[Cronet] Public key pinning for Java API

components/cronet/android/test/mock_cert_verifier.cc

Index: components/cronet/android/test/mock_cert_verifier.cc
diff --git a/components/cronet/android/test/mock_cert_verifier.cc b/components/cronet/android/test/mock_cert_verifier.cc
index 40eff7105b247b5c74b8816224047995d89360fa..2fbd729bd2796b6fdc5aae88503ba6cb250bdda3 100644
--- a/components/cronet/android/test/mock_cert_verifier.cc
+++ b/components/cronet/android/test/mock_cert_verifier.cc
@@ -9,10 +9,11 @@
 
 #include "base/android/jni_android.h"
 #include "base/android/jni_array.h"
-#include "base/android/scoped_java_ref.h"
+#include "crypto/sha2.h"

[mef, 2015/11/18 22:41:38]

This requires adding +crypto to DEPS. 
David, could you OWNER-approve that or suggest a better way?

[davidben, 2015/11/18 22:46:32]

Adding +crypto to DEPS lgtm. I haven't looked at the rest.

 #include "jni/MockCertVerifier_jni.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_data_directory.h"
+#include "net/cert/asn1_util.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/mock_cert_verifier.h"
@@ -20,6 +21,34 @@
 
 namespace cronet {
 
+namespace {
+
+// Populates |out_hash_value| with the SHA256 hash of the cert public key.
+// Returns true on success.
+static bool calculatePublicKeySha256(const net::X509Certificate& cert,

[davidben, 2015/11/18 22:46:32]

Style: UpperCamelCase

[kapishnikov, 2015/11/19 00:06:56]

Done.

+                                     net::HashValue* out_hash_value) {
+  // Convert the cert to DER encoded bytes.
+  std::string der_cert_bytes;
+  net::X509Certificate::OSCertHandle cert_handle = cert.os_cert_handle();
+  if (!net::X509Certificate::GetDEREncoded(cert_handle, &der_cert_bytes)) {
+    LOG(INFO) << "Unable to convert the given cert to DER encoding";
+    return false;
+  }
+  // Extract the public key from the cert.
+  base::StringPiece spki_bytes;
+  if (!net::asn1::ExtractSPKIFromDERCert(der_cert_bytes, &spki_bytes)) {
+    LOG(INFO) << "Unable to retrieve the public key from the DER cert";
+    return false;
+  }
+  // Calculate SHA256 hash of public key bytes.
+  out_hash_value->tag = net::HASH_VALUE_SHA256;
+  crypto::SHA256HashString(spki_bytes, out_hash_value->data(),
+                           crypto::kSHA256Length);
+  return true;
+}
+
+}  // namespace
+
 static jlong CreateMockCertVerifier(JNIEnv* env,
                                     const JavaParamRef<jclass>& jcaller,
                                     const JavaParamRef<jobjectArray>& jcerts) {
@@ -30,6 +59,17 @@ static jlong CreateMockCertVerifier(JNIEnv* env,
     net::CertVerifyResult verify_result;
     verify_result.verified_cert =
         net::ImportCertFromFile(net::GetTestCertsDirectory(), cert);
+
+    // Let the cert be treated as a known root cert.
+    // This will enable HPKP verification.
+    verify_result.is_issued_by_known_root = true;
+
+    // Calculate the public key hash and add it to the verify_result.
+    net::HashValue hashValue;
+    CHECK(calculatePublicKeySha256(*verify_result.verified_cert.get(),
+                                   &hashValue));
+    verify_result.public_key_hashes.push_back(hashValue);
+
     mock_cert_verifier->AddResultForCert(verify_result.verified_cert.get(),
                                          verify_result, net::OK);
   }