Bug 1956065 [wpt PR 51557] - [SRI Message Signatures] Support the @scheme derived component., a=testonly

Automatic update from web-platform-tests
[SRI Message Signatures] Support the `@scheme` derived component.

This CL adds support for the `@scheme` derived component, as defined in
https://www.rfc-editor.org/rfc/rfc9421.html#name-scheme

Bug: 383409584
Change-Id: I09d197a33da89c2a789f44b83e179ed85922fddc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6387436
Reviewed-by: Joe DeBlasio <[email protected]>
Commit-Queue: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1436909}

--

wpt-commits: b3b205f6855e3caaad112845efb93610e3ef391a
wpt-pr: 51557

Author: mikewest

testing/web-platform/tests/subresource-integrity/signatures/tentative/client-initiated.cross-origin.window.js

@@ -26,14 +26,14 @@
 // Unsigned responses are blocked when integrity is asserted:
 generate_fetch_test({},
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity: `ed25519-${kValidKeys['rfc']}`,
                     },
                     EXPECT_BLOCKED,
                     "No signature, valid integrity check, w/o cors: blocked.");
 generate_fetch_test({ cors: true },
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: 'cors',
                       integrity: `ed25519-${kValidKeys['rfc']}`,
                     },
@@ -51,23 +51,23 @@ const kRequestWithValidSignature = {
 };
 generate_fetch_test(kRequestWithValidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity: `ed25519-${kValidKeys['rfc']}`,
                     },
                     EXPECT_BLOCKED,
                     "Valid signature, matching integrity check, no cors: blocked.");
 
 generate_fetch_test(kRequestWithValidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity: `ed25519-${kInvalidKey}`,
                     },
                     EXPECT_BLOCKED,
                     "Valid signature, mismatched integrity check, no cors: blocked.");
 
 generate_fetch_test(kRequestWithValidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity:`ed25519-${kValidKeys['rfc']} ed25519-${kInvalidKey}`
                     },
                     EXPECT_BLOCKED,
@@ -83,7 +83,7 @@ const kRequestWithValidSignatureAndCORS = {
 };
 generate_fetch_test(kRequestWithValidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "cors",
                       integrity: `ed25519-${kValidKeys['rfc']}`,
                     },
@@ -92,7 +92,7 @@ generate_fetch_test(kRequestWithValidSignatureAndCORS,
 
 generate_fetch_test(kRequestWithValidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "cors",
                       integrity: `ed25519-${kInvalidKey}`,
                     },
@@ -101,7 +101,7 @@ generate_fetch_test(kRequestWithValidSignatureAndCORS,
 
 generate_fetch_test(kRequestWithValidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "cors",
                       integrity:`ed25519-${kValidKeys['rfc']} ed25519-${kInvalidKey}`
                     },
@@ -118,23 +118,23 @@ const kRequestWithInvalidSignature = {
 };
 generate_fetch_test(kRequestWithInvalidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity: `ed25519-${kValidKeys['rfc']}`,
                     },
                     EXPECT_BLOCKED,
                     "Invalid signature, matching integrity check, no cors: blocked.");
 
 generate_fetch_test(kRequestWithInvalidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity: `ed25519-${kInvalidKey}`,
                     },
                     EXPECT_BLOCKED,
                     "Invalid signature, mismatched integrity check, no cors: blocked.");
 
 generate_fetch_test(kRequestWithInvalidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity:`ed25519-${kValidKeys['rfc']} ed25519-${kInvalidKey}`
                     },
                     EXPECT_BLOCKED,
@@ -149,7 +149,7 @@ const kRequestWithInvalidSignatureAndCORS = {
 };
 generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity: `ed25519-${kValidKeys['rfc']}`,
                       mode: "cors",
                     },
@@ -158,7 +158,7 @@ generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
 
 generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity: `ed25519-${kInvalidKey}`,
                       mode: "cors",
                     },
@@ -167,7 +167,7 @@ generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
 
 generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       integrity:`ed25519-${kValidKeys['rfc']} ed25519-${kInvalidKey}`,
                       mode: "cors",
                     },

testing/web-platform/tests/subresource-integrity/signatures/tentative/helper.js

@@ -53,15 +53,12 @@ const kAcceptSignature = "accept-signature";
 // Given `{ digest: "...", body: "...", cors: true, type: "..." }`, generates
 // the URL to a script resource that has the given characteristics.
 let counter = 0;
-function resourceURL(data, host) {
+function resourceURL(data, server_origin) {
   counter++;
   data.type ??= "application/javascript";
   data.counter = counter;
   let params = new URLSearchParams(data);
-  let result = new URL("/subresource-integrity/signatures/resource.py?" + params.toString(), self.location);
-  if (host) {
-    result.host = host;
-  }
+  let result = new URL("/subresource-integrity/signatures/resource.py?" + params.toString(), server_origin ?? self.location.origin);
   return result.href;
 }
 
@@ -92,10 +89,12 @@ async function signSignatureBase(signatureBase, privateKeyJWK) {
 
 function generate_fetch_test(request_data, options, expectation, description) {
   promise_test(test => {
-    const url = resourceURL(request_data, options.host);
+    const url = resourceURL(request_data, options.origin);
     let fetch_options = {};
     if (options.mode) {
       fetch_options.mode = options.mode;
+    } else if (options.origin) {
+      fetch_options.mode = "cors";
     }
     if (options.integrity) {
       fetch_options.integrity = options.integrity;

testing/web-platform/tests/subresource-integrity/signatures/tentative/scheme.window.js

@@ -0,0 +1,73 @@
+// META: script=/common/get-host-info.sub.js
+// META: script=helper.js
+
+// The following tests validate the behavior of the `@scheme` derived component.
+// They'll all be rooted in the following response, generated using the steps at
+// https://wicg.github.io/signature-based-sri/#examples, relying on the test
+// key from https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key:
+//
+// ```
+// NOTE: '\' line wrapping per RFC 8792
+//
+// HTTP/1.1 200 OK
+// Date: Tue, 20 Apr 2021 02:07:56 GMT
+// Content-Type: application/json
+// Unencoded-Digest: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
+// Content-Length: 18
+// Signature-Input: signature=("unencoded-digest";sf "@scheme";req); \
+//                  keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";       \
+//                  tag="sri"
+// Signature: signature=:oVQ+s/OqXLAVdfvgZ3HaPiyzkpNXZSit9l6e1FB/gOOL3t8FOrIRDV \
+//                       CkcIEcJjd3MA1mROn39/WQShTmnKmlDg==:
+//
+//
+// window.hello = `world`;
+// ```
+
+const test_cases = [
+  // ```
+  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
+  // "@scheme";req: http
+  // "@signature-params": ("unencoded-digest";sf "@scheme";req);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
+  // ```
+  {
+    origin: get_host_info().HTTP_REMOTE_ORIGIN,
+    signature: `signature=:WZp87p7X3ELfgIKL/qxsY/CT6XArMvZRaxcJ3uy1QklEcLf0c8tol2+W2pvaXX4jnd7hGevFVkzWE77rCOIzAA==:`,
+  },
+  // ```
+  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
+  // "@scheme";req: https
+  // "@signature-params": ("unencoded-digest";sf "@scheme";req);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
+  // ```
+  {
+    origin: get_host_info().HTTPS_REMOTE_ORIGIN,
+    signature: `signature=:lMzR8lIXYG0Iz0MmTXcRTcBfNw6TgBAPfaNLAU1LzsxWC5dlez8SNe7aCW7avHTWKgaqTGBCMW1LgxkHlijgDA==:`,
+  }
+]
+
+// Valid signatures depend upon integrity checks.
+//
+// We're testing our handling of malformed and multiple keys generally in
+// the broader `client-initiated.*` tests. Here we'll just focus on ensuring
+// that responses with `@scheme` components load at all (no integrity check),
+// load when integrity checks match, and fail when integrity checks mismatch.
+for (const test_case of test_cases) {
+    const request = {
+      cors: true,
+      body: "window.hello = `world`;",
+      digest: "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:",
+      signatureInput: `signature=("unencoded-digest";sf "@scheme";req);keyid="${kValidKeys['rfc']}";tag="sri"`,
+      signature: test_case.signature
+    };
+
+    // fetch():
+    generate_fetch_test(request, {origin: test_case.origin}, EXPECT_LOADED,
+                        `Valid signature (${request.signature}), no integrity check: loads.`);
+    generate_fetch_test(request, {origin: test_case.origin,
+                                  integrity:`ed25519-${kValidKeys['rfc']}`}, EXPECT_LOADED,
+                        `Valid signature (${request.signature}), matching integrity check: loads.`);
+
+    generate_fetch_test(request, {origin: test_case.origin,
+                                  integrity:`ed25519-${kInvalidKey}`}, EXPECT_BLOCKED,
+                        `Valid signature (${request.signature}), mismatched integrity check: blocked.`);
+}

testing/web-platform/tests/subresource-integrity/signatures/tentative/server-initiated.window.js

@@ -38,14 +38,14 @@ generate_fetch_test(kRequestWithValidSignature,
                     "Valid signature, same-origin: loads.");
 generate_fetch_test(kRequestWithValidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "no-cors",
                     },
                     EXPECT_LOADED,
                     "Valid signature, cross-origin w/o cors, mode: no-cors: loads.");
 generate_fetch_test(kRequestWithValidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "cors",
                     },
                     EXPECT_BLOCKED,
@@ -65,14 +65,14 @@ generate_fetch_test(kRequestWithValidSignatureAndCORS,
                     "Valid signature, same-origin w/ cors: loads.");
 generate_fetch_test(kRequestWithValidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "no-cors",
                     },
                     EXPECT_LOADED,
                     "Valid signature, cross-origin w/ cors, mode: no-cors: loads.");
 generate_fetch_test(kRequestWithValidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "cors",
                     },
                     EXPECT_LOADED,
@@ -91,14 +91,14 @@ generate_fetch_test(kRequestWithInvalidSignature,
                     "Invalid signature, same-origin: blocked.");
 generate_fetch_test(kRequestWithInvalidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "no-cors",
                     },
                     EXPECT_BLOCKED,
                     "Invalid signature, cross-origin w/o cors, mode: no-cors: blocked.");
 generate_fetch_test(kRequestWithInvalidSignature,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "cors",
                     },
                     EXPECT_BLOCKED,
@@ -118,14 +118,14 @@ generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
                     "Invalid signature, same-origin w/ cors: blocked.");
 generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "no-cors",
                     },
                     EXPECT_BLOCKED,
                     "Invalid signature, cross-origin w/ cors, mode: no-cors: blocked.");
 generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
                     {
-                      host: get_host_info().REMOTE_HOST,
+                      origin: get_host_info().REMOTE_ORIGIN,
                       mode: "cors",
                     },
                     EXPECT_BLOCKED,