Google Git
Sign in
chromium / chromium / src / 205191a32c9db91062c5342e901b2da2d67a49e5 / . / components / web_package / signed_web_bundles
tree: f48a1c12b833476c1d57aa564a87f9e4d01a1844 [path history] [tgz]
  1. attribute_map_parser.cc
  2. attribute_map_parser.h
  3. constants.h
  4. ecdsa_p256_public_key.cc
  5. ecdsa_p256_public_key.h
  6. ecdsa_p256_public_key_unittest.cc
  7. ecdsa_p256_sha256_signature.cc
  8. ecdsa_p256_sha256_signature.h
  9. ed25519_public_key.cc
  10. ed25519_public_key.h
  11. ed25519_public_key_unittest.cc
  12. ed25519_signature.cc
  13. ed25519_signature.h
  14. ed25519_signature_unittest.cc
  15. identity_validator.cc
  16. identity_validator.h
  17. integrity_block_attributes.cc
  18. integrity_block_attributes.h
  19. integrity_block_parser.cc
  20. integrity_block_parser.h
  21. OWNERS
  22. README.md
  23. signature_entry_parser.cc
  24. signature_entry_parser.h
  25. signed_web_bundle_id.cc
  26. signed_web_bundle_id.h
  27. signed_web_bundle_id_unittest.cc
  28. signed_web_bundle_integrity_block.cc
  29. signed_web_bundle_integrity_block.h
  30. signed_web_bundle_integrity_block_unittest.cc
  31. signed_web_bundle_signature_stack.cc
  32. signed_web_bundle_signature_stack.h
  33. signed_web_bundle_signature_stack_entry.cc
  34. signed_web_bundle_signature_stack_entry.h
  35. signed_web_bundle_signature_stack_entry_unittest.cc
  36. signed_web_bundle_signature_stack_unittest.cc
  37. signed_web_bundle_signature_verifier.cc
  38. signed_web_bundle_signature_verifier.h
  39. signed_web_bundle_signature_verifier_unittest.cc
  40. signed_web_bundle_utils.cc
  41. signed_web_bundle_utils.h
  42. signed_web_bundle_utils_unittest.cc
  43. types.h
components/web_package/signed_web_bundles/README.md

Signed Web Bundles

This directory contains code related to Signed Web Bundles. Signed Web Bundles are an extension of normal, unsigned Web Bundles. Signed Web Bundles are encoded as a CBOR Sequence consisting of an Integrity Block followed by a Web Bundle.

In contrast to individually signed responses and Signed Exchanges, signatures of Signed Web Bundles provide a guarantee that the entire Web Bundle was not modified, including that no responses have been added or removed.

Integrity Block

The format of the Integrity Block is described in this explainer. It contains magic bytes and version, similar to unsigned Web Bundles, as well as a signature stack. The signature stack contains one or more signatures and their corresponding public keys.

Note: Support for more than one signature is not yet fully designed and implemented (crbug.com/1366303).

Parsing

Parsing Signed Web Bundles is a three step process:

  1. Parse the Integrity Block using WebBundleParser::ParseIntegrityBlock.
  2. Verify that the signatures match using SignedWebBundleSignatureVerifier.
  3. Parse the metadata using WebBundleParser::ParseMetadata while providing the length of the Integrity Block as the offset parameter.

Due to the rule of 2, you may need to use data_decoder::SafeWebBundleParser instead of using WebBundleParser directly if your code runs in a non-sandboxed process.

Web Bundle ID

Signed Web Bundles can be identified by a Web Bundle ID (see SignedWebBundleId), which is derived from the public key of its first signature. More information about the Web Bundle ID can be found in this explainer.