::PKPState pkp_state;
670
671 EXPECT_TRUE(
672 GetStaticDomainState(&state, "hsts.example.com", &sts_state, &pkp_state));
673 EXPECT_FALSE(sts_state.include_subdomains);
674 EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
675 sts_state.upgrade_mode);
676 EXPECT_TRUE(pkp_state == TransportSecurityState::PKPState());
677
678 sts_state = TransportSecurityState::STSState();
679 pkp_state = TransportSecurityState::PKPState();
680 EXPECT_TRUE(
681 GetStaticDomainState(&state, "hpkp.example.com", &sts_state, &pkp_state));
682 EXPECT_TRUE(sts_state == TransportSecurityState::STSState());
683 EXPECT_TRUE(pkp_state.include_subdomains);
684 EXPECT_EQ(1U, pkp_state.spki_hashes.size());
685 EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
686 EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
687
688 sts_state = TransportSecurityState::STSState();
689 pkp_state = TransportSecurityState::PKPState();
690 EXPECT_TRUE(
691 GetStaticDomainState(&state, "mix.example.com", &sts_state, &pkp_state));
692 EXPECT_FALSE(sts_state.include_subdomains);
693 EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
694 sts_state.upgrade_mode);
695 EXPECT_TRUE(pkp_state.include_subdomains);
696 EXPECT_EQ(1U, pkp_state.spki_hashes.size());
697 EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x2));
698 EXPECT_EQ(1U, pkp_state.bad_spki_hashes.size());
699 EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x1));
700 }
701
702 // More advanced test for the HSTS preload process where the trie (generated
703 // from transport_security_state_static_unittest3.json) contains a mix of
704 // entries. Some entries share a prefix with the prefix also having its own
705 // preloaded state while others share no prefix. This results in a trie with
706 // several different internal structures. Test that the lookup methods can find
707 // all entries and correctly decode the different preloaded states (HSTS and
708 // HPKP) for each entry.
TEST_F(TransportSecurityStateTest,DecodePreloadedMultipleMix)709 TEST_F(TransportSecurityStateTest, DecodePreloadedMultipleMix) {
710 base::test::ScopedFeatureList scoped_feature_list_;
711 scoped_feature_list_.InitAndEnableFeature(
712 net::features::kStaticKeyPinningEnforcement);
713 SetTransportSecurityStateSourceForTesting(&test3::kHSTSSource);
714
715 TransportSecurityState state;
716 TransportSecurityStateTest::EnableStaticPins(&state);
717
718 TransportSecurityState::STSState sts_state;
719 TransportSecurityState::PKPState pkp_state;
720
721 EXPECT_TRUE(
722 GetStaticDomainState(&state, "example.com", &sts_state, &pkp_state));
723 EXPECT_TRUE(sts_state.include_subdomains);
724 EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
725 sts_state.upgrade_mode);
726 EXPECT_TRUE(pkp_state == TransportSecurityState::PKPState());
727
728 sts_state = TransportSecurityState::STSState();
729 pkp_state = TransportSecurityState::PKPState();
730 EXPECT_TRUE(
731 GetStaticDomainState(&state, "hpkp.example.com", &sts_state, &pkp_state));
732 EXPECT_TRUE(sts_state == TransportSecurityState::STSState());
733 EXPECT_TRUE(pkp_state.include_subdomains);
734 EXPECT_EQ(1U, pkp_state.spki_hashes.size());
735 EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
736 EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
737
738 sts_state = TransportSecurityState::STSState();
739 pkp_state = TransportSecurityState::PKPState();
740 EXPECT_TRUE(
741 GetStaticDomainState(&state, "example.org", &sts_state, &pkp_state));
742 EXPECT_FALSE(sts_state.include_subdomains);
743 EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
744 sts_state.upgrade_mode);
745 EXPECT_TRUE(pkp_state == TransportSecurityState::PKPState());
746
747 sts_state = TransportSecurityState::STSState();
748 pkp_state = TransportSecurityState::PKPState();
749 EXPECT_TRUE(
750 GetStaticDomainState(&state, "badssl.com", &sts_state, &pkp_state));
751 EXPECT_TRUE(sts_state == TransportSecurityState::STSState());
752 EXPECT_TRUE(pkp_state.include_subdomains);
753 EXPECT_EQ(1U, pkp_state.spki_hashes.size());
754 EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
755 EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
756
757 sts_state = TransportSecurityState::STSState();
758 pkp_state = TransportSecurityState::PKPState();
759 EXPECT_TRUE(
760 GetStaticDomainState(&state, "mix.badssl.com", &sts_state, &pkp_state));
761 EXPECT_FALSE(sts_state.include_subdomains);
762 EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
763 sts_state.upgrade_mode);
764 EXPECT_TRUE(pkp_state.include_subdomains);
765 EXPECT_EQ(1U, pkp_state.spki_hashes.size());
766 EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x2));
767 EXPECT_EQ(1U, pkp_state.bad_spki_hashes.size());
768 EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x1));
769
770 sts_state = TransportSecurityState::STSState();
771 pkp_state = TransportSecurityState::PKPState();
772
773 // This should be a simple entry in the context of
774 // TrieWriter::IsSimpleEntry().
775 EXPECT_TRUE(GetStaticDomainState(&state, "simple-entry.example.com",
776 &sts_state, &pkp_state));
777 EXPECT_TRUE(sts_state.include_subdomains);
778 EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
779 sts_state.upgrade_mode);
780 EXPECT_TRUE(pkp_state == TransportSecurityState::PKPState());
781 }
782
TEST_F(TransportSecurityStateTest,HstsHostBypassList)783 TEST_F(TransportSecurityStateTest, HstsHostBypassList) {
784 SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
785
786 TransportSecurityState::STSState sts_state;
787 TransportSecurityState::PKPState pkp_state;
788
789 std::string preloaded_tld = "example";
790 std::string subdomain = "sub.example";
791
792 {
793 TransportSecurityState state;
794 // Check that "example" is preloaded with subdomains.
795 EXPECT_TRUE(state.ShouldUpgradeToSSL(preloaded_tld));
796 EXPECT_TRUE(state.ShouldUpgradeToSSL(subdomain));
797 }
798
799 {
800 // Add "example" to the bypass list.
801 TransportSecurityState state({preloaded_tld});
802 EXPECT_FALSE(state.ShouldUpgradeToSSL(preloaded_tld));
803 // The preloaded entry should still apply to the subdomain.
804 EXPECT_TRUE(state.ShouldUpgradeToSSL(subdomain));
805 }
806 }
807
808 // Tests that TransportSecurityState always consults the RequireCTDelegate,
809 // if supplied.
TEST_F(TransportSecurityStateTest,RequireCTConsultsDelegate)810 TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
811 using ::testing::_;
812 using ::testing::Return;
813 using CTRequirementLevel =
814 TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
815
816 // Dummy cert to use as the validation chain. The contents do not matter.
817 scoped_refptr<X509Certificate> cert =
818 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
819 ASSERT_TRUE(cert);
820
821 HashValueVector hashes;
822 hashes.push_back(
823 HashValue(X509Certificate::CalculateFingerprint256(cert->cert_buffer())));
824
825 // If CT is required, then the requirements are not met if the CT policy
826 // wasn't met, but are met if the policy was met or the build was out of
827 // date.
828 {
829 TransportSecurityState state;
830 const TransportSecurityState::CTRequirementsStatus original_status =
831 state.CheckCTRequirements(
832 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
833 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS);
834
835 MockRequireCTDelegate always_require_delegate;
836 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_, _, _))
837 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED));
838 state.SetRequireCTDelegate(&always_require_delegate);
839 EXPECT_EQ(
840 TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
841 state.CheckCTRequirements(
842 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
843 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
844 EXPECT_EQ(
845 TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
846 state.CheckCTRequirements(
847 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
848 ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS));
849 EXPECT_EQ(
850 TransportSecurityState::CT_REQUIREMENTS_MET,
851 state.CheckCTRequirements(
852 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
853 ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
854 EXPECT_EQ(
855 TransportSecurityState::CT_REQUIREMENTS_MET,
856 state.CheckCTRequirements(
857 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
858 ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY));
859
860 state.SetRequireCTDelegate(nullptr);
861 EXPECT_EQ(
862 original_status,
863 state.CheckCTRequirements(
864 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
865 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
866 }
867
868 // If CT is not required, then regardless of the CT state for the host,
869 // it should indicate CT is not required.
870 {
871 TransportSecurityState state;
872 const TransportSecurityState::CTRequirementsStatus original_status =
873 state.CheckCTRequirements(
874 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
875 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS);
876
877 MockRequireCTDelegate never_require_delegate;
878 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_, _, _))
879 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED));
880 state.SetRequireCTDelegate(&never_require_delegate);
881 EXPECT_EQ(
882 TransportSecurityState::CT_NOT_REQUIRED,
883 state.CheckCTRequirements(
884 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
885 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
886 EXPECT_EQ(
887 TransportSecurityState::CT_NOT_REQUIRED,
888 state.CheckCTRequirements(
889 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
890 ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS));
891
892 state.SetRequireCTDelegate(nullptr);
893 EXPECT_EQ(
894 original_status,
895 state.CheckCTRequirements(
896 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
897 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
898 }
899 }
900
901 // Tests that the emergency disable flags cause CT to stop being required
902 // regardless of host or delegate status.
TEST(CTEmergencyDisableTest,CTEmergencyDisable)903 TEST(CTEmergencyDisableTest, CTEmergencyDisable) {
904 using ::testing::_;
905 using ::testing::Return;
906 using CTRequirementLevel =
907 TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
908
909 // Dummy cert to use as the validation chain. The contents do not matter.
910 scoped_refptr<X509Certificate> cert =
911 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
912 ASSERT_TRUE(cert);
913
914 HashValueVector hashes;
915 hashes.push_back(
916 HashValue(X509Certificate::CalculateFingerprint256(cert->cert_buffer())));
917
918 TransportSecurityState state;
919 state.SetCTEmergencyDisabled(true);
920
921 MockRequireCTDelegate always_require_delegate;
922 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_, _, _))
923 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED));
924 state.SetRequireCTDelegate(&always_require_delegate);
925 EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
926 state.CheckCTRequirements(
927 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
928 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
929 EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
930 state.CheckCTRequirements(
931 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
932 ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS));
933 EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
934 state.CheckCTRequirements(
935 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
936 ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
937 EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
938 state.CheckCTRequirements(
939 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
940 ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY));
941
942 state.SetRequireCTDelegate(nullptr);
943 EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
944 state.CheckCTRequirements(
945 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
946 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
947 }
948
949 #if BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
950
951 class TransportSecurityStateStaticTest : public TransportSecurityStateTest {
952 public:
TransportSecurityStateStaticTest()953 TransportSecurityStateStaticTest() {
954 SetTransportSecurityStateSourceForTesting(nullptr);
955 }
956 };
957
StaticShouldRedirect(const char * hostname)958 static bool StaticShouldRedirect(const char* hostname) {
959 TransportSecurityState state;
960 TransportSecurityState::STSState sts_state;
961 return state.GetStaticSTSState(hostname, &sts_state) &&
962 sts_state.ShouldUpgradeToSSL();
963 }
964
HasStaticState(const char * hostname)965 static bool HasStaticState(const char* hostname) {
966 TransportSecurityState state;
967 state.SetPinningListAlwaysTimelyForTesting(true);
968 TransportSecurityState::STSState sts_state;
969 TransportSecurityState::PKPState pkp_state;
970 return state.GetStaticSTSState(hostname, &sts_state) ||
971 state.GetStaticPKPState(hostname, &pkp_state);
972 }
973
HasStaticPublicKeyPins(const char * hostname)974 static bool HasStaticPublicKeyPins(const char* hostname) {
975 TransportSecurityState state;
976 state.SetPinningListAlwaysTimelyForTesting(true);
977 TransportSecurityStateTest::EnableStaticPins(&state);
978 TransportSecurityState::PKPState pkp_state;
979 if (!state.GetStaticPKPState(hostname, &pkp_state))
980 return false;
981
982 return pkp_state.HasPublicKeyPins();
983 }
984
OnlyPinningInStaticState(const char * hostname)985 static bool OnlyPinningInStaticState(const char* hostname) {
986 TransportSecurityState state;
987 TransportSecurityStateTest::EnableStaticPins(&state);
988 TransportSecurityState::STSState sts_state;
989 TransportSecurityState::PKPState pkp_state;
990 return HasStaticPublicKeyPins(hostname) && !StaticShouldRedirect(hostname);
991 }
992
TEST_F(TransportSecurityStateStaticTest,EnableStaticPins)993 TEST_F(TransportSecurityStateStaticTest, EnableStaticPins) {
994 base::test::ScopedFeatureList scoped_feature_list_;
995 scoped_feature_list_.InitAndEnableFeature(
996 net::features::kStaticKeyPinningEnforcement);
997 TransportSecurityState state;
998 state.SetPinningListAlwaysTimelyForTesting(true);
999 TransportSecurityState::PKPState pkp_state;
1000
1001 EnableStaticPins(&state);
1002
1003 EXPECT_TRUE(state.GetStaticPKPState("chrome.google.com", &pkp_state));
1004 EXPECT_FALSE(pkp_state.spki_hashes.empty());
1005 }
1006
TEST_F(TransportSecurityStateStaticTest,DisableStaticPins)1007 TEST_F(TransportSecurityStateStaticTest, DisableStaticPins) {
1008 TransportSecurityState state;
1009 state.SetPinningListAlwaysTimelyForTesting(true);
1010 TransportSecurityState::PKPState pkp_state;
1011
1012 DisableStaticPins(&state);
1013 EXPECT_FALSE(state.GetStaticPKPState("chrome.google.com", &pkp_state));
1014 EXPECT_TRUE(pkp_state.spki_hashes.empty());
1015 }
1016
TEST_F(TransportSecurityStateStaticTest,IsPreloaded)1017 TEST_F(TransportSecurityStateStaticTest, IsPreloaded) {
1018 const std::string paypal = "paypal.com";
1019 const std::string www_paypal = "www.paypal.com";
1020 const std::string foo_paypal = "foo.paypal.com";
1021 const std::string a_www_paypal = "a.www.paypal.com";
1022 const std::string abc_paypal = "a.b.c.paypal.com";
1023 const std::string example = "example.com";
1024 const std::string aypal = "aypal.com";
1025 const std::string google = "google";
1026 const std::string www_google = "www.google";
1027 const std::string foo = "foo";
1028 const std::string bank = "example.bank";
1029 const std::string insurance = "sub.example.insurance";
1030
1031 TransportSecurityState state;
1032 TransportSecurityState::STSState sts_state;
1033 TransportSecurityState::PKPState pkp_state;
1034
1035 EXPECT_TRUE(GetStaticDomainState(&state, paypal, &sts_state, &pkp_state));
1036 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &sts_state, &pkp_state));
1037 EXPECT_FALSE(sts_state.include_subdomains);
1038 EXPECT_TRUE(GetStaticDomainState(&state, google, &sts_state, &pkp_state));
1039 EXPECT_TRUE(GetStaticDomainState(&state, www_google, &sts_state, &pkp_state));
1040 EXPECT_TRUE(GetStaticDomainState(&state, foo, &sts_state, &pkp_state));
1041 EXPECT_TRUE(GetStaticDomainState(&state, bank, &sts_state, &pkp_state));
1042 EXPECT_TRUE(sts_state.include_subdomains);
1043 EXPECT_TRUE(GetStaticDomainState(&state, insurance, &sts_state, &pkp_state));
1044 EXPECT_TRUE(sts_state.include_subdomains);
1045 EXPECT_FALSE(
1046 GetStaticDomainState(&state, a_www_paypal, &sts_state, &pkp_state));
1047 EXPECT_FALSE(
1048 GetStaticDomainState(&state, abc_paypal, &sts_state, &pkp_state));
1049 EXPECT_FALSE(GetStaticDomainState(&state, example, &sts_state, &pkp_state));
1050 EXPECT_FALSE(GetStaticDomainState(&state, aypal, &sts_state, &pkp_state));
1051 }
1052
TEST_F(TransportSecurityStateStaticTest,PreloadedDomainSet)1053 TEST_F(TransportSecurityStateStaticTest, PreloadedDomainSet) {
1054 base::test::ScopedFeatureList scoped_feature_list_;
1055 scoped_feature_list_.InitAndEnableFeature(
1056 net::features::kStaticKeyPinningEnforcement);
1057 TransportSecurityState state;
1058 EnableStaticPins(&state);
1059 TransportSecurityState::STSState sts_state;
1060 TransportSecurityState::PKPState pkp_state;
1061
1062 // The domain wasn't being set, leading to a blank string in the
1063 // chrome://net-internals/#hsts UI. So test that.
1064 EXPECT_TRUE(state.GetStaticPKPState("market.android.com", &pkp_state));
1065 EXPECT_TRUE(state.GetStaticSTSState("market.android.com", &sts_state));
1066 EXPECT_EQ(sts_state.domain, "market.android.com");
1067 EXPECT_EQ(pkp_state.domain, "market.android.com");
1068 EXPECT_TRUE(state.GetStaticPKPState("sub.market.android.com", &pkp_state));
1069 EXPECT_TRUE(state.GetStaticSTSState("sub.market.android.com", &sts_state));
1070 EXPECT_EQ(sts_state.domain, "market.android.com");
1071 EXPECT_EQ(pkp_state.domain, "market.android.com");
1072 }
1073
TEST_F(TransportSecurityStateStaticTest,Preloaded)1074 TEST_F(TransportSecurityStateStaticTest, Preloaded) {
1075 base::test::ScopedFeatureList scoped_feature_list_;
1076 scoped_feature_list_.InitAndEnableFeature(
1077 net::features::kStaticKeyPinningEnforcement);
1078 TransportSecurityState state;
1079 EnableStaticPins(&state);
1080 TransportSecurityState::STSState sts_state;
1081 TransportSecurityState::PKPState pkp_state;
1082
1083 // We do more extensive checks for the first domain.
1084 EXPECT_TRUE(state.GetStaticSTSState("www.paypal.com", &sts_state));
1085 EXPECT_FALSE(state.GetStaticPKPState("www.paypal.com", &pkp_state));
1086 EXPECT_EQ(sts_state.upgrade_mode,
1087 TransportSecurityState::STSState::MODE_FORCE_HTTPS);
1088 EXPECT_FALSE(sts_state.include_subdomains);
1089 EXPECT_FALSE(pkp_state.include_subdomains);
1090
1091 EXPECT_TRUE(HasStaticState("paypal.com"));
1092 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
1093
1094 // Google hosts:
1095
1096 EXPECT_TRUE(StaticShouldRedirect("chrome.google.com"));
1097 EXPECT_TRUE(StaticShouldRedirect("checkout.google.com"));
1098 EXPECT_TRUE(StaticShouldRedirect("wallet.google.com"));
1099 EXPECT_TRUE(StaticShouldRedirect("docs.google.com"));
1100 EXPECT_TRUE(StaticShouldRedirect("sites.google.com"));
1101 EXPECT_TRUE(StaticShouldRedirect("drive.google.com"));
1102 EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com"));
1103 EXPECT_TRUE(StaticShouldRedirect("appengine.google.com"));
1104 EXPECT_TRUE(StaticShouldRedirect("market.android.com"));
1105 EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com"));
1106 EXPECT_TRUE(StaticShouldRedirect("accounts.google.com"));
1107 EXPECT_TRUE(StaticShouldRedirect("profiles.google.com"));
1108 EXPECT_TRUE(StaticShouldRedirect("mail.google.com"));
1109 EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com"));
1110 EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com"));
1111 EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com"));
1112 EXPECT_TRUE(StaticShouldRedirect("talk.google.com"));
1113 EXPECT_TRUE(StaticShouldRedirect("plus.google.com"));
1114 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
1115 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
1116 EXPECT_TRUE(StaticShouldRedirect("oauthaccountmanager.googleapis.com"));
1117 EXPECT_TRUE(StaticShouldRedirect("passwordsleakcheck-pa.googleapis.com"));
1118 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
1119 EXPECT_TRUE(StaticShouldRedirect("google"));
1120 EXPECT_TRUE(StaticShouldRedirect("foo.google"));
1121 EXPECT_TRUE(StaticShouldRedirect("foo"));
1122 EXPECT_TRUE(StaticShouldRedirect("domaintest.foo"));
1123 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
1124 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
1125 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
1126 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
1127 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
1128 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
1129 EXPECT_TRUE(StaticShouldRedirect("www.google-analytics.com"));
1130 EXPECT_TRUE(StaticShouldRedirect("www.youtube.com"));
1131 EXPECT_TRUE(StaticShouldRedirect("youtube.com"));
1132
1133 // These domains used to be only HSTS when SNI was available.
1134 EXPECT_TRUE(state.GetStaticSTSState("gmail.com", &sts_state));
1135 EXPECT_TRUE(state.GetStaticPKPState("gmail.com", &pkp_state));
1136 EXPECT_TRUE(state.GetStaticSTSState("www.gmail.com", &sts_state));
1137 EXPECT_TRUE(state.GetStaticPKPState("www.gmail.com", &pkp_state));
1138 EXPECT_TRUE(state.GetStaticSTSState("googlemail.com", &sts_state));
1139 EXPECT_TRUE(state.GetStaticPKPState("googlemail.com", &pkp_state));
1140 EXPECT_TRUE(state.GetStaticSTSState("www.googlemail.com", &sts_state));
1141 EXPECT_TRUE(state.GetStaticPKPState("www.googlemail.com", &pkp_state));
1142
1143 // fi.g.co should not force HTTPS because there are still HTTP-only services
1144 // on it.
1145 EXPECT_FALSE(StaticShouldRedirect("fi.g.co"));
1146
1147 // Other hosts:
1148
1149 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
1150
1151 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
1152 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
1153
1154 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
1155
1156 EXPECT_TRUE(StaticShouldRedirect("lastpass.com"));
1157 EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com"));
1158 EXPECT_FALSE(HasStaticState("blog.lastpass.com"));
1159
1160 EXPECT_TRUE(StaticShouldRedirect("keyerror.com"));
1161 EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com"));
1162
1163 EXPECT_TRUE(StaticShouldRedirect("entropia.de"));
1164 EXPECT_TRUE(StaticShouldRedirect("www.entropia.de"));
1165 EXPECT_FALSE(HasStaticState("foo.entropia.de"));
1166
1167 EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz"));
1168 EXPECT_FALSE(HasStaticState("elanex.biz"));
1169 EXPECT_FALSE(HasStaticState("foo.elanex.biz"));
1170
1171 EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org"));
1172 EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org"));
1173 EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org"));
1174
1175 EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net"));
1176 EXPECT_FALSE(HasStaticState("noisebridge.net"));
1177 EXPECT_FALSE(HasStaticState("foo.noisebridge.net"));
1178
1179 EXPECT_TRUE(StaticShouldRedirect("neg9.org"));
1180 EXPECT_FALSE(HasStaticState("www.neg9.org"));
1181
1182 EXPECT_TRUE(StaticShouldRedirect("riseup.net"));
1183 EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net"));
1184
1185 EXPECT_TRUE(StaticShouldRedirect("factor.cc"));
1186 EXPECT_FALSE(HasStaticState("www.factor.cc"));
1187
1188 EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org"));
1189 EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org"));
1190 EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org"));
1191 EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org"));
1192 EXPECT_FALSE(HasStaticState("www.mayfirst.org"));
1193
1194 EXPECT_TRUE(StaticShouldRedirect("romab.com"));
1195 EXPECT_TRUE(StaticShouldRedirect("www.romab.com"));
1196 EXPECT_TRUE(StaticShouldRedirect("foo.romab.com"));
1197
1198 EXPECT_TRUE(StaticShouldRedirect("logentries.com"));
1199 EXPECT_TRUE(StaticShouldRedirect("www.logentries.com"));
1200 EXPECT_FALSE(HasStaticState("foo.logentries.com"));
1201
1202 EXPECT_TRUE(StaticShouldRedirect("stripe.com"));
1203 EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com"));
1204
1205 EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org"));
1206 EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org"));
1207
1208 EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt"));
1209 EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt"));
1210
1211 EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net"));
1212 EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net"));
1213
1214 EXPECT_TRUE(StaticShouldRedirect("betnet.fr"));
1215 EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr"));
1216
1217 EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
1218 EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
1219
1220 EXPECT_TRUE(StaticShouldRedirect("cert.se"));
1221 EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
1222
1223 EXPECT_TRUE(StaticShouldRedirect("crypto.is"));
1224 EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is"));
1225
1226 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name"));
1227 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name"));
1228
1229 EXPECT_TRUE(StaticShouldRedirect("linx.net"));
1230 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net"));
1231
1232 EXPECT_TRUE(StaticShouldRedirect("dropcam.com"));
1233 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
1234 EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
1235
1236 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
1237 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
1238
1239 EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
1240 EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
1241
1242 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
1243
1244 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
1245 EXPECT_FALSE(HasStaticState("moneybookers.com"));
1246
1247 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net"));
1248 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net"));
1249 EXPECT_FALSE(HasStaticState("status.ledgerscope.net"));
1250
1251 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com"));
1252 EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com"));
1253
1254 EXPECT_TRUE(StaticShouldRedirect("greplin.com"));
1255 EXPECT_TRUE(StaticShouldRedirect("www.greplin.com"));
1256 EXPECT_FALSE(HasStaticState("foo.greplin.com"));
1257
1258 EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com"));
1259 EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com"));
1260
1261 EXPECT_TRUE(StaticShouldRedirect("ubertt.org"));
1262 EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org"));
1263
1264 EXPECT_TRUE(StaticShouldRedirect("pixi.me"));
1265 EXPECT_TRUE(StaticShouldRedirect("www.pixi.me"));
1266
1267 EXPECT_TRUE(StaticShouldRedirect("grepular.com"));
1268 EXPECT_TRUE(StaticShouldRedirect("www.grepular.com"));
1269
1270 EXPECT_TRUE(StaticShouldRedirect("mydigipass.com"));
1271 EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com"));
1272 EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com"));
1273 EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com"));
1274 EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com"));
1275 EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com"));
1276 EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com"));
1277 EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com"));
1278 EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com"));
1279 EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com"));
1280 EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com"));
1281 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com"));
1282
1283 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net"));
1284 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net"));
1285
1286 EXPECT_TRUE(StaticShouldRedirect("crate.io"));
1287 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
1288
1289 EXPECT_TRUE(StaticShouldRedirect("sub.bank"));
1290 EXPECT_TRUE(StaticShouldRedirect("sub.insurance"));
1291 }
1292
TEST_F(TransportSecurityStateStaticTest,PreloadedPins)1293 TEST_F(TransportSecurityStateStaticTest, PreloadedPins) {
1294 base::test::ScopedFeatureList scoped_feature_list_;
1295 scoped_feature_list_.InitAndEnableFeature(
1296 net::features::kStaticKeyPinningEnforcement);
1297 TransportSecurityState state;
1298 EnableStaticPins(&state);
1299 TransportSecurityState::STSState sts_state;
1300 TransportSecurityState::PKPState pkp_state;
1301
1302 // We do more extensive checks for the first domain.
1303 EXPECT_TRUE(state.GetStaticSTSState("www.paypal.com", &sts_state));
1304 EXPECT_FALSE(state.GetStaticPKPState("www.paypal.com", &pkp_state));
1305 EXPECT_EQ(sts_state.upgrade_mode,
1306 TransportSecurityState::STSState::MODE_FORCE_HTTPS);
1307 EXPECT_FALSE(sts_state.include_subdomains);
1308 EXPECT_FALSE(pkp_state.include_subdomains);
1309
1310 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
1311 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
1312 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
1313 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
1314 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
1315 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
1316 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
1317 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
1318 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
1319 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
1320 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
1321 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
1322 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
1323 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
1324
1325 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
1326 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
1327 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
1328 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
1329 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
1330
1331 EXPECT_TRUE(state.GetStaticPKPState("torproject.org", &pkp_state));
1332 EXPECT_FALSE(pkp_state.spki_hashes.empty());
1333 EXPECT_TRUE(state.GetStaticPKPState("www.torproject.org", &pkp_state));
1334 EXPECT_FALSE(pkp_state.spki_hashes.empty());
1335 EXPECT_TRUE(state.GetStaticPKPState("check.torproject.org", &pkp_state));
1336 EXPECT_FALSE(pkp_state.spki_hashes.empty());
1337 EXPECT_TRUE(state.GetStaticPKPState("blog.torproject.org", &pkp_state));
1338 EXPECT_FALSE(pkp_state.spki_hashes.empty());
1339
1340 // Facebook has pinning and hsts on facebook.com, but only pinning on
1341 // subdomains.
1342 EXPECT_TRUE(state.GetStaticPKPState("facebook.com", &pkp_state));
1343 EXPECT_FALSE(pkp_state.spki_hashes.empty());
1344 EXPECT_TRUE(StaticShouldRedirect("facebook.com"));
1345
1346 EXPECT_TRUE(state.GetStaticPKPState("foo.facebook.com", &pkp_state));
1347 EXPECT_FALSE(pkp_state.spki_hashes.empty());
1348 EXPECT_FALSE(StaticShouldRedirect("foo.facebook.com"));
1349
1350 // www.facebook.com and subdomains have both pinning and hsts.
1351 EXPECT_TRUE(state.GetStaticPKPState("www.facebook.com", &pkp_state));
1352 EXPECT_FALSE(pkp_state.spki_hashes.empty());
1353 EXPECT_TRUE(StaticShouldRedirect("www.facebook.com"));
1354
1355 EXPECT_TRUE(state.GetStaticPKPState("foo.www.facebook.com", &pkp_state));
1356 EXPECT_FALSE(pkp_state.spki_hashes.empty());
1357 EXPECT_TRUE(StaticShouldRedirect("foo.www.facebook.com"));
1358 }
1359
TEST_F(TransportSecurityStateStaticTest,BuiltinCertPins)1360 TEST_F(TransportSecurityStateStaticTest, BuiltinCertPins) {
1361 base::test::ScopedFeatureList scoped_feature_list_;
1362 scoped_feature_list_.InitAndEnableFeature(
1363 net::features::kStaticKeyPinningEnforcement);
1364 TransportSecurityState state;
1365 EnableStaticPins(&state);
1366 TransportSecurityState::PKPState pkp_state;
1367
1368 EXPECT_TRUE(state.GetStaticPKPState("chrome.google.com", &pkp_state));
1369 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
1370
1371 HashValueVector hashes;
1372 // Checks that a built-in list does exist.
1373 EXPECT_FALSE(pkp_state.CheckPublicKeyPins(hashes));
1374 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
1375
1376 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
1377 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
1378 EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com"));
1379 EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com"));
1380 EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com"));
1381 EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com"));
1382 EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com"));
1383 EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com"));
1384 EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com"));
1385 EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com"));
1386 EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com"));
1387 EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com"));
1388 EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com"));
1389 EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com"));
1390 EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com"));
1391 EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com"));
1392 EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com"));
1393 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com"));
1394 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com"));
1395 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com"));
1396 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
1397 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
1398 EXPECT_TRUE(HasStaticPublicKeyPins("youtube.com"));
1399
1400 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com"));
1401 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com"));
1402 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com"));
1403 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
1404 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
1405 }
1406
TEST_F(TransportSecurityStateStaticTest,OptionalHSTSCertPins)1407 TEST_F(TransportSecurityStateStaticTest, OptionalHSTSCertPins) {
1408 base::test::ScopedFeatureList scoped_feature_list_;
1409 scoped_feature_list_.InitAndEnableFeature(
1410 net::features::kStaticKeyPinningEnforcement);
1411 TransportSecurityState state;
1412 EnableStaticPins(&state);
1413
1414 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
1415 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
1416 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
1417 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
1418 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
1419 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
1420 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
1421 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
1422 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
1423 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
1424 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
1425 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
1426 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
1427 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
1428 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
1429 EXPECT_TRUE(HasStaticPublicKeyPins("redirector.gvt1.com"));
1430 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
1431 }
1432
TEST_F(TransportSecurityStateStaticTest,OverrideBuiltins)1433 TEST_F(TransportSecurityStateStaticTest, OverrideBuiltins) {
1434 base::test::ScopedFeatureList scoped_feature_list_;
1435 scoped_feature_list_.InitAndEnableFeature(
1436 net::features::kStaticKeyPinningEnforcement);
1437 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
1438 EXPECT_FALSE(StaticShouldRedirect("google.com"));
1439 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
1440
1441 TransportSecurityState state;
1442 state.SetPinningListAlwaysTimelyForTesting(true);
1443
1444 const base::Time current_time(base::Time::Now());
1445 const base::Time expiry = current_time + base::Seconds(1000);
1446 state.AddHSTS("www.google.com", expiry, true);
1447
1448 EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com"));
1449 }
1450
TEST_F(TransportSecurityStateTest,WriteSizeDecodeSize)1451 TEST_F(TransportSecurityStateTest, WriteSizeDecodeSize) {
1452 for (size_t i = 0; i < 300; ++i) {
1453 SCOPED_TRACE(i);
1454 huffman_trie::TrieBitBuffer buffer;
1455 buffer.WriteSize(i);
1456 huffman_trie::BitWriter writer;
1457 buffer.WriteToBitWriter(&writer);
1458 size_t position = writer.position();
1459 writer.Flush();
1460 ASSERT_NE(writer.bytes().data(), nullptr);
1461 extras::PreloadDecoder::BitReader reader(writer.bytes().data(), position);
1462 size_t decoded_size;
1463 EXPECT_TRUE(reader.DecodeSize(&decoded_size));
1464 EXPECT_EQ(i, decoded_size);
1465 }
1466 }
1467
TEST_F(TransportSecurityStateTest,DecodeSizeFour)1468 TEST_F(TransportSecurityStateTest, DecodeSizeFour) {
1469 // Test that BitReader::DecodeSize properly handles the number 4, including
1470 // not over-reading input bytes. BitReader::Next only fails if there's not
1471 // another byte to read from; if it reads past the number of bits in the
1472 // buffer but is still in the last byte it will still succeed. For this
1473 // reason, this test puts the encoding of 4 at the end of the byte to check
1474 // that DecodeSize doesn't over-read.
1475 //
1476 // 4 is encoded as 0b010. Shifted right to fill one byte, it is 0x02, with 5
1477 // bits of padding.
1478 uint8_t encoded = 0x02;
1479 extras::PreloadDecoder::BitReader reader(&encoded, 8);
1480 for (size_t i = 0; i < 5; ++i) {
1481 bool unused;
1482 ASSERT_TRUE(reader.Next(&unused));
1483 }
1484 size_t decoded_size;
1485 EXPECT_TRUE(reader.DecodeSize(&decoded_size));
1486 EXPECT_EQ(4u, decoded_size);
1487 }
1488
1489 #endif // BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
1490
TEST_F(TransportSecurityStateTest,UpdateKeyPinsListValidPin)1491 TEST_F(TransportSecurityStateTest, UpdateKeyPinsListValidPin) {
1492 base::test::ScopedFeatureList scoped_feature_list_;
1493 scoped_feature_list_.InitAndEnableFeature(
1494 net::features::kStaticKeyPinningEnforcement);
1495 HostPortPair host_port_pair(kHost, kPort);
1496
1497 HashValueVector bad_hashes;
1498 for (size_t i = 0; kBadPath[i]; i++)
1499 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
1500
1501 TransportSecurityState state;
1502 EnableStaticPins(&state);
1503
1504 // Prior to updating the list, bad_hashes should be rejected.
1505 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1506 state.CheckPublicKeyPins(host_port_pair, true, bad_hashes));
1507
1508 // Update the pins list, adding bad_hashes to the accepted hashes for this
1509 // host.
1510 std::vector<std::vector<uint8_t>> accepted_hashes;
1511 for (size_t i = 0; kBadPath[i]; i++) {
1512 HashValue hash;
1513 ASSERT_TRUE(hash.FromString(kBadPath[i]));
1514 accepted_hashes.emplace_back(hash.data(), hash.data() + hash.size());
1515 }
1516 TransportSecurityState::PinSet test_pinset(
1517 /*name=*/"test",
1518 /*static_spki_hashes=*/accepted_hashes,
1519 /*bad_static_spki_hashes=*/{});
1520 TransportSecurityState::PinSetInfo test_pinsetinfo(
1521 /*hostname=*/kHost, /*pinset_name=*/"test",
1522 /*include_subdomains=*/false);
1523 state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now());
1524
1525 // Hashes should now be accepted.
1526 EXPECT_EQ(TransportSecurityState::PKPStatus::OK,
1527 state.CheckPublicKeyPins(host_port_pair, true, bad_hashes));
1528 }
1529
TEST_F(TransportSecurityStateTest,UpdateKeyPinsListNotValidPin)1530 TEST_F(TransportSecurityStateTest, UpdateKeyPinsListNotValidPin) {
1531 base::test::ScopedFeatureList scoped_feature_list_;
1532 scoped_feature_list_.InitAndEnableFeature(
1533 net::features::kStaticKeyPinningEnforcement);
1534 HostPortPair host_port_pair(kHost, kPort);
1535
1536 HashValueVector good_hashes;
1537 for (size_t i = 0; kGoodPath[i]; i++)
1538 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
1539
1540 TransportSecurityState state;
1541 EnableStaticPins(&state);
1542
1543 // Prior to updating the list, good_hashes should be accepted
1544 EXPECT_EQ(TransportSecurityState::PKPStatus::OK,
1545 state.CheckPublicKeyPins(host_port_pair, true, good_hashes));
1546
1547 // Update the pins list, adding good_hashes to the rejected hashes for this
1548 // host.
1549 std::vector<std::vector<uint8_t>> rejected_hashes;
1550 for (size_t i = 0; kGoodPath[i]; i++) {
1551 HashValue hash;
1552 ASSERT_TRUE(hash.FromString(kGoodPath[i]));
1553 rejected_hashes.emplace_back(hash.data(), hash.data() + hash.size());
1554 }
1555 TransportSecurityState::PinSet test_pinset(
1556 /*name=*/"test",
1557 /*static_spki_hashes=*/{},
1558 /*bad_static_spki_hashes=*/rejected_hashes);
1559 TransportSecurityState::PinSetInfo test_pinsetinfo(
1560 /*hostname=*/kHost, /* pinset_name=*/"test",
1561 /*include_subdomains=*/false);
1562 state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now());
1563
1564 // Hashes should now be rejected.
1565 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1566 state.CheckPublicKeyPins(host_port_pair, true, good_hashes));
1567
1568 // Hashes should also be rejected if the hostname has a trailing dot.
1569 host_port_pair = HostPortPair("example.test.", kPort);
1570 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1571 state.CheckPublicKeyPins(host_port_pair, true, good_hashes));
1572
1573 // Hashes should also be rejected if the hostname has different
1574 // capitalization.
1575 host_port_pair = HostPortPair("ExAmpLe.tEsT", kPort);
1576 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1577 state.CheckPublicKeyPins(host_port_pair, true, good_hashes));
1578 }
1579
TEST_F(TransportSecurityStateTest,UpdateKeyPinsEmptyList)1580 TEST_F(TransportSecurityStateTest, UpdateKeyPinsEmptyList) {
1581 base::test::ScopedFeatureList scoped_feature_list_;
1582 scoped_feature_list_.InitAndEnableFeature(
1583 net::features::kStaticKeyPinningEnforcement);
1584 HostPortPair host_port_pair(kHost, kPort);
1585
1586 HashValueVector bad_hashes;
1587 for (size_t i = 0; kBadPath[i]; i++)
1588 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
1589
1590 TransportSecurityState state;
1591 EnableStaticPins(&state);
1592
1593 // Prior to updating the list, bad_hashes should be rejected.
1594 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1595 state.CheckPublicKeyPins(host_port_pair, true, bad_hashes));
1596
1597 // Update the pins list with an empty list.
1598 state.UpdatePinList({}, {}, base::Time::Now());
1599
1600 // Hashes should now be accepted.
1601 EXPECT_EQ(TransportSecurityState::PKPStatus::OK,
1602 state.CheckPublicKeyPins(host_port_pair, true, bad_hashes));
1603 }
1604
TEST_F(TransportSecurityStateTest,UpdateKeyPinsIncludeSubdomains)1605 TEST_F(TransportSecurityStateTest, UpdateKeyPinsIncludeSubdomains) {
1606 base::test::ScopedFeatureList scoped_feature_list_;
1607 scoped_feature_list_.InitAndEnableFeature(
1608 net::features::kStaticKeyPinningEnforcement);
1609 HostPortPair host_port_pair("example.sub.test", kPort);
1610
1611 // unpinned_hashes is a set of hashes that (after the update) won't match the
1612 // expected hashes for the tld of this domain. kGoodPath is used here because
1613 // it's a path that is accepted prior to any updates, and this test will
1614 // validate it is rejected afterwards.
1615 HashValueVector unpinned_hashes;
1616 for (size_t i = 0; kGoodPath[i]; i++) {
1617 EXPECT_TRUE(AddHash(kGoodPath[i], &unpinned_hashes));
1618 }
1619
1620 TransportSecurityState state;
1621 EnableStaticPins(&state);
1622
1623 // Prior to updating the list, unpinned_hashes should be accepted
1624 EXPECT_EQ(TransportSecurityState::PKPStatus::OK,
1625 state.CheckPublicKeyPins(host_port_pair, true, unpinned_hashes));
1626
1627 // Update the pins list, adding kBadPath to the accepted hashes for this
1628 // host, relying on include_subdomains for enforcement. The contents of the
1629 // hashes don't matter as long as they are different from unpinned_hashes,
1630 // kBadPath is used for convenience.
1631 std::vector<std::vector<uint8_t>> accepted_hashes;
1632 for (size_t i = 0; kBadPath[i]; i++) {
1633 HashValue hash;
1634 ASSERT_TRUE(hash.FromString(kBadPath[i]));
1635 accepted_hashes.emplace_back(hash.data(), hash.data() + hash.size());
1636 }
1637 TransportSecurityState::PinSet test_pinset(
1638 /*name=*/"test",
1639 /*static_spki_hashes=*/{accepted_hashes},
1640 /*bad_static_spki_hashes=*/{});
1641 // The host used in the test is "example.sub.test", so this pinset will only
1642 // match due to include subdomains.
1643 TransportSecurityState::PinSetInfo test_pinsetinfo(
1644 /*hostname=*/"sub.test", /* pinset_name=*/"test",
1645 /*include_subdomains=*/true);
1646 state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now());
1647
1648 // The path that was accepted before updating the pins should now be rejected.
1649 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1650 state.CheckPublicKeyPins(host_port_pair, true, unpinned_hashes));
1651 }
1652
TEST_F(TransportSecurityStateTest,UpdateKeyPinsIncludeSubdomainsTLD)1653 TEST_F(TransportSecurityStateTest, UpdateKeyPinsIncludeSubdomainsTLD) {
1654 base::test::ScopedFeatureList scoped_feature_list_;
1655 scoped_feature_list_.InitAndEnableFeature(
1656 net::features::kStaticKeyPinningEnforcement);
1657 HostPortPair host_port_pair(kHost, kPort);
1658
1659 // unpinned_hashes is a set of hashes that (after the update) won't match the
1660 // expected hashes for the tld of this domain. kGoodPath is used here because
1661 // it's a path that is accepted prior to any updates, and this test will
1662 // validate it is rejected afterwards.
1663 HashValueVector unpinned_hashes;
1664 for (size_t i = 0; kGoodPath[i]; i++) {
1665 EXPECT_TRUE(AddHash(kGoodPath[i], &unpinned_hashes));
1666 }
1667
1668 TransportSecurityState state;
1669 EnableStaticPins(&state);
1670
1671 // Prior to updating the list, unpinned_hashes should be accepted
1672 EXPECT_EQ(TransportSecurityState::PKPStatus::OK,
1673 state.CheckPublicKeyPins(host_port_pair, true, unpinned_hashes));
1674
1675 // Update the pins list, adding kBadPath to the accepted hashes for this
1676 // host, relying on include_subdomains for enforcement. The contents of the
1677 // hashes don't matter as long as they are different from unpinned_hashes,
1678 // kBadPath is used for convenience.
1679 std::vector<std::vector<uint8_t>> accepted_hashes;
1680 for (size_t i = 0; kBadPath[i]; i++) {
1681 HashValue hash;
1682 ASSERT_TRUE(hash.FromString(kBadPath[i]));
1683 accepted_hashes.emplace_back(hash.data(), hash.data() + hash.size());
1684 }
1685 TransportSecurityState::PinSet test_pinset(
1686 /*name=*/"test",
1687 /*static_spki_hashes=*/{accepted_hashes},
1688 /*bad_static_spki_hashes=*/{});
1689 // The host used in the test is "example.test", so this pinset will only match
1690 // due to include subdomains.
1691 TransportSecurityState::PinSetInfo test_pinsetinfo(
1692 /*hostname=*/"test", /* pinset_name=*/"test",
1693 /*include_subdomains=*/true);
1694 state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now());
1695
1696 // The path that was accepted before updating the pins should now be rejected.
1697 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1698 state.CheckPublicKeyPins(host_port_pair, true, unpinned_hashes));
1699 }
1700
TEST_F(TransportSecurityStateTest,UpdateKeyPinsDontIncludeSubdomains)1701 TEST_F(TransportSecurityStateTest, UpdateKeyPinsDontIncludeSubdomains) {
1702 base::test::ScopedFeatureList scoped_feature_list_;
1703 scoped_feature_list_.InitAndEnableFeature(
1704 net::features::kStaticKeyPinningEnforcement);
1705 HostPortPair host_port_pair(kHost, kPort);
1706
1707 // unpinned_hashes is a set of hashes that (after the update) won't match the
1708 // expected hashes for the tld of this domain. kGoodPath is used here because
1709 // it's a path that is accepted prior to any updates, and this test will
1710 // validate it is accepted or rejected afterwards depending on whether the
1711 // domain is an exact match.
1712 HashValueVector unpinned_hashes;
1713 for (size_t i = 0; kGoodPath[i]; i++) {
1714 EXPECT_TRUE(AddHash(kGoodPath[i], &unpinned_hashes));
1715 }
1716
1717 TransportSecurityState state;
1718 EnableStaticPins(&state);
1719
1720 // Prior to updating the list, unpinned_hashes should be accepted
1721 EXPECT_EQ(TransportSecurityState::PKPStatus::OK,
1722 state.CheckPublicKeyPins(host_port_pair, true, unpinned_hashes));
1723
1724 // Update the pins list, adding kBadPath to the accepted hashes for the
1725 // tld of this host, but without include_subdomains set. The contents of the
1726 // hashes don't matter as long as they are different from unpinned_hashes,
1727 // kBadPath is used for convenience.
1728 std::vector<std::vector<uint8_t>> accepted_hashes;
1729 for (size_t i = 0; kBadPath[i]; i++) {
1730 HashValue hash;
1731 ASSERT_TRUE(hash.FromString(kBadPath[i]));
1732 accepted_hashes.emplace_back(hash.data(), hash.data() + hash.size());
1733 }
1734 TransportSecurityState::PinSet test_pinset(
1735 /*name=*/"test",
1736 /*static_spki_hashes=*/{accepted_hashes},
1737 /*bad_static_spki_hashes=*/{});
1738 // The host used in the test is "example.test", so this pinset will not match
1739 // due to include subdomains not being set.
1740 TransportSecurityState::PinSetInfo test_pinsetinfo(
1741 /*hostname=*/"test", /* pinset_name=*/"test",
1742 /*include_subdomains=*/false);
1743 state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now());
1744
1745 // Hashes that were accepted before the update should still be accepted since
1746 // include subdomains is not set for the pinset, and this is not an exact
1747 // match.
1748 EXPECT_EQ(TransportSecurityState::PKPStatus::OK,
1749 state.CheckPublicKeyPins(host_port_pair, true, unpinned_hashes));
1750
1751 // Hashes should be rejected for an exact match of the hostname.
1752 HostPortPair exact_match_host("test", kPort);
1753 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1754 state.CheckPublicKeyPins(exact_match_host, true, unpinned_hashes));
1755 }
1756
TEST_F(TransportSecurityStateTest,UpdateKeyPinsListTimestamp)1757 TEST_F(TransportSecurityStateTest, UpdateKeyPinsListTimestamp) {
1758 base::test::ScopedFeatureList scoped_feature_list_;
1759 scoped_feature_list_.InitAndEnableFeature(
1760 net::features::kStaticKeyPinningEnforcement);
1761 HostPortPair host_port_pair(kHost, kPort);
1762
1763 HashValueVector bad_hashes;
1764 for (size_t i = 0; kBadPath[i]; i++)
1765 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
1766
1767 TransportSecurityState state;
1768 EnableStaticPins(&state);
1769
1770 // Prior to updating the list, bad_hashes should be rejected.
1771 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1772 state.CheckPublicKeyPins(host_port_pair, true, bad_hashes));
1773
1774 // TransportSecurityStateTest sets a flag when EnableStaticPins is called that
1775 // results in TransportSecurityState considering the pins list as always
1776 // timely. We need to disable it so we can test that the timestamp has the
1777 // required effect.
1778 state.SetPinningListAlwaysTimelyForTesting(false);
1779
1780 // Update the pins list, with bad hashes as rejected, but a timestamp >70 days
1781 // old.
1782 std::vector<std::vector<uint8_t>> rejected_hashes;
1783 for (size_t i = 0; kBadPath[i]; i++) {
1784 HashValue hash;
1785 ASSERT_TRUE(hash.FromString(kBadPath[i]));
1786 rejected_hashes.emplace_back(hash.data(), hash.data() + hash.size());
1787 }
1788 TransportSecurityState::PinSet test_pinset(
1789 /*name=*/"test",
1790 /*static_spki_hashes=*/{},
1791 /*bad_static_spki_hashes=*/rejected_hashes);
1792 TransportSecurityState::PinSetInfo test_pinsetinfo(
1793 /*hostname=*/kHost, /* pinset_name=*/"test",
1794 /*include_subdomains=*/false);
1795 state.UpdatePinList({test_pinset}, {test_pinsetinfo},
1796 base::Time::Now() - base::Days(70));
1797
1798 // Hashes should now be accepted.
1799 EXPECT_EQ(TransportSecurityState::PKPStatus::OK,
1800 state.CheckPublicKeyPins(host_port_pair, true, bad_hashes));
1801
1802 // Update the pins list again, with a timestamp <70 days old.
1803 state.UpdatePinList({test_pinset}, {test_pinsetinfo},
1804 base::Time::Now() - base::Days(69));
1805
1806 // Hashes should now be rejected.
1807 EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
1808 state.CheckPublicKeyPins(host_port_pair, true, bad_hashes));
1809 }
1810
1811 class TransportSecurityStatePinningKillswitchTest
1812 : public TransportSecurityStateTest {
1813 public:
TransportSecurityStatePinningKillswitchTest()1814 TransportSecurityStatePinningKillswitchTest() {
1815 scoped_feature_list_.InitAndDisableFeature(
1816 features::kStaticKeyPinningEnforcement);
1817 }
1818
1819 protected:
1820 base::test::ScopedFeatureList scoped_feature_list_;
1821 };
1822
TEST_F(TransportSecurityStatePinningKillswitchTest,PinningKillswitchSet)1823 TEST_F(TransportSecurityStatePinningKillswitchTest, PinningKillswitchSet) {
1824 HostPortPair host_port_pair(kHost, kPort);
1825
1826 HashValueVector bad_hashes;
1827 for (size_t i = 0; kBadPath[i]; i++)
1828 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
1829
1830 TransportSecurityState state;
1831 EnableStaticPins(&state);
1832
1833 // Hashes should be accepted since pinning enforcement is disabled.
1834 EXPECT_EQ(TransportSecurityState::PKPStatus::OK,
1835 state.CheckPublicKeyPins(host_port_pair, true, bad_hashes));
1836 }
1837
1838 } // namespace net
1839