Signed Exchange: Add scripts to generate test data

Bug: 803774
Change-Id: I9c9f9ff1a070b0bcf86312f6a80c56146b9d475b
Reviewed-on: https://chromium-review.googlesource.com/1143095
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#576751}
diff --git a/content/browser/web_package/signed_exchange_signature_verifier_unittest.cc b/content/browser/web_package/signed_exchange_signature_verifier_unittest.cc
index 6b01bb4..9dbab4e6 100644
--- a/content/browser/web_package/signed_exchange_signature_verifier_unittest.cc
+++ b/content/browser/web_package/signed_exchange_signature_verifier_unittest.cc
@@ -63,46 +63,11 @@
 const uint64_t kSignatureHeaderDate = 1517892341;
 const uint64_t kSignatureHeaderExpires = 1517895941;
 
-// See content/testdata/sxg/README on how to generate this data.
+// See content/testdata/sxg/README on how to generate these data.
 // clang-format off
-constexpr char kSignatureHeaderRSA[] =
-    "label; "
-    "sig=*RBFZPtl5xPDQyZuq4TcXY9fPkso5Edl7NofpdA9Bylwhvdsd7uCBAmOYx0BvXjrg8UVj"
-    "axIHeVNavLzTU42NZgSBd3po1qrT4TZb6piN/BMqmBWtaxEFxLaLZyBgrQpXN/l+OkWSvCF30"
-    "J9QEhqaI749SlVrrV37121Ik/WBIuo6Peo88HRP9292FEsrgwH3ggTJcTvkBbOIttO3UddEtN"
-    "3hQNNowNhsUCr3fXn0lIMW8Gyp0V6TVedIhgT7zqUxRqJRjedQzY+Bm7F01/jKzvD1etAcw7r"
-    "CidWFISmcyWjsLG1dlNtiZynO9gyyZduOSzBwEb9QcMTHekFsnmzFtg==*; "
-    "validity-url=\"https://example.com/resource.validity.msg\"; "
-    "integrity=\"mi-draft2\"; "
-    "cert-url=\"https://example.com/cert.msg\"; "
-    "cert-sha256=*tJGJP8ej7KCEW8VnVK3bKwpBza/oLrtWA75z5ZPptuc=*; "
-    "date=1517892341; expires=1517895941";
-// clang-format on
-
-// See content/testdata/sxg/README on how to generate this data.
-// clang-format off
-constexpr char kSignatureHeaderECDSAP256[] =
-    "label; "
-    "sig=*MEYCIQDtLdwjyge6hN35wF7SOgO2aHFYnVYqQvTguZmpZ2WncgIhAO22vzcYGuRXqnAX"
-    "3Bv/llls9DeQ2ecD8btESjxmRBmQ*; "
-    "validity-url=\"https://example.com/resource.validity.msg\"; "
-    "integrity=\"mi-draft2\"; "
-    "cert-url=\"https://example.com/cert.msg\"; "
-    "cert-sha256=*KX+BYLSMgDOON8Ju65RoId39Qvajxa12HO+WnD4HpS0=*; "
-    "date=1517892341; expires=1517895941";
-// clang-format on
-
-// See content/testdata/sxg/README on how to generate this data.
-// clang-format off
-constexpr char kSignatureHeaderECDSAP384[] =
-    "label; "
-    "sig=*MGUCMQDoljLI4+cdxPYk0e33WlIBILYN92fpDXG6tBs4GSW3NGcbnwaGxV8qRgg3PQdUZ"
-    "B4CMGe4bAef8YlOErfrfV6UdbAGNeBveoY4rMkDDaPCxt1aCCb/6BYzuFJn6maGOpDN5w==*; "
-    "validity-url=\"https://example.com/resource.validity.msg\"; "
-    "integrity=\"mi-draft2\"; "
-    "cert-url=\"https://example.com/cert.msg\"; "
-    "cert-sha256=*8X8y8nj8vDJHSSa0cxn+TCu+8zGpIJfbdzAnd5cW+jA=*; "
-    "date=1517892341; expires=1517895941";
+constexpr char kSignatureHeaderRSA[] = R"(label; sig=*yYFb09i7VXuqsGBxc3RuJzGL4XMD9bZ20kXWSv1JObEf7KIG0MznSE1nu1fE+7DrgWQxH7FQfSWjyseOAvxsBOfkptmCCi/Ffklz3N1UU8LfwfaLWj80oBqDeofiIYwevSSpsaRKBYie7KjiVOjslFLOGe82MmHyF2utFRKY/i6UAHgMrg2FGfbwBaJsxEgtpPcN8/QnFKgt1la+JjwvYbMHpJhHTedDqx9GCxJOzbJjKRL1E2tIBvhDfK2m3eJv/nqvgWkK3MOd/Xp4FkndciS3eNyZZjwvJ6IL/3x4e0AZ36KvglpS092ZftiE4lKQWnHmVeDRmEHW6qOyv1Q3+w==*; validity-url="https://example.com/resource.validity.msg"; integrity="mi-draft2"; cert-url="https://example.com/cert.msg"; cert-sha256=*tJGJP8ej7KCEW8VnVK3bKwpBza/oLrtWA75z5ZPptuc=*; date=1517892341; expires=1517895941)";
+constexpr char kSignatureHeaderECDSAP256[] = R"(label; sig=*MEQCIA0w6auOuWGT6//MO/h43/xkXBchJUOp53GU5dmA8U+/AiAe0FggCblVxzosT2Ow9rrC2Q8zO0DZPLSNbcu29xYP6g==*; validity-url="https://example.com/resource.validity.msg"; integrity="mi-draft2"; cert-url="https://example.com/cert.msg"; cert-sha256=*KX+BYLSMgDOON8Ju65RoId39Qvajxa12HO+WnD4HpS0=*; date=1517892341; expires=1517895941)";
+constexpr char kSignatureHeaderECDSAP384[] = R"(label; sig=*MGYCMQC/P8m0ZnPrIMlI3I412MixcK9cQSirIECUNR7pOIlTiLaH95L72KXqq2aL+lxxKIICMQDU3s/BhoWtR61eKG9SqgGHd0ZtUJVY24xaJ2yHiYWxZU/QhOr5ZArSj3x1khivpRg=*; validity-url="https://example.com/resource.validity.msg"; integrity="mi-draft2"; cert-url="https://example.com/cert.msg"; cert-sha256=*8X8y8nj8vDJHSSa0cxn+TCu+8zGpIJfbdzAnd5cW+jA=*; date=1517892341; expires=1517895941)";
 // clang-format on
 
 // |expires| (1518497142) is more than 7 days (604800 seconds) after |date|
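Review bot: The rewritten comment still points at `content/testdata/sxg/README`, a path that matches neither the README this commit deletes (`content/test/data/sxg/README`) nor the one it adds (`content/test/data/sxg/README.md`). Since the three headers are now pasted from script output, I would name the generator directly: `// Generated by content/test/data/sxg/generate-test-sxgs.sh; see README.md in that directory.` It would also help to say in that comment that each `sig` value must be regenerated together with its certificate. The `cert-sha256` fields are unchanged here while the signatures are new, and nothing in the file explains why.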
diff --git a/content/test/data/sxg/README b/content/test/data/sxg/README
deleted file mode 100644
index e542c7d..0000000
--- a/content/test/data/sxg/README
+++ /dev/null
@@ -1,124 +0,0 @@
-The certificate message files (*.msg) and the signed exchange files (*.sxg) in
-this directory are generated using the following commands.
-
-gen-certurl and gen-signedexchange are available in [webpackage repository][1].
-Revision cf19833 is used to generate these files.
-
- [1] https://github.com/WICG/webpackage
-
-# Install gen-certurl command.
-go get -v -u github.com/WICG/webpackage/go/signedexchange/cmd/gen-certurl
-
-# Install gen-signedexchange command.
-go get -v -u github.com/WICG/webpackage/go/signedexchange/cmd/gen-signedexchange
-
-# Generate a "secp256r1 (== prime256v1) ecdsa with sha256" key/cert pair
-openssl ecparam -out prime256v1.key -name prime256v1 -genkey
-
-openssl req -new -sha256 -key prime256v1.key -out prime256v1-sha256.csr \
-  -subj '/CN=test.example.org/O=Test/C=US'
-
-openssl x509 -req -days 360 -in prime256v1-sha256.csr \
-  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
-  -out prime256v1-sha256.public.pem -set_serial 1 \
-  -extfile x509.ext
-
-openssl x509 -req -days 360 -in prime256v1-sha256.csr \
-  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
-  -out prime256v1-sha256-noext.public.pem -set_serial 1
-
-# Make dummy OCSP and SCT data for cbor certificate chains.
-echo -n OCSP >/tmp/ocsp; echo -n SCT >/tmp/sct
-
-# Generate the certificate chain of "*.example.org".
-gen-certurl -pem prime256v1-sha256.public.pem \
-  -ocsp /tmp/ocsp -sct /tmp/sct > test.example.org.public.pem.cbor
-
-# Generate the certificate chain of "*.example.org", without
-# CanSignHttpExchangesDraft extension.
-gen-certurl -pem prime256v1-sha256-noext.public.pem \
-  -ocsp /tmp/ocsp -sct /tmp/sct > test.example.org-noext.public.pem.cbor
-
-# Generate the signed exchange file.
-gen-signedexchange \
-  -uri https://test.example.org/test/ \
-  -status 200 \
-  -content test.html \
-  -certificate prime256v1-sha256.public.pem \
-  -certUrl https://cert.example.org/cert.msg \
-  -validityUrl https://test.example.org/resource.validity.msg \
-  -privateKey prime256v1.key \
-  -date 2018-03-12T05:53:20Z \
-  -o test.example.org_test.sxg \
-  -miRecordSize 100
-
-# Generate the signed exchange file with noext certificate
-gen-signedexchange \
-  -uri https://test.example.org/test/ \
-  -status 200 \
-  -content test.html \
-  -certificate prime256v1-sha256-noext.public.pem \
-  -certUrl https://cert.example.org/cert.msg \
-  -validityUrl https://test.example.org/resource.validity.msg \
-  -privateKey prime256v1.key \
-  -date 2018-03-12T05:53:20Z \
-  -o test.example.org_noext_test.sxg \
-  -miRecordSize 100
-
-# Generate the signed exchange file with invalid URL.
-gen-signedexchange \
-  -uri https://test.example.com/test/ \
-  -status 200 \
-  -content test.html \
-  -certificate prime256v1-sha256.public.pem \
-  -certUrl https://cert.example.org/cert.msg \
-  -validityUrl https://test.example.org/resource.validity.msg \
-  -privateKey prime256v1.key \
-  -date 2018-03-12T05:53:20Z \
-  -o test.example.com_invalid_test.sxg \
-  -miRecordSize 100
-
-# Generate the signed exchange for a plain text file.
-gen-signedexchange \
-  -uri https://test.example.org/hello.txt \
-  -status 200 \
-  -content hello.txt \
-  -certificate prime256v1-sha256.public.pem \
-  -certUrl https://cert.example.org/cert.msg \
-  -validityUrl https://test.example.org/resource.validity.msg \
-  -privateKey prime256v1.key \
-  -responseHeader 'Content-Type: text/plain; charset=iso-8859-1' \
-  -date 2018-03-12T05:53:20Z \
-  -o test.example.org_hello.txt.sxg
-
-# Generate a "secp384r1 ecdsa with sha256" key/cert pair for negative test
-openssl ecparam -out secp384r1.key -name secp384r1 -genkey
-
-openssl req -new -sha256 -key secp384r1.key -out secp384r1-sha256.csr \
-  --subj '/CN=test.example.org/O=Test/C=US'
-
-openssl x509 -req -days 360 -in secp384r1-sha256.csr \
-  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
-  -out secp384r1-sha256.public.pem -set_serial 1
-
-# Generate test signatures in signed_exchange_signature_verifier_unittest.cc
-gen-signedexchange \
-  -uri https://test.example.org/test/ \
-  -content test.html \
-  -certificate ./prime256v1-sha256.public.pem \
-  -privateKey ./prime256v1.key \
-  -date 2018-02-06T04:45:41Z
-
-gen-signedexchange \
-  -uri https://test.example.org/test/ \
-  -content test.html \
-  -certificate ./prime256v1-sha256.public.pem \
-  -privateKey ./prime256v1.key \
-  -date 2018-02-06T04:45:41Z
-
-gen-signedexchange \
-  -uri https://test.example.org/test/ \
-  -content test.html \
-  -certificate ./secp384r1-sha256.public.pem \
-  -privateKey ./secp384r1.key \
-  -date 2018-02-06T04:45:41Z
diff --git a/content/test/data/sxg/README.md b/content/test/data/sxg/README.md
new file mode 100644
index 0000000..372cd60
--- /dev/null
+++ b/content/test/data/sxg/README.md
@@ -0,0 +1,16 @@
+The key and certificate files (`*.key`, `*.csr`, `*.pem`) are
+generated by `generate-test-certs.sh` in this directory. It requires `openssl`
+be installed.
+
+The certificate cbor files (`*.cbor`) and the signed exchange files (`*.sxg`) in
+this directory are generated using `generate-test-sxgs.sh`.
+
+`generate-test-sxgs.sh` requires command-line tools in the
+[webpackage repository](https://github.com/WICG/webpackage). To install them,
+run:
+
+```
+go get -u github.com/WICG/webpackage/go/signedexchange/cmd/...
+```
+
+The revision of the tools used to generate the test files is `d4b8ed9`.
diff --git a/content/test/data/sxg/generate-test-certs.sh b/content/test/data/sxg/generate-test-certs.sh
new file mode 100755
index 0000000..6d13ba1
--- /dev/null
+++ b/content/test/data/sxg/generate-test-certs.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Copyright 2018 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set -e
+
+# Generate a "secp256r1 (== prime256v1) ecdsa with sha256" key/cert pair
+openssl ecparam -out prime256v1.key -name prime256v1 -genkey
+
+openssl req -new -sha256 -key prime256v1.key -out prime256v1-sha256.csr \
+  -subj '/CN=test.example.org/O=Test/C=US'
+
+openssl x509 -req -days 360 -in prime256v1-sha256.csr \
+  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
+  -out prime256v1-sha256.public.pem -set_serial 1 \
+  -extfile x509.ext
+
+openssl x509 -req -days 360 -in prime256v1-sha256.csr \
+  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
+  -out prime256v1-sha256-noext.public.pem -set_serial 1
+
+# Generate a "secp384r1 ecdsa with sha256" key/cert pair for negative test
+openssl ecparam -out secp384r1.key -name secp384r1 -genkey
+
+openssl req -new -sha256 -key secp384r1.key -out secp384r1-sha256.csr \
+  --subj '/CN=test.example.org/O=Test/C=US'
+
+openssl x509 -req -days 360 -in secp384r1-sha256.csr \
+  -CA ../../../../net/data/ssl/certificates/root_ca_cert.pem \
+  -out secp384r1-sha256.public.pem -set_serial 1
+
+echo
+echo "Update the test certs in signed_exchange_signature_verifier_unittest.cc"
+echo "with the followings:"
+echo "===="
+
+echo 'constexpr char kCertPEMRSA[] = R"('
+sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
+  ../../../../net/data/ssl/certificates/wildcard.pem
+echo ')";'
+echo 'constexpr char kCertPEMECDSAP256[] = R"('
+cat ./prime256v1-sha256.public.pem
+echo ')";'
+echo 'constexpr char kCertPEMECDSAP384[] = R"('
+cat ./secp384r1-sha256.public.pem
+echo ')";'
+
+echo "===="
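Review bot: Every path in this script is relative to the current directory (`x509.ext`, `../../../../net/data/ssl/certificates/root_ca_cert.pem`), but nothing changes into the script's own directory. A run from elsewhere therefore writes `prime256v1.key` and the CSR into the caller's directory before `set -e` stops it at the first `openssl x509` call. Adding `cd "$(dirname "$0")"` right after `set -e` would pin the location. The secp384r1 request passes `--subj` where the prime256v1 request passes `-subj`; whether the double dash is accepted likely depends on the openssl version, so I would use `-subj` in both. A header comment such as `# Test-only keys and certificates; all are issued with serial 1 under the test root CA.` would make clear that the generated `*.key` files are fixtures, not secrets.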
diff --git a/content/test/data/sxg/generate-test-sxgs.sh b/content/test/data/sxg/generate-test-sxgs.sh
new file mode 100755
index 0000000..039006e
--- /dev/null
+++ b/content/test/data/sxg/generate-test-sxgs.sh
@@ -0,0 +1,137 @@
+#!/bin/sh
+
+# Copyright 2018 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set -e
+
+for cmd in gen-signedexchange gen-certurl dump-signedexchange; do
+    if ! command -v $cmd > /dev/null 2>&1; then
+        echo "$cmd is not installed. Please run:"
+        echo "  go get -u github.com/WICG/webpackage/go/signedexchange/cmd/..."
+        exit 1
+    fi
+done
+
+tmpdir=$(mktemp -d)
+
+# Make dummy OCSP and SCT data for cbor certificate chains.
+echo -n OCSP >$tmpdir/ocsp; echo -n SCT >$tmpdir/sct
+
+# Generate the certificate chain of "*.example.org".
+gen-certurl -pem prime256v1-sha256.public.pem \
+  -ocsp $tmpdir/ocsp -sct $tmpdir/sct > test.example.org.public.pem.cbor
+
+# Generate the certificate chain of "*.example.org", without
+# CanSignHttpExchangesDraft extension.
+gen-certurl -pem prime256v1-sha256-noext.public.pem \
+  -ocsp $tmpdir/ocsp -sct $tmpdir/sct > test.example.org-noext.public.pem.cbor
+
+# Generate the signed exchange file.
+gen-signedexchange \
+  -uri https://test.example.org/test/ \
+  -status 200 \
+  -content test.html \
+  -certificate prime256v1-sha256.public.pem \
+  -certUrl https://cert.example.org/cert.msg \
+  -validityUrl https://test.example.org/resource.validity.msg \
+  -privateKey prime256v1.key \
+  -date 2018-03-12T05:53:20Z \
+  -o test.example.org_test.sxg \
+  -miRecordSize 100
+
+# Generate the signed exchange file with noext certificate
+gen-signedexchange \
+  -uri https://test.example.org/test/ \
+  -status 200 \
+  -content test.html \
+  -certificate prime256v1-sha256-noext.public.pem \
+  -certUrl https://cert.example.org/cert.msg \
+  -validityUrl https://test.example.org/resource.validity.msg \
+  -privateKey prime256v1.key \
+  -date 2018-03-12T05:53:20Z \
+  -o test.example.org_noext_test.sxg \
+  -miRecordSize 100
+
+# Generate the signed exchange file with invalid URL.
+gen-signedexchange \
+  -uri https://test.example.com/test/ \
+  -status 200 \
+  -content test.html \
+  -certificate prime256v1-sha256.public.pem \
+  -certUrl https://cert.example.org/cert.msg \
+  -validityUrl https://test.example.org/resource.validity.msg \
+  -privateKey prime256v1.key \
+  -date 2018-03-12T05:53:20Z \
+  -o test.example.com_invalid_test.sxg \
+  -miRecordSize 100
+
+# Generate the signed exchange for a plain text file.
+gen-signedexchange \
+  -uri https://test.example.org/hello.txt \
+  -status 200 \
+  -content hello.txt \
+  -certificate prime256v1-sha256.public.pem \
+  -certUrl https://cert.example.org/cert.msg \
+  -validityUrl https://test.example.org/resource.validity.msg \
+  -privateKey prime256v1.key \
+  -responseHeader 'Content-Type: text/plain; charset=iso-8859-1' \
+  -date 2018-03-12T05:53:20Z \
+  -o test.example.org_hello.txt.sxg
+
+echo "Update the test signatures in "
+echo "signed_exchange_signature_verifier_unittest.cc with the followings:"
+echo "===="
+
+sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' \
+  ../../../../net/data/ssl/certificates/wildcard.pem \
+  > $tmpdir/wildcard_example.org.private.pem
+sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
+  ../../../../net/data/ssl/certificates/wildcard.pem \
+  > $tmpdir/wildcard_example.org.public.pem
+gen-signedexchange \
+  -uri https://test.example.org/test/ \
+  -content test.html \
+  -certificate $tmpdir/wildcard_example.org.public.pem \
+  -privateKey $tmpdir/wildcard_example.org.private.pem \
+  -date 2018-02-06T04:45:41Z \
+  -o $tmpdir/out.htxg
+
+echo -n 'constexpr char kSignatureHeaderRSA[] = R"('
+dump-signedexchange -i $tmpdir/out.htxg | \
+    sed -n 's/^signature: //p' | \
+    tr -d '\n'
+echo ')";'
+
+gen-signedexchange \
+  -uri https://test.example.org/test/ \
+  -content test.html \
+  -certificate ./prime256v1-sha256.public.pem \
+  -privateKey ./prime256v1.key \
+  -date 2018-02-06T04:45:41Z \
+  -o $tmpdir/out.htxg
+
+echo -n 'constexpr char kSignatureHeaderECDSAP256[] = R"('
+dump-signedexchange -i $tmpdir/out.htxg | \
+    sed -n 's/^signature: //p' | \
+    tr -d '\n'
+echo ')";'
+
+gen-signedexchange \
+  -uri https://test.example.org/test/ \
+  -content test.html \
+  -certificate ./secp384r1-sha256.public.pem \
+  -privateKey ./secp384r1.key \
+  -date 2018-02-06T04:45:41Z \
+  -o $tmpdir/out.htxg
+
+echo -n 'constexpr char kSignatureHeaderECDSAP384[] = R"('
+dump-signedexchange -i $tmpdir/out.htxg | \
+    sed -n 's/^signature: //p' | \
+    tr -d '\n'
+echo ')";'
+
+echo "===="
+
+rm -fr $tmpdir
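Review bot: The temporary directory is removed only by the final `rm -fr $tmpdir`, so under `set -e` any failing `gen-signedexchange` or `dump-signedexchange` call leaves it behind, along with the private key copied out of `wildcard.pem`. Registering `trap 'rm -rf "$tmpdir"' EXIT` right after `tmpdir=$(mktemp -d)` and quoting `"$tmpdir"` at each use would cover the error paths. `echo -n` is not specified for `#!/bin/sh`, and on shells whose `echo` prints `-n` literally the dummy OCSP/SCT files and the emitted `constexpr` lines would be wrong. `printf 'OCSP' >"$tmpdir/ocsp"` and `printf '%s' 'constexpr char kSignatureHeaderRSA[] = R"('` avoid that. The install hint uses `go get -u`, which fetches the current tools rather than the revision recorded in README.md, so regenerated output may differ from the checked-in data.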