[Cronet-iOS] Public-Key-Pinning Tests

components/cronet/ios/Cronet.h

Index: components/cronet/ios/Cronet.h
diff --git a/components/cronet/ios/Cronet.h b/components/cronet/ios/Cronet.h
index f7f6cbe13fc94214cf0095bde6f6cedd5d330432..41feb279eb7a9c24c82eb91457a7cdc36154afae 100644
--- a/components/cronet/ios/Cronet.h
+++ b/components/cronet/ios/Cronet.h
@@ -73,6 +73,41 @@ GRPC_SUPPORT_EXPORT
 // captures. This method only has any effect before |start| is called.
 + (void)setSslKeyLogFileName:(NSString*)sslKeyLogFileName;
 
+/// Pins a set of public keys for a given host. This method only has any effect

[mef, 2017/06/12 22:25:22]

We should probably make other comments in this header documentable the same way.
Different CL though.

[kapishnikov, 2017/06/16 20:11:04]

Acknowledged. Filed http://crbug.com/732888

+/// before |start| is called. By pinning a set of public keys,
+/// |pinsSha256|, communication with |hostName| is required to
+/// authenticate with a certificate with a public key from the set of pinned
+/// ones. An app can pin the public key of the root certificate, any of the
+/// intermediate certificates or the end-entry certificate. Authentication will
+/// fail and secure communication will not be established if none of the public
+/// keys is present in the host's certificate chain, even if the host attempts
+/// to authenticate with a certificate allowed by the device's trusted store of
+/// certificates.
+///
+/// Calling this method multiple times with the same host name overrides the
+/// previously set pins for the host.
+///
+/// More information about the public key pinning can be found in
+/// [RFC 7469](https://tools.ietf.org/html/rfc7469).
+///
+/// @param hostName name of the host to which the public keys should be pinned.

[mef, 2017/06/12 22:25:22]

Need to match actual param names:

hostName <-> host
pinsSha356 <-> pinHashes

[kapishnikov, 2017/06/16 20:11:04]

Done.

+///                 A host that consists only of digits and the dot character
+///                 is treated as invalid.
+/// @param pinsSha256 a set of pins. Each pin is the SHA-256 cryptographic
+///                   hash of the DER-encoded ASN.1 representation of the
+///                   Subject Public Key Info (SPKI) of the host's X.509
+///                   certificate. Although, the method does not mandate the
+///                   presence of the backup pin that can be used if the control
+///                   of the primary private key has been lost, it is highly
+///                   recommended to supply one.
+/// @param includeSubdomains indicates whether the pinning policy should be
+///                          applied to subdomains of |hostName|.
+/// @param expirationDate specifies the expiration date for the pins.
++ (void)addPublicKeyPinsForHost:(NSString*)host
+                      pinHashes:(NSSet<NSData*>*)pinHashes
+              includeSubdomains:(BOOL)includeSubdomains
+                 expirationDate:(NSDate*)expirationDate;
+
 // Sets the block used to determine whether or not Cronet should handle the
 // request. If the block is not set, Cronet will handle all requests. Cronet
 // retains strong reference to the block, which can be released by calling this