[Cronet-iOS] Public-Key-Pinning Tests

components/cronet/ios/Cronet.mm

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "components/cronet/ios/Cronet.h"
 
 #include <memory>
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
@@ skipping 23 matching lines @@
 
 BOOL gHttp2Enabled = YES;
 BOOL gQuicEnabled = NO;
 cronet::URLRequestContextConfig::HttpCacheType gHttpCache =
     cronet::URLRequestContextConfig::HttpCacheType::DISK;
 ScopedVector<cronet::URLRequestContextConfig::QuicHint> gQuicHints;
 NSString* gExperimentalOptions = @"{}";
 NSString* gUserAgent = nil;
 BOOL gUserAgentPartial = NO;
 NSString* gSslKeyLogFileName = nil;
+ScopedVector<cronet::URLRequestContextConfig::Pkp> gPkpList = {};
 RequestFilterBlock gRequestFilterBlock = nil;
 base::LazyInstance<std::unique_ptr<CronetHttpProtocolHandlerDelegate>>::Leaky
     gHttpProtocolHandlerDelegate = LAZY_INSTANCE_INITIALIZER;
 NSURLCache* gPreservedSharedURLCache = nil;
 BOOL gEnableTestCertVerifierForTesting = FALSE;
+std::unique_ptr<net::CertVerifier> gMockCertVerifier;
 NSString* gAcceptLanguages = nil;
 
 // CertVerifier, which allows any certificates for testing.
 class TestCertVerifier : public net::CertVerifier {
   int Verify(const RequestParams& params,
              net::CRLSet* crl_set,
              net::CertVerifyResult* verify_result,
              const net::CompletionCallback& callback,
              std::unique_ptr<Request>* out_req,
              const net::NetLogWithSource& net_log) override {
@@ skipping 51 matching lines @@
 
 @implementation Cronet
 
 + (void)configureCronetEnvironmentForTesting:
     (cronet::CronetEnvironment*)cronetEnvironment {
   if (gEnableTestCertVerifierForTesting) {
     std::unique_ptr<TestCertVerifier> test_cert_verifier =
         base::MakeUnique<TestCertVerifier>();
     cronetEnvironment->set_mock_cert_verifier(std::move(test_cert_verifier));
   }
+  if (gMockCertVerifier) {
+    gChromeNet.Get()->set_mock_cert_verifier(std::move(gMockCertVerifier));
+  }
 }
 
 + (NSString*)getAcceptLanguagesFromPreferredLanguages:
     (NSArray<NSString*>*)languages {
   NSMutableArray* acceptLanguages = [NSMutableArray new];
   for (NSString* lang_region in languages) {
     NSString* lang = [lang_region componentsSeparatedByString:@"-"][0];
     NSString* localeAcceptLangs = acceptLangs[lang_region] ?: acceptLangs[lang];
     if (localeAcceptLangs)
       [acceptLanguages
@@ skipping 73 matching lines @@
   }
 }
 
 + (void)setRequestFilterBlock:(RequestFilterBlock)block {
   if (gHttpProtocolHandlerDelegate.Get().get())
     gHttpProtocolHandlerDelegate.Get().get()->SetRequestFilterBlock(block);
   else
     gRequestFilterBlock = block;
 }
 
++ (BOOL)addPublicKeyPinsForHost:(NSString*)host
+                      pinHashes:(NSSet<NSData*>*)pinHashes
+              includeSubdomains:(BOOL)includeSubdomains
+                 expirationDate:(NSDate*)expirationDate
+                          error:(NSError**)outError {
+  [self checkNotStarted];
+
+  auto pkp = base::MakeUnique<cronet::URLRequestContextConfig::Pkp>(
+      base::SysNSStringToUTF8(host), includeSubdomains,
+      base::Time::FromCFAbsoluteTime(
+          [expirationDate timeIntervalSinceReferenceDate]));
+
+  for (NSData* hash in pinHashes) {
+    net::SHA256HashValue hashValue = net::SHA256HashValue();
+    if (sizeof(hashValue.data) != hash.length) {
+      *outError =
+          [self createIllegalArgumentErrorWithArgument:@"pinHashes"
+                                                reason:
+                                                    @"The length of PKP SHA256 "
+                                                    @"hash should be 256 bits"];
+      return NO;
+    }
+    memcpy((void*)(hashValue.data), [hash bytes], sizeof(hashValue.data));
+    pkp->pin_hashes.push_back(net::HashValue(hashValue));
+  }
+  gPkpList.push_back(std::move(pkp));
+  if (outError) {
+    *outError = nil;
+  }
+  return YES;
+}
+
 + (void)startInternal {
   std::string user_agent = base::SysNSStringToUTF8(gUserAgent);
 
   gChromeNet.Get().reset(
       new cronet::CronetEnvironment(user_agent, gUserAgentPartial));
 
   gChromeNet.Get()->set_accept_language(
       base::SysNSStringToUTF8(gAcceptLanguages ?: [self getAcceptLanguages]));
 
   gChromeNet.Get()->set_http2_enabled(gHttp2Enabled);
   gChromeNet.Get()->set_quic_enabled(gQuicEnabled);
   gChromeNet.Get()->set_experimental_options(
       base::SysNSStringToUTF8(gExperimentalOptions));
   gChromeNet.Get()->set_http_cache(gHttpCache);
   gChromeNet.Get()->set_ssl_key_log_file_name(
       base::SysNSStringToUTF8(gSslKeyLogFileName));
+  gChromeNet.Get()->set_pkp_list(std::move(gPkpList));
   for (const auto* quicHint : gQuicHints) {
     gChromeNet.Get()->AddQuicHint(quicHint->host, quicHint->port,
                                   quicHint->alternate_port);
   }
 
   [self configureCronetEnvironmentForTesting:gChromeNet.Get().get()];
   gChromeNet.Get()->Start();
   gHttpProtocolHandlerDelegate.Get().reset(
       new CronetHttpProtocolHandlerDelegate(
           gChromeNet.Get()->GetURLRequestContextGetter(), gRequestFilterBlock));
@@ skipping 93 matching lines @@
     return nil;
   }
   std::vector<uint8_t> deltas(gChromeNet.Get()->GetHistogramDeltas());
   return [NSData dataWithBytes:deltas.data() length:deltas.size()];
 }
 
 + (void)enableTestCertVerifierForTesting {
   gEnableTestCertVerifierForTesting = YES;
 }
 
++ (void)setMockCertVerifierForTesting:
+    (std::unique_ptr<net::CertVerifier>)certVerifier {
+  gMockCertVerifier = std::move(certVerifier);
+}
+
 + (void)setHostResolverRulesForTesting:(NSString*)hostResolverRulesForTesting {
   DCHECK(gChromeNet.Get().get());
   gChromeNet.Get()->SetHostResolverRules(
       base::SysNSStringToUTF8(hostResolverRulesForTesting));
 }
 
 // This is a non-public dummy method that prevents the linker from stripping out
 // the otherwise non-referenced methods from 'bidirectional_stream.cc'.
 + (void)preventStrippingCronetBidirectionalStream {
   bidirectional_stream_create(NULL, 0, 0);
 }
 
++ (NSError*)createIllegalArgumentErrorWithArgument:(NSString*)argumentName
+                                            reason:(NSString*)reason {
+  NSMutableDictionary* errorDictionary =
+      [[NSMutableDictionary alloc] initWithDictionary:@{
+        NSLocalizedDescriptionKey :
+            [NSString stringWithFormat:@"Invalid argument: %@", argumentName],
+        CRNInvalidArgumentKey : argumentName
+      }];
+  if (reason) {
+    errorDictionary[NSLocalizedFailureReasonErrorKey] = reason;
+  }
+  return [self createCronetErrorWith:CRNErrorInvalidArgument
+                            userInfo:errorDictionary];
+}
+
++ (NSError*)createCronetErrorWith:(int)errorCode
+                         userInfo:(NSDictionary*)userInfo {
+  return [NSError errorWithDomain:CRNCronetErrorDomain
+                             code:errorCode
+                         userInfo:userInfo];
+}
+
 @end