// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include #include #include "base/base64.h" #include "base/strings/string_piece.h" #include "crypto/sha2.h" #include "net/base/host_port_pair.h" #include "net/base/test_completion_callback.h" #include "net/http/http_security_headers.h" #include "net/http/http_util.h" #include "net/http/transport_security_state.h" #include "net/ssl/ssl_info.h" #include "testing/gtest/include/gtest/gtest.h" namespace net { namespace { HashValue GetTestHashValue(uint8_t label, HashValueTag tag) { HashValue hash_value(tag); memset(hash_value.data(), label, hash_value.size()); return hash_value; } std::string GetTestPinImpl(uint8_t label, HashValueTag tag, bool quoted) { HashValue hash_value = GetTestHashValue(label, tag); std::string base64; base::Base64Encode(base::StringPiece( reinterpret_cast(hash_value.data()), hash_value.size()), &base64); std::string ret; switch (hash_value.tag) { case HASH_VALUE_SHA256: ret = "pin-sha256="; break; default: NOTREACHED() << "Unknown HashValueTag " << hash_value.tag; return std::string("ERROR"); } if (quoted) ret += '\"'; ret += base64; if (quoted) ret += '\"'; return ret; } std::string GetTestPin(uint8_t label, HashValueTag tag) { return GetTestPinImpl(label, tag, true); } std::string GetTestPinUnquoted(uint8_t label, HashValueTag tag) { return GetTestPinImpl(label, tag, false); } }; // Parses the given header |value| as both a Public-Key-Pins-Report-Only // and Public-Key-Pins header. Returns true if the value parses // successfully for both header types, and if the parsed hashes and // report_uri match for both header types. bool ParseAsHPKPHeader(const std::string& value, const HashValueVector& chain_hashes, base::TimeDelta* max_age, bool* include_subdomains, HashValueVector* hashes, GURL* report_uri) { GURL report_only_uri; bool report_only_include_subdomains; HashValueVector report_only_hashes; if (!ParseHPKPReportOnlyHeader(value, &report_only_include_subdomains, &report_only_hashes, &report_only_uri)) { return false; } bool result = ParseHPKPHeader(value, chain_hashes, max_age, include_subdomains, hashes, report_uri); if (!result || report_only_include_subdomains != *include_subdomains || report_only_uri != *report_uri || report_only_hashes != *hashes) { return false; } return true; } class HttpSecurityHeadersTest : public testing::Test { }; TEST_F(HttpSecurityHeadersTest, BogusHeaders) { base::TimeDelta max_age; bool include_subdomains = false; EXPECT_FALSE( ParseHSTSHeader(std::string(), &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" ", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("abc", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" abc", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" abc ", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" max-age", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" max-age ", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" max-age=", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" max-age =", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" max-age= ", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" max-age = ", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" max-age = xy", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" max-age = 3488a923", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488a923 ", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-ag=3488923", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-aged=3488923", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age==3488923", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("amax-age=3488923", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=-3488923", &max_age, &include_subdomains)); EXPECT_FALSE( ParseHSTSHeader("max-age=+3488923", &max_age, &include_subdomains)); EXPECT_FALSE( ParseHSTSHeader("max-age=13####", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=9223372036854775807#####", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=18446744073709551615####", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=999999999999999999999999$.&#!", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 e", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomain", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488923includesubdomains", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488923=includesubdomains", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomainx", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomain=", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomain=true", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomainsx", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomains x", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=34889.23 includesubdomains", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age=34889 includesubdomains", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(";;;; ;;;", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(";;;; includeSubDomains;;;", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(" includeSubDomains; ", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader(";", &max_age, &include_subdomains)); EXPECT_FALSE(ParseHSTSHeader("max-age; ;", &max_age, &include_subdomains)); // Check the out args were not updated by checking the default // values for its predictable fields. EXPECT_EQ(0, max_age.InSeconds()); EXPECT_FALSE(include_subdomains); } static void TestBogusPinsHeaders(HashValueTag tag) { base::TimeDelta max_age; bool include_subdomains; HashValueVector hashes; HashValueVector chain_hashes; GURL report_uri; // Set some fake "chain" hashes chain_hashes.push_back(GetTestHashValue(1, tag)); chain_hashes.push_back(GetTestHashValue(2, tag)); chain_hashes.push_back(GetTestHashValue(3, tag)); // The good pin must be in the chain, the backup pin must not be std::string good_pin = GetTestPin(2, tag); std::string good_pin_unquoted = GetTestPinUnquoted(2, tag); std::string backup_pin = GetTestPin(4, tag); EXPECT_FALSE(ParseAsHPKPHeader(std::string(), chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("abc", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" abc", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" abc ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" max-age", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" max-age ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age=", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" max-age=", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" max-age =", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" max-age= ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" max-age = ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" max-age = xy", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader(" max-age = 3488a923", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488a923 ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader( "max-ag=3488923pins=" + good_pin + "," + backup_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader( "max-age=3488923;pins=" + good_pin + "," + backup_pin + "report-uri=\"http://foo.com\"", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-aged=3488923" + backup_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-aged=3488923; " + backup_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader( "max-aged=3488923; " + backup_pin + ";" + backup_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader( "max-aged=3488923; " + good_pin + ";" + good_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-aged=3488923; " + good_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age==3488923", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("amax-age=3488923", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age=-3488923", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488923;", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488923 e", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age=3488923 includesubdomain", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader( "max-age=3488923 report-uri=\"http://foo.com\"", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age=34889.23", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader( "max-age=243; " + good_pin_unquoted + ";" + backup_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader( "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=;", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=http://foo.com;", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_FALSE(ParseAsHPKPHeader( "max-age=243; " + good_pin + ";" + backup_pin + ";report-uri=''", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); // Test that the parser rejects misquoted strings. EXPECT_FALSE(ParseAsHPKPHeader( "max-age=999; " + backup_pin + "; " + good_pin + "; report-uri=\"http://foo;bar\'", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); // Test that the parser rejects invalid report-uris. EXPECT_FALSE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + "; report-uri=\"foo;bar\'", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); // Check the out args were not updated by checking the default // values for its predictable fields. EXPECT_EQ(0, max_age.InSeconds()); EXPECT_EQ(hashes.size(), (size_t)0); } TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) { base::TimeDelta max_age; base::TimeDelta expect_max_age; bool include_subdomains = false; EXPECT_TRUE(ParseHSTSHeader("max-age=243", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(243); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader("max-age=3488923;", &max_age, &include_subdomains)); EXPECT_TRUE(ParseHSTSHeader(" Max-agE = 567", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(567); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader(" mAx-aGe = 890 ", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(890); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader("max-age=123;incLudesUbdOmains", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(123); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader("incLudesUbdOmains; max-age=123", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(123); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader(" incLudesUbdOmains; max-age=123", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(123); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( " incLudesUbdOmains; max-age=123; pumpkin=kitten", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(123); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( " pumpkin=894; incLudesUbdOmains; max-age=123 ", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(123); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( " pumpkin; incLudesUbdOmains; max-age=123 ", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(123); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( " pumpkin; incLudesUbdOmains; max-age=\"123\" ", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(123); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( "animal=\"squirrel; distinguished\"; incLudesUbdOmains; max-age=123", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(123); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader("max-age=394082; incLudesUbdOmains", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(394082); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( "max-age=39408299 ;incLudesUbdOmains", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(std::min(kMaxHSTSAgeSecs, 39408299u)); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( "max-age=394082038 ; incLudesUbdOmains", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(std::min(kMaxHSTSAgeSecs, 394082038u)); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( "max-age=394082038 ; incLudesUbdOmains;", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(std::min(kMaxHSTSAgeSecs, 394082038u)); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( ";; max-age=394082038 ; incLudesUbdOmains; ;", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(std::min(kMaxHSTSAgeSecs, 394082038u)); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( ";; max-age=394082038 ;", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(std::min(kMaxHSTSAgeSecs, 394082038u)); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( ";; ; ; max-age=394082038;;; includeSubdomains ;; ;", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(std::min(kMaxHSTSAgeSecs, 394082038u)); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( "incLudesUbdOmains ; max-age=394082038 ;;", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(std::min(kMaxHSTSAgeSecs, 394082038u)); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( " max-age=0 ; incLudesUbdOmains ", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds(0); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseHSTSHeader( " max-age=999999999999999999999999999999999999999999999 ;" " incLudesUbdOmains ", &max_age, &include_subdomains)); expect_max_age = base::TimeDelta::FromSeconds( kMaxHSTSAgeSecs); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); } static void TestValidPKPHeaders(HashValueTag tag) { base::TimeDelta max_age; base::TimeDelta expect_max_age; bool include_subdomains; HashValueVector hashes; HashValueVector chain_hashes; GURL expect_report_uri; GURL report_uri; // Set some fake "chain" hashes into chain_hashes chain_hashes.push_back(GetTestHashValue(1, tag)); chain_hashes.push_back(GetTestHashValue(2, tag)); chain_hashes.push_back(GetTestHashValue(3, tag)); // The good pin must be in the chain, the backup pin must not be std::string good_pin = GetTestPin(2, tag); std::string good_pin2 = GetTestPin(3, tag); std::string backup_pin = GetTestPin(4, tag); EXPECT_TRUE(ParseAsHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(243); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(report_uri.is_empty()); EXPECT_TRUE(ParseAsHPKPHeader("max-age=243; " + good_pin + ";" + backup_pin + "; report-uri= \"http://example.test/foo\"", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(243); expect_report_uri = GURL("http://example.test/foo"); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_EQ(expect_report_uri, report_uri); EXPECT_TRUE(ParseAsHPKPHeader( " " + good_pin + "; " + backup_pin + " ; Max-agE = 567; repOrT-URi = \"http://example.test/foo\"", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(567); expect_report_uri = GURL("http://example.test/foo"); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_EQ(expect_report_uri, report_uri); EXPECT_TRUE(ParseAsHPKPHeader("includeSubDOMAINS;" + good_pin + ";" + backup_pin + " ; mAx-aGe = 890 ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(890); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseAsHPKPHeader( good_pin + ";" + backup_pin + "; max-age=123;IGNORED;", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(123); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(ParseAsHPKPHeader( "max-age=394082;" + backup_pin + ";" + good_pin + "; ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(394082); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(ParseAsHPKPHeader( "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(std::min(kMaxHPKPAgeSecs, 39408299u)); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(ParseAsHPKPHeader( "max-age=39408038 ; cybers=39408038 ; includeSubdomains; " + good_pin + ";" + backup_pin + "; ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(std::min(kMaxHPKPAgeSecs, 394082038u)); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseAsHPKPHeader( " max-age=0 ; " + good_pin + ";" + backup_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(0); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(ParseAsHPKPHeader( " max-age=0 ; includeSubdomains; " + good_pin + ";" + backup_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(0); EXPECT_EQ(expect_max_age, max_age); EXPECT_TRUE(include_subdomains); EXPECT_TRUE(ParseAsHPKPHeader( " max-age=999999999999999999999999999999999999999999999 ; " + backup_pin + ";" + good_pin + "; ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(kMaxHPKPAgeSecs); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_TRUE(ParseAsHPKPHeader( " max-age=999999999999999999999999999999999999999999999 ; " + backup_pin + ";" + good_pin + "; report-uri=\"http://example.test/foo\"", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(kMaxHPKPAgeSecs); expect_report_uri = GURL("http://example.test/foo"); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_EQ(expect_report_uri, report_uri); // Test that parsing a different header resets the hashes. hashes.clear(); EXPECT_TRUE(ParseAsHPKPHeader( " max-age=999; " + backup_pin + ";" + good_pin + "; ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_EQ(2u, hashes.size()); EXPECT_TRUE(ParseAsHPKPHeader( " max-age=999; " + backup_pin + ";" + good_pin2 + "; ", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); EXPECT_EQ(2u, hashes.size()); // Test that the parser correctly parses an unencoded ';' inside a // quoted report-uri. EXPECT_TRUE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + "; report-uri=\"http://foo.com/?;bar\"", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(999); expect_report_uri = GURL("http://foo.com/?;bar"); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_EQ(expect_report_uri, report_uri); // Test that the parser correctly parses a report-uri with a >0x7f // character. std::string uri = "http://foo.com/"; uri += char(0x7f); expect_report_uri = GURL(uri); EXPECT_TRUE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + "; report-uri=\"" + uri + "\"", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(999); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_EQ(expect_report_uri, report_uri); // Test that the parser allows quoted max-age values. EXPECT_TRUE(ParseAsHPKPHeader( "max-age='999'; " + backup_pin + "; " + good_pin, chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(999); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); // Test that the parser handles escaped values. expect_report_uri = GURL("http://foo.com'a"); EXPECT_TRUE(ParseAsHPKPHeader("max-age=999; " + backup_pin + "; " + good_pin + "; report-uri='http://foo.com\\'\\a'", chain_hashes, &max_age, &include_subdomains, &hashes, &report_uri)); expect_max_age = base::TimeDelta::FromSeconds(999); EXPECT_EQ(expect_max_age, max_age); EXPECT_FALSE(include_subdomains); EXPECT_EQ(expect_report_uri, report_uri); // Test that the parser does not require max-age for Report-Only // headers. expect_report_uri = GURL("http://foo.com"); EXPECT_TRUE(ParseHPKPReportOnlyHeader( backup_pin + "; " + good_pin + "; report-uri='http://foo.com'", &include_subdomains, &hashes, &report_uri)); EXPECT_EQ(expect_report_uri, report_uri); } TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { TestBogusPinsHeaders(HASH_VALUE_SHA256); } TEST_F(HttpSecurityHeadersTest, ValidPKPHeadersSHA256) { TestValidPKPHeaders(HASH_VALUE_SHA256); } TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) { TransportSecurityState state; TransportSecurityState::STSState static_sts_state; TransportSecurityState::PKPState static_pkp_state; // docs.google.com has preloaded pins. std::string domain = "docs.google.com"; state.enable_static_pins_ = true; EXPECT_TRUE( state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state)); EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL); HashValueVector saved_hashes = static_pkp_state.spki_hashes; // Add a header, which should only update the dynamic state. HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA256); HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA256); std::string good_pin = GetTestPin(1, HASH_VALUE_SHA256); std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA256); GURL report_uri("http://google.com"); std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin + ";report-uri=\"" + report_uri.spec() + "\""; // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. SSLInfo ssl_info; ssl_info.public_key_hashes.push_back(good_hash); ssl_info.public_key_hashes.push_back(saved_hashes[0]); EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); // Expect the static state to remain unchanged. TransportSecurityState::STSState new_static_sts_state; TransportSecurityState::PKPState new_static_pkp_state; EXPECT_TRUE(state.GetStaticDomainState(domain, &new_static_sts_state, &new_static_pkp_state)); EXPECT_EQ(saved_hashes, new_static_pkp_state.spki_hashes); // Expect the dynamic state to reflect the header. TransportSecurityState::PKPState dynamic_pkp_state; EXPECT_TRUE(state.GetDynamicPKPState(domain, &dynamic_pkp_state)); EXPECT_EQ(2UL, dynamic_pkp_state.spki_hashes.size()); EXPECT_EQ(report_uri, dynamic_pkp_state.report_uri); HashValueVector::const_iterator hash = std::find(dynamic_pkp_state.spki_hashes.begin(), dynamic_pkp_state.spki_hashes.end(), good_hash); EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash); hash = std::find(dynamic_pkp_state.spki_hashes.begin(), dynamic_pkp_state.spki_hashes.end(), backup_hash); EXPECT_NE(dynamic_pkp_state.spki_hashes.end(), hash); // Expect the overall state to reflect the header, too. EXPECT_TRUE(state.HasPublicKeyPins(domain)); HashValueVector hashes; hashes.push_back(good_hash); std::string failure_log; const bool is_issued_by_known_root = true; HostPortPair domain_port(domain, 443); EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( domain_port, is_issued_by_known_root, hashes, nullptr, nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); TransportSecurityState::PKPState new_dynamic_pkp_state; EXPECT_TRUE(state.GetDynamicPKPState(domain, &new_dynamic_pkp_state)); EXPECT_EQ(2UL, new_dynamic_pkp_state.spki_hashes.size()); EXPECT_EQ(report_uri, new_dynamic_pkp_state.report_uri); hash = std::find(new_dynamic_pkp_state.spki_hashes.begin(), new_dynamic_pkp_state.spki_hashes.end(), good_hash); EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash); hash = std::find(new_dynamic_pkp_state.spki_hashes.begin(), new_dynamic_pkp_state.spki_hashes.end(), backup_hash); EXPECT_NE(new_dynamic_pkp_state.spki_hashes.end(), hash); } TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0) { TransportSecurityState state; TransportSecurityState::STSState static_sts_state; TransportSecurityState::PKPState static_pkp_state; // docs.google.com has preloaded pins. std::string domain = "docs.google.com"; state.enable_static_pins_ = true; ASSERT_TRUE( state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state)); EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL); HashValueVector saved_hashes = static_pkp_state.spki_hashes; // Add a header, which should only update the dynamic state. HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA256); std::string good_pin = GetTestPin(1, HASH_VALUE_SHA256); std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA256); std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin; // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. SSLInfo ssl_info; ssl_info.public_key_hashes.push_back(good_hash); ssl_info.public_key_hashes.push_back(saved_hashes[0]); EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); // Expect the static state to remain unchanged. TransportSecurityState::STSState new_static_sts_state; TransportSecurityState::PKPState new_static_pkp_state; EXPECT_TRUE(state.GetStaticDomainState(domain, &new_static_sts_state, &new_static_pkp_state)); EXPECT_EQ(saved_hashes, new_static_pkp_state.spki_hashes); // Expect the dynamic state to have pins. TransportSecurityState::PKPState new_dynamic_pkp_state; EXPECT_TRUE(state.GetDynamicPKPState(domain, &new_dynamic_pkp_state)); EXPECT_EQ(2UL, new_dynamic_pkp_state.spki_hashes.size()); EXPECT_TRUE(new_dynamic_pkp_state.HasPublicKeyPins()); // Now set another header with max-age=0, and check that the pins are // cleared in the dynamic state only. header = "max-age = 0; " + good_pin + "; " + backup_pin; EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); // Expect the static state to remain unchanged. TransportSecurityState::PKPState new_static_pkp_state2; EXPECT_TRUE(state.GetStaticDomainState(domain, &static_sts_state, &new_static_pkp_state2)); EXPECT_EQ(saved_hashes, new_static_pkp_state2.spki_hashes); // Expect the dynamic pins to be gone. TransportSecurityState::PKPState new_dynamic_pkp_state2; EXPECT_FALSE(state.GetDynamicPKPState(domain, &new_dynamic_pkp_state2)); // Expect the exact-matching static policy to continue to apply, even // though dynamic policy has been removed. (This policy may change in the // future, in which case this test must be updated.) EXPECT_TRUE(state.HasPublicKeyPins(domain)); EXPECT_TRUE(state.ShouldSSLErrorsBeFatal(domain)); std::string failure_log; // Damage the hashes to cause a pin validation failure. for (size_t i = 0; i < new_static_pkp_state2.spki_hashes.size(); i++) { new_static_pkp_state2.spki_hashes[i].data()[0] ^= 0x80; } const bool is_issued_by_known_root = true; HostPortPair domain_port(domain, 443); EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( domain_port, is_issued_by_known_root, new_static_pkp_state2.spki_hashes, nullptr, nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); EXPECT_NE(0UL, failure_log.length()); } // Tests that when a static HSTS and a static HPKP entry are present, adding a // dynamic HSTS header does not clobber the static HPKP entry. Further, adding a // dynamic HPKP entry could not affect the HSTS entry for the site. TEST_F(HttpSecurityHeadersTest, NoClobberPins) { TransportSecurityState state; TransportSecurityState::STSState sts_state; TransportSecurityState::PKPState pkp_state; // accounts.google.com has preloaded pins. std::string domain = "accounts.google.com"; state.enable_static_pins_ = true; // Retrieve the static STS and PKP states as it is by default, including its // known good pins. EXPECT_TRUE(state.GetStaticDomainState(domain, &sts_state, &pkp_state)); HashValueVector saved_hashes = pkp_state.spki_hashes; EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); EXPECT_TRUE(pkp_state.HasPublicKeyPins()); EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); EXPECT_TRUE(state.HasPublicKeyPins(domain)); // Add a dynamic HSTS header. CheckPublicKeyPins should still pass when given // the original |saved_hashes|, indicating that the static PKP data is still // configured for the domain. EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000")); EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); std::string failure_log; const bool is_issued_by_known_root = true; HostPortPair domain_port(domain, 443); EXPECT_EQ( TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( domain_port, is_issued_by_known_root, saved_hashes, nullptr, nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); // Add an HPKP header, which should only update the dynamic state. HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA256); std::string good_pin = GetTestPin(1, HASH_VALUE_SHA256); std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA256); std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin; // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. SSLInfo ssl_info; ssl_info.public_key_hashes.push_back(good_hash); ssl_info.public_key_hashes.push_back(saved_hashes[0]); EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); // HSTS should still be configured for this domain. EXPECT_TRUE(sts_state.ShouldUpgradeToSSL()); EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); // The dynamic pins, which do not match |saved_hashes|, should take // precedence over the static pins and cause the check to fail. EXPECT_EQ( TransportSecurityState::PKPStatus::VIOLATED, state.CheckPublicKeyPins( domain_port, is_issued_by_known_root, saved_hashes, nullptr, nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); } // Tests that seeing an invalid HPKP header leaves the existing one alone. TEST_F(HttpSecurityHeadersTest, IgnoreInvalidHeaders) { TransportSecurityState state; HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA256); std::string good_pin = GetTestPin(1, HASH_VALUE_SHA256); std::string bad_pin = GetTestPin(2, HASH_VALUE_SHA256); std::string backup_pin = GetTestPin(3, HASH_VALUE_SHA256); SSLInfo ssl_info; ssl_info.public_key_hashes.push_back(good_hash); // Add a valid HPKP header. EXPECT_TRUE(state.AddHPKPHeader( "example.com", "max-age = 10000; " + good_pin + "; " + backup_pin, ssl_info)); // Check the insertion was valid. EXPECT_TRUE(state.HasPublicKeyPins("example.com")); std::string failure_log; bool is_issued_by_known_root = true; HostPortPair domain_port("example.com", 443); EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( domain_port, is_issued_by_known_root, ssl_info.public_key_hashes, nullptr, nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); // Now assert an invalid one. This should fail. EXPECT_FALSE(state.AddHPKPHeader( "example.com", "max-age = 10000; " + bad_pin + "; " + backup_pin, ssl_info)); // The old pins must still exist. EXPECT_TRUE(state.HasPublicKeyPins("example.com")); EXPECT_EQ(TransportSecurityState::PKPStatus::OK, state.CheckPublicKeyPins( domain_port, is_issued_by_known_root, ssl_info.public_key_hashes, nullptr, nullptr, TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); } }; // namespace net