blinkpy: Add a script to update self-signed certificates for WPT.

Change-Id: Ibc19664d191f8bee18711170e5feeedc26fa0362
Reviewed-on: https://chromium-review.googlesource.com/1094820
Commit-Queue: Kent Tamura <tkent@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org>
Reviewed-by: Quinten Yearsley <qyearsley@chromium.org>
Cr-Commit-Position: refs/heads/master@{#566713}

third_party/blink/tools/blinkpy/third_party/wpt/README.chromium

@@ -53,56 +53,21 @@ dependency.
 These certificates will expire in January 2025. Here is an instruction to
 re-generate them:
 
-1. Add "openssl" command to PATH.
-2. Apply the following change locally:
-
-diff --git a/third_party/blink/tools/blinkpy/third_party/wpt/wpt.config.json b/third_party/blink/tools/blinkpy/third_party/wpt/wpt.config.json
-index 6243954..84fd3f4 100644
---- a/third_party/blink/tools/blinkpy/third_party/wpt/wpt.config.json
-+++ b/third_party/blink/tools/blinkpy/third_party/wpt/wpt.config.json
-@@ -9,13 +9,5 @@
-     "https": [8444],
-     "ws": [9001],
-     "wss": [9444]
--  },
--  "ssl": {
--    "type": "pregenerated",
--    "encrypt_after_connect": false,
--    "pregenerated": {
--      "host_key_path": "../certs/127.0.0.1.key",
--      "host_cert_path": "../certs/127.0.0.1.pem"
--    }
-   }
- }
-diff --git a/third_party/blink/tools/blinkpy/third_party/wpt/wpt/tools/sslutils/openssl.py b/third_party/blink/tools/blinkpy/third_party/wpt/wpt/tools/sslutils/openssl.py
-index 5b571c0..223a18b 100644
---- a/third_party/blink/tools/blinkpy/third_party/wpt/wpt/tools/sslutils/openssl.py
-+++ b/third_party/blink/tools/blinkpy/third_party/wpt/wpt/tools/sslutils/openssl.py
-@@ -207,7 +207,7 @@ class OpenSSLEnvironment(object):
-
-     def __init__(self, logger, openssl_binary="openssl", base_path=None,
-                  password="web-platform-tests", force_regenerate=False,
--                 duration=30, base_conf_path=None):
-+                 duration=3000, base_conf_path=None):
-         """SSL environment that creates a local CA and host certificate using OpenSSL.
-
-         By default this will look in base_path for existing certificates that are still
-
-3. Run third_party/blink/tools/run_blink_wptserve.py
-4. Type Enter key to terminate it.
-5. Revert the local change.  e.g. git reset --hard HEAD
-6. Replace certs/ with wpt/_certs/
-   % rm -fr certs
-   % mv wpt/_certs certs
-7. Look at *.pem, and update "January 2025" in this document and expiration_date
-   in wptserve.py to new expiration date.
-8. git commit -a
-9. git cl upload, etc.
-
-Please refer to third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/README.md
-for how to update the 127.0.0.1.sxg.* files.
-
-TODO(tkent): Make a script to re-generate keys and certificates.
+1. Make sure the following commands are in $PATH.
+ - base64
+ - git
+ - grep
+ - openssl
+ - sed
+2. Run update_certs.py
+3. Look at the "Not After" date in the output of the command, and update
+  "January 2025" in this document and expiration_date in wptserve.py to new
+  expiration date.
+4. Update certs/127.0.0.1.sxg.*.
+  Please refer to
+  third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/README.md
+5. git commit
+6. git cl upload, etc.
 
 **
 

third_party/blink/tools/blinkpy/third_party/wpt/update_certs.py

+#!/usr/bin/env vpython
+# Copyright 2018 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+import logging
+import os
+import subprocess
+import sys
+
+_THIS_DIR = os.path.dirname(__file__)
+sys.path.append(os.path.join(_THIS_DIR, 'wpt', 'tools', 'wptserve', 'wptserve'))
+from sslutils.openssl import OpenSSLEnvironment
+
+
+_DOMAIN = '127.0.0.1'
+
+def main():
+    cert_dir = os.path.join(_THIS_DIR, 'certs')
+
+    print '===> Removing old files...'
+    old_files = filter(lambda filename: '.sxg.' not in filename,
+                       os.listdir(cert_dir))
+    old_files = [os.path.join(cert_dir, fn) for fn in old_files]
+    if subprocess.call(['git', 'rm'] + old_files) != 0:
+        sys.exit(1)
+
+    print '\n===> Regenerating keys and certificates...'
+    env = OpenSSLEnvironment(logging.getLogger(__name__),
+                             base_path=cert_dir,
+                             force_regenerate=True,
+                             duration=3000)
+    with env:
+        key_path, pem_path = env.host_cert_path(
+            [_DOMAIN,
+             # See '_subdomains' in wpt/tools/serve/serve.py.
+             'www.' + _DOMAIN,
+             'www1.' + _DOMAIN,
+             'www2.' + _DOMAIN,
+             'xn--n8j6ds53lwwkrqhv28a.' + _DOMAIN,
+             'xn--lve-6lad.' + _DOMAIN])
+        if subprocess.call('git add -v ' + os.path.join(cert_dir, '*'), shell=True) != 0:
+            sys.exit(1)
+
+        print '\n===> Updating wpt.config.json and base.py...'
+        key_basename = os.path.basename(key_path)
+        pem_basename = os.path.basename(pem_path)
+        config_path = os.path.join(_THIS_DIR, 'wpt.config.json')
+        if subprocess.call(['sed', '-i', '', '-E',
+                            's%/[^/]+[.]key%/{key}%g;s%/[^/]+[.]pem%/{pem}%g'.format(
+                                key=key_basename, pem=pem_basename),
+                            config_path]) != 0:
+            sys.exit(1)
+        base_py_path = os.path.join(_THIS_DIR, '..', '..',
+                                    'web_tests', 'port', 'base.py')
+        proc = subprocess.Popen('openssl x509 -noout -pubkey -in ' + pem_path +
+                                ' | openssl pkey -pubin -outform der'
+                                ' | openssl dgst -sha256 -binary'
+                                ' | base64', shell=True, stdout=subprocess.PIPE)
+        base64, _ = proc.communicate()
+        if subprocess.call(['sed', '-i', '', '-E',
+                            's%WPT_FINGERPRINT = \'.*\'%WPT_FINGERPRINT = \'' +
+                            base64.strip() + '\'%', base_py_path]) != 0:
+            sys.exit(1)
+        if subprocess.call(['git', 'add', '-v', config_path, base_py_path]) != 0:
+            sys.exit(1)
+
+        print '\n===> Certificate validity:'
+        subprocess.call(['grep', 'Not After', pem_path])
+
+
+if __name__ == "__main__":
+    main()

third_party/blink/tools/blinkpy/web_tests/port/base.py

@@ -96,6 +96,13 @@ FONT_FILES = [
     [[CONTENT_SHELL_FONTS_DIR], 'Tinos-Regular.ttf', None],
 ]
 
+# This is the fingerprint of wpt's certificate found in
+# blinkpy/third_party/wpt/certs.  The following line is updated by
+# update_cert.py.
+WPT_FINGERPRINT = 'Nxvaj3+bY3oVrTc+Jp7m3E3sB1n3lXtnMDCyBsqEXiY='
+# One for 127.0.0.1.sxg.pem
+SXG_FINGERPRINT = '55qC1nKu2A88ESbFmk5sTPQS/ScG+8DD7P+2bgFA9iM='
+
 
 class Port(object):
     """Abstract class for Port-specific hooks for the layout_test package."""
@@ -242,20 +249,10 @@ class Port(object):
         if flags and flags[0] == self.primary_driver_flag():
             flags = flags[1:]
         if self.driver_name() == self.CONTENT_SHELL_NAME:
-            # This is the fingerprint of wpt's certificate found in
-            # blinkpy/third_party/wpt/certs.  To regenerate, use:
-            #
-            #   openssl x509 -noout -pubkey -in 127.0.0.1.pem |
-            #   openssl pkey -pubin -outform der |
-            #   openssl dgst -sha256 -binary |
-            #   base64
-            #
-            fingerprint = 'Nxvaj3+bY3oVrTc+Jp7m3E3sB1n3lXtnMDCyBsqEXiY='
-            # Add one for 127.0.0.1.sxg.pem
-            fingerprint += ',55qC1nKu2A88ESbFmk5sTPQS/ScG+8DD7P+2bgFA9iM='
             flags += [
                 '--run-web-tests',
-                '--ignore-certificate-errors-spki-list=' + fingerprint,
+                '--ignore-certificate-errors-spki-list=' + WPT_FINGERPRINT +
+                ',' + SXG_FINGERPRINT,
                 '--user-data-dir']
         return flags