Trust Tokens: Add more browser tests covering request signing

This change expands the Trust Tokens browser tests to cover additional signing-related cases: - issuance and redemption against one issuer, then signing against a different issuer -> should fail - signing includes timestamp header if requested - gamut of signRequestData parameter: `omit` should lead to no signature, `headers-only` to signature over SRR, ... - non-OK header in additionalSignedHeaders -> should error Previous changes (crrev.com/c/2308860, crrev.com/c/2309007) added more tests covering issuance and redemption. Bug: 1071293 Change-Id: I702e0f3e3d17c703239e66781af2c64bc0cb0fea Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2308866Reviewed-by: Charlie Harrison <csharrison@chromium.org> Commit-Queue: David Van Cleve <davidvc@chromium.org> Cr-Commit-Position: refs/heads/master@{#826016}

Trust Tokens: Add more browser tests covering request signing
This change expands the Trust Tokens browser tests to cover additional signing-related cases: - issuance and redemption against one issuer, then signing against a different issuer -> should fail - signing includes timestamp header if requested - gamut of signRequestData parameter: `omit` should lead to no signature, `headers-only` to signature over SRR, ... - non-OK header in additionalSignedHeaders -> should error Previous changes (crrev.com/c/2308860, crrev.com/c/2309007) added more tests covering issuance and redemption. Bug: 1071293 Change-Id: I702e0f3e3d17c703239e66781af2c64bc0cb0fea Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2308866Reviewed-by: Charlie Harrison <csharrison@chromium.org> Commit-Queue: David Van Cleve <davidvc@chromium.org> Cr-Commit-Position: refs/heads/master@{#826016}
9183f02d · David Van Cleve · Commit Bot · b762d3ac · 9183f02d · 9183f02d
Commit 9183f02d authored Nov 10, 2020 by David Van Cleve Committed by Commit Bot Nov 10, 2020
5 changed files
--- a/content/test/trust_token_browsertest.cc
+++ b/content/test/trust_token_browsertest.cc
--- a/services/network/trust_tokens/test/signed_request_verification_util.cc
+++ b/services/network/trust_tokens/test/signed_request_verification_util.cc
@@ -16,7 +16,6 @@
 #include "net/http/http_request_headers.h"
 #include "net/http/structured_headers.h"
 #include "services/network/public/cpp/trust_token_http_headers.h"
-#include "services/network/public/mojom/trust_tokens.mojom-shared.h"
 #include "services/network/trust_tokens/ed25519_trust_token_request_signer.h"
 #include "services/network/trust_tokens/signed_redemption_record_serialization.h"
 #include "services/network/trust_tokens/trust_token_parameterization.h"
@@ -299,7 +298,8 @@ bool ReconstructSigningDataAndVerifySignatures(
                                 base::span<const uint8_t> verification_key,
                                 const std::string& sig_alg)> verifier,
    std::string* error_out,
-    std::map<std::string, std::string>* verification_keys_out) {
+    std::map<std::string, std::string>* verification_keys_out,
+    mojom::TrustTokenSignRequestData* sign_request_data_out) {
  // Make it possible to set the error without needing to check for
  // |error_out|'s presence.
  std::string dummy_error;
@@ -330,6 +330,8 @@ bool ReconstructSigningDataAndVerifySignatures(
          &sig_alg, error_out)) {
    return false;
  }
+  if (sign_request_data_out)
+    *sign_request_data_out = sign_request_data;
  for (net::structured_headers::ParameterizedItem& issuer_and_parameters :
       issuers_and_parameters) {

--- a/services/network/trust_tokens/test/signed_request_verification_util.h
+++ b/services/network/trust_tokens/test/signed_request_verification_util.h
@@ -12,6 +12,7 @@
 #include "base/optional.h"
 #include "base/strings/string_piece.h"
 #include "net/http/http_request_headers.h"
+#include "services/network/public/mojom/trust_tokens.mojom-shared.h"
 #include "services/network/trust_tokens/suitable_trust_token_origin.h"
 #include "url/gurl.h"
@@ -57,7 +58,8 @@ bool ReconstructSigningDataAndVerifySignatures(
                                 const std::string& sig_alg)> verifier =
        {},  // defaults to Ed25519
    std::string* error_out = nullptr,
-    std::map<std::string, std::string>* verification_keys_out = nullptr);
+    std::map<std::string, std::string>* verification_keys_out = nullptr,
+    mojom::TrustTokenSignRequestData* sign_request_data_out = nullptr);
 // Returns true if |rr_body| a valid CBOR encoding of an "SRR body" struct, as
 // defined in the design doc. Otherwise, returns false and, if |error_out| is

--- a/services/network/trust_tokens/test/trust_token_request_handler.cc
+++ b/services/network/trust_tokens/test/trust_token_request_handler.cc
@@ -66,6 +66,9 @@ bool HasKeyPairExpired(const IssuanceKeyPair& p) {
 }  // namespace
+TrustTokenRequestHandler::Options::Options() = default;
+TrustTokenRequestHandler::Options::~Options() = default;
 struct TrustTokenRequestHandler::Rep {
  // The protocol version to use.
  std::string protocol_version;

--- a/services/network/trust_tokens/test/trust_token_request_handler.h
+++ b/services/network/trust_tokens/test/trust_token_request_handler.h
@@ -54,7 +54,10 @@ class TrustTokenRequestHandler {
    kUnconditionalFailure,
  };
-  struct Options {
+  struct Options final {
+    Options();
+    ~Options();
    // The number of issuance key pairs to provide via key commitment results.
    int num_keys = 1;
@@ -64,10 +67,11 @@ class TrustTokenRequestHandler {
    // the expected request.
    SigningOutcome client_signing_outcome = SigningOutcome::kSuccess;
-    // The protocol version to use.
+    // The protocol version with which to parameterize the server-side
+    // cryptographic logic. We return this value in key commitment results.
    std::string protocol_version = "TrustTokenV1";
-    // The commitment ID to use.
+    // The key commitment ID.
    int id = 1;
    // The number of tokens to sign per issuance operation; this value is also