// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/http/transport_security_state.h" #include #include #include #include #include #include #include "base/base64.h" #include "base/files/file_path.h" #include "base/functional/callback_helpers.h" #include "base/json/json_reader.h" #include "base/memory/raw_ptr.h" #include "base/metrics/field_trial.h" #include "base/metrics/field_trial_param_associator.h" #include "base/rand_util.h" #include "base/stl_util.h" #include "base/strings/string_piece.h" #include "base/strings/stringprintf.h" #include "base/test/metrics/histogram_tester.h" #include "base/test/mock_entropy_provider.h" #include "base/test/scoped_feature_list.h" #include "base/time/time.h" #include "base/values.h" #include "build/build_config.h" #include "crypto/openssl_util.h" #include "crypto/sha2.h" #include "net/base/features.h" #include "net/base/hash_value.h" #include "net/base/host_port_pair.h" #include "net/base/net_errors.h" #include "net/base/network_anonymization_key.h" #include "net/base/schemeful_site.h" #include "net/base/test_completion_callback.h" #include "net/cert/asn1_util.h" #include "net/cert/cert_verifier.h" #include "net/cert/cert_verify_result.h" #include "net/cert/ct_policy_status.h" #include "net/cert/test_root_certs.h" #include "net/cert/x509_certificate.h" #include "net/extras/preload_data/decoder.h" #include "net/http/http_status_code.h" #include "net/http/http_util.h" #include "net/http/transport_security_state_source.h" #include "net/net_buildflags.h" #include "net/ssl/ssl_info.h" #include "net/test/cert_test_util.h" #include "net/test/test_data_directory.h" #include "net/test/test_with_task_environment.h" #include "net/tools/huffman_trie/bit_writer.h" #include "net/tools/huffman_trie/trie/trie_bit_buffer.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" #include "url/origin.h" namespace net { namespace { namespace test_default { #include "net/http/transport_security_state_static_unittest_default.h" } namespace test1 { #include "net/http/transport_security_state_static_unittest1.h" } namespace test2 { #include "net/http/transport_security_state_static_unittest2.h" } namespace test3 { #include "net/http/transport_security_state_static_unittest3.h" } const char kHost[] = "example.test"; const uint16_t kPort = 443; const char kReportUri[] = "http://report-example.test/test"; const char* const kGoodPath[] = { "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "sha256/fzP+pVAbH0hRoUphJKenIP8+2tD/d2QH9J+kQNieM6Q=", "sha256/9vRUVdjloCa4wXUKfDWotV5eUXYD7vu0v0z9SRzQdzg=", "sha256/Nn8jk5By4Vkq6BeOVZ7R7AC6XUUBZsWmUbJR1f1Y5FY=", nullptr, }; const char* const kBadPath[] = { "sha256/1111111111111111111111111111111111111111111=", "sha256/2222222222222222222222222222222222222222222=", "sha256/3333333333333333333333333333333333333333333=", nullptr, }; // A mock ReportSenderInterface that just remembers the latest report // URI and report to be sent. class MockCertificateReportSender : public TransportSecurityState::ReportSenderInterface { public: MockCertificateReportSender() = default; ~MockCertificateReportSender() override = default; void Send( const GURL& report_uri, base::StringPiece content_type, base::StringPiece report, const NetworkAnonymizationKey& network_anonymization_key, base::OnceCallback success_callback, base::OnceCallback error_callback) override { latest_report_uri_ = report_uri; latest_report_.assign(report.data(), report.size()); latest_content_type_.assign(content_type.data(), content_type.size()); latest_network_anonymization_key_ = network_anonymization_key; } void Clear() { latest_report_uri_ = GURL(); latest_report_ = std::string(); latest_content_type_ = std::string(); latest_network_anonymization_key_ = NetworkAnonymizationKey(); } const GURL& latest_report_uri() { return latest_report_uri_; } const std::string& latest_report() { return latest_report_; } const std::string& latest_content_type() { return latest_content_type_; } const NetworkAnonymizationKey& latest_network_anonymization_key() { return latest_network_anonymization_key_; } private: GURL latest_report_uri_; std::string latest_report_; std::string latest_content_type_; NetworkAnonymizationKey latest_network_anonymization_key_; }; // A mock ReportSenderInterface that simulates a net error on every report sent. class MockFailingCertificateReportSender : public TransportSecurityState::ReportSenderInterface { public: MockFailingCertificateReportSender() = default; ~MockFailingCertificateReportSender() override = default; int net_error() { return net_error_; } // TransportSecurityState::ReportSenderInterface: void Send( const GURL& report_uri, base::StringPiece content_type, base::StringPiece report, const NetworkAnonymizationKey& network_anonymization_key, base::OnceCallback success_callback, base::OnceCallback error_callback) override { ASSERT_FALSE(error_callback.is_null()); std::move(error_callback).Run(report_uri, net_error_, 0); } private: const int net_error_ = ERR_CONNECTION_FAILED; }; class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { public: MOCK_METHOD3(IsCTRequiredForHost, CTRequirementLevel(const std::string& hostname, const X509Certificate* chain, const HashValueVector& hashes)); }; void CompareCertificateChainWithList( const scoped_refptr& cert_chain, const base::Value* cert_list) { ASSERT_TRUE(cert_chain); ASSERT_TRUE(cert_list->is_list()); std::vector pem_encoded_chain; cert_chain->GetPEMEncodedChain(&pem_encoded_chain); ASSERT_EQ(pem_encoded_chain.size(), cert_list->GetList().size()); for (size_t i = 0; i < pem_encoded_chain.size(); i++) { const std::string& list_cert = cert_list->GetList()[i].GetString(); EXPECT_EQ(pem_encoded_chain[i], list_cert); } } void CheckHPKPReport( const std::string& report, const HostPortPair& host_port_pair, bool include_subdomains, const std::string& noted_hostname, const scoped_refptr& served_certificate_chain, const scoped_refptr& validated_certificate_chain, const HashValueVector& known_pins) { absl::optional value = base::JSONReader::Read(report); ASSERT_TRUE(value.has_value()); const base::Value::Dict* report_dict = value.value().GetIfDict(); ASSERT_TRUE(report_dict); const std::string* report_hostname = report_dict->FindString("hostname"); ASSERT_TRUE(report_hostname); EXPECT_EQ(host_port_pair.host(), *report_hostname); absl::optional report_port = report_dict->FindInt("port"); ASSERT_TRUE(report_port.has_value()); EXPECT_EQ(host_port_pair.port(), report_port.value()); absl::optional report_include_subdomains = report_dict->FindBool("include-subdomains"); ASSERT_TRUE(report_include_subdomains.has_value()); EXPECT_EQ(include_subdomains, report_include_subdomains.value()); const std::string* report_noted_hostname = report_dict->FindString("noted-hostname"); ASSERT_TRUE(report_noted_hostname); EXPECT_EQ(noted_hostname, *report_noted_hostname); // TODO(estark): check times in RFC3339 format. const std::string* report_expiration = report_dict->FindString("effective-expiration-date"); ASSERT_TRUE(report_expiration); EXPECT_FALSE(report_expiration->empty()); const std::string* report_date = report_dict->FindString("date-time"); ASSERT_TRUE(report_date); EXPECT_FALSE(report_date->empty()); const base::Value* report_served_certificate_chain = report_dict->Find("served-certificate-chain"); ASSERT_TRUE(report_served_certificate_chain); ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( served_certificate_chain, report_served_certificate_chain)); const base::Value* report_validated_certificate_chain = report_dict->Find("validated-certificate-chain"); ASSERT_TRUE(report_validated_certificate_chain); ASSERT_NO_FATAL_FAILURE(CompareCertificateChainWithList( validated_certificate_chain, report_validated_certificate_chain)); } bool operator==(const TransportSecurityState::STSState& lhs, const TransportSecurityState::STSState& rhs) { return lhs.last_observed == rhs.last_observed && lhs.expiry == rhs.expiry && lhs.upgrade_mode == rhs.upgrade_mode && lhs.include_subdomains == rhs.include_subdomains && lhs.domain == rhs.domain; } bool operator==(const TransportSecurityState::PKPState& lhs, const TransportSecurityState::PKPState& rhs) { return lhs.last_observed == rhs.last_observed && lhs.expiry == rhs.expiry && lhs.spki_hashes == rhs.spki_hashes && lhs.bad_spki_hashes == rhs.bad_spki_hashes && lhs.include_subdomains == rhs.include_subdomains && lhs.domain == rhs.domain && lhs.report_uri == rhs.report_uri; } } // namespace class TransportSecurityStateTest : public ::testing::Test, public WithTaskEnvironment { public: TransportSecurityStateTest() : WithTaskEnvironment( base::test::TaskEnvironment::TimeSource::MOCK_TIME) { SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource); // Need mocked out time for pruning tests. Don't start with a // time of 0, as code doesn't generally expect it. FastForwardBy(base::Days(1)); } ~TransportSecurityStateTest() override { SetTransportSecurityStateSourceForTesting(nullptr); } void SetUp() override { crypto::EnsureOpenSSLInit(); } static void DisableStaticPins(TransportSecurityState* state) { state->enable_static_pins_ = false; } static void EnableStaticPins(TransportSecurityState* state) { state->enable_static_pins_ = true; state->SetPinningListAlwaysTimelyForTesting(true); } static HashValueVector GetSampleSPKIHashes() { HashValueVector spki_hashes; HashValue hash(HASH_VALUE_SHA256); memset(hash.data(), 0, hash.size()); spki_hashes.push_back(hash); return spki_hashes; } static HashValue GetSampleSPKIHash(uint8_t value) { HashValue hash(HASH_VALUE_SHA256); memset(hash.data(), value, hash.size()); return hash; } protected: bool GetStaticDomainState(TransportSecurityState* state, const std::string& host, TransportSecurityState::STSState* sts_result, TransportSecurityState::PKPState* pkp_result) { bool ret = state->GetStaticSTSState(host, sts_result); if (state->GetStaticPKPState(host, pkp_result)) ret = true; return ret; } private: base::test::ScopedFeatureList scoped_feature_list_; }; TEST_F(TransportSecurityStateTest, DomainNameOddities) { TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); // DNS suffix search tests. Some DNS resolvers allow a terminal "." to // indicate not perform DNS suffix searching. Ensure that regardless // of how this is treated at the resolver layer, or at the URL/origin // layer (that is, whether they are treated as equivalent or distinct), // ensure that for policy matching, something lacking a terminal "." // is equivalent to something with a terminal "." EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); state.AddHSTS("example.com", expiry, true /* include_subdomains */); EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); // Trailing '.' should be equivalent; it's just a resolver hint EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com.")); // Leading '.' should be invalid EXPECT_FALSE(state.ShouldUpgradeToSSL(".example.com")); // Subdomains should work regardless EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com")); EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com.")); // But invalid subdomains should be rejected EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com")); EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com.")); // Now try the inverse form TransportSecurityState state2; state2.AddHSTS("example.net.", expiry, true /* include_subdomains */); EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net.")); EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net")); EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net.")); EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net")); // Finally, test weird things TransportSecurityState state3; state3.AddHSTS("", expiry, true /* include_subdomains */); EXPECT_FALSE(state3.ShouldUpgradeToSSL("")); EXPECT_FALSE(state3.ShouldUpgradeToSSL(".")); EXPECT_FALSE(state3.ShouldUpgradeToSSL("...")); // Make sure it didn't somehow apply HSTS to the world EXPECT_FALSE(state3.ShouldUpgradeToSSL("example.org")); TransportSecurityState state4; state4.AddHSTS(".", expiry, true /* include_subdomains */); EXPECT_FALSE(state4.ShouldUpgradeToSSL("")); EXPECT_FALSE(state4.ShouldUpgradeToSSL(".")); EXPECT_FALSE(state4.ShouldUpgradeToSSL("...")); EXPECT_FALSE(state4.ShouldUpgradeToSSL("example.org")); // Now do the same for preloaded entries TransportSecurityState state5; EXPECT_TRUE(state5.ShouldUpgradeToSSL("hsts-preloaded.test")); EXPECT_TRUE(state5.ShouldUpgradeToSSL("hsts-preloaded.test.")); EXPECT_FALSE(state5.ShouldUpgradeToSSL("hsts-preloaded..test")); EXPECT_FALSE(state5.ShouldUpgradeToSSL("hsts-preloaded..test.")); } TEST_F(TransportSecurityStateTest, SimpleMatches) { TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); bool include_subdomains = false; state.AddHSTS("example.com", expiry, include_subdomains); EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example.com")); EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example.com")); EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("foo.example.com")); } TEST_F(TransportSecurityStateTest, MatchesCase1) { TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); bool include_subdomains = false; state.AddHSTS("EXample.coM", expiry, include_subdomains); EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); } TEST_F(TransportSecurityStateTest, MatchesCase2) { TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); // Check dynamic entries EXPECT_FALSE(state.ShouldUpgradeToSSL("EXample.coM")); bool include_subdomains = false; state.AddHSTS("example.com", expiry, include_subdomains); EXPECT_TRUE(state.ShouldUpgradeToSSL("EXample.coM")); // Check static entries EXPECT_TRUE(state.ShouldUpgradeToSSL("hStS-prelOAded.tEsT")); EXPECT_TRUE( state.ShouldUpgradeToSSL("inClude-subDOmaIns-hsts-prEloaDed.TesT")); } TEST_F(TransportSecurityStateTest, SubdomainMatches) { TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test")); bool include_subdomains = true; state.AddHSTS("example.test", expiry, include_subdomains); EXPECT_TRUE(state.ShouldUpgradeToSSL("example.test")); EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example.test")); EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test")); EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test")); EXPECT_FALSE(state.ShouldUpgradeToSSL("test")); EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test")); } // Tests that a more-specific HSTS rule without the includeSubDomains bit does // not override a less-specific rule with includeSubDomains. Applicability is // checked before specificity. See https://crbug.com/821811. TEST_F(TransportSecurityStateTest, STSSubdomainNoOverride) { const GURL report_uri(kReportUri); TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); const base::Time older = current_time - base::Seconds(1000); state.AddHSTS("example.test", expiry, true); state.AddHSTS("foo.example.test", expiry, false); // The example.test rule applies to the entire domain, including subdomains of // foo.example.test. EXPECT_TRUE(state.ShouldUpgradeToSSL("example.test")); EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example.test")); EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example.test")); EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example.test")); // Expire the foo.example.test rule. state.AddHSTS("foo.example.test", older, false); // The example.test rule still applies. EXPECT_TRUE(state.ShouldUpgradeToSSL("example.test")); EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example.test")); EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example.test")); EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example.test")); } // Tests that a more-specific HPKP rule overrides a less-specific rule // with it, regardless of the includeSubDomains bit. Note this behavior does not // match HSTS. See https://crbug.com/821811. TEST_F(TransportSecurityStateTest, PKPSubdomainCarveout) { const GURL report_uri(kReportUri); TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); const base::Time older = current_time - base::Seconds(1000); state.AddHPKP("example.test", expiry, true, GetSampleSPKIHashes(), report_uri); state.AddHPKP("foo.example.test", expiry, false, GetSampleSPKIHashes(), report_uri); EXPECT_TRUE(state.HasPublicKeyPins("example.test")); EXPECT_TRUE(state.HasPublicKeyPins("foo.example.test")); // The foo.example.test rule overrides the example1.test rule, so // bar.foo.example.test has no HPKP state. EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example.test")); EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example.test")); // Expire the foo.example.test rule. state.AddHPKP("foo.example.test", older, false, GetSampleSPKIHashes(), report_uri); // Now the base example.test rule applies to bar.foo.example.test. EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example.test")); EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example.test")); } TEST_F(TransportSecurityStateTest, FatalSSLErrors) { const GURL report_uri(kReportUri); TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); state.AddHSTS("example1.test", expiry, false); state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), report_uri); // The presense of either HSTS or HPKP is enough to make SSL errors fatal. EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test")); } // Tests that HPKP and HSTS state both expire. Also tests that expired entries // are pruned. TEST_F(TransportSecurityStateTest, Expiration) { const GURL report_uri(kReportUri); TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); const base::Time older = current_time - base::Seconds(1000); // Note: this test assumes that inserting an entry with an expiration time in // the past works and is pruned on query. state.AddHSTS("example1.test", older, false); EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); // Querying |state| for a domain should flush out expired entries. EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), report_uri); EXPECT_TRUE(state.has_dynamic_pkp_state()); EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); // Querying |state| for a domain should flush out expired entries. EXPECT_FALSE(state.has_dynamic_pkp_state()); state.AddHSTS("example1.test", older, false); state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), report_uri); EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); EXPECT_TRUE(state.has_dynamic_pkp_state()); EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); // Querying |state| for a domain should flush out expired entries. EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); EXPECT_FALSE(state.has_dynamic_pkp_state()); // Test that HSTS can outlive HPKP. state.AddHSTS("example1.test", expiry, false); state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), report_uri); EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); // Test that HPKP can outlive HSTS. state.AddHSTS("example2.test", older, false); state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), report_uri); EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); } // Tests that HPKP and HSTS state are queried independently for subdomain // matches. TEST_F(TransportSecurityStateTest, IndependentSubdomain) { const GURL report_uri(kReportUri); TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); state.AddHSTS("example1.test", expiry, true); state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes(), report_uri); state.AddHSTS("example2.test", expiry, false); state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), report_uri); EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test")); EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); } // Tests that HPKP and HSTS state are inserted and overridden independently. TEST_F(TransportSecurityStateTest, IndependentInsertion) { const GURL report_uri(kReportUri); TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); // Place an includeSubdomains HSTS entry below a normal HPKP entry. state.AddHSTS("example1.test", expiry, true); state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes(), report_uri); EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); // Drop the includeSubdomains from the HSTS entry. state.AddHSTS("example1.test", expiry, false); EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test")); EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); // Place an includeSubdomains HPKP entry below a normal HSTS entry. state.AddHSTS("foo.example2.test", expiry, false); state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), report_uri); EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); // Drop the includeSubdomains from the HSTS entry. state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), report_uri); EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); } // Tests that GetDynamic[PKP|STS]State returns the correct data and that the // states are not mixed together. TEST_F(TransportSecurityStateTest, DynamicDomainState) { const GURL report_uri(kReportUri); TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry1 = current_time + base::Seconds(1000); const base::Time expiry2 = current_time + base::Seconds(2000); state.AddHSTS("example.com", expiry1, true); state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes(), report_uri); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state)); ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); EXPECT_TRUE(pkp_state.HasPublicKeyPins()); EXPECT_TRUE(sts_state.include_subdomains); EXPECT_FALSE(pkp_state.include_subdomains); EXPECT_EQ(expiry1, sts_state.expiry); EXPECT_EQ(expiry2, pkp_state.expiry); EXPECT_EQ("example.com", sts_state.domain); EXPECT_EQ("foo.example.com", pkp_state.domain); } // Tests that new pins always override previous pins. This should be true for // both pins at the same domain or includeSubdomains pins at a parent domain. TEST_F(TransportSecurityStateTest, NewPinsOverride) { const GURL report_uri(kReportUri); TransportSecurityState state; TransportSecurityState::PKPState pkp_state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); HashValue hash1(HASH_VALUE_SHA256); memset(hash1.data(), 0x01, hash1.size()); HashValue hash2(HASH_VALUE_SHA256); memset(hash2.data(), 0x02, hash1.size()); HashValue hash3(HASH_VALUE_SHA256); memset(hash3.data(), 0x03, hash1.size()); state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1), report_uri); ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); ASSERT_EQ(1u, pkp_state.spki_hashes.size()); EXPECT_EQ(pkp_state.spki_hashes[0], hash1); state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2), report_uri); ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); ASSERT_EQ(1u, pkp_state.spki_hashes.size()); EXPECT_EQ(pkp_state.spki_hashes[0], hash2); state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), report_uri); ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); ASSERT_EQ(1u, pkp_state.spki_hashes.size()); EXPECT_EQ(pkp_state.spki_hashes[0], hash3); } TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataBetween) { TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); const base::Time older = current_time - base::Seconds(1000); EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); EXPECT_FALSE(state.HasPublicKeyPins("example.com")); bool include_subdomains = false; state.AddHSTS("example.com", expiry, include_subdomains); state.AddHPKP("example.com", expiry, include_subdomains, GetSampleSPKIHashes(), GURL()); state.DeleteAllDynamicDataBetween(expiry, base::Time::Max(), base::DoNothing()); EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); EXPECT_TRUE(state.HasPublicKeyPins("example.com")); state.DeleteAllDynamicDataBetween(older, current_time, base::DoNothing()); EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); EXPECT_TRUE(state.HasPublicKeyPins("example.com")); state.DeleteAllDynamicDataBetween(base::Time(), current_time, base::DoNothing()); EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); EXPECT_TRUE(state.HasPublicKeyPins("example.com")); state.DeleteAllDynamicDataBetween(older, base::Time::Max(), base::DoNothing()); EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); EXPECT_FALSE(state.HasPublicKeyPins("example.com")); // Dynamic data in |state| should be empty now. EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); EXPECT_FALSE(state.has_dynamic_pkp_state()); } TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { TransportSecurityState state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); bool include_subdomains = false; state.AddHSTS("example1.test", expiry, include_subdomains); state.AddHPKP("example1.test", expiry, include_subdomains, GetSampleSPKIHashes(), GURL()); EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); } TEST_F(TransportSecurityStateTest, LongNames) { TransportSecurityState state; state.SetPinningListAlwaysTimelyForTesting(true); const char kLongName[] = "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" "WaveletIdDomainAndBlipBlipid"; TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; // Just checks that we don't hit a NOTREACHED EXPECT_FALSE(state.GetStaticSTSState(kLongName, &sts_state)); EXPECT_FALSE(state.GetStaticPKPState(kLongName, &pkp_state)); EXPECT_FALSE(state.GetDynamicSTSState(kLongName, &sts_state)); EXPECT_FALSE(state.GetDynamicPKPState(kLongName, &pkp_state)); } static bool AddHash(const std::string& type_and_base64, HashValueVector* out) { HashValue hash; if (!hash.FromString(type_and_base64)) return false; out->push_back(hash); return true; } TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HashValueVector good_hashes, bad_hashes; for (size_t i = 0; kGoodPath[i]; i++) { EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); } for (size_t i = 0; kBadPath[i]; i++) { EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); } TransportSecurityState state; state.SetPinningListAlwaysTimelyForTesting(true); EnableStaticPins(&state); TransportSecurityState::PKPState pkp_state; EXPECT_TRUE(state.GetStaticPKPState("no-rejected-pins-pkp.preloaded.test", &pkp_state)); EXPECT_TRUE(pkp_state.HasPublicKeyPins()); std::string failure_log; EXPECT_TRUE(pkp_state.CheckPublicKeyPins(good_hashes, &failure_log)); EXPECT_FALSE(pkp_state.CheckPublicKeyPins(bad_hashes, &failure_log)); } // Tests that pinning violations on preloaded pins trigger reports when // the preloaded pin contains a report URI. TEST_F(TransportSecurityStateTest, PreloadedPKPReportUri) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); const char kPreloadedPinDomain[] = "with-report-uri-pkp.preloaded.test"; HostPortPair host_port_pair(kPreloadedPinDomain, kPort); net::NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); TransportSecurityState state; state.SetPinningListAlwaysTimelyForTesting(true); MockCertificateReportSender mock_report_sender; state.SetReportSender(&mock_report_sender); EnableStaticPins(&state); TransportSecurityState::PKPState pkp_state; ASSERT_TRUE(state.GetStaticPKPState(kPreloadedPinDomain, &pkp_state)); ASSERT_TRUE(pkp_state.HasPublicKeyPins()); GURL report_uri = pkp_state.report_uri; ASSERT_TRUE(report_uri.is_valid()); ASSERT_FALSE(report_uri.is_empty()); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter, as long as they are not the real google.com // certs in the pins. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); HashValueVector bad_hashes; for (size_t i = 0; kBadPath[i]; i++) EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); // Trigger a violation and check that it sends a report. std::string failure_log; EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins(host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); std::string report = mock_report_sender.latest_report(); ASSERT_FALSE(report.empty()); EXPECT_EQ("application/json; charset=utf-8", mock_report_sender.latest_content_type()); ASSERT_NO_FATAL_FAILURE(CheckHPKPReport( report, host_port_pair, pkp_state.include_subdomains, pkp_state.domain, cert1.get(), cert2.get(), pkp_state.spki_hashes)); EXPECT_EQ(network_anonymization_key, mock_report_sender.latest_network_anonymization_key()); state.SetReportSender(nullptr); } // Tests that report URIs are thrown out if they point to the same host, // over HTTPS, for which a pin was violated. TEST_F(TransportSecurityStateTest, HPKPReportUriToSameHost) { HostPortPair host_port_pair(kHost, kPort); GURL https_report_uri("https://example.test/report"); GURL http_report_uri("http://example.test/report"); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); TransportSecurityState state; MockCertificateReportSender mock_report_sender; state.SetReportSender(&mock_report_sender); const base::Time current_time = base::Time::Now(); const base::Time expiry = current_time + base::Seconds(1000); HashValueVector good_hashes; for (size_t i = 0; kGoodPath[i]; i++) EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter, as long as they don't match the certs in the pins. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); HashValueVector bad_hashes; for (size_t i = 0; kBadPath[i]; i++) EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); state.AddHPKP(kHost, expiry, true, good_hashes, https_report_uri); // Trigger a violation and check that it does not send a report // because the report-uri is HTTPS and same-host as the pins. std::string failure_log; EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins(host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); EXPECT_TRUE(mock_report_sender.latest_report_uri().is_empty()); // An HTTP report uri to the same host should be okay. state.AddHPKP("example.test", expiry, true, good_hashes, http_report_uri); EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins(host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); EXPECT_EQ(http_report_uri, mock_report_sender.latest_report_uri()); EXPECT_EQ(network_anonymization_key, mock_report_sender.latest_network_anonymization_key()); state.SetReportSender(nullptr); } // Simple test for the HSTS preload process. The trie (generated from // transport_security_state_static_unittest1.json) contains 1 entry. Test that // the lookup methods can find the entry and correctly decode the different // preloaded states (HSTS and HPKP). TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); TransportSecurityState state; TransportSecurityStateTest::EnableStaticPins(&state); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; EXPECT_TRUE( GetStaticDomainState(&state, "hsts.example.com", &sts_state, &pkp_state)); EXPECT_TRUE(sts_state.include_subdomains); EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS, sts_state.upgrade_mode); EXPECT_TRUE(pkp_state.include_subdomains); EXPECT_EQ(GURL(), pkp_state.report_uri); ASSERT_EQ(1u, pkp_state.spki_hashes.size()); EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1)); ASSERT_EQ(1u, pkp_state.bad_spki_hashes.size()); EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x2)); } // More advanced test for the HSTS preload process where the trie (generated // from transport_security_state_static_unittest2.json) contains multiple // entries with a common prefix. Test that the lookup methods can find all // entries and correctly decode the different preloaded states (HSTS and HPKP) // for each entry. TEST_F(TransportSecurityStateTest, DecodePreloadedMultiplePrefix) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); SetTransportSecurityStateSourceForTesting(&test2::kHSTSSource); TransportSecurityState state; TransportSecurityStateTest::EnableStaticPins(&state); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; EXPECT_TRUE( GetStaticDomainState(&state, "hsts.example.com", &sts_state, &pkp_state)); EXPECT_FALSE(sts_state.include_subdomains); EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS, sts_state.upgrade_mode); EXPECT_TRUE(pkp_state == TransportSecurityState::PKPState()); sts_state = TransportSecurityState::STSState(); pkp_state = TransportSecurityState::PKPState(); EXPECT_TRUE( GetStaticDomainState(&state, "hpkp.example.com", &sts_state, &pkp_state)); EXPECT_TRUE(sts_state == TransportSecurityState::STSState()); EXPECT_TRUE(pkp_state.include_subdomains); EXPECT_EQ(GURL("https://report.example.com/hpkp-upload"), pkp_state.report_uri); EXPECT_EQ(1U, pkp_state.spki_hashes.size()); EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1)); EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size()); sts_state = TransportSecurityState::STSState(); pkp_state = TransportSecurityState::PKPState(); EXPECT_TRUE( GetStaticDomainState(&state, "mix.example.com", &sts_state, &pkp_state)); EXPECT_FALSE(sts_state.include_subdomains); EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS, sts_state.upgrade_mode); EXPECT_TRUE(pkp_state.include_subdomains); EXPECT_EQ(GURL(), pkp_state.report_uri); EXPECT_EQ(1U, pkp_state.spki_hashes.size()); EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x2)); EXPECT_EQ(1U, pkp_state.bad_spki_hashes.size()); EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x1)); } // More advanced test for the HSTS preload process where the trie (generated // from transport_security_state_static_unittest3.json) contains a mix of // entries. Some entries share a prefix with the prefix also having its own // preloaded state while others share no prefix. This results in a trie with // several different internal structures. Test that the lookup methods can find // all entries and correctly decode the different preloaded states (HSTS and // HPKP) for each entry. TEST_F(TransportSecurityStateTest, DecodePreloadedMultipleMix) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); SetTransportSecurityStateSourceForTesting(&test3::kHSTSSource); TransportSecurityState state; TransportSecurityStateTest::EnableStaticPins(&state); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; EXPECT_TRUE( GetStaticDomainState(&state, "example.com", &sts_state, &pkp_state)); EXPECT_TRUE(sts_state.include_subdomains); EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS, sts_state.upgrade_mode); EXPECT_TRUE(pkp_state == TransportSecurityState::PKPState()); sts_state = TransportSecurityState::STSState(); pkp_state = TransportSecurityState::PKPState(); EXPECT_TRUE( GetStaticDomainState(&state, "hpkp.example.com", &sts_state, &pkp_state)); EXPECT_TRUE(sts_state == TransportSecurityState::STSState()); EXPECT_TRUE(pkp_state.include_subdomains); EXPECT_EQ(GURL("https://report.example.com/hpkp-upload"), pkp_state.report_uri); EXPECT_EQ(1U, pkp_state.spki_hashes.size()); EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1)); EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size()); sts_state = TransportSecurityState::STSState(); pkp_state = TransportSecurityState::PKPState(); EXPECT_TRUE( GetStaticDomainState(&state, "example.org", &sts_state, &pkp_state)); EXPECT_FALSE(sts_state.include_subdomains); EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS, sts_state.upgrade_mode); EXPECT_TRUE(pkp_state == TransportSecurityState::PKPState()); sts_state = TransportSecurityState::STSState(); pkp_state = TransportSecurityState::PKPState(); EXPECT_TRUE( GetStaticDomainState(&state, "badssl.com", &sts_state, &pkp_state)); EXPECT_TRUE(sts_state == TransportSecurityState::STSState()); EXPECT_TRUE(pkp_state.include_subdomains); EXPECT_EQ(GURL("https://report.example.com/hpkp-upload"), pkp_state.report_uri); EXPECT_EQ(1U, pkp_state.spki_hashes.size()); EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1)); EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size()); sts_state = TransportSecurityState::STSState(); pkp_state = TransportSecurityState::PKPState(); EXPECT_TRUE( GetStaticDomainState(&state, "mix.badssl.com", &sts_state, &pkp_state)); EXPECT_FALSE(sts_state.include_subdomains); EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS, sts_state.upgrade_mode); EXPECT_TRUE(pkp_state.include_subdomains); EXPECT_EQ(GURL(), pkp_state.report_uri); EXPECT_EQ(1U, pkp_state.spki_hashes.size()); EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x2)); EXPECT_EQ(1U, pkp_state.bad_spki_hashes.size()); EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x1)); sts_state = TransportSecurityState::STSState(); pkp_state = TransportSecurityState::PKPState(); // This should be a simple entry in the context of // TrieWriter::IsSimpleEntry(). EXPECT_TRUE(GetStaticDomainState(&state, "simple-entry.example.com", &sts_state, &pkp_state)); EXPECT_TRUE(sts_state.include_subdomains); EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS, sts_state.upgrade_mode); EXPECT_TRUE(pkp_state == TransportSecurityState::PKPState()); } TEST_F(TransportSecurityStateTest, HstsHostBypassList) { SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; std::string preloaded_tld = "example"; std::string subdomain = "sub.example"; { TransportSecurityState state; // Check that "example" is preloaded with subdomains. EXPECT_TRUE(state.ShouldUpgradeToSSL(preloaded_tld)); EXPECT_TRUE(state.ShouldUpgradeToSSL(subdomain)); } { // Add "example" to the bypass list. TransportSecurityState state({preloaded_tld}); EXPECT_FALSE(state.ShouldUpgradeToSSL(preloaded_tld)); // The preloaded entry should still apply to the subdomain. EXPECT_TRUE(state.ShouldUpgradeToSSL(subdomain)); } } // Tests that TransportSecurityState always consults the RequireCTDelegate, // if supplied. TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) { using ::testing::_; using ::testing::Return; using CTRequirementLevel = TransportSecurityState::RequireCTDelegate::CTRequirementLevel; // Dummy cert to use as the validation chain. The contents do not matter. scoped_refptr cert = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert); HashValueVector hashes; hashes.push_back( HashValue(X509Certificate::CalculateFingerprint256(cert->cert_buffer()))); // If CT is required, then the requirements are not met if the CT policy // wasn't met, but are met if the policy was met or the build was out of // date. { TransportSecurityState state; const TransportSecurityState::CTRequirementsStatus original_status = state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS); MockRequireCTDelegate always_require_delegate; EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_, _, _)) .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); state.SetRequireCTDelegate(&always_require_delegate); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_NOT_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_NOT_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY)); state.SetRequireCTDelegate(nullptr); EXPECT_EQ( original_status, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); } // If CT is not required, then regardless of the CT state for the host, // it should indicate CT is not required. { TransportSecurityState state; const TransportSecurityState::CTRequirementsStatus original_status = state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS); MockRequireCTDelegate never_require_delegate; EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_, _, _)) .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); state.SetRequireCTDelegate(&never_require_delegate); EXPECT_EQ( TransportSecurityState::CT_NOT_REQUIRED, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); EXPECT_EQ( TransportSecurityState::CT_NOT_REQUIRED, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS)); state.SetRequireCTDelegate(nullptr); EXPECT_EQ( original_status, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); } // If the Delegate is in the default state, then it should return the same // result as if there was no delegate in the first place. { TransportSecurityState state; const TransportSecurityState::CTRequirementsStatus original_status = state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS); MockRequireCTDelegate default_require_ct_delegate; EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_, _, _)) .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); state.SetRequireCTDelegate(&default_require_ct_delegate); EXPECT_EQ( original_status, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); state.SetRequireCTDelegate(nullptr); EXPECT_EQ( original_status, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); } } enum class CTEmergencyDisableSwitchKind { kFinchDrivenFeature, kComponentUpdaterDrivenSwitch, }; class CTEmergencyDisableTest : public TransportSecurityStateTest, public testing::WithParamInterface { public: CTEmergencyDisableTest() { if (GetParam() == CTEmergencyDisableSwitchKind::kComponentUpdaterDrivenSwitch) { scoped_feature_list_.Init(); } else { scoped_feature_list_.InitAndDisableFeature( kCertificateTransparencyEnforcement); } } void SetUp() override { if (GetParam() == CTEmergencyDisableSwitchKind::kComponentUpdaterDrivenSwitch) { state_.SetCTEmergencyDisabled(true); } else { ASSERT_EQ(GetParam(), CTEmergencyDisableSwitchKind::kFinchDrivenFeature); } } protected: base::test::ScopedFeatureList scoped_feature_list_; TransportSecurityState state_; }; // Tests that the emergency disable flags cause CT to stop being required // regardless of host or delegate status. TEST_P(CTEmergencyDisableTest, CTEmergencyDisable) { using ::testing::_; using ::testing::Return; using CTRequirementLevel = TransportSecurityState::RequireCTDelegate::CTRequirementLevel; // Dummy cert to use as the validation chain. The contents do not matter. scoped_refptr cert = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert); HashValueVector hashes; hashes.push_back( HashValue(X509Certificate::CalculateFingerprint256(cert->cert_buffer()))); MockRequireCTDelegate always_require_delegate; EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_, _, _)) .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); state_.SetRequireCTDelegate(&always_require_delegate); EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED, state_.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED, state_.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS)); EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED, state_.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS)); EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED, state_.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY)); state_.SetRequireCTDelegate(nullptr); EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED, state_.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, cert.get(), cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); } INSTANTIATE_TEST_SUITE_P( CTEmergencyDisable, CTEmergencyDisableTest, testing::Values(CTEmergencyDisableSwitchKind::kComponentUpdaterDrivenSwitch, CTEmergencyDisableSwitchKind::kFinchDrivenFeature)); // Tests that Certificate Transparency is required for Symantec-issued // certificates, unless the certificate was issued prior to 1 June 2016 // or the issuing CA is permitted as independently operated. TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { // Test certificates before and after the 1 June 2016 deadline. scoped_refptr before_cert = ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); ASSERT_TRUE(before_cert); scoped_refptr after_cert = ImportCertFromFile(GetTestCertsDirectory(), "post_june_2016.pem"); ASSERT_TRUE(after_cert); const SHA256HashValue symantec_hash_value = { {0xb2, 0xde, 0xf5, 0x36, 0x2a, 0xd3, 0xfa, 0xcd, 0x04, 0xbd, 0x29, 0x04, 0x7a, 0x43, 0x84, 0x4f, 0x76, 0x70, 0x34, 0xea, 0x48, 0x92, 0xf8, 0x0e, 0x56, 0xbe, 0xe6, 0x90, 0x24, 0x3e, 0x25, 0x02}}; const SHA256HashValue google_hash_value = { {0xec, 0x72, 0x29, 0x69, 0xcb, 0x64, 0x20, 0x0a, 0xb6, 0x63, 0x8f, 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; TransportSecurityState state; HashValueVector hashes; hashes.push_back(HashValue(symantec_hash_value)); // Certificates issued by Symantec prior to 1 June 2016 should not // be required to be disclosed via CT. EXPECT_EQ( TransportSecurityState::CT_NOT_REQUIRED, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), before_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); // ... but certificates issued after 1 June 2016 are required to be... EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_NOT_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_NOT_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS)); // ... unless they were issued by an excluded intermediate. hashes.push_back(HashValue(google_hash_value)); EXPECT_EQ( TransportSecurityState::CT_NOT_REQUIRED, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), before_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); EXPECT_EQ( TransportSecurityState::CT_NOT_REQUIRED, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); // And other certificates should remain unaffected. SHA256HashValue unrelated_hash_value = {{0x01, 0x02}}; HashValueVector unrelated_hashes; unrelated_hashes.push_back(HashValue(unrelated_hash_value)); EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, unrelated_hashes, before_cert.get(), before_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, unrelated_hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); } // Tests that Certificate Transparency is required for all of the Symantec // Managed CAs, regardless of when the certificate was issued. TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) { const SHA256HashValue symantec_hash_value = { {0xb2, 0xde, 0xf5, 0x36, 0x2a, 0xd3, 0xfa, 0xcd, 0x04, 0xbd, 0x29, 0x04, 0x7a, 0x43, 0x84, 0x4f, 0x76, 0x70, 0x34, 0xea, 0x48, 0x92, 0xf8, 0x0e, 0x56, 0xbe, 0xe6, 0x90, 0x24, 0x3e, 0x25, 0x02}}; const SHA256HashValue managed_hash_value = { {0x7c, 0xac, 0x9a, 0x0f, 0xf3, 0x15, 0x38, 0x77, 0x50, 0xba, 0x8b, 0xaf, 0xdb, 0x1c, 0x2b, 0xc2, 0x9b, 0x3f, 0x0b, 0xba, 0x16, 0x36, 0x2c, 0xa9, 0x3a, 0x90, 0xf8, 0x4d, 0xa2, 0xdf, 0x5f, 0x3e}}; TransportSecurityState state; HashValueVector hashes; hashes.push_back(HashValue(symantec_hash_value)); hashes.push_back(HashValue(managed_hash_value)); // All certificates, both before and after the pre-existing 1 June 2016 // date, are expected to be compliant. scoped_refptr before_cert = ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); ASSERT_TRUE(before_cert); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_NOT_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), before_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_NOT_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), before_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), before_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), before_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS)); scoped_refptr after_cert = ImportCertFromFile(GetTestCertsDirectory(), "post_june_2016.pem"); ASSERT_TRUE(after_cert); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_NOT_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_NOT_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY)); EXPECT_EQ( TransportSecurityState::CT_REQUIREMENTS_MET, state.CheckCTRequirements( HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), after_cert.get(), SignedCertificateTimestampAndStatusList(), ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS)); } #if BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) const char kSubdomain[] = "foo.example.test"; class TransportSecurityStateStaticTest : public TransportSecurityStateTest { public: TransportSecurityStateStaticTest() { SetTransportSecurityStateSourceForTesting(nullptr); } }; static bool StaticShouldRedirect(const char* hostname) { TransportSecurityState state; TransportSecurityState::STSState sts_state; return state.GetStaticSTSState(hostname, &sts_state) && sts_state.ShouldUpgradeToSSL(); } static bool HasStaticState(const char* hostname) { TransportSecurityState state; state.SetPinningListAlwaysTimelyForTesting(true); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; return state.GetStaticSTSState(hostname, &sts_state) || state.GetStaticPKPState(hostname, &pkp_state); } static bool HasStaticPublicKeyPins(const char* hostname) { TransportSecurityState state; state.SetPinningListAlwaysTimelyForTesting(true); TransportSecurityStateTest::EnableStaticPins(&state); TransportSecurityState::PKPState pkp_state; if (!state.GetStaticPKPState(hostname, &pkp_state)) return false; return pkp_state.HasPublicKeyPins(); } static bool OnlyPinningInStaticState(const char* hostname) { TransportSecurityState state; TransportSecurityStateTest::EnableStaticPins(&state); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; return HasStaticPublicKeyPins(hostname) && !StaticShouldRedirect(hostname); } TEST_F(TransportSecurityStateStaticTest, EnableStaticPins) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); TransportSecurityState state; state.SetPinningListAlwaysTimelyForTesting(true); TransportSecurityState::PKPState pkp_state; EnableStaticPins(&state); EXPECT_TRUE(state.GetStaticPKPState("chrome.google.com", &pkp_state)); EXPECT_FALSE(pkp_state.spki_hashes.empty()); } TEST_F(TransportSecurityStateStaticTest, DisableStaticPins) { TransportSecurityState state; state.SetPinningListAlwaysTimelyForTesting(true); TransportSecurityState::PKPState pkp_state; DisableStaticPins(&state); EXPECT_FALSE(state.GetStaticPKPState("chrome.google.com", &pkp_state)); EXPECT_TRUE(pkp_state.spki_hashes.empty()); } TEST_F(TransportSecurityStateStaticTest, IsPreloaded) { const std::string paypal = "paypal.com"; const std::string www_paypal = "www.paypal.com"; const std::string foo_paypal = "foo.paypal.com"; const std::string a_www_paypal = "a.www.paypal.com"; const std::string abc_paypal = "a.b.c.paypal.com"; const std::string example = "example.com"; const std::string aypal = "aypal.com"; const std::string google = "google"; const std::string www_google = "www.google"; const std::string foo = "foo"; const std::string bank = "example.bank"; const std::string insurance = "sub.example.insurance"; TransportSecurityState state; TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; EXPECT_TRUE(GetStaticDomainState(&state, paypal, &sts_state, &pkp_state)); EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &sts_state, &pkp_state)); EXPECT_FALSE(sts_state.include_subdomains); EXPECT_TRUE(GetStaticDomainState(&state, google, &sts_state, &pkp_state)); EXPECT_TRUE(GetStaticDomainState(&state, www_google, &sts_state, &pkp_state)); EXPECT_TRUE(GetStaticDomainState(&state, foo, &sts_state, &pkp_state)); EXPECT_TRUE(GetStaticDomainState(&state, bank, &sts_state, &pkp_state)); EXPECT_TRUE(sts_state.include_subdomains); EXPECT_TRUE(GetStaticDomainState(&state, insurance, &sts_state, &pkp_state)); EXPECT_TRUE(sts_state.include_subdomains); EXPECT_FALSE( GetStaticDomainState(&state, a_www_paypal, &sts_state, &pkp_state)); EXPECT_FALSE( GetStaticDomainState(&state, abc_paypal, &sts_state, &pkp_state)); EXPECT_FALSE(GetStaticDomainState(&state, example, &sts_state, &pkp_state)); EXPECT_FALSE(GetStaticDomainState(&state, aypal, &sts_state, &pkp_state)); } TEST_F(TransportSecurityStateStaticTest, PreloadedDomainSet) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); TransportSecurityState state; EnableStaticPins(&state); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; // The domain wasn't being set, leading to a blank string in the // chrome://net-internals/#hsts UI. So test that. EXPECT_TRUE(state.GetStaticPKPState("market.android.com", &pkp_state)); EXPECT_TRUE(state.GetStaticSTSState("market.android.com", &sts_state)); EXPECT_EQ(sts_state.domain, "market.android.com"); EXPECT_EQ(pkp_state.domain, "market.android.com"); EXPECT_TRUE(state.GetStaticPKPState("sub.market.android.com", &pkp_state)); EXPECT_TRUE(state.GetStaticSTSState("sub.market.android.com", &sts_state)); EXPECT_EQ(sts_state.domain, "market.android.com"); EXPECT_EQ(pkp_state.domain, "market.android.com"); } TEST_F(TransportSecurityStateStaticTest, Preloaded) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); TransportSecurityState state; EnableStaticPins(&state); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; // We do more extensive checks for the first domain. EXPECT_TRUE(state.GetStaticSTSState("www.paypal.com", &sts_state)); EXPECT_FALSE(state.GetStaticPKPState("www.paypal.com", &pkp_state)); EXPECT_EQ(sts_state.upgrade_mode, TransportSecurityState::STSState::MODE_FORCE_HTTPS); EXPECT_FALSE(sts_state.include_subdomains); EXPECT_FALSE(pkp_state.include_subdomains); EXPECT_TRUE(HasStaticState("paypal.com")); EXPECT_FALSE(HasStaticState("www2.paypal.com")); // Google hosts: EXPECT_TRUE(StaticShouldRedirect("chrome.google.com")); EXPECT_TRUE(StaticShouldRedirect("checkout.google.com")); EXPECT_TRUE(StaticShouldRedirect("wallet.google.com")); EXPECT_TRUE(StaticShouldRedirect("docs.google.com")); EXPECT_TRUE(StaticShouldRedirect("sites.google.com")); EXPECT_TRUE(StaticShouldRedirect("drive.google.com")); EXPECT_TRUE(StaticShouldRedirect("spreadsheets.google.com")); EXPECT_TRUE(StaticShouldRedirect("appengine.google.com")); EXPECT_TRUE(StaticShouldRedirect("market.android.com")); EXPECT_TRUE(StaticShouldRedirect("encrypted.google.com")); EXPECT_TRUE(StaticShouldRedirect("accounts.google.com")); EXPECT_TRUE(StaticShouldRedirect("profiles.google.com")); EXPECT_TRUE(StaticShouldRedirect("mail.google.com")); EXPECT_TRUE(StaticShouldRedirect("chatenabled.mail.google.com")); EXPECT_TRUE(StaticShouldRedirect("talkgadget.google.com")); EXPECT_TRUE(StaticShouldRedirect("hostedtalkgadget.google.com")); EXPECT_TRUE(StaticShouldRedirect("talk.google.com")); EXPECT_TRUE(StaticShouldRedirect("plus.google.com")); EXPECT_TRUE(StaticShouldRedirect("groups.google.com")); EXPECT_TRUE(StaticShouldRedirect("apis.google.com")); EXPECT_TRUE(StaticShouldRedirect("oauthaccountmanager.googleapis.com")); EXPECT_TRUE(StaticShouldRedirect("passwordsleakcheck-pa.googleapis.com")); EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com")); EXPECT_TRUE(StaticShouldRedirect("google")); EXPECT_TRUE(StaticShouldRedirect("foo.google")); EXPECT_TRUE(StaticShouldRedirect("foo")); EXPECT_TRUE(StaticShouldRedirect("domaintest.foo")); EXPECT_TRUE(StaticShouldRedirect("gmail.com")); EXPECT_TRUE(StaticShouldRedirect("www.gmail.com")); EXPECT_TRUE(StaticShouldRedirect("googlemail.com")); EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com")); EXPECT_TRUE(StaticShouldRedirect("googleplex.com")); EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com")); EXPECT_TRUE(StaticShouldRedirect("www.google-analytics.com")); EXPECT_TRUE(StaticShouldRedirect("www.youtube.com")); EXPECT_TRUE(StaticShouldRedirect("youtube.com")); // These domains used to be only HSTS when SNI was available. EXPECT_TRUE(state.GetStaticSTSState("gmail.com", &sts_state)); EXPECT_TRUE(state.GetStaticPKPState("gmail.com", &pkp_state)); EXPECT_TRUE(state.GetStaticSTSState("www.gmail.com", &sts_state)); EXPECT_TRUE(state.GetStaticPKPState("www.gmail.com", &pkp_state)); EXPECT_TRUE(state.GetStaticSTSState("googlemail.com", &sts_state)); EXPECT_TRUE(state.GetStaticPKPState("googlemail.com", &pkp_state)); EXPECT_TRUE(state.GetStaticSTSState("www.googlemail.com", &sts_state)); EXPECT_TRUE(state.GetStaticPKPState("www.googlemail.com", &pkp_state)); // fi.g.co should not force HTTPS because there are still HTTP-only services // on it. EXPECT_FALSE(StaticShouldRedirect("fi.g.co")); // Other hosts: EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com")); EXPECT_TRUE(StaticShouldRedirect("ottospora.nl")); EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl")); EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com")); EXPECT_TRUE(StaticShouldRedirect("lastpass.com")); EXPECT_TRUE(StaticShouldRedirect("www.lastpass.com")); EXPECT_FALSE(HasStaticState("blog.lastpass.com")); EXPECT_TRUE(StaticShouldRedirect("keyerror.com")); EXPECT_TRUE(StaticShouldRedirect("www.keyerror.com")); EXPECT_TRUE(StaticShouldRedirect("entropia.de")); EXPECT_TRUE(StaticShouldRedirect("www.entropia.de")); EXPECT_FALSE(HasStaticState("foo.entropia.de")); EXPECT_TRUE(StaticShouldRedirect("www.elanex.biz")); EXPECT_FALSE(HasStaticState("elanex.biz")); EXPECT_FALSE(HasStaticState("foo.elanex.biz")); EXPECT_TRUE(StaticShouldRedirect("sunshinepress.org")); EXPECT_TRUE(StaticShouldRedirect("www.sunshinepress.org")); EXPECT_TRUE(StaticShouldRedirect("a.b.sunshinepress.org")); EXPECT_TRUE(StaticShouldRedirect("www.noisebridge.net")); EXPECT_FALSE(HasStaticState("noisebridge.net")); EXPECT_FALSE(HasStaticState("foo.noisebridge.net")); EXPECT_TRUE(StaticShouldRedirect("neg9.org")); EXPECT_FALSE(HasStaticState("www.neg9.org")); EXPECT_TRUE(StaticShouldRedirect("riseup.net")); EXPECT_TRUE(StaticShouldRedirect("foo.riseup.net")); EXPECT_TRUE(StaticShouldRedirect("factor.cc")); EXPECT_FALSE(HasStaticState("www.factor.cc")); EXPECT_TRUE(StaticShouldRedirect("members.mayfirst.org")); EXPECT_TRUE(StaticShouldRedirect("support.mayfirst.org")); EXPECT_TRUE(StaticShouldRedirect("id.mayfirst.org")); EXPECT_TRUE(StaticShouldRedirect("lists.mayfirst.org")); EXPECT_FALSE(HasStaticState("www.mayfirst.org")); EXPECT_TRUE(StaticShouldRedirect("romab.com")); EXPECT_TRUE(StaticShouldRedirect("www.romab.com")); EXPECT_TRUE(StaticShouldRedirect("foo.romab.com")); EXPECT_TRUE(StaticShouldRedirect("logentries.com")); EXPECT_TRUE(StaticShouldRedirect("www.logentries.com")); EXPECT_FALSE(HasStaticState("foo.logentries.com")); EXPECT_TRUE(StaticShouldRedirect("stripe.com")); EXPECT_TRUE(StaticShouldRedirect("foo.stripe.com")); EXPECT_TRUE(StaticShouldRedirect("cloudsecurityalliance.org")); EXPECT_TRUE(StaticShouldRedirect("foo.cloudsecurityalliance.org")); EXPECT_TRUE(StaticShouldRedirect("login.sapo.pt")); EXPECT_TRUE(StaticShouldRedirect("foo.login.sapo.pt")); EXPECT_TRUE(StaticShouldRedirect("mattmccutchen.net")); EXPECT_TRUE(StaticShouldRedirect("foo.mattmccutchen.net")); EXPECT_TRUE(StaticShouldRedirect("betnet.fr")); EXPECT_TRUE(StaticShouldRedirect("foo.betnet.fr")); EXPECT_TRUE(StaticShouldRedirect("uprotect.it")); EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it")); EXPECT_TRUE(StaticShouldRedirect("cert.se")); EXPECT_TRUE(StaticShouldRedirect("foo.cert.se")); EXPECT_TRUE(StaticShouldRedirect("crypto.is")); EXPECT_TRUE(StaticShouldRedirect("foo.crypto.is")); EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name")); EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name")); EXPECT_TRUE(StaticShouldRedirect("linx.net")); EXPECT_TRUE(StaticShouldRedirect("foo.linx.net")); EXPECT_TRUE(StaticShouldRedirect("dropcam.com")); EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com")); EXPECT_FALSE(HasStaticState("foo.dropcam.com")); EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn")); EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn")); EXPECT_TRUE(StaticShouldRedirect("epoxate.com")); EXPECT_FALSE(HasStaticState("foo.epoxate.com")); EXPECT_FALSE(HasStaticState("foo.torproject.org")); EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com")); EXPECT_FALSE(HasStaticState("moneybookers.com")); EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net")); EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net")); EXPECT_FALSE(HasStaticState("status.ledgerscope.net")); EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com")); EXPECT_TRUE(StaticShouldRedirect("foo.api.recurly.com")); EXPECT_TRUE(StaticShouldRedirect("greplin.com")); EXPECT_TRUE(StaticShouldRedirect("www.greplin.com")); EXPECT_FALSE(HasStaticState("foo.greplin.com")); EXPECT_TRUE(StaticShouldRedirect("luneta.nearbuysystems.com")); EXPECT_TRUE(StaticShouldRedirect("foo.luneta.nearbuysystems.com")); EXPECT_TRUE(StaticShouldRedirect("ubertt.org")); EXPECT_TRUE(StaticShouldRedirect("foo.ubertt.org")); EXPECT_TRUE(StaticShouldRedirect("pixi.me")); EXPECT_TRUE(StaticShouldRedirect("www.pixi.me")); EXPECT_TRUE(StaticShouldRedirect("grepular.com")); EXPECT_TRUE(StaticShouldRedirect("www.grepular.com")); EXPECT_TRUE(StaticShouldRedirect("mydigipass.com")); EXPECT_FALSE(StaticShouldRedirect("foo.mydigipass.com")); EXPECT_TRUE(StaticShouldRedirect("www.mydigipass.com")); EXPECT_FALSE(StaticShouldRedirect("foo.www.mydigipass.com")); EXPECT_TRUE(StaticShouldRedirect("developer.mydigipass.com")); EXPECT_FALSE(StaticShouldRedirect("foo.developer.mydigipass.com")); EXPECT_TRUE(StaticShouldRedirect("www.developer.mydigipass.com")); EXPECT_FALSE(StaticShouldRedirect("foo.www.developer.mydigipass.com")); EXPECT_TRUE(StaticShouldRedirect("sandbox.mydigipass.com")); EXPECT_FALSE(StaticShouldRedirect("foo.sandbox.mydigipass.com")); EXPECT_TRUE(StaticShouldRedirect("www.sandbox.mydigipass.com")); EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com")); EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net")); EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net")); EXPECT_TRUE(StaticShouldRedirect("crate.io")); EXPECT_TRUE(StaticShouldRedirect("foo.crate.io")); EXPECT_TRUE(StaticShouldRedirect("sub.bank")); EXPECT_TRUE(StaticShouldRedirect("sub.insurance")); } TEST_F(TransportSecurityStateStaticTest, PreloadedPins) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); TransportSecurityState state; EnableStaticPins(&state); TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; // We do more extensive checks for the first domain. EXPECT_TRUE(state.GetStaticSTSState("www.paypal.com", &sts_state)); EXPECT_FALSE(state.GetStaticPKPState("www.paypal.com", &pkp_state)); EXPECT_EQ(sts_state.upgrade_mode, TransportSecurityState::STSState::MODE_FORCE_HTTPS); EXPECT_FALSE(sts_state.include_subdomains); EXPECT_FALSE(pkp_state.include_subdomains); EXPECT_TRUE(OnlyPinningInStaticState("www.google.com")); EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com")); EXPECT_TRUE(OnlyPinningInStaticState("google.com")); EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com")); EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com")); EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com")); EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com")); EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com")); EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com")); EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com")); EXPECT_TRUE(OnlyPinningInStaticState("appspot.com")); EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com")); EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net")); EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com")); EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org")); EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org")); EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org")); EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org")); EXPECT_FALSE(HasStaticState("foo.torproject.org")); EXPECT_TRUE(state.GetStaticPKPState("torproject.org", &pkp_state)); EXPECT_FALSE(pkp_state.spki_hashes.empty()); EXPECT_TRUE(state.GetStaticPKPState("www.torproject.org", &pkp_state)); EXPECT_FALSE(pkp_state.spki_hashes.empty()); EXPECT_TRUE(state.GetStaticPKPState("check.torproject.org", &pkp_state)); EXPECT_FALSE(pkp_state.spki_hashes.empty()); EXPECT_TRUE(state.GetStaticPKPState("blog.torproject.org", &pkp_state)); EXPECT_FALSE(pkp_state.spki_hashes.empty()); // Facebook has pinning and hsts on facebook.com, but only pinning on // subdomains. EXPECT_TRUE(state.GetStaticPKPState("facebook.com", &pkp_state)); EXPECT_FALSE(pkp_state.spki_hashes.empty()); EXPECT_TRUE(StaticShouldRedirect("facebook.com")); EXPECT_TRUE(state.GetStaticPKPState("foo.facebook.com", &pkp_state)); EXPECT_FALSE(pkp_state.spki_hashes.empty()); EXPECT_FALSE(StaticShouldRedirect("foo.facebook.com")); // www.facebook.com and subdomains have both pinning and hsts. EXPECT_TRUE(state.GetStaticPKPState("www.facebook.com", &pkp_state)); EXPECT_FALSE(pkp_state.spki_hashes.empty()); EXPECT_TRUE(StaticShouldRedirect("www.facebook.com")); EXPECT_TRUE(state.GetStaticPKPState("foo.www.facebook.com", &pkp_state)); EXPECT_FALSE(pkp_state.spki_hashes.empty()); EXPECT_TRUE(StaticShouldRedirect("foo.www.facebook.com")); } TEST_F(TransportSecurityStateStaticTest, BuiltinCertPins) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); TransportSecurityState state; EnableStaticPins(&state); TransportSecurityState::PKPState pkp_state; EXPECT_TRUE(state.GetStaticPKPState("chrome.google.com", &pkp_state)); EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com")); HashValueVector hashes; std::string failure_log; // Checks that a built-in list does exist. EXPECT_FALSE(pkp_state.CheckPublicKeyPins(hashes, &failure_log)); EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com")); EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("sites.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("drive.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("spreadsheets.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("wallet.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("checkout.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("appengine.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("market.android.com")); EXPECT_TRUE(HasStaticPublicKeyPins("encrypted.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("accounts.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("profiles.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("mail.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("chatenabled.mail.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("talkgadget.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("hostedtalkgadget.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("talk.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com")); EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com")); EXPECT_TRUE(HasStaticPublicKeyPins("youtube.com")); EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com")); EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com")); EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com")); EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com")); EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com")); } TEST_F(TransportSecurityStateStaticTest, OptionalHSTSCertPins) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); TransportSecurityState state; EnableStaticPins(&state); EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com")); EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com")); EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com")); EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com")); EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com")); EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com")); EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com")); EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com")); EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com")); EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com")); EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com")); EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net")); EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net")); EXPECT_TRUE(HasStaticPublicKeyPins("redirector.gvt1.com")); EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com")); } TEST_F(TransportSecurityStateStaticTest, OverrideBuiltins) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); EXPECT_FALSE(StaticShouldRedirect("google.com")); EXPECT_FALSE(StaticShouldRedirect("www.google.com")); TransportSecurityState state; state.SetPinningListAlwaysTimelyForTesting(true); const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::Seconds(1000); state.AddHSTS("www.google.com", expiry, true); EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com")); } // Tests that redundant reports are rate-limited. TEST_F(TransportSecurityStateStaticTest, HPKPReportRateLimiting) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HostPortPair host_port_pair(kHost, kPort); HostPortPair subdomain_host_port_pair(kSubdomain, kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); HashValueVector good_hashes, bad_hashes; for (size_t i = 0; kGoodPath[i]; i++) EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); for (size_t i = 0; kBadPath[i]; i++) EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); TransportSecurityState state; EnableStaticPins(&state); MockCertificateReportSender mock_report_sender; state.SetReportSender(&mock_report_sender); EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); EXPECT_EQ(std::string(), mock_report_sender.latest_report()); std::string failure_log; EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins(host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); // A report should have been sent. Check that it contains the // right information. EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); std::string report = mock_report_sender.latest_report(); ASSERT_FALSE(report.empty()); ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, true, kHost, cert1.get(), cert2.get(), good_hashes)); EXPECT_EQ(network_anonymization_key, mock_report_sender.latest_network_anonymization_key()); mock_report_sender.Clear(); // Now trigger the same violation; a duplicative report should not be // sent. EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins(host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); EXPECT_EQ(std::string(), mock_report_sender.latest_report()); EXPECT_EQ(NetworkAnonymizationKey(), mock_report_sender.latest_network_anonymization_key()); state.SetReportSender(nullptr); } TEST_F(TransportSecurityStateStaticTest, HPKPReporting) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HostPortPair host_port_pair(kHost, kPort); HostPortPair subdomain_host_port_pair(kSubdomain, kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); HashValueVector good_hashes, bad_hashes; for (size_t i = 0; kGoodPath[i]; i++) EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); for (size_t i = 0; kBadPath[i]; i++) EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); TransportSecurityState state; EnableStaticPins(&state); MockCertificateReportSender mock_report_sender; state.SetReportSender(&mock_report_sender); EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); EXPECT_EQ(std::string(), mock_report_sender.latest_report()); std::string failure_log; EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::DISABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); // No report should have been sent because of the DISABLE_PIN_REPORTS // argument. EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); EXPECT_EQ(std::string(), mock_report_sender.latest_report()); EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins(host_port_pair, true, good_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); // No report should have been sent because there was no violation. EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); EXPECT_EQ(std::string(), mock_report_sender.latest_report()); EXPECT_EQ(TransportSecurityState::PKPStatus::BYPASSED, state.CheckPublicKeyPins(host_port_pair, false, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); // No report should have been sent because the certificate chained to a // non-public root. EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); EXPECT_EQ(std::string(), mock_report_sender.latest_report()); EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins(host_port_pair, false, good_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); // No report should have been sent because there was no violation, even though // the certificate chained to a local trust anchor. EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); EXPECT_EQ(std::string(), mock_report_sender.latest_report()); EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins(host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); // Now a report should have been sent. Check that it contains the // right information. EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); std::string report = mock_report_sender.latest_report(); ASSERT_FALSE(report.empty()); EXPECT_EQ("application/json; charset=utf-8", mock_report_sender.latest_content_type()); ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, true, kHost, cert1.get(), cert2.get(), good_hashes)); mock_report_sender.Clear(); EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins(subdomain_host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &failure_log)); // Now a report should have been sent for the subdomain. Check that it // contains the right information. EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); report = mock_report_sender.latest_report(); ASSERT_FALSE(report.empty()); EXPECT_EQ("application/json; charset=utf-8", mock_report_sender.latest_content_type()); ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair, true, kHost, cert1.get(), cert2.get(), good_hashes)); EXPECT_EQ(network_anonymization_key, mock_report_sender.latest_network_anonymization_key()); state.SetReportSender(nullptr); } TEST_F(TransportSecurityStateTest, WriteSizeDecodeSize) { for (size_t i = 0; i < 300; ++i) { SCOPED_TRACE(i); huffman_trie::TrieBitBuffer buffer; buffer.WriteSize(i); huffman_trie::BitWriter writer; buffer.WriteToBitWriter(&writer); size_t position = writer.position(); writer.Flush(); ASSERT_NE(writer.bytes().data(), nullptr); extras::PreloadDecoder::BitReader reader(writer.bytes().data(), position); size_t decoded_size; EXPECT_TRUE(reader.DecodeSize(&decoded_size)); EXPECT_EQ(i, decoded_size); } } TEST_F(TransportSecurityStateTest, DecodeSizeFour) { // Test that BitReader::DecodeSize properly handles the number 4, including // not over-reading input bytes. BitReader::Next only fails if there's not // another byte to read from; if it reads past the number of bits in the // buffer but is still in the last byte it will still succeed. For this // reason, this test puts the encoding of 4 at the end of the byte to check // that DecodeSize doesn't over-read. // // 4 is encoded as 0b010. Shifted right to fill one byte, it is 0x02, with 5 // bits of padding. uint8_t encoded = 0x02; extras::PreloadDecoder::BitReader reader(&encoded, 8); for (size_t i = 0; i < 5; ++i) { bool unused; ASSERT_TRUE(reader.Next(&unused)); } size_t decoded_size; EXPECT_TRUE(reader.DecodeSize(&decoded_size)); EXPECT_EQ(4u, decoded_size); } #endif // BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) TEST_F(TransportSecurityStateTest, UpdateKeyPinsListValidPin) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HostPortPair host_port_pair(kHost, kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); HashValueVector bad_hashes; for (size_t i = 0; kBadPath[i]; i++) EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); TransportSecurityState state; EnableStaticPins(&state); std::string unused_failure_log; // Prior to updating the list, bad_hashes should be rejected. EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Update the pins list, adding bad_hashes to the accepted hashes for this // host. std::vector> accepted_hashes; for (size_t i = 0; kBadPath[i]; i++) { HashValue hash; ASSERT_TRUE(hash.FromString(kBadPath[i])); accepted_hashes.emplace_back(hash.data(), hash.data() + hash.size()); } TransportSecurityState::PinSet test_pinset( /*name=*/"test", /*static_spki_hashes=*/accepted_hashes, /*bad_static_spki_hashes=*/{}, /*report_uri=*/kReportUri); TransportSecurityState::PinSetInfo test_pinsetinfo( /*hostname=*/kHost, /*pinset_name=*/"test", /*include_subdomains=*/false); state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now()); // Hashes should now be accepted. EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); } TEST_F(TransportSecurityStateTest, UpdateKeyPinsListNotValidPin) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HostPortPair host_port_pair(kHost, kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); HashValueVector good_hashes; for (size_t i = 0; kGoodPath[i]; i++) EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); TransportSecurityState state; EnableStaticPins(&state); std::string unused_failure_log; // Prior to updating the list, good_hashes should be accepted EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( host_port_pair, true, good_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Update the pins list, adding good_hashes to the rejected hashes for this // host. std::vector> rejected_hashes; for (size_t i = 0; kGoodPath[i]; i++) { HashValue hash; ASSERT_TRUE(hash.FromString(kGoodPath[i])); rejected_hashes.emplace_back(hash.data(), hash.data() + hash.size()); } TransportSecurityState::PinSet test_pinset( /*name=*/"test", /*static_spki_hashes=*/{}, /*bad_static_spki_hashes=*/rejected_hashes, /*report_uri=*/kReportUri); TransportSecurityState::PinSetInfo test_pinsetinfo( /*hostname=*/kHost, /* pinset_name=*/"test", /*include_subdomains=*/false); state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now()); // Hashes should now be rejected. EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, good_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Hashes should also be rejected if the hostname has a trailing dot. host_port_pair = HostPortPair("example.test.", kPort); EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, good_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Hashes should also be rejected if the hostname has different // capitalization. host_port_pair = HostPortPair("ExAmpLe.tEsT", kPort); EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, good_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); } TEST_F(TransportSecurityStateTest, UpdateKeyPinsEmptyList) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HostPortPair host_port_pair(kHost, kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); HashValueVector bad_hashes; for (size_t i = 0; kBadPath[i]; i++) EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); TransportSecurityState state; EnableStaticPins(&state); std::string unused_failure_log; // Prior to updating the list, bad_hashes should be rejected. EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Update the pins list with an empty list. state.UpdatePinList({}, {}, base::Time::Now()); // Hashes should now be accepted. EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); } TEST_F(TransportSecurityStateTest, UpdateKeyPinsIncludeSubdomains) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HostPortPair host_port_pair("example.sub.test", kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); // unpinned_hashes is a set of hashes that (after the update) won't match the // expected hashes for the tld of this domain. kGoodPath is used here because // it's a path that is accepted prior to any updates, and this test will // validate it is rejected afterwards. HashValueVector unpinned_hashes; for (size_t i = 0; kGoodPath[i]; i++) { EXPECT_TRUE(AddHash(kGoodPath[i], &unpinned_hashes)); } TransportSecurityState state; EnableStaticPins(&state); std::string unused_failure_log; // Prior to updating the list, unpinned_hashes should be accepted EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( host_port_pair, true, unpinned_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Update the pins list, adding kBadPath to the accepted hashes for this // host, relying on include_subdomains for enforcement. The contents of the // hashes don't matter as long as they are different from unpinned_hashes, // kBadPath is used for convenience. std::vector> accepted_hashes; for (size_t i = 0; kBadPath[i]; i++) { HashValue hash; ASSERT_TRUE(hash.FromString(kBadPath[i])); accepted_hashes.emplace_back(hash.data(), hash.data() + hash.size()); } TransportSecurityState::PinSet test_pinset( /*name=*/"test", /*static_spki_hashes=*/{accepted_hashes}, /*bad_static_spki_hashes=*/{}, /*report_uri=*/kReportUri); // The host used in the test is "example.sub.test", so this pinset will only // match due to include subdomains. TransportSecurityState::PinSetInfo test_pinsetinfo( /*hostname=*/"sub.test", /* pinset_name=*/"test", /*include_subdomains=*/true); state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now()); // The path that was accepted before updating the pins should now be rejected. EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, unpinned_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); } TEST_F(TransportSecurityStateTest, UpdateKeyPinsIncludeSubdomainsTLD) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HostPortPair host_port_pair(kHost, kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); // unpinned_hashes is a set of hashes that (after the update) won't match the // expected hashes for the tld of this domain. kGoodPath is used here because // it's a path that is accepted prior to any updates, and this test will // validate it is rejected afterwards. HashValueVector unpinned_hashes; for (size_t i = 0; kGoodPath[i]; i++) { EXPECT_TRUE(AddHash(kGoodPath[i], &unpinned_hashes)); } TransportSecurityState state; EnableStaticPins(&state); std::string unused_failure_log; // Prior to updating the list, unpinned_hashes should be accepted EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( host_port_pair, true, unpinned_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Update the pins list, adding kBadPath to the accepted hashes for this // host, relying on include_subdomains for enforcement. The contents of the // hashes don't matter as long as they are different from unpinned_hashes, // kBadPath is used for convenience. std::vector> accepted_hashes; for (size_t i = 0; kBadPath[i]; i++) { HashValue hash; ASSERT_TRUE(hash.FromString(kBadPath[i])); accepted_hashes.emplace_back(hash.data(), hash.data() + hash.size()); } TransportSecurityState::PinSet test_pinset( /*name=*/"test", /*static_spki_hashes=*/{accepted_hashes}, /*bad_static_spki_hashes=*/{}, /*report_uri=*/kReportUri); // The host used in the test is "example.test", so this pinset will only match // due to include subdomains. TransportSecurityState::PinSetInfo test_pinsetinfo( /*hostname=*/"test", /* pinset_name=*/"test", /*include_subdomains=*/true); state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now()); // The path that was accepted before updating the pins should now be rejected. EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, unpinned_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); } TEST_F(TransportSecurityStateTest, UpdateKeyPinsDontIncludeSubdomains) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HostPortPair host_port_pair(kHost, kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); // unpinned_hashes is a set of hashes that (after the update) won't match the // expected hashes for the tld of this domain. kGoodPath is used here because // it's a path that is accepted prior to any updates, and this test will // validate it is accepted or rejected afterwards depending on whether the // domain is an exact match. HashValueVector unpinned_hashes; for (size_t i = 0; kGoodPath[i]; i++) { EXPECT_TRUE(AddHash(kGoodPath[i], &unpinned_hashes)); } TransportSecurityState state; EnableStaticPins(&state); std::string unused_failure_log; // Prior to updating the list, unpinned_hashes should be accepted EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( host_port_pair, true, unpinned_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Update the pins list, adding kBadPath to the accepted hashes for the // tld of this host, but without include_subdomains set. The contents of the // hashes don't matter as long as they are different from unpinned_hashes, // kBadPath is used for convenience. std::vector> accepted_hashes; for (size_t i = 0; kBadPath[i]; i++) { HashValue hash; ASSERT_TRUE(hash.FromString(kBadPath[i])); accepted_hashes.emplace_back(hash.data(), hash.data() + hash.size()); } TransportSecurityState::PinSet test_pinset( /*name=*/"test", /*static_spki_hashes=*/{accepted_hashes}, /*bad_static_spki_hashes=*/{}, /*report_uri=*/kReportUri); // The host used in the test is "example.test", so this pinset will not match // due to include subdomains not being set. TransportSecurityState::PinSetInfo test_pinsetinfo( /*hostname=*/"test", /* pinset_name=*/"test", /*include_subdomains=*/false); state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now()); // Hashes that were accepted before the update should still be accepted since // include subdomains is not set for the pinset, and this is not an exact // match. EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( host_port_pair, true, unpinned_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Hashes should be rejected for an exact match of the hostname. HostPortPair exact_match_host("test", kPort); EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( exact_match_host, true, unpinned_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); } TEST_F(TransportSecurityStateTest, UpdateKeyPinsListTimestamp) { base::test::ScopedFeatureList scoped_feature_list_; scoped_feature_list_.InitAndEnableFeature( net::features::kStaticKeyPinningEnforcement); HostPortPair host_port_pair(kHost, kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); HashValueVector bad_hashes; for (size_t i = 0; kBadPath[i]; i++) EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); TransportSecurityState state; EnableStaticPins(&state); std::string unused_failure_log; // Prior to updating the list, bad_hashes should be rejected. EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // TransportSecurityStateTest sets a flag when EnableStaticPins is called that // results in TransportSecurityState considering the pins list as always // timely. We need to disable it so we can test that the timestamp has the // required effect. state.SetPinningListAlwaysTimelyForTesting(false); // Update the pins list, with bad hashes as rejected, but a timestamp >70 days // old. std::vector> rejected_hashes; for (size_t i = 0; kBadPath[i]; i++) { HashValue hash; ASSERT_TRUE(hash.FromString(kBadPath[i])); rejected_hashes.emplace_back(hash.data(), hash.data() + hash.size()); } TransportSecurityState::PinSet test_pinset( /*name=*/"test", /*static_spki_hashes=*/{}, /*bad_static_spki_hashes=*/rejected_hashes, /*report_uri=*/kReportUri); TransportSecurityState::PinSetInfo test_pinsetinfo( /*hostname=*/kHost, /* pinset_name=*/"test", /*include_subdomains=*/false); state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now() - base::Days(70)); // Hashes should now be accepted. EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); // Update the pins list again, with a timestamp <70 days old. state.UpdatePinList({test_pinset}, {test_pinsetinfo}, base::Time::Now() - base::Days(69)); // Hashes should now be rejected. EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); } class TransportSecurityStatePinningKillswitchTest : public TransportSecurityStateTest { public: TransportSecurityStatePinningKillswitchTest() { scoped_feature_list_.InitAndDisableFeature( features::kStaticKeyPinningEnforcement); } protected: base::test::ScopedFeatureList scoped_feature_list_; }; TEST_F(TransportSecurityStatePinningKillswitchTest, PinningKillswitchSet) { HostPortPair host_port_pair(kHost, kPort); GURL report_uri(kReportUri); NetworkAnonymizationKey network_anonymization_key = NetworkAnonymizationKey::CreateTransient(); // Two dummy certs to use as the server-sent and validated chains. The // contents don't matter. scoped_refptr cert1 = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(cert1); scoped_refptr cert2 = ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); ASSERT_TRUE(cert2); HashValueVector bad_hashes; for (size_t i = 0; kBadPath[i]; i++) EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); TransportSecurityState state; EnableStaticPins(&state); std::string unused_failure_log; // Hashes should be accepted since pinning enforcement is disabled. EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), TransportSecurityState::ENABLE_PIN_REPORTS, network_anonymization_key, &unused_failure_log)); } } // namespace net