[Cronet] Public key pinning for Java API

components/cronet/android/test/mock_cert_verifier.cc

Index: components/cronet/android/test/mock_cert_verifier.cc
diff --git a/components/cronet/android/test/mock_cert_verifier.cc b/components/cronet/android/test/mock_cert_verifier.cc
index 40eff7105b247b5c74b8816224047995d89360fa..4d1393cf67fe68155a6eeb106d68b8e6e8e40b9a 100644
--- a/components/cronet/android/test/mock_cert_verifier.cc
+++ b/components/cronet/android/test/mock_cert_verifier.cc
@@ -9,10 +9,11 @@
 
 #include "base/android/jni_android.h"
 #include "base/android/jni_array.h"
-#include "base/android/scoped_java_ref.h"
+#include "crypto/sha2.h"
 #include "jni/MockCertVerifier_jni.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_data_directory.h"
+#include "net/cert/asn1_util.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/mock_cert_verifier.h"
@@ -20,6 +21,9 @@
 
 namespace cronet {
 
+static bool calculatePublicKeySha256(const net::X509Certificate& cert,
+                                     net::HashValue* outHashValue);

[mef, 2015/11/02 17:56:56]

no camel case for local variables.
https://google.github.io/styleguide/cppguide.html#Variable_Names

[kapishnikov, 2015/11/02 22:45:49]

Done.

+
 static jlong CreateMockCertVerifier(JNIEnv* env,
                                     const JavaParamRef<jclass>& jcaller,
                                     const JavaParamRef<jobjectArray>& jcerts) {
@@ -30,6 +34,18 @@ static jlong CreateMockCertVerifier(JNIEnv* env,
     net::CertVerifyResult verify_result;
     verify_result.verified_cert =
         net::ImportCertFromFile(net::GetTestCertsDirectory(), cert);
+
+    // Let the cert be treated as a known root cert.
+    // This will enable HPKP verification.
+    verify_result.is_issued_by_known_root = true;
+
+    // Calculate the public key hash and add it to the verify_result
+    net::HashValue hashValue;
+    if (calculatePublicKeySha256(*verify_result.verified_cert.get(),
+                                 &hashValue)) {
+      verify_result.public_key_hashes.push_back(hashValue);
+    }
+
     mock_cert_verifier->AddResultForCert(verify_result.verified_cert.get(),
                                          verify_result, net::OK);
   }
@@ -37,6 +53,30 @@ static jlong CreateMockCertVerifier(JNIEnv* env,
   return reinterpret_cast<jlong>(mock_cert_verifier);
 }
 
+// Populates outHashValue with the SHA256 hash of the cert public key.
+// Returns true on success.
+static bool calculatePublicKeySha256(const net::X509Certificate& cert,

[mef, 2015/11/02 17:56:56]

move this to the top of the file into anonymous namespace {}.

[kapishnikov, 2015/11/02 22:45:49]

Done.

+                                     net::HashValue* outHashValue) {
+  // Convert the cert to DER encoded bytes
+  std::string der_cert_bytes;
+  net::X509Certificate::OSCertHandle cert_handle = cert.os_cert_handle();
+  if (!net::X509Certificate::GetDEREncoded(cert_handle, &der_cert_bytes)) {
+    LOG(INFO) << "Unable to convert the given cert to DER encoding";
+    return false;
+  }
+  // Extract the public key from the cert
+  base::StringPiece spki_bytes;
+  if (!net::asn1::ExtractSPKIFromDERCert(der_cert_bytes, &spki_bytes)) {
+    LOG(INFO) << "Unable to retrieve the public key from the DER cert";
+    return false;
+  }
+  // Convert the public key bytes to SHA256 hash
+  outHashValue->tag = net::HASH_VALUE_SHA256;
+  crypto::SHA256HashString(spki_bytes, outHashValue->data(),
+                           crypto::kSHA256Length);
+  return true;
+}
+
 bool RegisterMockCertVerifier(JNIEnv* env) {
   return RegisterNativesImpl(env);
 }