Trust Tokens: Expand key commitments to support local issuance

This change expands the definition of a Trust Tokens key commitment
struct to accept a list of operating systems on which to redirect
issuance operations (for the issuer hosting the key commitment) to the
operating system, rather than sending these issuance requests directly
via an HTTP request.

It's the first step in implementing on-device ("platform-issued") trust
token issuance support.

Fixed: 1130249
Change-Id: I9eec53ecf2c3eb611e547b78ee60cbdc800e0c6b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2432445Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#819208}

services/network/public/mojom/trust_tokens.mojom

@@ -190,5 +190,31 @@ struct TrustTokenKeyCommitmentResult {
   // can be used to verify Signed Redemption Record (SRR) signatures
   // subsequently provided by the issuer.
   string signed_redemption_record_verification_key;
+
+  // |request_issuance_locally_on| specifies operating systems on which to
+  // divert issuance requests for this issuer to the system (i.e. to request
+  // "platform-provided" tokens)
+  enum Os {
+    kAndroid,
+  };
+  array<Os> request_issuance_locally_on;
+
+  // When specifying that the browser should attempt local issuance on at least
+  // one operating system, issuers could benefit from a couple different
+  // fallback behaviors depending on their particular requirements.
+  //
+  // |unavailable_local_issuance_fallback|'s value specifies what action to take
+  // when both of the following hold simultaneously:
+  // (1) local issuance is specified on at least one OS (i.e.
+  // |request_issuance_locally_on| is nonempty) and
+  // (2) we're not on any of the specified OSes.
+  enum UnavailableLocalIssuanceFallback {
+    // If we're not on a matching OS, instead attempt a standard web
+    // issuance request against the issuance request's destination URL.
+    kWebIssuance,
+    // If we're not on a matching OS, just fail the issuance request.
+    kReturnWithError,
+  };
+  UnavailableLocalIssuanceFallback unavailable_local_issuance_fallback;
 };
 

services/network/trust_tokens/test/trust_token_key_commitment_parser_fuzzer.dict

@@ -36,3 +36,7 @@
 "Y"
 "expiry"
 "https"
+"protocol_version"
+"id"
+"unavailable_local_issuance_fallback"
+"request_issuance_locally_on"

services/network/trust_tokens/trust_token_key_commitment_parser.cc

@@ -7,15 +7,30 @@
 #include "base/base64.h"
 #include "base/json/json_reader.h"
 #include "base/numerics/safe_conversions.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/values.h"
-#include "services/network/public/mojom/trust_tokens.mojom-forward.h"
 #include "services/network/public/mojom/trust_tokens.mojom.h"
 #include "services/network/trust_tokens/suitable_trust_token_origin.h"
 
 namespace network {
 
+const char kTrustTokenKeyCommitmentProtocolVersionField[] = "protocol_version";
+const char kTrustTokenKeyCommitmentIDField[] = "id";
+const char kTrustTokenKeyCommitmentBatchsizeField[] = "batchsize";
+const char kTrustTokenKeyCommitmentSrrkeyField[] = "srrkey";
+const char kTrustTokenKeyCommitmentExpiryField[] = "expiry";
+const char kTrustTokenKeyCommitmentKeyField[] = "Y";
+const char kTrustTokenKeyCommitmentRequestIssuanceLocallyOnField[] =
+    "request_issuance_locally_on";
+const char kTrustTokenLocalIssuanceOsAndroid[] = "android";
+const char kTrustTokenKeyCommitmentUnavailableLocalIssuanceFallbackField[] =
+    "unavailable_local_issuance_fallback";
+const char kTrustTokenLocalIssuanceFallbackWebIssuance[] = "web_issuance";
+const char kTrustTokenLocalIssuanceFallbackReturnWithError[] =
+    "return_with_error";
+
 namespace {
 
 // Parses a single key label. If |in| is the string representation of an integer
@@ -71,6 +86,82 @@ ParseKeyResult ParseSingleKeyExceptLabel(
   return ParseKeyResult::kSucceed;
 }
 
+base::Optional<mojom::TrustTokenKeyCommitmentResult::Os> ParseOs(
+    base::StringPiece os_string) {
+  if (os_string == kTrustTokenLocalIssuanceOsAndroid)
+    return mojom::TrustTokenKeyCommitmentResult::Os::kAndroid;
+  return base::nullopt;
+}
+
+// Attempts to parse a string representation of a member of the
+// UnavailableLocalIssuanceFallback enum, returning true on success and false on
+// failure.
+bool ParseUnavailableLocalIssuanceFallback(
+    base::StringPiece fallback_string,
+    mojom::TrustTokenKeyCommitmentResult::UnavailableLocalIssuanceFallback*
+        fallback_out) {
+  if (fallback_string == kTrustTokenLocalIssuanceFallbackWebIssuance) {
+    *fallback_out = mojom::TrustTokenKeyCommitmentResult::
+        UnavailableLocalIssuanceFallback::kWebIssuance;
+    return true;
+  }
+  if (fallback_string == kTrustTokenLocalIssuanceFallbackReturnWithError) {
+    *fallback_out = mojom::TrustTokenKeyCommitmentResult::
+        UnavailableLocalIssuanceFallback::kReturnWithError;
+    return true;
+  }
+  return false;
+}
+
+// Given a per-issuer key commitment dictionary, looks for the local Trust
+// Tokens issuance-related fields request_issuance_locally_on and
+// unavailable_local_issuance_fallback.
+//
+// Returns true if both are absent, or if both are present and well-formed; in
+// the latter case, updates |result| to with their parsed values. Otherwise,
+// returns false.
+bool ParseLocalIssuanceFieldsIfPresent(
+    const base::Value& value,
+    mojom::TrustTokenKeyCommitmentResult* result) {
+  const base::Value* maybe_request_issuance_locally_on =
+      value.FindKey(kTrustTokenKeyCommitmentRequestIssuanceLocallyOnField);
+
+  // The local issuance field is optional...
+  if (!maybe_request_issuance_locally_on)
+    return true;
+
+  // ...but needs to be the right type if it's provided.
+  if (!maybe_request_issuance_locally_on->is_list())
+    return false;
+
+  for (const base::Value& maybe_os_value :
+       maybe_request_issuance_locally_on->GetList()) {
+    if (!maybe_os_value.is_string())
+      return false;
+    base::Optional<mojom::TrustTokenKeyCommitmentResult::Os> maybe_os =
+        ParseOs(maybe_os_value.GetString());
+    if (!maybe_os)
+      return false;
+    result->request_issuance_locally_on.push_back(*maybe_os);
+  }
+
+  // Deduplicate the OS values:
+  auto& oses = result->request_issuance_locally_on;
+  base::ranges::sort(oses);
+  auto to_remove = base::ranges::unique(oses);
+  oses.erase(to_remove, oses.end());
+
+  const std::string* maybe_fallback = value.FindStringKey(
+      kTrustTokenKeyCommitmentUnavailableLocalIssuanceFallbackField);
+  if (!maybe_fallback ||
+      !ParseUnavailableLocalIssuanceFallback(
+          *maybe_fallback, &result->unavailable_local_issuance_fallback)) {
+    return false;
+  }
+
+  return true;
+}
+
 mojom::TrustTokenKeyCommitmentResultPtr ParseSingleIssuer(
     const base::Value& value) {
   if (!value.is_dict())
@@ -113,6 +204,9 @@ mojom::TrustTokenKeyCommitmentResultPtr ParseSingleIssuer(
     return nullptr;
   }
 
+  if (!ParseLocalIssuanceFieldsIfPresent(value, result.get()))
+    return nullptr;
+
   // Parse the key commitments in the result (these are exactly the
   // key-value pairs in the dictionary with dictionary-typed values).
   for (const auto& kv : value.DictItems()) {
@@ -155,13 +249,6 @@ mojom::TrustTokenKeyCommitmentResultPtr& commitment(Entry& e) {
 
 }  // namespace
 
-const char kTrustTokenKeyCommitmentProtocolVersionField[] = "protocol_version";
-const char kTrustTokenKeyCommitmentIDField[] = "id";
-const char kTrustTokenKeyCommitmentBatchsizeField[] = "batchsize";
-const char kTrustTokenKeyCommitmentSrrkeyField[] = "srrkey";
-const char kTrustTokenKeyCommitmentExpiryField[] = "expiry";
-const char kTrustTokenKeyCommitmentKeyField[] = "Y";
-
 // https://docs.google.com/document/d/1TNnya6B8pyomDK2F1R9CL3dY10OAmqWlnCxsWyOBDVQ/edit#bookmark=id.6wh9crbxdizi
 // {
 //   "protocol_version" : ..., // Protocol Version; value of type string.
@@ -170,6 +257,12 @@ const char kTrustTokenKeyCommitmentKeyField[] = "Y";
 //   "srrkey" : ...,           // Required Signed Redemption Record (SRR)
 //                             // verification key, in base64.
 //
+//   // Optional operating systems on which to request issuance via system
+//   // mediation (valid values are: "android"), and (required if at least one
+//   // OS is specified) fallback behavior on other operating systems:
+//   "request_issuance_locally_on": [<os 1>, ..., <os N>],
+//   "unavailable_local_issuance_fallback": "web_issuance" | "return_with_error"
+//
 //   "1" : {                   // Key label, a number in uint32_t range; ignored
 //                             // except for checking that it is present and
 //                             // type-safe.

services/network/trust_tokens/trust_token_key_commitment_parser.h

@@ -14,41 +14,48 @@
 
 namespace network {
 
-// Field names from the key commitment JSON format specified in the Trust Tokens
-// design doc
-// (https://docs.google.com/document/d/1TNnya6B8pyomDK2F1R9CL3dY10OAmqWlnCxsWyOBDVQ/edit#bookmark=id.6wh9crbxdizi):
-// - "protocol_version" (version of Trust Token used for this commitment)
+// These field names are from the key commitment JSON format specified in the
+// Trust Tokens design doc
+// (https://docs.google.com/document/d/1TNnya6B8pyomDK2F1R9CL3dY10OAmqWlnCxsWyOBDVQ/edit#bookmark=id.6wh9crbxdizi).
+// "protocol version" (version of Trust Token used for this commitment):
 extern const char kTrustTokenKeyCommitmentProtocolVersionField[];
-// - "id" (ID for this key commitment)
+// This commitment's ID, used for mediating between concurrencyID for this key
+// commitment):
 extern const char kTrustTokenKeyCommitmentIDField[];
-// - "batch size" (number of blinded tokens to provide per issuance request)
+// "Batch size" (number of blinded tokens to provide per issuance request):
 extern const char kTrustTokenKeyCommitmentBatchsizeField[];
-// - verification key for the signatures the issuer provides over its Signed
-// Redemption Records (SRRs)
+// Verification key for the signatures the issuer provides over its Signed
+// Redemption Records (SRRs):
 extern const char kTrustTokenKeyCommitmentSrrkeyField[];
-// - each issuance key's expiry timestamp
+// Each issuance key's expiry timestamp:
 extern const char kTrustTokenKeyCommitmentExpiryField[];
-// - each issuance key's key material
+// Each issuance key's key material:
 extern const char kTrustTokenKeyCommitmentKeyField[];
 
+// The operating systems on which to request issuance via system mediation
+// rather than through a request to the issuer's website:
+extern const char kTrustTokenKeyCommitmentRequestIssuanceLocallyOnField[];
+extern const char kTrustTokenKeyCommitmentOsAndroid[];
+
+// The desired fallback behavior when local issuance isn't available on the
+// requested operating system:
+extern const char
+    kTrustTokenKeyCommitmentUnavailableLocalIssuanceFallbackField[];
+extern const char kTrustTokenLocalIssuanceFallbackWebIssuance[];
+extern const char kTrustTokenLocalIssuanceFallbackReturnWithError[];
+
 class TrustTokenKeyCommitmentParser
     : public TrustTokenKeyCommitmentController::Parser {
  public:
   TrustTokenKeyCommitmentParser() = default;
   ~TrustTokenKeyCommitmentParser() override = default;
 
-  // Parses a JSON key commitment response.
+  // Parses a JSON key commitment response, returning nullptr if the input is
+  // not a valid representation of a JSON dictionary containing all required
+  // fields listed in the Trust Tokens design doc, the current normative source
+  // for key commitment responses' format:
   //
-  // This method returns nullptr unless:
-  // - the input is valid JSON; and
-  // - the JSON represents a nonempty dictionary; and
-  // - within this inner dictionary (which stores metadata like batch size, as
-  // well as more dictionaries denoting keys' information):
-  //   - every dictionary-type value has an expiry field
-  //   (|kTrustTokenKeyCommitmentExpiryField| above) and a key body field
-  //   (|kTrustTokenKeyCommitmentKeyField|), and
-  //   - the expiry field is a positive integer (microseconds since the Unix
-  //   epoch) storing a time in the future.
+  // https://docs.google.com/document/d/1TNnya6B8pyomDK2F1R9CL3dY10OAmqWlnCxsWyOBDVQ/edit#heading=h.wkezf6pcskvh
   mojom::TrustTokenKeyCommitmentResultPtr Parse(
       base::StringPiece response_body) override;
 

services/network/trust_tokens/trust_token_key_commitment_parser_unittest.cc

@@ -429,6 +429,8 @@ TEST(TrustTokenKeyCommitmentParser, ParsesBatchSize) {
      "protocol_version": "TrustTokenV1", "id": 1, "batchsize": 5,
      "srrkey": "aaaa"
    })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -440,8 +442,10 @@ TEST(TrustTokenKeyCommitmentParser, ParsesBatchSize) {
 TEST(TrustTokenKeyCommitmentParser, RejectsMissingBatchSize) {
   std::string input =
       R"({
-     "protocol_version": "TrustTokenV1", "id": 1, "srrkey": "aaaa",
+     "protocol_version": "TrustTokenV1", "id": 1, "srrkey": "aaaa"
    })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -452,8 +456,10 @@ TEST(TrustTokenKeyCommitmentParser, RejectsNonpositiveBatchSize) {
   std::string input =
       R"({
      "protocol_version": "TrustTokenV1", "id": 1, "srrkey": "aaaa",
-     "batchsize": "0",
+     "batchsize": 0
    })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -466,18 +472,234 @@ TEST(TrustTokenKeyCommitmentParser, RejectsTypeUnsafeBatchSize) {
      "protocol_version": "TrustTokenV1", "id": 1, "srrkey": "aaaa",
      "batchsize": "not a number"
    })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  EXPECT_FALSE(result);
+}
+
+TEST(TrustTokenKeyCommitmentParser, RequestIssuanceLocallyOn) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": ["android"],
+     "unavailable_local_issuance_fallback": "web_issuance"
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  ASSERT_TRUE(result);
+  EXPECT_THAT(result->request_issuance_locally_on,
+              ElementsAre(mojom::TrustTokenKeyCommitmentResult::Os::kAndroid));
+}
+
+TEST(TrustTokenKeyCommitmentParser, DeduplicatesRequestIssuanceLocallyOn) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": ["android", "android", "android"],
+     "unavailable_local_issuance_fallback": "web_issuance"
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  ASSERT_TRUE(result);
+  EXPECT_THAT(result->request_issuance_locally_on,
+              ElementsAre(mojom::TrustTokenKeyCommitmentResult::Os::kAndroid));
+}
+
+TEST(TrustTokenKeyCommitmentParser, NoRequestIssuanceLocallyOn) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  ASSERT_TRUE(result);
+  EXPECT_TRUE(result->request_issuance_locally_on.empty());
+}
+
+TEST(TrustTokenKeyCommitmentParser, RejectsTypeUnsafeRequestIssuanceLocallyOn) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": "not an array",
+     "unavailable_local_issuance_fallback": "web_issuance"
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  EXPECT_FALSE(result);
+}
+
+TEST(TrustTokenKeyCommitmentParser,
+     RejectsTypeUnsafeRequestIssuanceLocallyOnMember) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": ["android", 47],
+     "unavailable_local_issuance_fallback": "web_issuance"
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  EXPECT_FALSE(result);
+}
+
+TEST(TrustTokenKeyCommitmentParser,
+     RejectsUnrecognizedOsInRequestIssuanceLocallyOn) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": ["android", "imaginaryOS"],
+     "unavailable_local_issuance_fallback": "web_issuance"
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  EXPECT_FALSE(result);
+}
+
+TEST(TrustTokenKeyCommitmentParser,
+     ProvidingLocalIssuanceOsRequiresSpecifyingIssuanceFallback) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": ["android"]
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  EXPECT_FALSE(result);
+}
+
+TEST(TrustTokenKeyCommitmentParser,
+     RejectsTypeUnsafeUnavailableLocalIssuanceFallback) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": ["android"],
+     "unavailable_local_issuance_fallback": 57
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  EXPECT_FALSE(result);
+}
+
+TEST(TrustTokenKeyCommitmentParser,
+     RejectsUnrecognizedUnavailableLocalIssuanceFallback) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": ["android"],
+     "unavailable_local_issuance_fallback": "not a valid enum value"
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
   EXPECT_FALSE(result);
 }
 
+TEST(TrustTokenKeyCommitmentParser, ParsesLocalIssuanceFallbackWebIssuance) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": ["android"],
+     "unavailable_local_issuance_fallback": "web_issuance"
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  ASSERT_TRUE(result);
+  EXPECT_EQ(result->unavailable_local_issuance_fallback,
+            mojom::TrustTokenKeyCommitmentResult::
+                UnavailableLocalIssuanceFallback::kWebIssuance);
+}
+
+TEST(TrustTokenKeyCommitmentParser,
+     ParsesLocalIssuanceFallbackReturnWithError) {
+  std::string input =
+      R"({
+     "srrkey": "aaaa",
+     "batchsize": 1,
+     "protocol_version": "TrustTokenV1",
+     "id": 1,
+     "request_issuance_locally_on": ["android"],
+     "unavailable_local_issuance_fallback": "return_with_error"
+   })";
+  // Double-check that the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
+
+  mojom::TrustTokenKeyCommitmentResultPtr result =
+      TrustTokenKeyCommitmentParser().Parse(input);
+  ASSERT_TRUE(result);
+  EXPECT_EQ(result->unavailable_local_issuance_fallback,
+            mojom::TrustTokenKeyCommitmentResult::
+                UnavailableLocalIssuanceFallback::kReturnWithError);
+}
+
 TEST(TrustTokenKeyCommitmentParser, ParsesProtocolVersion) {
   std::string input =
       R"({
      "protocol_version": "TrustTokenV1", "id": 1, "batchsize": 5,
      "srrkey": "aaaa"
    })";
+  // Make sure the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -489,8 +711,10 @@ TEST(TrustTokenKeyCommitmentParser, ParsesProtocolVersion) {
 TEST(TrustTokenKeyCommitmentParser, RejectsMissingProtocolVersion) {
   std::string input =
       R"({
-     "id": 1, "batchsize": 5, "srrkey": "aaaa",
+     "id": 1, "batchsize": 5, "srrkey": "aaaa"
    })";
+  // Make sure the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -503,6 +727,8 @@ TEST(TrustTokenKeyCommitmentParser, RejectsUnknownProtocolVersion) {
      "protocol_version": "TrustTokenJunk", "id": 1, "srrkey": "aaaa",
      "batchsize": 5
    })";
+  // Make sure the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -515,6 +741,8 @@ TEST(TrustTokenKeyCommitmentParser, RejectsTypeUnsafeProtocolVersion) {
      "protocol_version": 5, "id": 1, "srrkey": "aaaa",
      "batchsize": 5
    })";
+  // Make sure the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -527,6 +755,8 @@ TEST(TrustTokenKeyCommitmentParser, ParsesID) {
      "protocol_version": "TrustTokenV1", "id": 1, "batchsize": 5,
      "srrkey": "aaaa"
    })";
+  // Make sure the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -538,8 +768,10 @@ TEST(TrustTokenKeyCommitmentParser, ParsesID) {
 TEST(TrustTokenKeyCommitmentParser, RejectsMissingID) {
   std::string input =
       R"({
-     "protocol_version": "TrustTokenV1", "batchsize": 5, "srrkey": "aaaa",
+     "protocol_version": "TrustTokenV1", "batchsize": 5, "srrkey": "aaaa"
    })";
+  // Make sure the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -552,6 +784,8 @@ TEST(TrustTokenKeyCommitmentParser, RejectsTypeUnsafeID) {
      "protocol_version": "TrustTokenV1", "id": "foo", "srrkey": "aaaa",
      "batchsize": 5
    })";
+  // Make sure the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   mojom::TrustTokenKeyCommitmentResultPtr result =
       TrustTokenKeyCommitmentParser().Parse(input);
@@ -569,6 +803,8 @@ TEST(TrustTokenKeyCommitmentParserMultipleIssuers, InvalidJson) {
 
 TEST(TrustTokenKeyCommitmentParserMultipleIssuers, NotADictionary) {
   std::string input = "3";
+  // Make sure the input is actually valid JSON.
+  ASSERT_TRUE(base::JSONReader::Read(input));
 
   auto result = TrustTokenKeyCommitmentParser().ParseMultipleIssuers(input);
   EXPECT_FALSE(result);