Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2015 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package android.security.net.config; |
| 18 | |
| 19 | import android.content.Context; |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 20 | import android.content.pm.ApplicationInfo; |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 21 | import android.test.AndroidTestCase; |
| 22 | import android.test.MoreAsserts; |
| 23 | import android.util.ArraySet; |
| 24 | import android.util.Pair; |
| 25 | import java.io.IOException; |
Chad Brubaker | dd586a4 | 2015-12-10 18:32:40 -0800 | [diff] [blame] | 26 | import java.net.InetAddress; |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 27 | import java.net.Socket; |
| 28 | import java.net.URL; |
Chad Brubaker | 5a1078f | 2015-11-10 12:26:18 -0800 | [diff] [blame] | 29 | import java.security.KeyStore; |
| 30 | import java.security.Provider; |
| 31 | import java.security.Security; |
| 32 | import java.security.cert.X509Certificate; |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 33 | import java.util.ArrayList; |
| 34 | import java.util.Collections; |
Chad Brubaker | 08d3620 | 2015-11-09 13:38:51 -0800 | [diff] [blame] | 35 | import java.util.Set; |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 36 | import javax.net.ssl.HttpsURLConnection; |
| 37 | import javax.net.ssl.SSLContext; |
| 38 | import javax.net.ssl.SSLHandshakeException; |
Chad Brubaker | dd586a4 | 2015-12-10 18:32:40 -0800 | [diff] [blame] | 39 | import javax.net.ssl.SSLSocket; |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 40 | import javax.net.ssl.TrustManager; |
Chad Brubaker | 5a1078f | 2015-11-10 12:26:18 -0800 | [diff] [blame] | 41 | import javax.net.ssl.TrustManagerFactory; |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 42 | |
| 43 | public class XmlConfigTests extends AndroidTestCase { |
| 44 | |
Chad Brubaker | 08d3620 | 2015-11-09 13:38:51 -0800 | [diff] [blame] | 45 | private final static String DEBUG_CA_SUBJ = "O=AOSP, CN=Test debug CA"; |
| 46 | |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 47 | public void testEmptyConfigFile() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 48 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.empty_config, |
| 49 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 50 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 51 | assertFalse(appConfig.hasPerDomainConfigs()); |
| 52 | NetworkSecurityConfig config = appConfig.getConfigForHostname(""); |
| 53 | assertNotNull(config); |
| 54 | // Check defaults. |
| 55 | assertTrue(config.isCleartextTrafficPermitted()); |
| 56 | assertFalse(config.isHstsEnforced()); |
| 57 | assertFalse(config.getTrustAnchors().isEmpty()); |
| 58 | PinSet pinSet = config.getPins(); |
| 59 | assertTrue(pinSet.pins.isEmpty()); |
| 60 | // Try some connections. |
| 61 | SSLContext context = TestUtils.getSSLContext(source); |
| 62 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 63 | TestUtils.assertConnectionSucceeds(context, "developer.android.com", 443); |
| 64 | TestUtils.assertUrlConnectionSucceeds(context, "google.com", 443); |
| 65 | } |
| 66 | |
| 67 | public void testEmptyAnchors() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 68 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.empty_trust, |
| 69 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 70 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 71 | assertFalse(appConfig.hasPerDomainConfigs()); |
| 72 | NetworkSecurityConfig config = appConfig.getConfigForHostname(""); |
| 73 | assertNotNull(config); |
| 74 | // Check defaults. |
| 75 | assertTrue(config.isCleartextTrafficPermitted()); |
| 76 | assertFalse(config.isHstsEnforced()); |
| 77 | assertTrue(config.getTrustAnchors().isEmpty()); |
| 78 | PinSet pinSet = config.getPins(); |
| 79 | assertTrue(pinSet.pins.isEmpty()); |
| 80 | SSLContext context = TestUtils.getSSLContext(source); |
| 81 | TestUtils.assertConnectionFails(context, "android.com", 443); |
| 82 | TestUtils.assertConnectionFails(context, "developer.android.com", 443); |
| 83 | TestUtils.assertUrlConnectionFails(context, "google.com", 443); |
| 84 | } |
| 85 | |
| 86 | public void testBasicDomainConfig() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 87 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.domain1, |
| 88 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 89 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 90 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 91 | NetworkSecurityConfig config = appConfig.getConfigForHostname(""); |
| 92 | assertNotNull(config); |
| 93 | // Check defaults. |
| 94 | assertTrue(config.isCleartextTrafficPermitted()); |
| 95 | assertFalse(config.isHstsEnforced()); |
| 96 | assertTrue(config.getTrustAnchors().isEmpty()); |
| 97 | PinSet pinSet = config.getPins(); |
| 98 | assertTrue(pinSet.pins.isEmpty()); |
| 99 | // Check android.com. |
| 100 | config = appConfig.getConfigForHostname("android.com"); |
| 101 | assertTrue(config.isCleartextTrafficPermitted()); |
| 102 | assertFalse(config.isHstsEnforced()); |
| 103 | assertFalse(config.getTrustAnchors().isEmpty()); |
| 104 | pinSet = config.getPins(); |
| 105 | assertTrue(pinSet.pins.isEmpty()); |
| 106 | // Try connections. |
| 107 | SSLContext context = TestUtils.getSSLContext(source); |
| 108 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 109 | TestUtils.assertConnectionFails(context, "developer.android.com", 443); |
| 110 | TestUtils.assertUrlConnectionFails(context, "google.com", 443); |
| 111 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
Chad Brubaker | dd586a4 | 2015-12-10 18:32:40 -0800 | [diff] [blame] | 112 | // Check that sockets created without the hostname fail with per-domain configs |
| 113 | SSLSocket socket = (SSLSocket) context.getSocketFactory() |
| 114 | .createSocket(InetAddress.getByName("android.com"), 443); |
| 115 | try { |
| 116 | socket.startHandshake(); |
| 117 | socket.getInputStream(); |
| 118 | fail(); |
| 119 | } catch (IOException expected) { |
| 120 | } |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 121 | } |
| 122 | |
| 123 | public void testBasicPinning() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 124 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.pins1, |
| 125 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 126 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 127 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 128 | // Check android.com. |
| 129 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 130 | PinSet pinSet = config.getPins(); |
| 131 | assertFalse(pinSet.pins.isEmpty()); |
| 132 | // Try connections. |
| 133 | SSLContext context = TestUtils.getSSLContext(source); |
| 134 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 135 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
| 136 | TestUtils.assertConnectionSucceeds(context, "google.com", 443); |
| 137 | } |
| 138 | |
| 139 | public void testExpiredPin() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 140 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.expired_pin, |
| 141 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 142 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 143 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 144 | // Check android.com. |
| 145 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 146 | PinSet pinSet = config.getPins(); |
| 147 | assertFalse(pinSet.pins.isEmpty()); |
| 148 | // Try connections. |
| 149 | SSLContext context = TestUtils.getSSLContext(source); |
| 150 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 151 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
| 152 | } |
| 153 | |
| 154 | public void testOverridesPins() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 155 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.override_pins, |
| 156 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 157 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 158 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 159 | // Check android.com. |
| 160 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 161 | PinSet pinSet = config.getPins(); |
| 162 | assertFalse(pinSet.pins.isEmpty()); |
| 163 | // Try connections. |
| 164 | SSLContext context = TestUtils.getSSLContext(source); |
| 165 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 166 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
| 167 | } |
| 168 | |
| 169 | public void testBadPin() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 170 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.bad_pin, |
| 171 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 172 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 173 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 174 | // Check android.com. |
| 175 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 176 | PinSet pinSet = config.getPins(); |
| 177 | assertFalse(pinSet.pins.isEmpty()); |
| 178 | // Try connections. |
| 179 | SSLContext context = TestUtils.getSSLContext(source); |
| 180 | TestUtils.assertConnectionFails(context, "android.com", 443); |
| 181 | TestUtils.assertUrlConnectionFails(context, "android.com", 443); |
| 182 | TestUtils.assertConnectionSucceeds(context, "google.com", 443); |
| 183 | } |
| 184 | |
| 185 | public void testMultipleDomains() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 186 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.multiple_domains, |
| 187 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 188 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 189 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 190 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 191 | assertTrue(config.isCleartextTrafficPermitted()); |
| 192 | assertFalse(config.isHstsEnforced()); |
| 193 | assertFalse(config.getTrustAnchors().isEmpty()); |
| 194 | PinSet pinSet = config.getPins(); |
| 195 | assertTrue(pinSet.pins.isEmpty()); |
| 196 | // Both android.com and google.com should use the same config |
| 197 | NetworkSecurityConfig other = appConfig.getConfigForHostname("google.com"); |
| 198 | assertEquals(config, other); |
| 199 | // Try connections. |
| 200 | SSLContext context = TestUtils.getSSLContext(source); |
| 201 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 202 | TestUtils.assertConnectionSucceeds(context, "google.com", 443); |
| 203 | TestUtils.assertConnectionFails(context, "developer.android.com", 443); |
| 204 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
| 205 | } |
| 206 | |
| 207 | public void testMultipleDomainConfigs() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 208 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.multiple_configs, |
| 209 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 210 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 211 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 212 | // Should be two different config objects |
| 213 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 214 | NetworkSecurityConfig other = appConfig.getConfigForHostname("google.com"); |
| 215 | MoreAsserts.assertNotEqual(config, other); |
| 216 | // Try connections. |
| 217 | SSLContext context = TestUtils.getSSLContext(source); |
| 218 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 219 | TestUtils.assertConnectionSucceeds(context, "google.com", 443); |
| 220 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
| 221 | } |
| 222 | |
| 223 | public void testIncludeSubdomains() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 224 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.subdomains, |
| 225 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 226 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 227 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 228 | // Try connections. |
| 229 | SSLContext context = TestUtils.getSSLContext(source); |
| 230 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 231 | TestUtils.assertConnectionSucceeds(context, "developer.android.com", 443); |
| 232 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
| 233 | TestUtils.assertUrlConnectionSucceeds(context, "developer.android.com", 443); |
| 234 | TestUtils.assertConnectionFails(context, "google.com", 443); |
| 235 | } |
| 236 | |
| 237 | public void testAttributes() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 238 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.attributes, |
| 239 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 240 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 241 | assertFalse(appConfig.hasPerDomainConfigs()); |
| 242 | NetworkSecurityConfig config = appConfig.getConfigForHostname(""); |
| 243 | assertTrue(config.isHstsEnforced()); |
| 244 | assertFalse(config.isCleartextTrafficPermitted()); |
| 245 | } |
| 246 | |
| 247 | public void testResourcePemCertificateSource() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 248 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.resource_anchors_pem, |
| 249 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 250 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 251 | // Check android.com. |
| 252 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 253 | assertTrue(config.isCleartextTrafficPermitted()); |
| 254 | assertFalse(config.isHstsEnforced()); |
| 255 | assertEquals(2, config.getTrustAnchors().size()); |
| 256 | // Try connections. |
| 257 | SSLContext context = TestUtils.getSSLContext(source); |
| 258 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 259 | TestUtils.assertConnectionFails(context, "developer.android.com", 443); |
| 260 | TestUtils.assertUrlConnectionFails(context, "google.com", 443); |
| 261 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
| 262 | } |
| 263 | |
| 264 | public void testResourceDerCertificateSource() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 265 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.resource_anchors_der, |
| 266 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 267 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 268 | // Check android.com. |
| 269 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 270 | assertTrue(config.isCleartextTrafficPermitted()); |
| 271 | assertFalse(config.isHstsEnforced()); |
| 272 | assertEquals(2, config.getTrustAnchors().size()); |
| 273 | // Try connections. |
| 274 | SSLContext context = TestUtils.getSSLContext(source); |
| 275 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 276 | TestUtils.assertConnectionFails(context, "developer.android.com", 443); |
| 277 | TestUtils.assertUrlConnectionFails(context, "google.com", 443); |
| 278 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
| 279 | } |
| 280 | |
Chad Brubaker | bd173c2 | 2015-11-06 23:02:37 -0800 | [diff] [blame] | 281 | public void testNestedDomainConfigs() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 282 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.nested_domains, |
| 283 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | bd173c2 | 2015-11-06 23:02:37 -0800 | [diff] [blame] | 284 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 285 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 286 | NetworkSecurityConfig parent = appConfig.getConfigForHostname("android.com"); |
| 287 | NetworkSecurityConfig child = appConfig.getConfigForHostname("developer.android.com"); |
| 288 | MoreAsserts.assertNotEqual(parent, child); |
| 289 | MoreAsserts.assertEmpty(parent.getPins().pins); |
| 290 | MoreAsserts.assertNotEmpty(child.getPins().pins); |
| 291 | // Check that the child inherited the cleartext value and anchors. |
| 292 | assertFalse(child.isCleartextTrafficPermitted()); |
| 293 | MoreAsserts.assertNotEmpty(child.getTrustAnchors()); |
| 294 | // Test connections. |
| 295 | SSLContext context = TestUtils.getSSLContext(source); |
| 296 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 297 | TestUtils.assertConnectionSucceeds(context, "developer.android.com", 443); |
| 298 | } |
| 299 | |
| 300 | public void testNestedDomainConfigsOverride() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 301 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.nested_domains_override, |
| 302 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | bd173c2 | 2015-11-06 23:02:37 -0800 | [diff] [blame] | 303 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 304 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 305 | NetworkSecurityConfig parent = appConfig.getConfigForHostname("android.com"); |
| 306 | NetworkSecurityConfig child = appConfig.getConfigForHostname("developer.android.com"); |
| 307 | MoreAsserts.assertNotEqual(parent, child); |
| 308 | assertTrue(parent.isCleartextTrafficPermitted()); |
| 309 | assertFalse(child.isCleartextTrafficPermitted()); |
| 310 | } |
| 311 | |
Chad Brubaker | 08d3620 | 2015-11-09 13:38:51 -0800 | [diff] [blame] | 312 | public void testDebugOverridesDisabled() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 313 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.debug_basic, |
| 314 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 08d3620 | 2015-11-09 13:38:51 -0800 | [diff] [blame] | 315 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 316 | NetworkSecurityConfig config = appConfig.getConfigForHostname(""); |
| 317 | Set<TrustAnchor> anchors = config.getTrustAnchors(); |
| 318 | MoreAsserts.assertEmpty(anchors); |
| 319 | SSLContext context = TestUtils.getSSLContext(source); |
| 320 | TestUtils.assertConnectionFails(context, "android.com", 443); |
| 321 | TestUtils.assertConnectionFails(context, "developer.android.com", 443); |
| 322 | } |
| 323 | |
| 324 | public void testBasicDebugOverrides() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 325 | ApplicationInfo info = TestUtils.makeApplicationInfo(); |
| 326 | info.flags |= ApplicationInfo.FLAG_DEBUGGABLE; |
| 327 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.debug_basic, info); |
Chad Brubaker | 08d3620 | 2015-11-09 13:38:51 -0800 | [diff] [blame] | 328 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 329 | NetworkSecurityConfig config = appConfig.getConfigForHostname(""); |
| 330 | Set<TrustAnchor> anchors = config.getTrustAnchors(); |
| 331 | MoreAsserts.assertNotEmpty(anchors); |
| 332 | for (TrustAnchor anchor : anchors) { |
| 333 | assertTrue(anchor.overridesPins); |
| 334 | } |
| 335 | SSLContext context = TestUtils.getSSLContext(source); |
| 336 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 337 | TestUtils.assertConnectionSucceeds(context, "developer.android.com", 443); |
| 338 | } |
| 339 | |
| 340 | public void testDebugOverridesWithDomain() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 341 | ApplicationInfo info = TestUtils.makeApplicationInfo(); |
| 342 | info.flags |= ApplicationInfo.FLAG_DEBUGGABLE; |
| 343 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.debug_domain, info); |
Chad Brubaker | 08d3620 | 2015-11-09 13:38:51 -0800 | [diff] [blame] | 344 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 345 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 346 | Set<TrustAnchor> anchors = config.getTrustAnchors(); |
| 347 | boolean foundDebugCA = false; |
| 348 | for (TrustAnchor anchor : anchors) { |
| 349 | if (anchor.certificate.getSubjectDN().toString().equals(DEBUG_CA_SUBJ)) { |
| 350 | foundDebugCA = true; |
| 351 | assertTrue(anchor.overridesPins); |
| 352 | } |
| 353 | } |
| 354 | assertTrue(foundDebugCA); |
| 355 | SSLContext context = TestUtils.getSSLContext(source); |
| 356 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 357 | TestUtils.assertConnectionSucceeds(context, "developer.android.com", 443); |
| 358 | } |
| 359 | |
| 360 | public void testDebugInherit() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 361 | ApplicationInfo info = TestUtils.makeApplicationInfo(); |
| 362 | info.flags |= ApplicationInfo.FLAG_DEBUGGABLE; |
| 363 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.debug_domain, info); |
Chad Brubaker | 08d3620 | 2015-11-09 13:38:51 -0800 | [diff] [blame] | 364 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 365 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 366 | Set<TrustAnchor> anchors = config.getTrustAnchors(); |
| 367 | boolean foundDebugCA = false; |
| 368 | for (TrustAnchor anchor : anchors) { |
| 369 | if (anchor.certificate.getSubjectDN().toString().equals(DEBUG_CA_SUBJ)) { |
| 370 | foundDebugCA = true; |
| 371 | assertTrue(anchor.overridesPins); |
| 372 | } |
| 373 | } |
| 374 | assertTrue(foundDebugCA); |
| 375 | assertTrue(anchors.size() > 1); |
| 376 | SSLContext context = TestUtils.getSSLContext(source); |
| 377 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 378 | TestUtils.assertConnectionSucceeds(context, "developer.android.com", 443); |
| 379 | } |
| 380 | |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 381 | private void testBadConfig(int configId) throws Exception { |
| 382 | try { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 383 | XmlConfigSource source = new XmlConfigSource(getContext(), configId, |
| 384 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 385 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 386 | appConfig.getConfigForHostname("android.com"); |
| 387 | fail("Bad config " + getContext().getResources().getResourceName(configId) |
| 388 | + " did not fail to parse"); |
| 389 | } catch (RuntimeException e) { |
| 390 | MoreAsserts.assertAssignableFrom(XmlConfigSource.ParserException.class, |
| 391 | e.getCause()); |
| 392 | } |
| 393 | } |
| 394 | |
| 395 | public void testBadConfig0() throws Exception { |
| 396 | testBadConfig(R.xml.bad_config0); |
| 397 | } |
| 398 | |
| 399 | public void testBadConfig1() throws Exception { |
| 400 | testBadConfig(R.xml.bad_config1); |
| 401 | } |
| 402 | |
| 403 | public void testBadConfig2() throws Exception { |
| 404 | testBadConfig(R.xml.bad_config2); |
| 405 | } |
| 406 | |
| 407 | public void testBadConfig3() throws Exception { |
| 408 | testBadConfig(R.xml.bad_config3); |
| 409 | } |
| 410 | |
| 411 | public void testBadConfig4() throws Exception { |
| 412 | testBadConfig(R.xml.bad_config4); |
| 413 | } |
| 414 | |
| 415 | public void testBadConfig5() throws Exception { |
| 416 | testBadConfig(R.xml.bad_config4); |
| 417 | } |
Chad Brubaker | 5a1078f | 2015-11-10 12:26:18 -0800 | [diff] [blame] | 418 | |
| 419 | public void testTrustManagerKeystore() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 420 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.bad_pin, |
| 421 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 5a1078f | 2015-11-10 12:26:18 -0800 | [diff] [blame] | 422 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 423 | Provider provider = new NetworkSecurityConfigProvider(); |
| 424 | TrustManagerFactory tmf = |
| 425 | TrustManagerFactory.getInstance("PKIX", provider); |
| 426 | KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); |
| 427 | keystore.load(null); |
| 428 | int i = 0; |
| 429 | for (X509Certificate cert : SystemCertificateSource.getInstance().getCertificates()) { |
| 430 | keystore.setEntry(String.valueOf(i), |
| 431 | new KeyStore.TrustedCertificateEntry(cert), |
| 432 | null); |
| 433 | i++; |
| 434 | } |
| 435 | tmf.init(keystore); |
| 436 | TrustManager[] tms = tmf.getTrustManagers(); |
| 437 | SSLContext context = SSLContext.getInstance("TLS"); |
| 438 | context.init(null, tms, null); |
| 439 | TestUtils.assertConnectionSucceeds(context, "android.com" , 443); |
| 440 | } |
Chad Brubaker | d3af962 | 2015-11-16 10:48:20 -0800 | [diff] [blame] | 441 | |
| 442 | public void testDebugDedup() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 443 | ApplicationInfo info = TestUtils.makeApplicationInfo(); |
| 444 | info.flags |= ApplicationInfo.FLAG_DEBUGGABLE; |
| 445 | XmlConfigSource source = new XmlConfigSource(getContext(), R.xml.override_dedup, info); |
Chad Brubaker | d3af962 | 2015-11-16 10:48:20 -0800 | [diff] [blame] | 446 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 447 | assertTrue(appConfig.hasPerDomainConfigs()); |
| 448 | // Check android.com. |
| 449 | NetworkSecurityConfig config = appConfig.getConfigForHostname("android.com"); |
| 450 | PinSet pinSet = config.getPins(); |
| 451 | assertFalse(pinSet.pins.isEmpty()); |
| 452 | // Check that all TrustAnchors come from the override pins debug source. |
| 453 | for (TrustAnchor anchor : config.getTrustAnchors()) { |
| 454 | assertTrue(anchor.overridesPins); |
| 455 | } |
| 456 | // Try connections. |
| 457 | SSLContext context = TestUtils.getSSLContext(source); |
| 458 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 459 | TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443); |
| 460 | } |
Chad Brubaker | 567f6f24 | 2016-02-29 14:02:32 -0800 | [diff] [blame] | 461 | |
| 462 | public void testExtraDebugResource() throws Exception { |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 463 | ApplicationInfo info = TestUtils.makeApplicationInfo(); |
| 464 | info.flags |= ApplicationInfo.FLAG_DEBUGGABLE; |
Chad Brubaker | 567f6f24 | 2016-02-29 14:02:32 -0800 | [diff] [blame] | 465 | XmlConfigSource source = |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 466 | new XmlConfigSource(getContext(), R.xml.extra_debug_resource, info); |
Chad Brubaker | 567f6f24 | 2016-02-29 14:02:32 -0800 | [diff] [blame] | 467 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 468 | assertFalse(appConfig.hasPerDomainConfigs()); |
| 469 | NetworkSecurityConfig config = appConfig.getConfigForHostname(""); |
| 470 | MoreAsserts.assertNotEmpty(config.getTrustAnchors()); |
| 471 | |
| 472 | // Check that the _debug file is ignored if debug is false. |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 473 | source = new XmlConfigSource(getContext(), R.xml.extra_debug_resource, |
| 474 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 567f6f24 | 2016-02-29 14:02:32 -0800 | [diff] [blame] | 475 | appConfig = new ApplicationConfig(source); |
| 476 | assertFalse(appConfig.hasPerDomainConfigs()); |
| 477 | config = appConfig.getConfigForHostname(""); |
| 478 | MoreAsserts.assertEmpty(config.getTrustAnchors()); |
| 479 | } |
| 480 | |
| 481 | public void testExtraDebugResourceIgnored() throws Exception { |
| 482 | // Verify that parsing the extra debug config resource fails only when debugging is true. |
| 483 | XmlConfigSource source = |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 484 | new XmlConfigSource(getContext(), R.xml.bad_extra_debug_resource, |
| 485 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 567f6f24 | 2016-02-29 14:02:32 -0800 | [diff] [blame] | 486 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 487 | // Force parsing the config file. |
| 488 | appConfig.getConfigForHostname(""); |
| 489 | |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 490 | ApplicationInfo info = TestUtils.makeApplicationInfo(); |
| 491 | info.flags |= ApplicationInfo.FLAG_DEBUGGABLE; |
| 492 | source = new XmlConfigSource(getContext(), R.xml.bad_extra_debug_resource, info); |
Chad Brubaker | 567f6f24 | 2016-02-29 14:02:32 -0800 | [diff] [blame] | 493 | appConfig = new ApplicationConfig(source); |
| 494 | try { |
| 495 | appConfig.getConfigForHostname(""); |
| 496 | fail("Bad extra debug resource did not fail to parse"); |
| 497 | } catch (RuntimeException expected) { |
| 498 | } |
| 499 | } |
Chad Brubaker | 7cc736d | 2016-03-23 14:59:14 -0700 | [diff] [blame] | 500 | |
| 501 | public void testDomainWhitespaceTrimming() throws Exception { |
| 502 | XmlConfigSource source = |
Chad Brubaker | 5ac2ea1 | 2017-10-18 10:35:04 -0700 | [diff] [blame] | 503 | new XmlConfigSource(getContext(), R.xml.domain_whitespace, |
| 504 | TestUtils.makeApplicationInfo()); |
Chad Brubaker | 7cc736d | 2016-03-23 14:59:14 -0700 | [diff] [blame] | 505 | ApplicationConfig appConfig = new ApplicationConfig(source); |
| 506 | NetworkSecurityConfig defaultConfig = appConfig.getConfigForHostname(""); |
| 507 | MoreAsserts.assertNotEqual(defaultConfig, appConfig.getConfigForHostname("developer.android.com")); |
| 508 | MoreAsserts.assertNotEqual(defaultConfig, appConfig.getConfigForHostname("android.com")); |
| 509 | SSLContext context = TestUtils.getSSLContext(source); |
| 510 | TestUtils.assertConnectionSucceeds(context, "android.com", 443); |
| 511 | TestUtils.assertConnectionSucceeds(context, "developer.android.com", 443); |
| 512 | } |
Chad Brubaker | 5f96702 | 2015-11-04 23:55:29 -0800 | [diff] [blame] | 513 | } |