add setter for enable_pkp_bypass_etc

components/cronet/ios/Cronet.mm

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "components/cronet/ios/Cronet.h"
 
 #include <memory>
 #include <vector>
 
 #include "base/lazy_instance.h"
@@ skipping 30 matching lines @@
 QuicHintVector gQuicHints;
 NSString* gExperimentalOptions = @"{}";
 NSString* gUserAgent = nil;
 BOOL gUserAgentPartial = NO;
 NSString* gSslKeyLogFileName = nil;
 std::vector<std::unique_ptr<cronet::URLRequestContextConfig::Pkp>> gPkpList;
 RequestFilterBlock gRequestFilterBlock = nil;
 base::LazyInstance<std::unique_ptr<CronetHttpProtocolHandlerDelegate>>::Leaky
     gHttpProtocolHandlerDelegate = LAZY_INSTANCE_INITIALIZER;
 NSURLCache* gPreservedSharedURLCache = nil;
-BOOL gEnableTestCertVerifierForTesting = FALSE;
+BOOL gEnableTestCertVerifierForTesting = NO;
 std::unique_ptr<net::CertVerifier> gMockCertVerifier;
 NSString* gAcceptLanguages = nil;
+BOOL gEnablePKPBypassForLocalTrustAnchors = YES;
 
 // CertVerifier, which allows any certificates for testing.
 class TestCertVerifier : public net::CertVerifier {
   int Verify(const RequestParams& params,
              net::CRLSet* crl_set,
              net::CertVerifyResult* verify_result,
              const net::CompletionCallback& callback,
              std::unique_ptr<Request>* out_req,
              const net::NetLogWithSource& net_log) override {
     net::Error result = net::OK;
@@ skipping 154 matching lines @@
     gRequestFilterBlock = block;
 }
 
 + (BOOL)addPublicKeyPinsForHost:(NSString*)host
                       pinHashes:(NSSet<NSData*>*)pinHashes
               includeSubdomains:(BOOL)includeSubdomains
                  expirationDate:(NSDate*)expirationDate
                           error:(NSError**)outError {
   [self checkNotStarted];
 
+  // Pinning a key only makes sense if pin bypassing has been disabled
+  if (gEnablePKPBypassForLocalTrustAnchors) {
+    *outError =
+        [self createUnsupportedConfigurationError:
+                  @"Cannot pin keys while public key pinning is bypassed"];
+    return NO;
+  }
+
   auto pkp = base::MakeUnique<cronet::URLRequestContextConfig::Pkp>(
       base::SysNSStringToUTF8(host), includeSubdomains,
       base::Time::FromCFAbsoluteTime(
           [expirationDate timeIntervalSinceReferenceDate]));
 
   for (NSData* hash in pinHashes) {
     net::SHA256HashValue hashValue = net::SHA256HashValue();
     if (sizeof(hashValue.data) != hash.length) {
       *outError =
           [self createIllegalArgumentErrorWithArgument:@"pinHashes"
                                                 reason:
                                                     @"The length of PKP SHA256 "
                                                     @"hash should be 256 bits"];
       return NO;
     }
     memcpy((void*)(hashValue.data), [hash bytes], sizeof(hashValue.data));
     pkp->pin_hashes.push_back(net::HashValue(hashValue));
   }
   gPkpList.push_back(std::move(pkp));
   if (outError) {
     *outError = nil;
   }
   return YES;
 }
 
++ (void)setEnablePublicKeyPinningBypassForLocalTrustAnchors:(BOOL)enable {
+  gEnablePKPBypassForLocalTrustAnchors = enable;
+}
+
 + (void)startInternal {
   std::string user_agent = base::SysNSStringToUTF8(gUserAgent);
 
   gChromeNet.Get().reset(
       new cronet::CronetEnvironment(user_agent, gUserAgentPartial));
 
   gChromeNet.Get()->set_accept_language(
       base::SysNSStringToUTF8(gAcceptLanguages ?: [self getAcceptLanguages]));
 
   gChromeNet.Get()->set_http2_enabled(gHttp2Enabled);
   gChromeNet.Get()->set_quic_enabled(gQuicEnabled);
   gChromeNet.Get()->set_experimental_options(
       base::SysNSStringToUTF8(gExperimentalOptions));
   gChromeNet.Get()->set_http_cache(gHttpCache);
   gChromeNet.Get()->set_ssl_key_log_file_name(
       base::SysNSStringToUTF8(gSslKeyLogFileName));
   gChromeNet.Get()->set_pkp_list(std::move(gPkpList));
+  gChromeNet.Get()
+      ->set_enable_public_key_pinning_bypass_for_local_trust_anchors(
+          gEnablePKPBypassForLocalTrustAnchors);
   for (const auto& quicHint : gQuicHints) {
     gChromeNet.Get()->AddQuicHint(quicHint->host, quicHint->port,
                                   quicHint->alternate_port);
   }
 
   [self configureCronetEnvironmentForTesting:gChromeNet.Get().get()];
   gChromeNet.Get()->Start();
   gHttpProtocolHandlerDelegate.Get().reset(
       new CronetHttpProtocolHandlerDelegate(
           gChromeNet.Get()->GetURLRequestContextGetter(), gRequestFilterBlock));
@@ skipping 125 matching lines @@
             [NSString stringWithFormat:@"Invalid argument: %@", argumentName],
         CRNInvalidArgumentKey : argumentName
       }];
   if (reason) {
     errorDictionary[NSLocalizedFailureReasonErrorKey] = reason;
   }
   return [self createCronetErrorWith:CRNErrorInvalidArgument
                             userInfo:errorDictionary];
 }
 
++ (NSError*)createUnsupportedConfigurationError:(NSString*)contradiction {
+  NSMutableDictionary* errorDictionary =

[kapishnikov, 2017/06/28 15:32:23]

Could we also add |NSLocalizedFailureReasonErrorKey| saying something like:
"Setting public-key-pinning with local anchor bypass turned on is currently not
supported"?

[lilyhoughton, 2017/06/28 15:52:06]

Done.

+      [[NSMutableDictionary alloc] initWithDictionary:@{
+        NSLocalizedDescriptionKey : @"Unsupported configuration",
+        NSLocalizedRecoverySuggestionErrorKey :
+            @"Try disabling Public Key Pinning Bypass before pinning keys.",
+      }];
+  if (contradiction) {
+    errorDictionary[NSLocalizedFailureReasonErrorKey] = contradiction;
+  }
+
+  return [self createCronetErrorWith:CRNErrorUnsupportedConfig
+                            userInfo:errorDictionary];
+}
+
 + (NSError*)createCronetErrorWith:(int)errorCode

[kapishnikov, 2017/06/28 15:32:24]

Could you rename this method from "createCronetErrorWith" to
"createCronetErrorWithCode"?

[lilyhoughton, 2017/06/28 15:52:06]

Done.

                          userInfo:(NSDictionary*)userInfo {
   return [NSError errorWithDomain:CRNCronetErrorDomain
                              code:errorCode
                          userInfo:userInfo];
 }
 
 @end