Chromium Code Reviews| Index: components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java |
| diff --git a/components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java b/components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java |
| index b05b3511b52d675fbf622c475aa57abee9db05ae..a38be4542f0840e1c5be62eb3432882f37ea8cba 100644 |
| --- a/components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java |
| +++ b/components/cronet/android/test/javatests/src/org/chromium/net/PkpTest.java |
| @@ -28,6 +28,10 @@ public class PkpTest extends CronetTestBase { |
| private static final int DISTANT_FUTURE = Integer.MAX_VALUE; |
| private static final boolean INCLUDE_SUBDOMAINS = true; |
| private static final boolean EXCLUDE_SUBDOMAINS = false; |
| + private static final boolean KNOWN_TRUST_ROOT = true; |
| + private static final boolean UNKNOWN_TRUST_ROOT = false; |
|
Ryan Sleevi
2016/06/21 00:52:26
Drop the "TRUST" - not sure what's trying to be co
kapishnikov
2016/06/29 23:04:32
Done.
|
| + private static final boolean ENABLE_LOCAL_CERT_PINNING = true; |
| + private static final boolean DISABLE_LOCAL_CERT_PINNING = false; |
|
Ryan Sleevi
2016/06/21 00:52:26
Previous comments about naming apply here too
kapishnikov
2016/06/29 23:04:32
Done.
|
| private CronetTestFramework mTestFramework; |
| private CronetEngine.Builder mBuilder; |
| @@ -45,7 +49,6 @@ public class PkpTest extends CronetTestBase { |
| mServerUrl = QuicTestServer.getServerURL(); |
| mServerHost = QuicTestServer.getServerHost(); |
| mDomain = mServerHost.substring(mServerHost.indexOf('.') + 1, mServerHost.length()); |
| - createCronetEngineBuilder(); |
| } |
| @Override |
| @@ -65,6 +68,7 @@ public class PkpTest extends CronetTestBase { |
| @Feature({"Cronet"}) |
| @OnlyRunNativeCronet |
| public void testErrorCodeIfPinDoesNotMatch() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| byte[] nonMatchingHash = generateSomeSha256(); |
| addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE); |
| startCronetFramework(); |
| @@ -84,6 +88,7 @@ public class PkpTest extends CronetTestBase { |
| @Feature({"Cronet"}) |
| @OnlyRunNativeCronet |
| public void testSuccessIfPinMatches() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| // Get PKP hash of the real certificate |
| X509Certificate cert = readCertFromFileInPemFormat(CERT_USED); |
| byte[] matchingHash = CertTestUtil.getPublicKeySha256(cert); |
| @@ -107,6 +112,7 @@ public class PkpTest extends CronetTestBase { |
| @Feature({"Cronet"}) |
| @OnlyRunNativeCronet |
| public void testIncludeSubdomainsFlagEqualTrue() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| byte[] nonMatchingHash = generateSomeSha256(); |
| addPkpSha256(mDomain, nonMatchingHash, INCLUDE_SUBDOMAINS, DISTANT_FUTURE); |
| startCronetFramework(); |
| @@ -127,6 +133,7 @@ public class PkpTest extends CronetTestBase { |
| @Feature({"Cronet"}) |
| @OnlyRunNativeCronet |
| public void testIncludeSubdomainsFlagEqualFalse() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| byte[] nonMatchingHash = generateSomeSha256(); |
| addPkpSha256(mDomain, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE); |
| startCronetFramework(); |
| @@ -147,6 +154,7 @@ public class PkpTest extends CronetTestBase { |
| @Feature({"Cronet"}) |
| @OnlyRunNativeCronet |
| public void testSuccessIfNoPinSpecified() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| byte[] nonMatchingHash = generateSomeSha256(); |
| addPkpSha256("otherhost.com", nonMatchingHash, INCLUDE_SUBDOMAINS, DISTANT_FUTURE); |
| startCronetFramework(); |
| @@ -166,6 +174,7 @@ public class PkpTest extends CronetTestBase { |
| @Feature({"Cronet"}) |
| @OnlyRunNativeCronet |
| public void testSoonExpiringPin() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| final int tenSecondsAhead = 10; |
| byte[] nonMatchingHash = generateSomeSha256(); |
| addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, tenSecondsAhead); |
| @@ -186,6 +195,7 @@ public class PkpTest extends CronetTestBase { |
| @Feature({"Cronet"}) |
| @OnlyRunNativeCronet |
| public void testRecentlyExpiredPin() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| final int oneSecondAgo = -1; |
| byte[] nonMatchingHash = generateSomeSha256(); |
| addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, oneSecondAgo); |
| @@ -197,6 +207,44 @@ public class PkpTest extends CronetTestBase { |
| } |
| /** |
| + * Tests that the pinning of local trust anchors is enforced when pinning of the local trust |
| + * anchors is enabled in the builder. |
| + * |
| + * @throws Exception |
| + */ |
| + @SmallTest |
| + @Feature({"Cronet"}) |
| + public void testLocalTrustAnchorPinningEnforced() throws Exception { |
| + createCronetEngineBuilder(ENABLE_LOCAL_CERT_PINNING, UNKNOWN_TRUST_ROOT); |
| + byte[] nonMatchingHash = generateSomeSha256(); |
| + addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE); |
| + startCronetFramework(); |
| + registerHostResolver(mTestFramework); |
| + sendRequestAndWaitForResult(); |
| + |
| + assertErrorResponse(); |
| + } |
| + |
| + /** |
| + * Tests that the pinning of local trust anchors is not enforced when pinning of the local trust |
| + * anchors is disabled in the builder. |
| + * |
| + * @throws Exception |
| + */ |
| + @SmallTest |
| + @Feature({"Cronet"}) |
| + public void testLocalTrustAnchorPinningNotEnforced() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, UNKNOWN_TRUST_ROOT); |
| + byte[] nonMatchingHash = generateSomeSha256(); |
| + addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE); |
| + startCronetFramework(); |
| + registerHostResolver(mTestFramework); |
| + sendRequestAndWaitForResult(); |
| + |
| + assertSuccessfulResponse(); |
| + } |
| + |
| + /** |
| * Tests that host pinning is not persisted between multiple CronetEngine instances. |
| * |
| * @throws Exception |
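Review bot: Both new tests, `testLocalTrustAnchorPinningEnforced` and `testLocalTrustAnchorPinningNotEnforced`, send a request to the QUIC test server but omit `@OnlyRunNativeCronet`, which the other request-sending tests visible in this diff carry; unless that is deliberate, add it under `@Feature({"Cronet"})`. The enforced case is also checked only with a non-matching pin, so a regression that rejected every connection chaining to a local trust anchor would still pass. A companion test that uses the matching pin with `ENABLE_LOCAL_CERT_PINNING` and `UNKNOWN_TRUST_ROOT` and expects success would close that gap; the sketch below uses only helpers already called in `testSuccessIfPinMatches`, whose body is only partly visible here. What `assertErrorResponse()` checks is outside this hunk, so it is worth confirming that it asserts a pinning failure and not just any error.

```java
// … unchanged: testLocalTrustAnchorPinningEnforced, testLocalTrustAnchorPinningNotEnforced …

/**
 * Tests that a request succeeds when pinning of local trust anchors is enabled and the pin
 * matches the server certificate.
 */
@SmallTest
@Feature({"Cronet"})
@OnlyRunNativeCronet
public void testLocalTrustAnchorPinningEnforcedWithMatchingPin() throws Exception {
    createCronetEngineBuilder(ENABLE_LOCAL_CERT_PINNING, UNKNOWN_TRUST_ROOT);
    X509Certificate cert = readCertFromFileInPemFormat(CERT_USED);
    byte[] matchingHash = CertTestUtil.getPublicKeySha256(cert);
    addPkpSha256(mServerHost, matchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE);
    startCronetFramework();
    registerHostResolver(mTestFramework);
    sendRequestAndWaitForResult();

    assertSuccessfulResponse();
}
```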
| @@ -205,6 +253,7 @@ public class PkpTest extends CronetTestBase { |
| @Feature({"Cronet"}) |
| @OnlyRunNativeCronet |
| public void testPinsAreNotPersisted() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| byte[] nonMatchingHash = generateSomeSha256(); |
| addPkpSha256(mServerHost, nonMatchingHash, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE); |
| startCronetFramework(); |
| @@ -215,7 +264,7 @@ public class PkpTest extends CronetTestBase { |
| // Restart Cronet engine and try the same request again. Since the pins are not persisted, |
| // a successful response is expected. |
| - createCronetEngineBuilder(); |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| startCronetFramework(); |
| registerHostResolver(mTestFramework); |
| sendRequestAndWaitForResult(); |
| @@ -231,6 +280,7 @@ public class PkpTest extends CronetTestBase { |
| @SmallTest |
| @Feature({"Cronet"}) |
| public void testHostNameArgumentValidation() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| final String label63 = "123456789-123456789-123456789-123456789-123456789-123456789-123"; |
| final String host255 = label63 + "." + label63 + "." + label63 + "." + label63; |
| // Valid host names. |
| @@ -281,10 +331,13 @@ public class PkpTest extends CronetTestBase { |
| /** |
| * Tests that NullPointerException is thrown if the host name or the collection of pins or |
| * the expiration date is null. |
| + * |
| + * @throws Exception |
| */ |
| @SmallTest |
| @Feature({"Cronet"}) |
| - public void testNullArguments() { |
| + public void testNullArguments() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| verifyExceptionWhenAddPkpArgumentIsNull(true, false, false); |
| verifyExceptionWhenAddPkpArgumentIsNull(false, true, false); |
| verifyExceptionWhenAddPkpArgumentIsNull(false, false, true); |
| @@ -293,10 +346,13 @@ public class PkpTest extends CronetTestBase { |
| /** |
| * Tests that IllegalArgumentException is thrown if SHA1 is passed as the value of a pin. |
| + * |
| + * @throws Exception |
| */ |
| @SmallTest |
| @Feature({"Cronet"}) |
| - public void testIllegalArgumentExceptionWhenPinValueIsSHA1() { |
| + public void testIllegalArgumentExceptionWhenPinValueIsSHA1() throws Exception { |
| + createCronetEngineBuilder(DISABLE_LOCAL_CERT_PINNING, KNOWN_TRUST_ROOT); |
| byte[] sha1 = new byte[20]; |
| try { |
| addPkpSha256(mServerHost, sha1, EXCLUDE_SUBDOMAINS, DISTANT_FUTURE); |
| @@ -339,9 +395,11 @@ public class PkpTest extends CronetTestBase { |
| assertEquals(200, mListener.mResponseInfo.getHttpStatusCode()); |
| } |
| - private void createCronetEngineBuilder() throws Exception { |
| + private void createCronetEngineBuilder(boolean pinLocalCerts, boolean knownRoot) |
| + throws Exception { |
| // Set common CronetEngine parameters |
| mBuilder = new CronetEngine.Builder(getContext()); |
| + mBuilder.enablePublicKeyPinsForLocalTrustAnchors(pinLocalCerts); |
| mBuilder.enableQUIC(true); |
| mBuilder.addQuicHint(QuicTestServer.getServerHost(), QuicTestServer.getServerPort(), |
| QuicTestServer.getServerPort()); |
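Review bot: `createCronetEngineBuilder(boolean pinLocalCerts, boolean knownRoot)` takes two adjacent booleans, and every call site passes plain `boolean` constants, so swapping the arguments still compiles and silently changes which pinning behaviour a test exercises. A short Javadoc on the helper would fix the order for readers, for example `/** @param pinLocalCerts value passed to enablePublicKeyPinsForLocalTrustAnchors. @param knownRoot value passed to MockCertVerifier.createMockCertVerifier. */`. The helper's body continues past this hunk; `knownRoot` is consumed in the final hunk of the file.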
| @@ -350,7 +408,8 @@ public class PkpTest extends CronetTestBase { |
| mBuilder.setExperimentalOptions(experimentalOptions.toString()); |
| mBuilder.setStoragePath(CronetTestFramework.getTestStorage(getContext())); |
| mBuilder.enableHttpCache(CronetEngine.Builder.HTTP_CACHE_DISK_NO_HTTP, 1000 * 1024); |
| - mBuilder.setMockCertVerifierForTesting(MockCertVerifier.createMockCertVerifier(CERTS_USED)); |
| + mBuilder.setMockCertVerifierForTesting( |
| + MockCertVerifier.createMockCertVerifier(CERTS_USED, knownRoot)); |
| } |
| private void startCronetFramework() { |