Enable public key pinning of local trust anchors

components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.net;
 
 import android.test.suitebuilder.annotation.SmallTest;
 
 import org.chromium.base.test.util.Feature;
 import org.chromium.net.test.util.CertTestUtil;
@@ skipping 10 matching lines @@
 
 /**
  * Public-Key-Pinning tests of Cronet Java API.
  */
 public class PkpTest extends CronetTestBase {
     private static final String CERT_USED = "quic_test.example.com.crt";
     private static final String[] CERTS_USED = {CERT_USED};
     private static final int DISTANT_FUTURE = Integer.MAX_VALUE;
     private static final boolean INCLUDE_SUBDOMAINS = true;
     private static final boolean EXCLUDE_SUBDOMAINS = false;
+    private static final boolean KNOWN_ROOT = true;
+    private static final boolean UNKNOWN_ROOT = false;
+    private static final boolean ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS = true;
+    private static final boolean DISABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS = false;
 
     private CronetTestFramework mTestFramework;
     private CronetEngine.Builder mBuilder;
     private TestUrlRequestCallback mListener;
     private String mServerUrl; // https://test.example.com:6121
     private String mServerHost; // test.example.com
     private String mDomain; // example.com
 
     @Override
     protected void setUp() throws Exception {
         super.setUp();
         // Start QUIC Test Server
         System.loadLibrary("cronet_tests");
         QuicTestServer.startQuicTestServer(getContext());
         mServerUrl = QuicTestServer.getServerURL();
         mServerHost = QuicTestServer.getServerHost();
         mDomain = mServerHost.substring(mServerHost.indexOf('.') + 1, mServerHost.length());
-        createCronetEngineBuilder();
     }
 
     @Override
     protected void tearDown() throws Exception {
         QuicTestServer.shutdownQuicTestServer();
         shutdownCronetEngine();
         super.tearDown();
     }
 
     /**
      * Tests the case when the pin hash does not match. The client is expected to
      * receive the error response.
      *
      * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
     @OnlyRunNativeCronet
     public void testErrorCodeIfPinDoesNotMatch() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         byte[] nonMatchingHash = generateSomeSha256();
         addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
         startCronetFramework();
         registerHostResolver(mTestFramework);
         sendRequestAndWaitForResult();
 
         assertErrorResponse();
     }
 
     /**
      * Tests the case when the pin hash matches. The client is expected to
      * receive the successful response with the response code 200.
      *
      * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
     @OnlyRunNativeCronet
     public void testSuccessIfPinMatches() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         // Get PKP hash of the real certificate
         X509Certificate cert = readCertFromFileInPemFormat(CERT_USED);
         byte[] matchingHash = CertTestUtil.getPublicKeySha256(cert);
 
         addPkpSha256(mServerHost, matchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
         startCronetFramework();
         registerHostResolver(mTestFramework);
         sendRequestAndWaitForResult();
 
         assertSuccessfulResponse();
     }
 
     /**
      * Tests the case when the pin hash does not match and the client accesses the subdomain of
      * the configured PKP host with includeSubdomains flag set to true. The client is
      * expected to receive the error response.
      *
      * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
     @OnlyRunNativeCronet
     public void testIncludeSubdomainsFlagEqualTrue() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         byte[] nonMatchingHash = generateSomeSha256();
         addPkpSha256(mDomain, nonMatchingHash, INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
         startCronetFramework();
         registerHostResolver(mTestFramework);
         sendRequestAndWaitForResult();
 
         assertErrorResponse();
     }
 
     /**
      * Tests the case when the pin hash does not match and the client accesses the subdomain of
      * the configured PKP host with includeSubdomains flag set to false. The client is expected to
      * receive the successful response with the response code 200.
      *
      * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
     @OnlyRunNativeCronet
     public void testIncludeSubdomainsFlagEqualFalse() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         byte[] nonMatchingHash = generateSomeSha256();
         addPkpSha256(mDomain, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
         startCronetFramework();
         registerHostResolver(mTestFramework);
         sendRequestAndWaitForResult();
 
         assertSuccessfulResponse();
     }
 
     /**
      * Tests the case when the mismatching pin is set for some host that is different from the one
      * the client wants to access. In that case the other host pinning policy should not be applied
      * and the client is expected to receive the successful response with the response code 200.
      *
      * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
     @OnlyRunNativeCronet
     public void testSuccessIfNoPinSpecified() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         byte[] nonMatchingHash = generateSomeSha256();
         addPkpSha256("otherhost.com", nonMatchingHash, INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
         startCronetFramework();
         registerHostResolver(mTestFramework);
         sendRequestAndWaitForResult();
 
         assertSuccessfulResponse();
     }
 
     /**
      * Tests mismatching pins that will expire in 10 seconds. The pins should be still valid and
      * enforced during the request; thus returning PIN mismatch error.
      *
      * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
     @OnlyRunNativeCronet
     public void testSoonExpiringPin() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         final int tenSecondsAhead = 10;
         byte[] nonMatchingHash = generateSomeSha256();
         addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, tenSecondsAhead);
         startCronetFramework();
         registerHostResolver(mTestFramework);
         sendRequestAndWaitForResult();
 
         assertErrorResponse();
     }
 
     /**
      * Tests mismatching pins that expired 1 second ago. Since the pins have expired, they
      * should not be enforced during the request; thus a successful response is expected.
      *
      * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
     @OnlyRunNativeCronet
     public void testRecentlyExpiredPin() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         final int oneSecondAgo = -1;
         byte[] nonMatchingHash = generateSomeSha256();
         addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, oneSecondAgo);
         startCronetFramework();
         registerHostResolver(mTestFramework);
         sendRequestAndWaitForResult();
 
         assertSuccessfulResponse();
     }
 
     /**
+     * Tests that the pinning of local trust anchors is enforced is enforced when pinning bypass for

[Ryan Sleevi, 2016/07/01 01:17:24]

typo: is enforced is enforced

[kapishnikov, 2016/07/01 17:20:54]

Done.

+     * local trust anchors is disabled.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testLocalTrustAnchorPinningEnforced() throws Exception {
+        createCronetEngineBuilder(DISABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, UNKNOWN_ROOT);
+        byte[] nonMatchingHash = generateSomeSha256();
+        addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+        startCronetFramework();
+        registerHostResolver(mTestFramework);
+        sendRequestAndWaitForResult();
+
+        assertErrorResponse();
+    }
+
+    /**
+     * Tests that the pinning of local trust anchors is not enforced when pinning bypass for local
+     * trust anchors is enabled.
+     *
+     * @throws Exception
+     */
+    @SmallTest
+    @Feature({"Cronet"})
+    public void testLocalTrustAnchorPinningNotEnforced() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, UNKNOWN_ROOT);
+        byte[] nonMatchingHash = generateSomeSha256();
+        addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+        startCronetFramework();
+        registerHostResolver(mTestFramework);
+        sendRequestAndWaitForResult();
+
+        assertSuccessfulResponse();
+    }
+
+    /**
      * Tests that host pinning is not persisted between multiple CronetEngine instances.
      *
      * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
     @OnlyRunNativeCronet
     public void testPinsAreNotPersisted() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         byte[] nonMatchingHash = generateSomeSha256();
         addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
         startCronetFramework();
         registerHostResolver(mTestFramework);
         sendRequestAndWaitForResult();
         assertErrorResponse();
         shutdownCronetEngine();
 
         // Restart Cronet engine and try the same request again. Since the pins are not persisted,
         // a successful response is expected.
-        createCronetEngineBuilder();
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         startCronetFramework();
         registerHostResolver(mTestFramework);
         sendRequestAndWaitForResult();
         assertSuccessfulResponse();
     }
 
     /**
      * Tests that the client receives {@code InvalidArgumentException} when the pinned host name
      * is invalid.
      *
      * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
     public void testHostNameArgumentValidation() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         final String label63 = "123456789-123456789-123456789-123456789-123456789-123456789-123";
         final String host255 = label63 + "." + label63 + "." + label63 + "." + label63;
         // Valid host names.
         assertNoExceptionWhenHostNameIsValid("domain.com");
         assertNoExceptionWhenHostNameIsValid("my-domain.com");
         assertNoExceptionWhenHostNameIsValid("section4.domain.info");
         assertNoExceptionWhenHostNameIsValid("44.domain44.info");
         assertNoExceptionWhenHostNameIsValid("very.long.long.long.long.long.long.long.domain.com");
         assertNoExceptionWhenHostNameIsValid("host");
         assertNoExceptionWhenHostNameIsValid("новости.ру");
@@ skipping 30 matching lines @@
         assertExceptionWhenHostNameIsInvalid("256.0.0.1");
         assertExceptionWhenHostNameIsInvalid("127.0.0.1.1");
         assertExceptionWhenHostNameIsInvalid("127.0.0");
         assertExceptionWhenHostNameIsInvalid("127.0.0.");
         assertExceptionWhenHostNameIsInvalid("127.0.0.299");
     }
 
     /**
      * Tests that NullPointerException is thrown if the host name or the collection of pins or
      * the expiration date is null.
+     *
+     * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
-    public void testNullArguments() {
+    public void testNullArguments() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         verifyExceptionWhenAddPkpArgumentIsNull(true, false, false);
         verifyExceptionWhenAddPkpArgumentIsNull(false, true, false);
         verifyExceptionWhenAddPkpArgumentIsNull(false, false, true);
         verifyExceptionWhenAddPkpArgumentIsNull(false, false, false);
     }
 
     /**
      * Tests that IllegalArgumentException is thrown if SHA1 is passed as the value of a pin.
+     *
+     * @throws Exception
      */
     @SmallTest
     @Feature({"Cronet"})
-    public void testIllegalArgumentExceptionWhenPinValueIsSHA1() {
+    public void testIllegalArgumentExceptionWhenPinValueIsSHA1() throws Exception {
+        createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
         byte[] sha1 = new byte[20];
         try {
             addPkpSha256(mServerHost, sha1, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
         } catch (IllegalArgumentException ex) {
             // Expected exception
             return;
         }
         fail("Expected IllegalArgumentException with pin value: " + Arrays.toString(sha1));
     }
 
@@ skipping 22 matching lines @@
      */
     private void assertSuccessfulResponse() {
         if (mListener.mError != null) {
             fail("Did not expect an error but got error code "
                     + mListener.mError.getCronetInternalErrorCode());
         }
         assertNotNull("Expected non-null response from the server", mListener.mResponseInfo);
         assertEquals(200, mListener.mResponseInfo.getHttpStatusCode());
     }
 
-    private void createCronetEngineBuilder() throws Exception {
+    private void createCronetEngineBuilder(boolean bypassPinningForLocalAnchors, boolean knownRoot)
+            throws Exception {
         // Set common CronetEngine parameters
         mBuilder = new CronetEngine.Builder(getContext());
+        mBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors(bypassPinningForLocalAnchors);
         mBuilder.enableQUIC(true);
         mBuilder.addQuicHint(QuicTestServer.getServerHost(), QuicTestServer.getServerPort(),
                 QuicTestServer.getServerPort());
         JSONObject quicParams = new JSONObject().put("host_whitelist", "test.example.com");
         JSONObject experimentalOptions = new JSONObject().put("QUIC", quicParams);
         mBuilder.setExperimentalOptions(experimentalOptions.toString());
         mBuilder.setStoragePath(CronetTestFramework.getTestStorage(getContext()));
         mBuilder.enableHttpCache(CronetEngine.Builder.HTTP_CACHE_DISK_NO_HTTP, 1000 * 1024);
-        mBuilder.setMockCertVerifierForTesting(MockCertVerifier.createMockCertVerifier(CERTS_USED));
+        mBuilder.setMockCertVerifierForTesting(
+                MockCertVerifier.createMockCertVerifier(CERTS_USED, knownRoot));
     }
 
     private void startCronetFramework() {
         mTestFramework = startCronetTestFrameworkWithUrlAndCronetEngineBuilder(null, mBuilder);
     }
 
     private void shutdownCronetEngine() {
         if (mTestFramework != null && mTestFramework.mCronetEngine != null) {
             mTestFramework.mCronetEngine.shutdown();
         }
@@ skipping 66 matching lines @@
             if (!shouldThrowNpe) {
                 fail("Null pointer exception was not expected: " + ex.toString());
             }
             return;
         }
         if (shouldThrowNpe) {
             fail("NullPointerException was expected");
         }
     }
 }