[Cronet] Public key pinning for Java API

components/cronet/android/cronet_url_request_context_adapter.cc

Index: components/cronet/android/cronet_url_request_context_adapter.cc
diff --git a/components/cronet/android/cronet_url_request_context_adapter.cc b/components/cronet/android/cronet_url_request_context_adapter.cc
index 37a18cefb5069d6d39141a0d0273914781c85816..53d29854df633eb3b64158a04f447184c043b925 100644
--- a/components/cronet/android/cronet_url_request_context_adapter.cc
+++ b/components/cronet/android/cronet_url_request_context_adapter.cc
@@ -372,6 +372,31 @@ void CronetURLRequestContextAdapter::InitializeOnNetworkThread(
     }
   }
 
+  // Iterate through HPKP configuration for every host.
+  for (auto hpkp_itr = config->hpkp_list.begin();
+       hpkp_itr != config->hpkp_list.end(); ++hpkp_itr) {
+    const URLRequestContextConfig::Hpkp& hpkp = **hpkp_itr;
+
+    // Convert the vector of hash strings from the config to
+    // a vector of HashValue objects.
+    net::HashValueVector hash_value_vector;
+    for (auto hash_itr = hpkp.pin_hashes.begin();
+         hash_itr != hpkp.pin_hashes.end(); ++hash_itr) {

[pauljensen, 2015/11/03 19:59:30]

for (auto hash_itr : hpkp.pin_hashes)

[mef, 2015/11/03 20:18:00]

for (const auto& hash_itr : hpkp.pin_hashes)

[kapishnikov, 2015/11/03 23:58:16]

Done.

[kapishnikov, 2015/11/03 23:58:17]

Done.

+      auto hash_value = net::HashValue(net::HASH_VALUE_SHA256);
+      bool good_hash = hash_value.FromString(**hash_itr);

[pauljensen, 2015/11/03 19:59:30]

Let's get rid of the base64 encoding here and memcpy into data()

[pauljensen, 2015/11/03 19:59:30]

I don't understand the net::HashValue type...I would have expected there to be
child classes Sha256HashValue and Sha1HashValue...but they're not children...and
I don't understand why I see code memcpy or memset the data()...  I've filed a
bug to refactor net::HashValue to include some type-safety, crbug.com/551067

[kapishnikov, 2015/11/03 23:58:17]

Paul, could you elaborate a little more here? The base64 encoded hash comes from
the config (json object). However, HashValue.data() stores the hash value in the
binary form; therefore, we need to convert base64 to bin. That is  what happens
in HashValue.FromString() method.

[pauljensen, 2015/11/04 12:36:43]

You convert the binary value to base64 and then back to binary.  I'm saying
let's not convert it at all and just keep it as binary the whole time.

+      if (good_hash) {
+        hash_value_vector.push_back(hash_value);
+      } else {
+        LOG(WARNING) << "Unable to add hash value " << **hash_itr;
+      }
+    }
+
+    // Add the host pinning.
+    context_->transport_security_state()->AddHPKP(hpkp.host, base::Time::Max(),

[pauljensen, 2015/11/03 19:59:30]

AddHPKP's comment says "(used for net-internals and unit tests)" so I don't
think we should be using it, or the comment needs to change.

[kapishnikov, 2015/11/03 23:58:17]

I have fixed the comment. The method is almost identical to AddHPKPInternal()
which is 'internal' according to the suffix.

+                                                  hpkp.include_subdomains,
+                                                  hash_value_vector, GURL());
+  }
+
   JNIEnv* env = base::android::AttachCurrentThread();
   jcronet_url_request_context_.Reset(env, jcronet_url_request_context.obj());
   Java_CronetUrlRequestContext_initNetworkThread(