components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java - Issue 1407263010: [Cronet] Public key pinning for Java API

Unified Diff: components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java

Issue 1407263010: [Cronet] Public key pinning for Java API (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Addressed review comments Created 5 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« components/cronet/android/cronet_url_request_context_adapter.cc ('K') | « components/cronet/android/test/javatests/src/org/chromium/net/CronetUtilTest.java ('k') | components/cronet/android/test/mock_cert_verifier.cc » ('j') | components/cronet/url_request_context_config.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java

diff --git a/components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java b/components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java

new file mode 100644

index 0000000000000000000000000000000000000000..2841e3e333f6246e568fe54a21aee0cc58f9cfd4

--- /dev/null

+++ b/components/cronet/android/test/javatests/src/org/chromium/net/HpkpTest.java

@@ -0,0 +1,292 @@

+// Use of this source code is governed by a BSD-style license that can be

+// found in the LICENSE file.

+package org.chromium.net;

+import android.test.suitebuilder.annotation.SmallTest;

+import org.chromium.base.test.util.Feature;

+import org.chromium.net.test.util.CertTestUtil;

+import java.io.ByteArrayInputStream;

+import java.security.cert.CertificateFactory;

+import java.security.cert.X509Certificate;

+import java.util.ArrayList;

+import java.util.Arrays;

+import java.util.Calendar;

+import java.util.Collection;

+import java.util.Date;

+/**

+ * Public-Key-Pinning tests of Cronet Java API.

+ */

+public class HpkpTest extends CronetTestBase {

pauljensen 2015/11/17 19:01:23 can we add a test that the pins are not persisted?

kapishnikov 2015/11/18 00:10:31 I am adding the test. Somehow TransportSecuritySta

+ private static final String CERT_USED = "quic_test.example.com.crt";

+ private static final String[] CERTS_USED = {CERT_USED};

+ private static final int DISTANT_FUTURE = Integer.MAX_VALUE;

+ private static final boolean INCLUDE_SUBDOMAINS = true;

+ private static final boolean EXCLUDE_SUBDOMAINS = false;

+ private CronetTestFramework mTestFramework;

+ private CronetEngine.Builder mBuilder;

+ private TestUrlRequestCallback mListener;

+ private String mServerUrl; // https://test.example.com:6121

+ private String mServerHost; // test.example.com

+ private String mDomain; // example.com

+ @Override

+ protected void setUp() throws Exception {

+ super.setUp();

+ // Start QUIC Test Server

+ System.loadLibrary("cronet_tests");

+ QuicTestServer.startQuicTestServer(getContext());

+ mServerUrl = QuicTestServer.getServerURL();

+ mServerHost = QuicTestServer.getServerHost();

+ mDomain = mServerHost.substring(mServerHost.indexOf('.') + 1, mServerHost.length());

+ // Set common CronetEngine parameters

+ mBuilder = new CronetEngine.Builder(getContext());

+ mBuilder.enableQUIC(true);

+ mBuilder.addQuicHint(QuicTestServer.getServerHost(), QuicTestServer.getServerPort(),

+ QuicTestServer.getServerPort());

+ mBuilder.setStoragePath(CronetTestFramework.getTestStorage(getContext()));

+ mBuilder.enableHttpCache(CronetEngine.Builder.HTTP_CACHE_DISK_NO_HTTP, 1000 * 1024);

+ mBuilder.setMockCertVerifierForTesting(MockCertVerifier.createMockCertVerifier(CERTS_USED));

+ }

+ @Override

+ protected void tearDown() throws Exception {

+ QuicTestServer.shutdownQuicTestServer();

+ super.tearDown();

+ }

+ /**

+ * Tests the case when the pin hash does not match. The client is expected to

+ * receive the error response.

+ *

+ * @throws Exception

+ */

+ @SmallTest

+ @Feature({"Cronet"})

+ public void testErrorCodeIfPinDoesNotMatch() throws Exception {

+ byte[] nonMatchingHash = generateSomeSha256();

+ addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);

+ startCronetFramework();

+ registerHostResolver();

+ sendRequestAndWaitForResult();

+ assertErrorResponse();

+ }

+ /**

+ * Tests the case when the pin hash matches. The client is expected to

+ * receive the successful response with the response code 200.

+ *

+ * @throws Exception

+ */

+ @SmallTest

+ @Feature({"Cronet"})

+ public void testSuccessIfPinMatches() throws Exception {

+ // Get PKP hash of the real certificate

+ X509Certificate cert = readCertFromFileInPemFormat(CERT_USED);

+ byte[] matchingHash = CertTestUtil.getPublicKeySha256(cert);

+ addPkpSha256(mServerHost, matchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);

+ startCronetFramework();

+ registerHostResolver();

+ sendRequestAndWaitForResult();

+ assertSuccessfulResponse();

+ }

+ /**

+ * Tests the case when the pin hash does not match and the client accesses the subdomain of

+ * the configured HPKP host with includeSubdomains flag set to true. The client is

+ * expected to receive the error response.

+ *

+ * @throws Exception

+ */

+ @SmallTest

+ @Feature({"Cronet"})

+ public void testIncludeSubdomainsFlagEqualTrue() throws Exception {

+ addPkpSha256(mDomain, generateSomeSha256(), INCLUDE_SUBDOMAINS, DISTANT_FUTURE);

+ startCronetFramework();

+ registerHostResolver();

+ sendRequestAndWaitForResult();

+ assertErrorResponse();

+ }

+ /**

+ * Tests the case when the pin hash does not match and the client accesses the subdomain of

+ * the configured HPKP host with includeSubdomains flag set to false. The client is expected to

+ * receive the successful response with the response code 200.

+ *

+ * @throws Exception

+ */

+ @SmallTest

+ @Feature({"Cronet"})

+ public void testIncludeSubdomainsFlagEqualFalse() throws Exception {

+ addPkpSha256(mDomain, generateSomeSha256(), EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);

+ startCronetFramework();

+ registerHostResolver();

+ sendRequestAndWaitForResult();

+ assertSuccessfulResponse();

+ }

+ /**

+ * Tests the case when the mismatching pin is set for some host that is different from the one

+ * the client wants to access. In that case the other host pinning policy should not be applied

+ * and the client is expected to receive the successful response with the response code 200.

+ *

+ * @throws Exception

+ */

+ @SmallTest

+ @Feature({"Cronet"})

+ public void testSuccessIfNoPinSpecified() throws Exception {

+ addPkpSha256("otherhost.com", generateSomeSha256(), INCLUDE_SUBDOMAINS, DISTANT_FUTURE);

+ startCronetFramework();

+ registerHostResolver();

+ sendRequestAndWaitForResult();

+ assertSuccessfulResponse();

+ }

+ /**

+ * Tests mismatching pins that will expire in 10 seconds. The pins should be still valid and

+ * enforced during the request; thus returning PIN mismatch error.

+ *

+ * @throws Exception

+ */

+ @SmallTest

+ @Feature({"Cronet"})

+ public void testSoonExpiringPin() throws Exception {

+ final int tenSecondsAhead = 10;

+ byte[] nonMatchingHash = generateSomeSha256();

+ addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, tenSecondsAhead);

+ startCronetFramework();

+ registerHostResolver();

+ sendRequestAndWaitForResult();

+ assertErrorResponse();

+ }

+ /**

+ * Tests mismatching pins that expired 1 second ago. Since the pins have expired, they

+ * should not be enforced during the request; thus a successful response is expected.

+ *

+ * @throws Exception

+ */

+ @SmallTest

+ @Feature({"Cronet"})

+ public void testRecentlyExpiredPin() throws Exception {

+ final int oneSecondAgo = -1;

+ byte[] nonMatchingHash = generateSomeSha256();

+ addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, oneSecondAgo);

+ startCronetFramework();

+ registerHostResolver();

+ sendRequestAndWaitForResult();

+ assertSuccessfulResponse();

+ }

+ /**

+ * Tests that the client receives {@code InvalidArgumentException} when the pinned host name

+ * is invalid.

+ *

+ * @throws Exception

+ */

+ @SmallTest

+ @Feature({"Cronet"})

+ public void testHostNameArgumentValidation() throws Exception {

+ assertExceptionWhenHostNameIsInvalid("http://domain.com");

+ assertExceptionWhenHostNameIsInvalid("domain.com:4000");

+ assertExceptionWhenHostNameIsInvalid("domain.com/mydoc.txt");

+ assertExceptionWhenHostNameIsInvalid("128.55.0.1");

+ }

+ /**

+ * Asserts that the response from the server contains an HPKP error.

+ * TODO(kapishnikov): currently QUIC returns ERR_QUIC_PROTOCOL_ERROR instead of expected

+ * ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN error code when the pin doesn't match.

+ * This method should be changed when the bug is resolved. See http://crbug.com/548378

+ */

+ private void assertErrorResponse() {

+ assertNotNull("Expected an error", mListener.mError);

+ int errorCode = mListener.mError.netError();

+ boolean correctErrorCode = errorCode == NetError.ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

+ || errorCode == NetError.ERR_QUIC_PROTOCOL_ERROR;

+ assertTrue(String.format("Incorrect error code. Expected %s or %s but received %s",

+ NetError.ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN,

+ NetError.ERR_QUIC_PROTOCOL_ERROR, errorCode),

+ correctErrorCode);

+ }

+ /**

+ * Asserts a successful response with response code 200.

+ */

+ private void assertSuccessfulResponse() {

+ if (mListener.mError != null) {

+ fail("Did not expect an error but got error code " + mListener.mError.mNetError);

+ }

+ assertNotNull("Expected non-null response from the server", mListener.mResponseInfo);

+ assertEquals(200, mListener.mResponseInfo.getHttpStatusCode());

+ }

+ private void startCronetFramework() {

+ mTestFramework = startCronetTestFrameworkWithUrlAndCronetEngineBuilder(null, mBuilder);

+ }

+ private void registerHostResolver() {

+ long urlRequestContextAdapter = ((CronetUrlRequestContext) mTestFramework.mCronetEngine)

+ .getUrlRequestContextAdapter();

+ NativeTestServer.registerHostResolverProc(urlRequestContextAdapter, false);

+ }

+ private byte[] generateSomeSha256() {

+ byte[] sha256 = new byte[32];

+ Arrays.fill(sha256, (byte) 58);

+ return sha256;

+ }

+ private void addPkpSha256(

+ String host, byte[] pinHashValue, boolean includeSubdomain, int maxAgeInSec) {

+ Collection<byte[]> hashes = new ArrayList<>();

+ hashes.add(pinHashValue);

+ mBuilder.addPublicKeyPins(host, hashes, includeSubdomain, dateInFuture(maxAgeInSec));

+ }

+ private void sendRequestAndWaitForResult() {

+ mListener = new TestUrlRequestCallback();

+ String quicURL = mServerUrl + "/simple.txt";

+ UrlRequest.Builder requestBuilder = new UrlRequest.Builder(

+ quicURL, mListener, mListener.getExecutor(), mTestFramework.mCronetEngine);

+ requestBuilder.build().start();

+ mListener.blockForDone();

+ }

+ private X509Certificate readCertFromFileInPemFormat(String certFileName) throws Exception {

+ byte[] certDer = CertTestUtil.pemToDer(CertTestUtil.CERTS_DIRECTORY + certFileName);

+ CertificateFactory certFactory = CertificateFactory.getInstance("X.509");

+ return (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(certDer));

+ }

+ private Date dateInFuture(int secondsIntoFuture) {

+ Calendar cal = Calendar.getInstance();

+ cal.add(Calendar.SECOND, secondsIntoFuture);

+ return cal.getTime();

+ }

+ private void assertExceptionWhenHostNameIsInvalid(String hostName) {

+ try {

+ addPkpSha256(hostName, generateSomeSha256(), INCLUDE_SUBDOMAINS, DISTANT_FUTURE);

+ } catch (IllegalArgumentException ex) {

+ // Expected exception.

+ return;

+ }

+ fail("Expected IllegalArgumentException when passing " + hostName + " host name");

+ }