[Cronet-iOS] Public-Key-Pinning Tests

components/cronet/ios/Cronet.h

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import <Foundation/Foundation.h>
 
 #include "bidirectional_stream_c.h"
 
 // Type of HTTP cache; public interface to private implementation defined in
 // URLRequestContextConfig class.
 typedef NS_ENUM(NSInteger, CRNHttpCacheType) {
   // Disabled HTTP cache.  Some data may still be temporarily stored in memory.
   CRNHttpCacheTypeDisabled,
   // Enable on-disk HTTP cache, including HTTP data.
   CRNHttpCacheTypeDisk,
   // Enable in-memory cache, including HTTP data.
   CRNHttpCacheTypeMemory,
 };
 
+/// Cronet Domain Name.

[mef, 2017/06/19 15:02:33]

Should it be 'Cronet Error Domain Name'?

[kapishnikov, 2017/06/19 18:32:48]

The convention is not to add the 'Name' suffix. Changed it to
|CRNCronetErrorDomain|.

+NSString* const CRNCronetDomain = @"Cronet";
+
+/// Enum of Cronet NSError codes.
+NS_ENUM(NSInteger){
+    CRNErrorInvalidArgument = 1001,
+};
+
+/// The corresponding value is a String object that contains the name of
+/// an invalid argument inside the NSError userInfo dictionary.
+NSString* const CRNInvalidArgumentKey = @"CRNInvalidArgumentKey";
+
 // A block, that takes a request, and returns YES if the request should
 // be handled.
 typedef BOOL (^RequestFilterBlock)(NSURLRequest* request);
 
 // Interface for installing Cronet.
 // TODO(gcasto): Should this macro be separate from the one defined in
 // bidirectional_stream_c.h?
 GRPC_SUPPORT_EXPORT
 @interface Cronet : NSObject
 
@@ skipping 32 matching lines @@
 // If |partial| is set to NO, then |userAgent| value is complete value sent to
 // the remote. For Example: "Foo/3.0.0.0" is sent as "Foo/3.0.0.0".
 //
 // This method only has any effect before |start| is called.
 + (void)setUserAgent:(NSString*)userAgent partial:(BOOL)partial;
 
 // Sets SSLKEYLogFileName to export SSL key for Wireshark decryption of packet
 // captures. This method only has any effect before |start| is called.
 + (void)setSslKeyLogFileName:(NSString*)sslKeyLogFileName;
 
+/// Pins a set of public keys for a given host. This method only has any effect
+/// before |start| is called. By pinning a set of public keys,
+/// |pinsSha256|, communication with |hostName| is required to

[mef, 2017/06/19 15:02:33]

host

[mef, 2017/06/19 15:02:33]

pinHashes

[kapishnikov, 2017/06/19 18:32:48]

Done.

[kapishnikov, 2017/06/19 18:32:48]

Done.

+/// authenticate with a certificate with a public key from the set of pinned
+/// ones. An app can pin the public key of the root certificate, any of the
+/// intermediate certificates or the end-entry certificate. Authentication will
+/// fail and secure communication will not be established if none of the public
+/// keys is present in the host's certificate chain, even if the host attempts
+/// to authenticate with a certificate allowed by the device's trusted store of
+/// certificates.
+///
+/// Calling this method multiple times with the same host name overrides the
+/// previously set pins for the host.
+///
+/// More information about the public key pinning can be found in
+/// [RFC 7469](https://tools.ietf.org/html/rfc7469).
+///
+/// @param host name of the host to which the public keys should be pinned.
+///             A host that consists only of digits and the dot character
+///             is treated as invalid.
+/// @param pinHashes a set of pins. Each pin is the SHA-256 cryptographic
+///                  hash of the DER-encoded ASN.1 representation of the
+///                  Subject Public Key Info (SPKI) of the host's X.509
+///                  certificate. Although, the method does not mandate the
+///                  presence of the backup pin that can be used if the control
+///                  of the primary private key has been lost, it is highly
+///                  recommended to supply one.
+/// @param includeSubdomains indicates whether the pinning policy should be
+///                          applied to subdomains of |hostName|.
+/// @param expirationDate specifies the expiration date for the pins.
+/// @param outError on return, if the pin cannot be added, a pointer to an
+///                 error object that encapsulates the reason for the error.
+/// @return returns |YES| if the pins were added successfully; |NO|, otherwise.
++ (BOOL)addPublicKeyPinsForHost:(NSString*)host
+                      pinHashes:(NSSet<NSData*>*)pinHashes
+              includeSubdomains:(BOOL)includeSubdomains
+                 expirationDate:(NSDate*)expirationDate
+                          error:(NSError**)outError;
+
 // Sets the block used to determine whether or not Cronet should handle the
 // request. If the block is not set, Cronet will handle all requests. Cronet
 // retains strong reference to the block, which can be released by calling this
 // method with nil block.
 + (void)setRequestFilterBlock:(RequestFilterBlock)block;
 
 // Starts CronetEngine. It is recommended to call this method on the application
 // main thread. If the method is called on any thread other than the main one,
 // the method will internally try to execute synchronously using the main GCD
 // queue. Please make sure that the main thread is not blocked by a job
@@ skipping 51 matching lines @@
 
 // Sets Host Resolver Rules for testing.
 // This method must be called after |start| has been called.
 + (void)setHostResolverRulesForTesting:(NSString*)hostResolverRulesForTesting;
 
 // Enables TestCertVerifier which accepts all certificates for testing.
 // This method only has any effect before |start| is called.
 + (void)enableTestCertVerifierForTesting;
 
 @end