| Index: components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java
|
| diff --git a/components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java b/components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..2841e3e333f6246e568fe54a21aee0cc58f9cfd4
|
| --- /dev/null
|
| +++ b/components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java
|
| @@ -0,0 +1,292 @@
|
| +// Copyright 2015 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +package org.chromium.net;
|
| +
|
| +import android.test.suitebuilder.annotation.SmallTest;
|
| +
|
| +import org.chromium.base.test.util.Feature;
|
| +import org.chromium.net.test.util.CertTestUtil;
|
| +
|
| +import java.io.ByteArrayInputStream;
|
| +import java.security.cert.CertificateFactory;
|
| +import java.security.cert.X509Certificate;
|
| +import java.util.ArrayList;
|
| +import java.util.Arrays;
|
| +import java.util.Calendar;
|
| +import java.util.Collection;
|
| +import java.util.Date;
|
| +
|
| +/**
|
| + * Public-Key-Pinning tests of Cronet Java API.
|
| + */
|
| +public class HpkpTest extends CronetTestBase {
|
| + private static final String CERT_USED = "quic_test.example.com.crt";
|
| + private static final String[] CERTS_USED = {CERT_USED};
|
| + private static final int DISTANT_FUTURE = Integer.MAX_VALUE;
|
| + private static final boolean INCLUDE_SUBDOMAINS = true;
|
| + private static final boolean EXCLUDE_SUBDOMAINS = false;
|
| +
|
| + private CronetTestFramework mTestFramework;
|
| + private CronetEngine.Builder mBuilder;
|
| + private TestUrlRequestCallback mListener;
|
| + private String mServerUrl; // https://test.example.com:6121
|
| + private String mServerHost; // test.example.com
|
| + private String mDomain; // example.com
|
| +
|
| + @Override
|
| + protected void setUp() throws Exception {
|
| + super.setUp();
|
| + // Start QUIC Test Server
|
| + System.loadLibrary("cronet_tests");
|
| + QuicTestServer.startQuicTestServer(getContext());
|
| + mServerUrl = QuicTestServer.getServerURL();
|
| + mServerHost = QuicTestServer.getServerHost();
|
| + mDomain = mServerHost.substring(mServerHost.indexOf('.') + 1, mServerHost.length());
|
| +
|
| + // Set common CronetEngine parameters
|
| + mBuilder = new CronetEngine.Builder(getContext());
|
| + mBuilder.enableQUIC(true);
|
| + mBuilder.addQuicHint(QuicTestServer.getServerHost(), QuicTestServer.getServerPort(),
|
| + QuicTestServer.getServerPort());
|
| + mBuilder.setStoragePath(CronetTestFramework.getTestStorage(getContext()));
|
| + mBuilder.enableHttpCache(CronetEngine.Builder.HTTP_CACHE_DISK_NO_HTTP, 1000 * 1024);
|
| + mBuilder.setMockCertVerifierForTesting(MockCertVerifier.createMockCertVerifier(CERTS_USED));
|
| + }
|
| +
|
| + @Override
|
| + protected void tearDown() throws Exception {
|
| + QuicTestServer.shutdownQuicTestServer();
|
| + super.tearDown();
|
| + }
|
| +
|
| + /**
|
| + * Tests the case when the pin hash does not match. The client is expected to
|
| + * receive the error response.
|
| + *
|
| + * @throws Exception
|
| + */
|
| + @SmallTest
|
| + @Feature({"Cronet"})
|
| + public void testErrorCodeIfPinDoesNotMatch() throws Exception {
|
| + byte[] nonMatchingHash = generateSomeSha256();
|
| + addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
|
| + startCronetFramework();
|
| + registerHostResolver();
|
| + sendRequestAndWaitForResult();
|
| +
|
| + assertErrorResponse();
|
| + }
|
| +
|
| + /**
|
| + * Tests the case when the pin hash matches. The client is expected to
|
| + * receive the successful response with the response code 200.
|
| + *
|
| + * @throws Exception
|
| + */
|
| + @SmallTest
|
| + @Feature({"Cronet"})
|
| + public void testSuccessIfPinMatches() throws Exception {
|
| + // Get PKP hash of the real certificate
|
| + X509Certificate cert = readCertFromFileInPemFormat(CERT_USED);
|
| + byte[] matchingHash = CertTestUtil.getPublicKeySha256(cert);
|
| +
|
| + addPkpSha256(mServerHost, matchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
|
| + startCronetFramework();
|
| + registerHostResolver();
|
| + sendRequestAndWaitForResult();
|
| +
|
| + assertSuccessfulResponse();
|
| + }
|
| +
|
| + /**
|
| + * Tests the case when the pin hash does not match and the client accesses the subdomain of
|
| + * the configured HPKP host with includeSubdomains flag set to true. The client is
|
| + * expected to receive the error response.
|
| + *
|
| + * @throws Exception
|
| + */
|
| + @SmallTest
|
| + @Feature({"Cronet"})
|
| + public void testIncludeSubdomainsFlagEqualTrue() throws Exception {
|
| + addPkpSha256(mDomain, generateSomeSha256(), INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
|
| + startCronetFramework();
|
| + registerHostResolver();
|
| + sendRequestAndWaitForResult();
|
| +
|
| + assertErrorResponse();
|
| + }
|
| +
|
| + /**
|
| + * Tests the case when the pin hash does not match and the client accesses the subdomain of
|
| + * the configured HPKP host with includeSubdomains flag set to false. The client is expected to
|
| + * receive the successful response with the response code 200.
|
| + *
|
| + * @throws Exception
|
| + */
|
| + @SmallTest
|
| + @Feature({"Cronet"})
|
| + public void testIncludeSubdomainsFlagEqualFalse() throws Exception {
|
| + addPkpSha256(mDomain, generateSomeSha256(), EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
|
| + startCronetFramework();
|
| + registerHostResolver();
|
| + sendRequestAndWaitForResult();
|
| +
|
| + assertSuccessfulResponse();
|
| + }
|
| +
|
| + /**
|
| + * Tests the case when the mismatching pin is set for some host that is different from the one
|
| + * the client wants to access. In that case the other host pinning policy should not be applied
|
| + * and the client is expected to receive the successful response with the response code 200.
|
| + *
|
| + * @throws Exception
|
| + */
|
| + @SmallTest
|
| + @Feature({"Cronet"})
|
| + public void testSuccessIfNoPinSpecified() throws Exception {
|
| + addPkpSha256("otherhost.com", generateSomeSha256(), INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
|
| + startCronetFramework();
|
| + registerHostResolver();
|
| + sendRequestAndWaitForResult();
|
| +
|
| + assertSuccessfulResponse();
|
| + }
|
| +
|
| + /**
|
| + * Tests mismatching pins that will expire in 10 seconds. The pins should be still valid and
|
| + * enforced during the request; thus returning PIN mismatch error.
|
| + *
|
| + * @throws Exception
|
| + */
|
| + @SmallTest
|
| + @Feature({"Cronet"})
|
| + public void testSoonExpiringPin() throws Exception {
|
| + final int tenSecondsAhead = 10;
|
| + byte[] nonMatchingHash = generateSomeSha256();
|
| + addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, tenSecondsAhead);
|
| + startCronetFramework();
|
| + registerHostResolver();
|
| + sendRequestAndWaitForResult();
|
| +
|
| + assertErrorResponse();
|
| + }
|
| +
|
| + /**
|
| + * Tests mismatching pins that expired 1 second ago. Since the pins have expired, they
|
| + * should not be enforced during the request; thus a successful response is expected.
|
| + *
|
| + * @throws Exception
|
| + */
|
| + @SmallTest
|
| + @Feature({"Cronet"})
|
| + public void testRecentlyExpiredPin() throws Exception {
|
| + final int oneSecondAgo = -1;
|
| + byte[] nonMatchingHash = generateSomeSha256();
|
| + addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, oneSecondAgo);
|
| + startCronetFramework();
|
| + registerHostResolver();
|
| + sendRequestAndWaitForResult();
|
| +
|
| + assertSuccessfulResponse();
|
| + }
|
| +
|
| + /**
|
| + * Tests that the client receives {@code InvalidArgumentException} when the pinned host name
|
| + * is invalid.
|
| + *
|
| + * @throws Exception
|
| + */
|
| + @SmallTest
|
| + @Feature({"Cronet"})
|
| + public void testHostNameArgumentValidation() throws Exception {
|
| + assertExceptionWhenHostNameIsInvalid("http://domain.com");
|
| + assertExceptionWhenHostNameIsInvalid("domain.com:4000");
|
| + assertExceptionWhenHostNameIsInvalid("domain.com/mydoc.txt");
|
| + assertExceptionWhenHostNameIsInvalid("128.55.0.1");
|
| + }
|
| +
|
| + /**
|
| + * Asserts that the response from the server contains an HPKP error.
|
| + * TODO(kapishnikov): currently QUIC returns ERR_QUIC_PROTOCOL_ERROR instead of expected
|
| + * ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error code when the pin doesn't match.
|
| + * This method should be changed when the bug is resolved. See http://crbug.com/548378
|
| + */
|
| + private void assertErrorResponse() {
|
| + assertNotNull("Expected an error", mListener.mError);
|
| + int errorCode = mListener.mError.netError();
|
| + boolean correctErrorCode = errorCode == NetError.ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN
|
| + || errorCode == NetError.ERR_QUIC_PROTOCOL_ERROR;
|
| + assertTrue(String.format("Incorrect error code. Expected %s or %s but received %s",
|
| + NetError.ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN,
|
| + NetError.ERR_QUIC_PROTOCOL_ERROR, errorCode),
|
| + correctErrorCode);
|
| + }
|
| +
|
| + /**
|
| + * Asserts a successful response with response code 200.
|
| + */
|
| + private void assertSuccessfulResponse() {
|
| + if (mListener.mError != null) {
|
| + fail("Did not expect an error but got error code " + mListener.mError.mNetError);
|
| + }
|
| + assertNotNull("Expected non-null response from the server", mListener.mResponseInfo);
|
| + assertEquals(200, mListener.mResponseInfo.getHttpStatusCode());
|
| + }
|
| +
|
| + private void startCronetFramework() {
|
| + mTestFramework = startCronetTestFrameworkWithUrlAndCronetEngineBuilder(null, mBuilder);
|
| + }
|
| +
|
| + private void registerHostResolver() {
|
| + long urlRequestContextAdapter = ((CronetUrlRequestContext) mTestFramework.mCronetEngine)
|
| + .getUrlRequestContextAdapter();
|
| + NativeTestServer.registerHostResolverProc(urlRequestContextAdapter, false);
|
| + }
|
| +
|
| + private byte[] generateSomeSha256() {
|
| + byte[] sha256 = new byte[32];
|
| + Arrays.fill(sha256, (byte) 58);
|
| + return sha256;
|
| + }
|
| +
|
| + private void addPkpSha256(
|
| + String host, byte[] pinHashValue, boolean includeSubdomain, int maxAgeInSec) {
|
| + Collection<byte[]> hashes = new ArrayList<>();
|
| + hashes.add(pinHashValue);
|
| + mBuilder.addPublicKeyPins(host, hashes, includeSubdomain, dateInFuture(maxAgeInSec));
|
| + }
|
| +
|
| + private void sendRequestAndWaitForResult() {
|
| + mListener = new TestUrlRequestCallback();
|
| +
|
| + String quicURL = mServerUrl + "/simple.txt";
|
| + UrlRequest.Builder requestBuilder = new UrlRequest.Builder(
|
| + quicURL, mListener, mListener.getExecutor(), mTestFramework.mCronetEngine);
|
| + requestBuilder.build().start();
|
| + mListener.blockForDone();
|
| + }
|
| +
|
| + private X509Certificate readCertFromFileInPemFormat(String certFileName) throws Exception {
|
| + byte[] certDer = CertTestUtil.pemToDer(CertTestUtil.CERTS_DIRECTORY + certFileName);
|
| + CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
|
| + return (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(certDer));
|
| + }
|
| +
|
| + private Date dateInFuture(int secondsIntoFuture) {
|
| + Calendar cal = Calendar.getInstance();
|
| + cal.add(Calendar.SECOND, secondsIntoFuture);
|
| + return cal.getTime();
|
| + }
|
| +
|
| + private void assertExceptionWhenHostNameIsInvalid(String hostName) {
|
| + try {
|
| + addPkpSha256(hostName, generateSomeSha256(), INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
|
| + } catch (IllegalArgumentException ex) {
|
| + // Expected exception.
|
| + return;
|
| + }
|
| + fail("Expected IllegalArgumentException when passing " + hostName + " host name");
|
| + }
|
| +}
|
|
|
Chromium Code Reviews
Issue 1407263010:
[Cronet] Public key pinning for Java API (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master