[Cronet] Public key pinning for Java API

components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package org.chromium.net;
+
+import android.test.suitebuilder.annotation.SmallTest;
+
+import org.chromium.base.test.util.Feature;
+import org.chromium.net.test.util.CertTestUtil;
+
+import java.io.ByteArrayInputStream;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Calendar;
+import java.util.Collection;
+import java.util.Date;
+
+/**
+ * Public-Key-Pinning tests of Cronet Java API.
+ */
+public class HpkpTest extends CronetTestBase {

[pauljensen, 2015/11/17 19:01:23]

can we add a test that the pins are not persisted?

[kapishnikov, 2015/11/18 00:10:31]

I am adding the test. Somehow TransportSecurityState is reused and not cleared
when a second instance of CronetEngine is created within the same test. Also
filed a related bug: http://crbug.com/557425

+    private static final String CERT_USED = "quic_test.example.com.crt";
+    private static final String[] CERTS_USED = {CERT_USED};
+    private static final int DISTANT_FUTURE = Integer.MAX_VALUE;
+    private static final boolean INCLUDE_SUBDOMAINS = true;
+    private static final boolean EXCLUDE_SUBDOMAINS = false;
+
+    private CronetTestFramework mTestFramework;
+    private CronetEngine.Builder mBuilder;
+    private TestUrlRequestCallback mListener;
+    private String mServerUrl; // https://test.example.com:6121
+    private String mServerHost; // test.example.com
+    private String mDomain; // example.com
+
+    @Override
+    protected void setUp() throws Exception {
+        super.setUp();
+        // Start QUIC Test Server
+        System.loadLibrary("cronet_tests");
+        QuicTestServer.startQuicTestServer(getContext());
+        mServerUrl = QuicTestServer.getServerURL();
+        mServerHost = QuicTestServer.getServerHost();
+        mDomain = mServerHost.substring(mServerHost.indexOf('.') + 1, mServerHost.length());
+
+        // Set common CronetEngine parameters
+        mBuilder = new CronetEngine.Builder(getContext());
+        mBuilder.enableQUIC(true);
+        mBuilder.addQuicHint(QuicTestServer.getServerHost(), QuicTestServer.getServerPort(),
+                QuicTestServer.getServerPort());
+        mBuilder.setStoragePath(CronetTestFramework.getTestStorage(getContext()));
+        mBuilder.enableHttpCache(CronetEngine.Builder.HTTP_CACHE_DISK_NO_HTTP, 1000 * 1024);
+        mBuilder.setMockCertVerifierForTesting(MockCertVerifier.createMockCertVerifier(CERTS_USED));
+    }
+
+    @Override
+    protected void tearDown() throws Exception {
+        QuicTestServer.shutdownQuicTestServer();
+        super.tearDown();
+    }
+
+    /**
+     * Tests the case when the pin hash does not match. The client is expected to
+     * receive the error response.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testErrorCodeIfPinDoesNotMatch() throws Exception {
+        byte[] nonMatchingHash = generateSomeSha256();
+        addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+        startCronetFramework();
+        registerHostResolver();
+        sendRequestAndWaitForResult();
+
+        assertErrorResponse();
+    }
+
+    /**
+     * Tests the case when the pin hash matches. The client is expected to
+     * receive the successful response with the response code 200.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testSuccessIfPinMatches() throws Exception {
+        // Get PKP hash of the real certificate
+        X509Certificate cert = readCertFromFileInPemFormat(CERT_USED);
+        byte[] matchingHash = CertTestUtil.getPublicKeySha256(cert);
+
+        addPkpSha256(mServerHost, matchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+        startCronetFramework();
+        registerHostResolver();
+        sendRequestAndWaitForResult();
+
+        assertSuccessfulResponse();
+    }
+
+    /**
+     * Tests the case when the pin hash does not match and the client accesses the subdomain of
+     * the configured HPKP host with includeSubdomains flag set to true. The client is
+     * expected to receive the error response.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testIncludeSubdomainsFlagEqualTrue() throws Exception {
+        addPkpSha256(mDomain, generateSomeSha256(), INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+        startCronetFramework();
+        registerHostResolver();
+        sendRequestAndWaitForResult();
+
+        assertErrorResponse();
+    }
+
+    /**
+     * Tests the case when the pin hash does not match and the client accesses the subdomain of
+     * the configured HPKP host with includeSubdomains flag set to false. The client is expected to
+     * receive the successful response with the response code 200.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testIncludeSubdomainsFlagEqualFalse() throws Exception {
+        addPkpSha256(mDomain, generateSomeSha256(), EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+        startCronetFramework();
+        registerHostResolver();
+        sendRequestAndWaitForResult();
+
+        assertSuccessfulResponse();
+    }
+
+    /**
+     * Tests the case when the mismatching pin is set for some host that is different from the one
+     * the client wants to access. In that case the other host pinning policy should not be applied
+     * and the client is expected to receive the successful response with the response code 200.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testSuccessIfNoPinSpecified() throws Exception {
+        addPkpSha256("otherhost.com", generateSomeSha256(), INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+        startCronetFramework();
+        registerHostResolver();
+        sendRequestAndWaitForResult();
+
+        assertSuccessfulResponse();
+    }
+
+    /**
+     * Tests mismatching pins that will expire in 10 seconds. The pins should be still valid and
+     * enforced during the request; thus returning PIN mismatch error.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testSoonExpiringPin() throws Exception {
+        final int tenSecondsAhead = 10;
+        byte[] nonMatchingHash = generateSomeSha256();
+        addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, tenSecondsAhead);
+        startCronetFramework();
+        registerHostResolver();
+        sendRequestAndWaitForResult();
+
+        assertErrorResponse();
+    }
+
+    /**
+     * Tests mismatching pins that expired 1 second ago. Since the pins have expired, they
+     * should not be enforced during the request; thus a successful response is expected.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testRecentlyExpiredPin() throws Exception {
+        final int oneSecondAgo = -1;
+        byte[] nonMatchingHash = generateSomeSha256();
+        addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, oneSecondAgo);
+        startCronetFramework();
+        registerHostResolver();
+        sendRequestAndWaitForResult();
+
+        assertSuccessfulResponse();
+    }
+
+    /**
+     * Tests that the client receives {@code InvalidArgumentException} when the pinned host name
+     * is invalid.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testHostNameArgumentValidation() throws Exception {
+        assertExceptionWhenHostNameIsInvalid("http://domain.com");
+        assertExceptionWhenHostNameIsInvalid("domain.com:4000");
+        assertExceptionWhenHostNameIsInvalid("domain.com/mydoc.txt");
+        assertExceptionWhenHostNameIsInvalid("128.55.0.1");
+    }
+
+    /**
+     * Asserts that the response from the server contains an HPKP error.
+     * TODO(kapishnikov): currently QUIC returns ERR_QUIC_PROTOCOL_ERROR instead of expected
+     * ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error code when the pin doesn't match.
+     * This method should be changed when the bug is resolved. See http://crbug.com/548378
+     */
+    private void assertErrorResponse() {
+        assertNotNull("Expected an error", mListener.mError);
+        int errorCode = mListener.mError.netError();
+        boolean correctErrorCode = errorCode == NetError.ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN
+                || errorCode == NetError.ERR_QUIC_PROTOCOL_ERROR;
+        assertTrue(String.format("Incorrect error code. Expected %s or %s but received %s",
+                           NetError.ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN,
+                           NetError.ERR_QUIC_PROTOCOL_ERROR, errorCode),
+                correctErrorCode);
+    }
+
+    /**
+     * Asserts a successful response with response code 200.
+     */
+    private void assertSuccessfulResponse() {
+        if (mListener.mError != null) {
+            fail("Did not expect an error but got error code " + mListener.mError.mNetError);
+        }
+        assertNotNull("Expected non-null response from the server", mListener.mResponseInfo);
+        assertEquals(200, mListener.mResponseInfo.getHttpStatusCode());
+    }
+
+    private void startCronetFramework() {
+        mTestFramework = startCronetTestFrameworkWithUrlAndCronetEngineBuilder(null, mBuilder);
+    }
+
+    private void registerHostResolver() {
+        long urlRequestContextAdapter = ((CronetUrlRequestContext) mTestFramework.mCronetEngine)
+                                                .getUrlRequestContextAdapter();
+        NativeTestServer.registerHostResolverProc(urlRequestContextAdapter, false);
+    }
+
+    private byte[] generateSomeSha256() {
+        byte[] sha256 = new byte[32];
+        Arrays.fill(sha256, (byte) 58);
+        return sha256;
+    }
+
+    private void addPkpSha256(
+            String host, byte[] pinHashValue, boolean includeSubdomain, int maxAgeInSec) {
+        Collection<byte[]> hashes = new ArrayList<>();
+        hashes.add(pinHashValue);
+        mBuilder.addPublicKeyPins(host, hashes, includeSubdomain, dateInFuture(maxAgeInSec));
+    }
+
+    private void sendRequestAndWaitForResult() {
+        mListener = new TestUrlRequestCallback();
+
+        String quicURL = mServerUrl + "/simple.txt";
+        UrlRequest.Builder requestBuilder = new UrlRequest.Builder(
+                quicURL, mListener, mListener.getExecutor(), mTestFramework.mCronetEngine);
+        requestBuilder.build().start();
+        mListener.blockForDone();
+    }
+
+    private X509Certificate readCertFromFileInPemFormat(String certFileName) throws Exception {
+        byte[] certDer = CertTestUtil.pemToDer(CertTestUtil.CERTS_DIRECTORY + certFileName);
+        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+        return (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(certDer));
+    }
+
+    private Date dateInFuture(int secondsIntoFuture) {
+        Calendar cal = Calendar.getInstance();
+        cal.add(Calendar.SECOND, secondsIntoFuture);
+        return cal.getTime();
+    }
+
+    private void assertExceptionWhenHostNameIsInvalid(String hostName) {
+        try {
+            addPkpSha256(hostName, generateSomeSha256(), INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+        } catch (IllegalArgumentException ex) {
+            // Expected exception.
+            return;
+        }
+        fail("Expected IllegalArgumentException when passing " + hostName + " host name");
+    }
+}