[Cronet] Public key pinning for Java API

components/cronet/android/api/src/org/chromium/net/CronetEngine.java

Index: components/cronet/android/api/src/org/chromium/net/CronetEngine.java
diff --git a/components/cronet/android/api/src/org/chromium/net/CronetEngine.java b/components/cronet/android/api/src/org/chromium/net/CronetEngine.java
index 4dc237107f3c10e06d670922715f67cdcbb5c3fd..080747d372d55d92166872b8ee1b08c7bfad9f04 100644
--- a/components/cronet/android/api/src/org/chromium/net/CronetEngine.java
+++ b/components/cronet/android/api/src/org/chromium/net/CronetEngine.java
@@ -6,6 +6,7 @@ package org.chromium.net;
 
 import android.content.Context;
 import android.support.annotation.IntDef;
+import android.util.Base64;
 import android.util.Log;
 
 import org.json.JSONArray;
@@ -20,8 +21,11 @@ import java.net.Proxy;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLStreamHandlerFactory;
+import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.Executor;
 
 /**
@@ -301,6 +305,73 @@ public abstract class CronetEngine {
         }
 
         /**
+         * Adds public key pinning for a given host.
+         *
+         * @param hostName name of the host to which public keys should be pinned.
+         * @param pinsSha256 a collection of pins. Each pin is the SHA-256 cryptographic
+         *                   hash of DER-encoded ASN.1 representation of Subject Public
+         *                   Key Info (SPKI) of the host X.509 certificate. You can use
+         *                   {@code security.cert.X509Certificate.getPublicKey().getEncoded()}
+         *                   to obtain DER-encoded ASN.1 representation of SPKI.
+         * @param includeSubdomains indicates whether the pinning policy should be applied to
+         *                          subdomains of {@code hostName}.
+         * @return the builder to facilitate chaining.
+         * @throws NullPointerException if one of the input parameters is null.
+         * @throws IllegalArgumentException if {@code pinsSha256} collection contains a byte array
+         *                                  that does not represent a valid SHA-256 hash.
+         *
+         */
+        public Builder addPublicKeyPins(
+                String hostName, Collection<byte[]> pinsSha256, boolean includeSubdomains) {
+            // Validate the input
+            if (hostName == null) {
+                throw new NullPointerException("The hostname cannot be null");
+            }
+            if (pinsSha256 == null) {
+                throw new NullPointerException("The collection of SHA256 pins cannot be null");
+            }
+            try {
+                // Add HPKP_LIST json array element if it is not present

[xunjieli, 2015/11/06 15:47:54]

nit: s/json/JSON. And add a period at the end.

[kapishnikov, 2015/11/06 16:18:13]

I looked at Java style guide and could not find explicitly about the period at
the end of the one line comments; however, some of the examples there are given
without the period.

https://engdoc.corp.google.com/eng/doc/devguide/java/styleguide.shtml?cl=head...

I wounder if we have a document that explicitly says whether there should be
period or not.

+                JSONArray hpkpList = mConfig.optJSONArray(CronetEngineBuilderList.HPKP_LIST);
+                if (hpkpList == null) {
+                    hpkpList = new JSONArray();
+                    mConfig.put(CronetEngineBuilderList.HPKP_LIST, hpkpList);
+                }
+
+                // Convert the pin to BASE64 encoding.
+                Set<String> hashes = new HashSet<>(pinsSha256.size());
+                for (byte[] pinSha256 : pinsSha256) {
+                    hashes.add(convertSha256ToBase64WithPrefix(pinSha256));
+                }
+
+                // Add new element to HPKP_LIST json array

[xunjieli, 2015/11/06 15:47:54]

nit: s/json/JSON. And add a period at the end.
s/new element/a new element

+                JSONObject hpkp = new JSONObject();
+                hpkp.put(CronetEngineBuilderList.HPKP_HOST, hostName);
+                hpkp.put(CronetEngineBuilderList.HPKP_PIN_HASHES, new JSONArray(hashes));
+                hpkp.put(CronetEngineBuilderList.HPKP_INCLUDE_SUBDOMAINS, includeSubdomains);
+                hpkpList.put(hpkp);
+            } catch (JSONException e) {
+                Log.e(TAG, "Unable to add public key pins", e);
+            }
+            return this;
+        }
+
+        /**
+         * Converts a given SHA256 array of bytes to BASE64 encoding with the prefix. The format
+         * corresponds to the format that is expected by net::HashValue class.
+         *
+         * @param sha256 SHA256 bytes to convert to BASE64.
+         * @return the BASE64 conversion.
+         * @throws IllegalArgumentException if the provided pin is invalid.
+         */
+        private String convertSha256ToBase64WithPrefix(byte[] sha256) {
+            if (sha256 == null || sha256.length != 32) {
+                throw new IllegalArgumentException("The provided pin is invalid");
+            }
+            return "sha256/" + Base64.encodeToString(sha256, Base64.NO_WRAP);
+        }
+
+        /**
          * Sets experimental QUIC connection options, overwriting any pre-existing
          * options. List of options is subject to change.
          *