Unified Diff: components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java

Issue 2052363002: Enable public key pinning of local trust anchors (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fixed CronetPerfTestActivity test Created 4 years, 6 months ago
Index: components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java
diff --git a/components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java b/components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java
index b05b3511b52d675fbf622c475aa57abee9db05ae..4a95c2f2940d6ed8e5607bc0b216099fc24c59f6 100644
--- a/components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java
+++ b/components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java
@@ -28,6 +28,10 @@ public class PkpTest extends CronetTestBase {
private static final int DISTANT_FUTURE = Integer.MAX_VALUE;
private static final boolean INCLUDE_SUBDOMAINS = true;
private static final boolean EXCLUDE_SUBDOMAINS = false;
+ private static final boolean KNOWN_ROOT = true;
+ private static final boolean UNKNOWN_ROOT = false;
+ private static final boolean ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS = true;
+ private static final boolean DISABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS = false;
private CronetTestFramework mTestFramework;
private CronetEngine.Builder mBuilder;
@@ -45,7 +49,6 @@ public class PkpTest extends CronetTestBase {
mServerUrl = QuicTestServer.getServerURL();
mServerHost = QuicTestServer.getServerHost();
mDomain = mServerHost.substring(mServerHost.indexOf('.') + 1, mServerHost.length());
- createCronetEngineBuilder();
}
@Override
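Review bot: With the createCronetEngineBuilder() call removed from setUp here, mBuilder stays null after setup, so any test that omits the new createCronetEngineBuilder(...) call — the line every later hunk in this file adds at the top of each test — fails with a NullPointerException on mBuilder rather than a clear assertion. A cheap safeguard is to keep the common default in setUp, `createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);`, and let only testLocalTrustAnchorPinningEnforced and testLocalTrustAnchorPinningNotEnforced rebuild the builder with their own flags, which would also remove the per-test repetition. setUp's signature is outside this hunk, and whether constructing a second Builder has side effects (setStoragePath on the same directory is only visible in the builder hunk further down) is inferred rather than shown here.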
@@ -65,6 +68,7 @@ public class PkpTest extends CronetTestBase {
@Feature({"Cronet"})
@OnlyRunNativeCronet
public void testErrorCodeIfPinDoesNotMatch() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
byte[] nonMatchingHash = generateSomeSha256();
addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
startCronetFramework();
@@ -84,6 +88,7 @@ public class PkpTest extends CronetTestBase {
@Feature({"Cronet"})
@OnlyRunNativeCronet
public void testSuccessIfPinMatches() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
// Get PKP hash of the real certificate
X509Certificate cert = readCertFromFileInPemFormat(CERT_USED);
byte[] matchingHash = CertTestUtil.getPublicKeySha256(cert);
@@ -107,6 +112,7 @@ public class PkpTest extends CronetTestBase {
@Feature({"Cronet"})
@OnlyRunNativeCronet
public void testIncludeSubdomainsFlagEqualTrue() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
byte[] nonMatchingHash = generateSomeSha256();
addPkpSha256(mDomain, nonMatchingHash, INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
startCronetFramework();
@@ -127,6 +133,7 @@ public class PkpTest extends CronetTestBase {
@Feature({"Cronet"})
@OnlyRunNativeCronet
public void testIncludeSubdomainsFlagEqualFalse() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
byte[] nonMatchingHash = generateSomeSha256();
addPkpSha256(mDomain, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
startCronetFramework();
@@ -147,6 +154,7 @@ public class PkpTest extends CronetTestBase {
@Feature({"Cronet"})
@OnlyRunNativeCronet
public void testSuccessIfNoPinSpecified() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
byte[] nonMatchingHash = generateSomeSha256();
addPkpSha256("otherhost.com", nonMatchingHash, INCLUDE_SUBDOMAINS, DISTANT_FUTURE);
startCronetFramework();
@@ -166,6 +174,7 @@ public class PkpTest extends CronetTestBase {
@Feature({"Cronet"})
@OnlyRunNativeCronet
public void testSoonExpiringPin() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
final int tenSecondsAhead = 10;
byte[] nonMatchingHash = generateSomeSha256();
addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, tenSecondsAhead);
@@ -186,6 +195,7 @@ public class PkpTest extends CronetTestBase {
@Feature({"Cronet"})
@OnlyRunNativeCronet
public void testRecentlyExpiredPin() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
final int oneSecondAgo = -1;
byte[] nonMatchingHash = generateSomeSha256();
addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, oneSecondAgo);
@@ -197,6 +207,44 @@ public class PkpTest extends CronetTestBase {
}
/**
+ * Tests that the pinning of local trust anchors is enforced when pinning bypass for local
+ * trust anchors is disabled.
+ *
+ * @throws Exception
+ */
+ @SmallTest
+ @Feature({"Cronet"})
+ public void testLocalTrustAnchorPinningEnforced() throws Exception {
+ createCronetEngineBuilder(DISABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, UNKNOWN_ROOT);
+ byte[] nonMatchingHash = generateSomeSha256();
+ addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+ startCronetFramework();
+ registerHostResolver(mTestFramework);
+ sendRequestAndWaitForResult();
+
+ assertErrorResponse();
+ }
+
+ /**
+ * Tests that the pinning of local trust anchors is not enforced when pinning bypass for local
+ * trust anchors is enabled.
+ *
+ * @throws Exception
+ */
+ @SmallTest
+ @Feature({"Cronet"})
+ public void testLocalTrustAnchorPinningNotEnforced() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, UNKNOWN_ROOT);
+ byte[] nonMatchingHash = generateSomeSha256();
+ addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
+ startCronetFramework();
+ registerHostResolver(mTestFramework);
+ sendRequestAndWaitForResult();
+
+ assertSuccessfulResponse();
+ }
+
+ /**
* Tests that host pinning is not persisted between multiple CronetEngine instances.
*
* @throws Exception
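Review bot: testLocalTrustAnchorPinningEnforced and testLocalTrustAnchorPinningNotEnforced lack the `@OnlyRunNativeCronet` annotation that every other test in this file which calls startCronetFramework() and sendRequestAndWaitForResult() carries; since they depend on the mock cert verifier and the QUIC test server configured in createCronetEngineBuilder(), they presumably cannot pass on a non-native Cronet implementation and should be annotated the same way. The second test pins the security-relevant behaviour — a pin mismatch is accepted when the chain is verified against an unknown (presumably local, non-public) root and the bypass flag is on — so that deserves a sentence in its Javadoc, e.g. `* The pin mismatch is ignored only because the chain ends in an unknown root and bypass is enabled.`, rather than the bare `@throws Exception` with no description. The same empty `@throws Exception` tag is added in the hunks touching the testNullArguments and testIllegalArgumentExceptionWhenPinValueIsSHA1 Javadocs; either describe what is thrown or drop the tag. The Javadoc at the end of this hunk belongs to testPinsAreNotPersisted, which continues outside it.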
@@ -205,6 +253,7 @@ public class PkpTest extends CronetTestBase {
@Feature({"Cronet"})
@OnlyRunNativeCronet
public void testPinsAreNotPersisted() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
byte[] nonMatchingHash = generateSomeSha256();
addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
startCronetFramework();
@@ -215,7 +264,7 @@ public class PkpTest extends CronetTestBase {
// Restart Cronet engine and try the same request again. Since the pins are not persisted,
// a successful response is expected.
- createCronetEngineBuilder();
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
startCronetFramework();
registerHostResolver(mTestFramework);
sendRequestAndWaitForResult();
@@ -231,6 +280,7 @@ public class PkpTest extends CronetTestBase {
@SmallTest
@Feature({"Cronet"})
public void testHostNameArgumentValidation() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
final String label63 = "123456789-123456789-123456789-123456789-123456789-123456789-123";
final String host255 = label63 + "." + label63 + "." + label63 + "." + label63;
// Valid host names.
@@ -281,10 +331,13 @@ public class PkpTest extends CronetTestBase {
/**
* Tests that NullPointerException is thrown if the host name or the collection of pins or
* the expiration date is null.
+ *
+ * @throws Exception
*/
@SmallTest
@Feature({"Cronet"})
- public void testNullArguments() {
+ public void testNullArguments() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
verifyExceptionWhenAddPkpArgumentIsNull(true, false, false);
verifyExceptionWhenAddPkpArgumentIsNull(false, true, false);
verifyExceptionWhenAddPkpArgumentIsNull(false, false, true);
@@ -293,10 +346,13 @@ public class PkpTest extends CronetTestBase {
/**
* Tests that IllegalArgumentException is thrown if SHA1 is passed as the value of a pin.
+ *
+ * @throws Exception
*/
@SmallTest
@Feature({"Cronet"})
- public void testIllegalArgumentExceptionWhenPinValueIsSHA1() {
+ public void testIllegalArgumentExceptionWhenPinValueIsSHA1() throws Exception {
+ createCronetEngineBuilder(ENABLE_PINNING_BYPASS_FOR_LOCAL_ANCHORS, KNOWN_ROOT);
byte[] sha1 = new byte[20];
try {
addPkpSha256(mServerHost, sha1, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
@@ -339,9 +395,11 @@ public class PkpTest extends CronetTestBase {
assertEquals(200, mListener.mResponseInfo.getHttpStatusCode());
}
- private void createCronetEngineBuilder() throws Exception {
+ private void createCronetEngineBuilder(boolean bypassPinningForLocalAnchors, boolean knownRoot)
+ throws Exception {
// Set common CronetEngine parameters
mBuilder = new CronetEngine.Builder(getContext());
+ mBuilder.enablePublicKeyPinningBypassForLocalTrustAnchors(bypassPinningForLocalAnchors);
mBuilder.enableQUIC(true);
mBuilder.addQuicHint(QuicTestServer.getServerHost(), QuicTestServer.getServerPort(),
QuicTestServer.getServerPort());
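Review bot: createCronetEngineBuilder now takes two positional booleans whose meaning is only discoverable by reading the body (and, for knownRoot, the following hunk), yet the method has no Javadoc even though every test must now call it. A short contract would help: `/** Rebuilds mBuilder with the common test settings. {@code bypassPinningForLocalAnchors} feeds enablePublicKeyPinningBypassForLocalTrustAnchors; {@code knownRoot} feeds MockCertVerifier.createMockCertVerifier. Must be called by each test before startCronetFramework(). */`. The method body continues into the next hunk, where the knownRoot argument is consumed.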
@@ -350,7 +408,8 @@ public class PkpTest extends CronetTestBase {
mBuilder.setExperimentalOptions(experimentalOptions.toString());
mBuilder.setStoragePath(CronetTestFramework.getTestStorage(getContext()));
mBuilder.enableHttpCache(CronetEngine.Builder.HTTP_CACHE_DISK_NO_HTTP, 1000 * 1024);
- mBuilder.setMockCertVerifierForTesting(MockCertVerifier.createMockCertVerifier(CERTS_USED));
+ mBuilder.setMockCertVerifierForTesting(
+ MockCertVerifier.createMockCertVerifier(CERTS_USED, knownRoot));
}
private void startCronetFramework() {
