[SRI Message Signatures] Drop the alg parameter.
As per WICG/signature-based-sri#33, the plan
is to reject the `alg` parameter entirely, rather than locking it to a
single value.

Bug: 385160702
Change-Id: Iba57570fd8d0136b1d68e143a2fde5f48cd69806
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6110599
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Yoav Weiss (@Shopify) <yoavweiss@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1399650}
mikewest authored and chromium-wpt-export-bot committed Dec 22, 2024
1 parent 099359f commit 863b1ec
Showing 3 changed files with 25 additions and 25 deletions.
8 changes: 4 additions & 4 deletions subresource-integrity/signatures/tentative/fetch.any.js
Expand Up @@ -13,7 +13,7 @@
// Content-Type: application/json
// Identity-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
// Content-Length: 18
// Signature-Input: signature=("identity-digest";sf);alg="ed25519"; \
// Signature-Input: signature=("identity-digest";sf); \
// keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs="; \
// tag="sri"
// Signature: signature=:TUznBT2ikFq6VrtoZeC5znRtZugu1U8OHJWoBkOLDTJA2FglSR34Q \
Expand All @@ -26,16 +26,16 @@
const kRequestWithValidSignature = {
body: `{"hello": "world"}`,
digest: `sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:`,
signature: `signature=:TUznBT2ikFq6VrtoZeC5znRtZugu1U8OHJWoBkOLDTJA2FglSR34QY9j+BwN79PT4H0p8aIosnv4rXSKfIZVDA==:`,
signatureInput: `signature=("identity-digest";sf);alg="ed25519";keyid="${kValidKeys['rfc']}";tag="sri"`
signature: `signature=:eTKYITprfJYJmsOZlRTmu0szHbt0yLxHYBU0oXDdkx8najLl59IPO0zUofe5T23RGuquHLdZx177tBX45CUcAg==:`,
signatureInput: `signature=("identity-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"`
};

// Metadata from the response above, but with an incorrect signature:
const kRequestWithInvalidSignature = {
body: `{"hello": "world"}`,
digest: `sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:`,
signature: `signature=:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==:`,
signatureInput: `signature=("identity-digest";sf);alg="ed25519";keyid="${kValidKeys['rfc']}";tag="sri"`
signatureInput: `signature=("identity-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"`
};

generate_fetch_test({}, "", EXPECT_LOADED,
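Review bot: The header comment's `// Signature:` line is untouched context in the first hunk and still begins `TUznBT2ikFq6…`, the value this commit removes from `kRequestWithValidSignature` in favour of `eTKYITprfJYJ…`. Since the signature covers the signature parameters, the documented example response no longer verifies against the `Signature-Input` comment above it, which will mislead anyone regenerating or auditing fixtures from the comment. Replace the commented value with the new one, starting `// Signature: signature=:eTKYITprfJYJmsOZlRTmu0szHbt0yLxHYBU0oXDd…` and wrapped as the file already does; the continuation of that comment line lies outside the hunk. path.window.js has the same gap: its `// Signature:` comment (`oVQ+s/OqXLAV…`) is unchanged while the `Signature-Input` comment beside it lost `alg`.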
14 changes: 7 additions & 7 deletions subresource-integrity/signatures/tentative/path.window.js
Expand Up @@ -13,7 +13,7 @@
// Content-Type: application/json
// Identity-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
// Content-Length: 18
// Signature-Input: signature=("identity-digest";sf "@path";req);alg="ed25519"; \
// Signature-Input: signature=("identity-digest";sf "@path";req); \
// keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs="; \
// tag="sri"
// Signature: signature=:oVQ+s/OqXLAVdfvgZ3HaPiyzkpNXZSit9l6e1FB/gOOL3t8FOrIRDV \
Expand All @@ -33,26 +33,26 @@ const kRequestsWithValidSignature = [
// ```
// "identity-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
// "@path";req: /subresource-integrity/signatures/tentative/resource.py
// "@signature-params": ("identity-digest";sf "@path";req);alg="ed25519";keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
// "@signature-params": ("identity-digest";sf "@path";req);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
// ```
{
body: "window.hello = `world`;",
digest: "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:",
signature: `signature=:AEW2XbDmmBK71KBle0Dx1JAWAO7B4QdEH2Tw71c9nntjUmx8xF5t8xbsETRHFwULrvJ4STBFtdMVm5a7QIw5Cw==:`,
signatureInput: `signature=("identity-digest";sf "@path";req);alg="ed25519";keyid="${kValidKeys['rfc']}";tag="sri"`
signature: `signature=:W54PPjO6aWHvhTmDICG4EGLs461FrwYxXE/UkBH7dz9V5lnCtv3N6ZTmOxPRMkmADhRilem6W/Zq5SH9tVoxAg==:`,
signatureInput: `signature=("identity-digest";sf "@path";req);keyid="${kValidKeys['rfc']}";tag="sri"`
},
// `@path` then `identity-digest`, with the following signature base:
//
// ```
// "@path";req: /subresource-integrity/signatures/tentative/resource.py
// "identity-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
// "@signature-params": ("@path";req "identity-digest";sf);alg="ed25519";keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
// "@signature-params": ("@path";req "identity-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
// ```
{
body: "window.hello = `world`;",
digest: "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:",
signature: `signature=:NEmnhhW1aKxO+ReWQmmSF17i49ZEdtDC4lRI2CJDw2E/rz9j2a8f8kIwVk7W/BIuQ6kejTAQ2FReGmmkREXPDg==:`,
signatureInput: `signature=("@path";req "identity-digest";sf);alg="ed25519";keyid="${kValidKeys['rfc']}";tag="sri"`
signature: `signature=:qF/RJ9L8bCpRx5cm6QW9qvqw7nU0ziwi6lLD6KkhT/ZgLS2c6O9s4UFXieM9+waU71YtNfTXQAQ4PeMSAVKlDQ==:`,
signatureInput: `signature=("@path";req "identity-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"`
}
];

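Review bot: Both entries in `kRequestsWithValidSignature` are converted to the `alg`-free form, but nothing visible in this section or the other two files asserts that a `Signature-Input` still carrying `alg` is rejected. An implementation that treats `alg` as optional would pass every fixture shown here, so the behaviour the commit message describes is not pinned by these tests. The removed `signature`/`signatureInput` pairs are presumably valid signatures over the `alg`-bearing parameters, which makes them good negative fixtures: the disallowed parameter is the only thing wrong with them. Consider keeping one under a comment such as `// Valid Ed25519 signature, but Signature-Input carries alg="ed25519": must not be accepted.` and asserting the rejection outcome the spec requires. The rest of the file is collapsed, so such a case may already exist outside the hunks.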
28 changes: 14 additions & 14 deletions subresource-integrity/signatures/tentative/script.window.js
Expand Up @@ -13,15 +13,15 @@ const kScriptToExecute = {
signatures: {
// ```
// "identity-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
// "@signature-params": ("identity-digest";sf);alg="ed25519";keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
// "@signature-params": ("identity-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
// ```
rfc: "pRcIRwdXaZL4XqkAo1a7mXIlzETMgG93JWWgqDlx6XhWe8mC8umiEgbI3afULpzT1Buro4ZJfzEXwy8tC5HaCA==",
rfc: "lDlqBb5/GLDB8GnVt3DqiytUJwFj4OPA7pO9eXBowN0qpqa2uNIHZz5IR+IdwOLKe5tBTLvmiMCsnvku3ecUAQ==",

// ```
// "identity-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
// "@signature-params": ("identity-digest";sf);alg="ed25519";keyid="xDnP380zcL4rJ76rXYjeHlfMyPZEOqpJYjsjEppbuXE=";tag="sri"
// "@signature-params": ("identity-digest";sf);keyid="xDnP380zcL4rJ76rXYjeHlfMyPZEOqpJYjsjEppbuXE=";tag="sri"
// ```
arbitrary: "6zUKqibVA3CzFvQj6a+irKnOB9ZY2ky5opG7TMpFF0BtvJ1oAjoVjW3uObPlD/PBOrmkXFNRNwv3PVerE12FDQ=="
arbitrary: "kTzkz6pMEMAOWxI7JPhcNGsPVdIeM1dLEGVIVDdHELY0KDp4TQILxmTElrWGib68KgalaV2oQMz3+XA2sk/ICA=="
}
};

Expand All @@ -32,15 +32,15 @@ const kScriptToBlock = {
signatures: {
// ```
// "identity-digest";sf: sha-256=:FUSFR1N3vTmSGbI7q9jaMbHq+ogNeBfpznOIufaIfpc=:
// "@signature-params": ("identity-digest";sf);alg="ed25519";keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
// "@signature-params": ("identity-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
// ```
rfc: "mXbPPr9LIwClnGOoPM/7mlRT3PfgCHnF4E5te6LocGWplqcxS6qKQoUPo/rnU8BxCY56/nI4BuGtgyjPr2lQCg==",
rfc: "IhHp/w0zpKnHvYStc2QuURfHyQBzgOHELlTt6RwspfvL23p/1CUzAnIu2WCKWtAFlZv6aZfggjLmiHJAHiWxAw==",

// ```
// "identity-digest";sf: sha-256=:FUSFR1N3vTmSGbI7q9jaMbHq+ogNeBfpznOIufaIfpc=:
// "@signature-params": ("identity-digest";sf);alg="ed25519";keyid="xDnP380zcL4rJ76rXYjeHlfMyPZEOqpJYjsjEppbuXE";tag="sri"
// "@signature-params": ("identity-digest";sf);keyid="xDnP380zcL4rJ76rXYjeHlfMyPZEOqpJYjsjEppbuXE";tag="sri"
// ```
arbitrary: "FGQbZOeQIqXQLbooOWExK2M756WCcT4rcszNsXX6+Z6Wdofh4GKuXoFcFSdiYiGNamFMHEW6/BRMoVVjtnGwAg=="
arbitrary: "ghFEMST5TCy9a+cY7igV/RpdbOt26F9iJGNu7QTGQbJ1bZeaiqnH0WHWcfqRriFuzg1R7YAE3taZ94TA8K4ECg=="
}
};

Expand All @@ -63,13 +63,13 @@ generate_script_test(kUnsigned, `ed25519-${kValidKeys['rfc']}`, EXPECT_BLOCKED,
const kSignedShouldExecute = {
body: kScriptToExecute['body'],
digest: `sha-256=:${kScriptToExecute['hash']}:`,
signatureInput: `signature=("identity-digest";sf);alg="ed25519";keyid="${kValidKeys['rfc']}";tag="sri"`,
signatureInput: `signature=("identity-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"`,
signature: `signature=:${kScriptToExecute['signatures']['rfc']}:`
};
const kSignedShouldBlock = {
body: kScriptToBlock['body'],
digest: `sha-256=:${kScriptToBlock['hash']}:`,
signatureInput: `signature=("identity-digest";sf);alg="ed25519";keyid="${kValidKeys['rfc']}";tag="sri"`,
signatureInput: `signature=("identity-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"`,
signature: `signature=:${kScriptToBlock['signatures']['rfc']}:`
};

Expand All @@ -91,16 +91,16 @@ generate_script_test(kSignedShouldBlock, `ed25519-${kValidKeys['arbitrary']}`, E
const kMultiplySignedShouldExecute = {
body: kScriptToExecute['body'],
digest: `sha-256=:${kScriptToExecute['hash']}:`,
signatureInput: `signature1=("identity-digest";sf);alg="ed25519";keyid="${kValidKeys['rfc']}";tag="sri", ` +
`signature2=("identity-digest";sf);alg="ed25519";keyid="${kValidKeys['arbitrary']}";tag="sri"`,
signatureInput: `signature1=("identity-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri", ` +
`signature2=("identity-digest";sf);keyid="${kValidKeys['arbitrary']}";tag="sri"`,
signature: `signature1=:${kScriptToExecute['signatures']['rfc']}:, ` +
`signature2=:${kScriptToExecute['signatures']['arbitrary']}:`
};
const kMultiplySignedShouldBlock = {
body: kScriptToBlock['body'],
digest: `sha-256=:${kScriptToBlock['hash']}:`,
signatureInput: `signature1=("identity-digest";sf);alg="ed25519";keyid="${kValidKeys['rfc']}";tag="sri", ` +
`signature2=("identity-digest";sf);alg="ed25519";keyid="${kValidKeys['arbitrary']}";tag="sri"`,
signatureInput: `signature1=("identity-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri", ` +
`signature2=("identity-digest";sf);keyid="${kValidKeys['arbitrary']}";tag="sri"`,
signature: `signature1=:${kScriptToBlock['signatures']['rfc']}:, ` +
`signature2=:${kScriptToBlock['signatures']['arbitrary']}:`
};
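Review bot: In `kScriptToBlock`, the rewritten comment for the `arbitrary` signature still documents `keyid="xDnP380zcL4rJ76rXYjeHlfMyPZEOqpJYjsjEppbuXE"` without the trailing `=` that the matching comment in `kScriptToExecute` has. If the new `arbitrary` value was generated from the base exactly as documented, it would not verify against the `signatureInput` built from `kValidKeys['arbitrary']` (assuming that key is the padded form; its definition is not visible here). In that case `kMultiplySignedShouldBlock` could be blocked because of a bad signature rather than the condition under test. If it is only a typo, correct the comment to `// "@signature-params": ("identity-digest";sf);keyid="xDnP380zcL4rJ76rXYjeHlfMyPZEOqpJYjsjEppbuXE=";tag="sri"`. A should-block fixture is only meaningful when its signature is otherwise valid, so the regenerated value is worth re-checking either way.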
