Signed Exchange: Add scripts to generate test data

Bug: 803774
Change-Id: I9c9f9ff1a070b0bcf86312f6a80c56146b9d475b
Reviewed-on: https://chromium-review.googlesource.com/1143095Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#576751}

content/browser/web_package/signed_exchange_signature_verifier_unittest.cc

@@ -63,46 +63,11 @@ TEST(SignedExchangeSignatureVerifier, EncodeCanonicalExchangeHeaders) {
 const uint64_t kSignatureHeaderDate = 1517892341;
 const uint64_t kSignatureHeaderExpires = 1517895941;
 
-// See content/testdata/sxg/README on how to generate this data.
+// See content/testdata/sxg/README on how to generate these data.
 // clang-format off
-constexpr char kSignatureHeaderRSA[] =
-    "label; "
-    "sig=*RBFZPtl5xPDQyZuq4TcXY9fPkso5Edl7NofpdA9Bylwhvdsd7uCBAmOYx0BvXjrg8UVj"
-    "axIHeVNavLzTU42NZgSBd3po1qrT4TZb6piN/BMqmBWtaxEFxLaLZyBgrQpXN/l+OkWSvCF30"
-    "J9QEhqaI749SlVrrV37121Ik/WBIuo6Peo88HRP9292FEsrgwH3ggTJcTvkBbOIttO3UddEtN"
-    "3hQNNowNhsUCr3fXn0lIMW8Gyp0V6TVedIhgT7zqUxRqJRjedQzY+Bm7F01/jKzvD1etAcw7r"
-    "CidWFISmcyWjsLG1dlNtiZynO9gyyZduOSzBwEb9QcMTHekFsnmzFtg==*; "
-    "validity-url=\"https://example.com/resource.validity.msg\"; "
-    "integrity=\"mi-draft2\"; "
-    "cert-url=\"https://example.com/cert.msg\"; "
-    "cert-sha256=*tJGJP8ej7KCEW8VnVK3bKwpBza/oLrtWA75z5ZPptuc=*; "
-    "date=1517892341; expires=1517895941";
-// clang-format on
-
-// See content/testdata/sxg/README on how to generate this data.
-// clang-format off
-constexpr char kSignatureHeaderECDSAP256[] =
-    "label; "
-    "sig=*MEYCIQDtLdwjyge6hN35wF7SOgO2aHFYnVYqQvTguZmpZ2WncgIhAO22vzcYGuRXqnAX"
-    "3Bv/llls9DeQ2ecD8btESjxmRBmQ*; "
-    "validity-url=\"https://example.com/resource.validity.msg\"; "
-    "integrity=\"mi-draft2\"; "
-    "cert-url=\"https://example.com/cert.msg\"; "
-    "cert-sha256=*KX+BYLSMgDOON8Ju65RoId39Qvajxa12HO+WnD4HpS0=*; "
-    "date=1517892341; expires=1517895941";
-// clang-format on
-
-// See content/testdata/sxg/README on how to generate this data.
-// clang-format off
-constexpr char kSignatureHeaderECDSAP384[] =
-    "label; "
-    "sig=*MGUCMQDoljLI4+cdxPYk0e33WlIBILYN92fpDXG6tBs4GSW3NGcbnwaGxV8qRgg3PQdUZ"
-    "B4CMGe4bAef8YlOErfrfV6UdbAGNeBveoY4rMkDDaPCxt1aCCb/6BYzuFJn6maGOpDN5w==*; "
-    "validity-url=\"https://example.com/resource.validity.msg\"; "
-    "integrity=\"mi-draft2\"; "
-    "cert-url=\"https://example.com/cert.msg\"; "
-    "cert-sha256=*8X8y8nj8vDJHSSa0cxn+TCu+8zGpIJfbdzAnd5cW+jA=*; "
-    "date=1517892341; expires=1517895941";
+constexpr char kSignatureHeaderRSA[] = R"(label; sig=*yYFb09i7VXuqsGBxc3RuJzGL4XMD9bZ20kXWSv1JObEf7KIG0MznSE1nu1fE+7DrgWQxH7FQfSWjyseOAvxsBOfkptmCCi/Ffklz3N1UU8LfwfaLWj80oBqDeofiIYwevSSpsaRKBYie7KjiVOjslFLOGe82MmHyF2utFRKY/i6UAHgMrg2FGfbwBaJsxEgtpPcN8/QnFKgt1la+JjwvYbMHpJhHTedDqx9GCxJOzbJjKRL1E2tIBvhDfK2m3eJv/nqvgWkK3MOd/Xp4FkndciS3eNyZZjwvJ6IL/3x4e0AZ36KvglpS092ZftiE4lKQWnHmVeDRmEHW6qOyv1Q3+w==*; validity-url="https://example.com/resource.validity.msg"; integrity="mi-draft2"; cert-url="https://example.com/cert.msg"; cert-sha256=*tJGJP8ej7KCEW8VnVK3bKwpBza/oLrtWA75z5ZPptuc=*; date=1517892341; expires=1517895941)";
+constexpr char kSignatureHeaderECDSAP256[] = R"(label; sig=*MEQCIA0w6auOuWGT6//MO/h43/xkXBchJUOp53GU5dmA8U+/AiAe0FggCblVxzosT2Ow9rrC2Q8zO0DZPLSNbcu29xYP6g==*; validity-url="https://example.com/resource.validity.msg"; integrity="mi-draft2"; cert-url="https://example.com/cert.msg"; cert-sha256=*KX+BYLSMgDOON8Ju65RoId39Qvajxa12HO+WnD4HpS0=*; date=1517892341; expires=1517895941)";
+constexpr char kSignatureHeaderECDSAP384[] = R"(label; sig=*MGYCMQC/P8m0ZnPrIMlI3I412MixcK9cQSirIECUNR7pOIlTiLaH95L72KXqq2aL+lxxKIICMQDU3s/BhoWtR61eKG9SqgGHd0ZtUJVY24xaJ2yHiYWxZU/QhOr5ZArSj3x1khivpRg=*; validity-url="https://example.com/resource.validity.msg"; integrity="mi-draft2"; cert-url="https://example.com/cert.msg"; cert-sha256=*8X8y8nj8vDJHSSa0cxn+TCu+8zGpIJfbdzAnd5cW+jA=*; date=1517892341; expires=1517895941)";
 // clang-format on
 
 // |expires| (1518497142) is more than 7 days (604800 seconds) after |date|

content/test/data/sxg/README.md

+The key and certificate files (`*.key`, `*.csr`, `*.pem`) are
+generated by `generate-test-certs.sh` in this directory. It requires `openssl`
+be installed.
+
+The certificate cbor files (`*.cbor`) and the signed exchange files (`*.sxg`) in
+this directory are generated using `generate-test-sxgs.sh`.
+
+`generate-test-sxgs.sh` requires command-line tools in the
+[webpackage repository](https://github.com/WICG/webpackage). To install them,
+run:
+
+```
+go get -u github.com/WICG/webpackage/go/signedexchange/cmd/...
+```
+
+The revision of the tools used to generate the test files is `d4b8ed9`.

content/test/data/sxg/generate-test-certs.sh

+#!/bin/sh
+
+# Copyright 2018 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set -e
+
+# Generate a "secp256r1 (== prime256v1) ecdsa with sha256" key/cert pair
+openssl ecparam -out prime256v1.key -name prime256v1 -genkey
+
+openssl req -new -sha256 -key prime256v1.key -out prime256v1-sha256.csr \
+  -subj '/CN=test.example.org/O=Test/C=US'
+
+openssl x509 -req -days 360 -in prime256v1-sha256.csr \
+  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
+  -out prime256v1-sha256.public.pem -set_serial 1 \
+  -extfile x509.ext
+
+openssl x509 -req -days 360 -in prime256v1-sha256.csr \
+  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
+  -out prime256v1-sha256-noext.public.pem -set_serial 1
+
+# Generate a "secp384r1 ecdsa with sha256" key/cert pair for negative test
+openssl ecparam -out secp384r1.key -name secp384r1 -genkey
+
+openssl req -new -sha256 -key secp384r1.key -out secp384r1-sha256.csr \
+  --subj '/CN=test.example.org/O=Test/C=US'
+
+openssl x509 -req -days 360 -in secp384r1-sha256.csr \
+  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
+  -out secp384r1-sha256.public.pem -set_serial 1
+
+echo
+echo "Update the test certs in signed_exchange_signature_verifier_unittest.cc"
+echo "with the followings:"
+echo "===="
+
+echo 'constexpr char kCertPEMRSA[] = R"('
+sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
+  ../../../../net/data/ssl/certificates/wildcard.pem
+echo ')";'
+echo 'constexpr char kCertPEMECDSAP256[] = R"('
+cat ./prime256v1-sha256.public.pem
+echo ')";'
+echo 'constexpr char kCertPEMECDSAP384[] = R"('
+cat ./secp384r1-sha256.public.pem
+echo ')";'
+
+echo "===="

content/test/data/sxg/README → content/test/data/sxg/generate-test-sxgs.sh

-The certificate message files (*.msg) and the signed exchange files (*.sxg) in
-this directory are generated using the following commands.
+#!/bin/sh
 
-gen-certurl and gen-signedexchange are available in [webpackage repository][1].
-Revision cf19833 is used to generate these files.
+# Copyright 2018 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
 
- [1] https://github.com/WICG/webpackage
+set -e
 
-# Install gen-certurl command.
-go get -v -u github.com/WICG/webpackage/go/signedexchange/cmd/gen-certurl
+for cmd in gen-signedexchange gen-certurl dump-signedexchange; do
+    if ! command -v $cmd > /dev/null 2>&1; then
+        echo "$cmd is not installed. Please run:"
+        echo "  go get -u github.com/WICG/webpackage/go/signedexchange/cmd/..."
+        exit 1
+    fi
+done
 
-# Install gen-signedexchange command.
-go get -v -u github.com/WICG/webpackage/go/signedexchange/cmd/gen-signedexchange
-
-# Generate a "secp256r1 (== prime256v1) ecdsa with sha256" key/cert pair
-openssl ecparam -out prime256v1.key -name prime256v1 -genkey
-
-openssl req -new -sha256 -key prime256v1.key -out prime256v1-sha256.csr \
-  -subj '/CN=test.example.org/O=Test/C=US'
-
-openssl x509 -req -days 360 -in prime256v1-sha256.csr \
-  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
-  -out prime256v1-sha256.public.pem -set_serial 1 \
-  -extfile x509.ext
-
-openssl x509 -req -days 360 -in prime256v1-sha256.csr \
-  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
-  -out prime256v1-sha256-noext.public.pem -set_serial 1
+tmpdir=$(mktemp -d)
 
 # Make dummy OCSP and SCT data for cbor certificate chains.
-echo -n OCSP >/tmp/ocsp; echo -n SCT >/tmp/sct
+echo -n OCSP >$tmpdir/ocsp; echo -n SCT >$tmpdir/sct
 
 # Generate the certificate chain of "*.example.org".
 gen-certurl -pem prime256v1-sha256.public.pem \
-  -ocsp /tmp/ocsp -sct /tmp/sct > test.example.org.public.pem.cbor
+  -ocsp $tmpdir/ocsp -sct $tmpdir/sct > test.example.org.public.pem.cbor
 
 # Generate the certificate chain of "*.example.org", without
 # CanSignHttpExchangesDraft extension.
 gen-certurl -pem prime256v1-sha256-noext.public.pem \
-  -ocsp /tmp/ocsp -sct /tmp/sct > test.example.org-noext.public.pem.cbor
+  -ocsp $tmpdir/ocsp -sct $tmpdir/sct > test.example.org-noext.public.pem.cbor
 
 # Generate the signed exchange file.
 gen-signedexchange \
@@ -91,34 +80,58 @@ gen-signedexchange \
   -date 2018-03-12T05:53:20Z \
   -o test.example.org_hello.txt.sxg
 
-# Generate a "secp384r1 ecdsa with sha256" key/cert pair for negative test
-openssl ecparam -out secp384r1.key -name secp384r1 -genkey
+echo "Update the test signatures in "
+echo "signed_exchange_signature_verifier_unittest.cc with the followings:"
+echo "===="
 
-openssl req -new -sha256 -key secp384r1.key -out secp384r1-sha256.csr \
-  --subj '/CN=test.example.org/O=Test/C=US'
-
-openssl x509 -req -days 360 -in secp384r1-sha256.csr \
-  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
-  -out secp384r1-sha256.public.pem -set_serial 1
-
-# Generate test signatures in signed_exchange_signature_verifier_unittest.cc
+sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' \
+  ../../../../net/data/ssl/certificates/wildcard.pem \
+  > $tmpdir/wildcard_example.org.private.pem
+sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
+  ../../../../net/data/ssl/certificates/wildcard.pem \
+  > $tmpdir/wildcard_example.org.public.pem
 gen-signedexchange \
   -uri https://test.example.org/test/ \
   -content test.html \
-  -certificate ./prime256v1-sha256.public.pem \
-  -privateKey ./prime256v1.key \
-  -date 2018-02-06T04:45:41Z
+  -certificate $tmpdir/wildcard_example.org.public.pem \
+  -privateKey $tmpdir/wildcard_example.org.private.pem \
+  -date 2018-02-06T04:45:41Z \
+  -o $tmpdir/out.htxg
+
+echo -n 'constexpr char kSignatureHeaderRSA[] = R"('
+dump-signedexchange -i $tmpdir/out.htxg | \
+    sed -n 's/^signature: //p' | \
+    tr -d '\n'
+echo ')";'
 
 gen-signedexchange \
   -uri https://test.example.org/test/ \
   -content test.html \
   -certificate ./prime256v1-sha256.public.pem \
   -privateKey ./prime256v1.key \
-  -date 2018-02-06T04:45:41Z
+  -date 2018-02-06T04:45:41Z \
+  -o $tmpdir/out.htxg
+
+echo -n 'constexpr char kSignatureHeaderECDSAP256[] = R"('
+dump-signedexchange -i $tmpdir/out.htxg | \
+    sed -n 's/^signature: //p' | \
+    tr -d '\n'
+echo ')";'
 
 gen-signedexchange \
   -uri https://test.example.org/test/ \
   -content test.html \
   -certificate ./secp384r1-sha256.public.pem \
   -privateKey ./secp384r1.key \
-  -date 2018-02-06T04:45:41Z
+  -date 2018-02-06T04:45:41Z \
+  -o $tmpdir/out.htxg
+
+echo -n 'constexpr char kSignatureHeaderECDSAP384[] = R"('
+dump-signedexchange -i $tmpdir/out.htxg | \
+    sed -n 's/^signature: //p' | \
+    tr -d '\n'
+echo ')";'
+
+echo "===="
+
+rm -fr $tmpdir