[Cronet-iOS] Public-Key-Pinning Tests

components/cronet/ios/Cronet.mm

Index: components/cronet/ios/Cronet.mm
diff --git a/components/cronet/ios/Cronet.mm b/components/cronet/ios/Cronet.mm
index 567d4085b0bb5b78e7ca38c57d0715181fbf10ec..caee74151420f79330071e89364690556ceacd8e 100644
--- a/components/cronet/ios/Cronet.mm
+++ b/components/cronet/ios/Cronet.mm
@@ -41,11 +41,13 @@ NSString* gExperimentalOptions = @"{}";
 NSString* gUserAgent = nil;
 BOOL gUserAgentPartial = NO;
 NSString* gSslKeyLogFileName = nil;
+ScopedVector<cronet::URLRequestContextConfig::Pkp> gPkpList = {};
 RequestFilterBlock gRequestFilterBlock = nil;
 base::LazyInstance<std::unique_ptr<CronetHttpProtocolHandlerDelegate>>::Leaky
     gHttpProtocolHandlerDelegate = LAZY_INSTANCE_INITIALIZER;
 NSURLCache* gPreservedSharedURLCache = nil;
 BOOL gEnableTestCertVerifierForTesting = FALSE;
+std::unique_ptr<net::CertVerifier> gMockCertVerifier;
 NSString* gAcceptLanguages = nil;
 
 // CertVerifier, which allows any certificates for testing.
@@ -117,6 +119,9 @@ class CronetHttpProtocolHandlerDelegate
         base::MakeUnique<TestCertVerifier>();
     cronetEnvironment->set_mock_cert_verifier(std::move(test_cert_verifier));
   }
+  if (gMockCertVerifier) {
+    gChromeNet.Get()->set_mock_cert_verifier(std::move(gMockCertVerifier));
+  }
 }
 
 + (NSString*)getAcceptLanguagesFromPreferredLanguages:
@@ -210,6 +215,27 @@ class CronetHttpProtocolHandlerDelegate
     gRequestFilterBlock = block;
 }
 
++ (void)addPublicKeyPinsForHost:(NSString*)host
+                      pinHashes:(NSSet<NSData*>*)pinHashes
+              includeSubdomains:(BOOL)includeSubdomains
+                 expirationDate:(NSDate*)expirationDate {
+  [self checkNotStarted];
+
+  auto pkp = base::MakeUnique<cronet::URLRequestContextConfig::Pkp>(
+      base::SysNSStringToUTF8(host), includeSubdomains,
+      base::Time::FromCFAbsoluteTime(
+          [expirationDate timeIntervalSinceReferenceDate]));
+
+  for (NSData* hash in pinHashes) {
+    net::SHA256HashValue hashValue;
+    DCHECK_EQ(sizeof(hashValue.data), hash.length)

[mef, 2017/06/12 22:25:23]

I'm not sure whether DCHECK is good enough here.
What if app gets pins from the server and messes up the size?
Release version will not have any guards and may read uninitialized memory
beyond the end of hashValue.data.

[kapishnikov, 2017/06/16 20:11:04]

Good catch. Changed it to CHECK_EQ.

+        << "The length of PKP SHA256 hash should be 256 bits";
+    memcpy((void*)(hashValue.data), [hash bytes], sizeof(hashValue.data));
+    pkp->pin_hashes.push_back(net::HashValue(hashValue));
+  }
+  gPkpList.push_back(std::move(pkp));
+}
+
 + (void)startInternal {
   std::string user_agent = base::SysNSStringToUTF8(gUserAgent);
 
@@ -226,6 +252,7 @@ class CronetHttpProtocolHandlerDelegate
   gChromeNet.Get()->set_http_cache(gHttpCache);
   gChromeNet.Get()->set_ssl_key_log_file_name(
       base::SysNSStringToUTF8(gSslKeyLogFileName));
+  gChromeNet.Get()->set_pkp_list(std::move(gPkpList));
   for (const auto* quicHint : gQuicHints) {
     gChromeNet.Get()->AddQuicHint(quicHint->host, quicHint->port,
                                   quicHint->alternate_port);
@@ -339,6 +366,10 @@ class CronetHttpProtocolHandlerDelegate
   gEnableTestCertVerifierForTesting = YES;
 }
 
++ (void)setMockCertVerifier:(std::unique_ptr<net::CertVerifier>)certVerifier {

[mef, 2017/06/12 22:25:23]

Should this also have ForTesting: suffix?
Passing std::unique_ptr as argument is interesting.
I guess its ok because this method is not in header files?

[kapishnikov, 2017/06/16 20:11:04]

Added the suffix. I think it should be okay since it is not a part of the public
API and used only for testing.

+  gMockCertVerifier = std::move(certVerifier);
+}
+
 + (void)setHostResolverRulesForTesting:(NSString*)hostResolverRulesForTesting {
   DCHECK(gChromeNet.Get().get());
   gChromeNet.Get()->SetHostResolverRules(