From cb1de097292d3d13388d46af007493d2c3f15b40 Mon Sep 17 00:00:00 2001
From: Thiébaud Weksteen <tweek@google.com>
Date: Tue, 14 Jan 2025 13:29:00 +1100
Subject: Fix NetworkSecurityConfigTest tests

Update the intermediate certificate pin reference (WR2).

Other tests were failing because HttpsURLConnection was trying to follow
the HTTP 301 returned by android.com to www.android.com. Update
TestUtils to not follow any HTTP redirection.

Test: atest NetworkSecurityConfigTest
Bug: 259406200
Change-Id: I570b12b1d665270aeddb38379f4bc10abbe674e6
---
 tests/NetworkSecurityConfigTest/res/xml/domain_whitespace.xml         | 2 +-
 tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml            | 2 +-
 tests/NetworkSecurityConfigTest/res/xml/pins1.xml                     | 2 +-
 .../src/android/security/net/config/NetworkSecurityConfigTests.java   | 4 ++--
 .../src/android/security/net/config/TestUtils.java                    | 2 ++
 5 files changed, 7 insertions(+), 5 deletions(-)

(limited to 'tests')

diff --git a/tests/NetworkSecurityConfigTest/res/xml/domain_whitespace.xml b/tests/NetworkSecurityConfigTest/res/xml/domain_whitespace.xml
index 99106ad37783..5d488410aef7 100644
--- a/tests/NetworkSecurityConfigTest/res/xml/domain_whitespace.xml
+++ b/tests/NetworkSecurityConfigTest/res/xml/domain_whitespace.xml
@@ -5,7 +5,7 @@
     </domain>
     <domain>   developer.android.com    </domain>
     <pin-set>
-      <pin digest="SHA-256">  zCTnfLwLKbS9S2sbp+uFz4KZOocFvXxkV06Ce9O5M2w=  </pin>
+      <pin digest="SHA-256"> YPtHaftLw6/0vnc2BnNKGF54xiCA28WFcccjkA4ypCM=  </pin>
     </pin-set>
   </domain-config>
 </network-security-config>
diff --git a/tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml b/tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml
index 232f88ff6cc9..731f0f041042 100644
--- a/tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml
+++ b/tests/NetworkSecurityConfigTest/res/xml/nested_domains.xml
@@ -9,7 +9,7 @@
       <domain-config>
           <domain>developer.android.com</domain>
           <pin-set>
-              <pin digest="SHA-256">zCTnfLwLKbS9S2sbp+uFz4KZOocFvXxkV06Ce9O5M2w=</pin>
+              <pin digest="SHA-256">YPtHaftLw6/0vnc2BnNKGF54xiCA28WFcccjkA4ypCM=</pin>
           </pin-set>
       </domain-config>
     </domain-config>
diff --git a/tests/NetworkSecurityConfigTest/res/xml/pins1.xml b/tests/NetworkSecurityConfigTest/res/xml/pins1.xml
index 7cc81b0101f1..2e49188ec4dc 100644
--- a/tests/NetworkSecurityConfigTest/res/xml/pins1.xml
+++ b/tests/NetworkSecurityConfigTest/res/xml/pins1.xml
@@ -3,7 +3,7 @@
   <domain-config>
     <domain>android.com</domain>
     <pin-set>
-      <pin digest="SHA-256">zCTnfLwLKbS9S2sbp+uFz4KZOocFvXxkV06Ce9O5M2w=</pin>
+      <pin digest="SHA-256">YPtHaftLw6/0vnc2BnNKGF54xiCA28WFcccjkA4ypCM=</pin>
     </pin-set>
   </domain-config>
 </network-security-config>
diff --git a/tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java b/tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java
index c6fe06858e3f..6207a6295ebf 100644
--- a/tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java
+++ b/tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java
@@ -40,9 +40,9 @@ public class NetworkSecurityConfigTests extends ActivityUnitTestCase<Activity> {
         super(Activity.class);
     }
 
-    // SHA-256 of the GTS intermediate CA (CN = GTS CA 1C3) for android.com (as of 09/2023).
+    // SHA-256 of the GTS intermediate CA (CN = WR2) for android.com (as of 01/2025).
     private static final byte[] GTS_INTERMEDIATE_SPKI_SHA256 =
-        hexToBytes("cc24e77cbc0b29b4bd4b6b1ba7eb85cf82993a8705bd7c64574e827bd3b9336c");
+        hexToBytes("60fb4769fb4bc3aff4be773606734a185e78c62080dbc58571c723900e32a423");
 
     private static final byte[] TEST_CA_BYTES
             = hexToBytes(
diff --git a/tests/NetworkSecurityConfigTest/src/android/security/net/config/TestUtils.java b/tests/NetworkSecurityConfigTest/src/android/security/net/config/TestUtils.java
index 39b5cb4c4f0d..e140d1a0a94c 100644
--- a/tests/NetworkSecurityConfigTest/src/android/security/net/config/TestUtils.java
+++ b/tests/NetworkSecurityConfigTest/src/android/security/net/config/TestUtils.java
@@ -55,6 +55,7 @@ public final class TestUtils {
             throws Exception {
         URL url = new URL("https://" + host + ":" + port);
         HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
+        connection.setInstanceFollowRedirects(false);
         connection.setSSLSocketFactory(context.getSocketFactory());
         try {
             connection.getInputStream();
@@ -68,6 +69,7 @@ public final class TestUtils {
             throws Exception {
         URL url = new URL("https://" + host + ":" + port);
         HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
+        connection.setInstanceFollowRedirects(false);
         connection.setSSLSocketFactory(context.getSocketFactory());
         connection.getInputStream();
     }
-- 
cgit v1.2.3-59-g8ed1b