
Issue 851778

Issue metadata

Status: Fixed
Owner:
Closed: Jul 11
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 803774




Signed Exchange: Require X.509 extension for signing certificate

Project Member Reported by ksakamoto@chromium.org, Jun 12 2018

Issue description

https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#cross-origin-cert-req

"We define a new X.509 extension, CanSignHttpExchanges to be used in the certificate when the certificate permits the usage of signed exchanges. When this extension is not present the client MUST NOT accept a signature from the certificate as proof that a signed exchange is authoritative for a domain covered by the certificate."


Note: It will take some time until CAs support the CanSignHttpExchanges extension. For people who want to try SignedExchange now, we may want to add a (temporary) flag that lets SignedExchangeHandler accept certificates without the extension.

 
Project Member

Comment 1 by bugdroid1@chromium.org, Jun 22 2018

Project Member

Comment 2 by bugdroid1@chromium.org, Jun 26 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/97cfcf51025d806fd77da73ed05371c8492eba77

commit 97cfcf51025d806fd77da73ed05371c8492eba77
Author: Kunihiko Sakamoto <ksakamoto@chromium.org>
Date: Tue Jun 26 03:08:22 2018

Rename testCanSignHttpExchanges to canSignHttpExchangesDraft

The name of the draft canSignHttpExchanges extension OID has been renamed from
id-ce-testCanSignHttpExchanges to id-ce-canSignHttpExchangesDraft in
https://github.com/WICG/webpackage/pull/231.

Bug:  851778 
Change-Id: I1d6940d9f9028ea55d0ee2e86c854a02a9dd3b47
Reviewed-on: https://chromium-review.googlesource.com/1112894
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570316}
[modify] https://crrev.com/97cfcf51025d806fd77da73ed05371c8492eba77/net/BUILD.gn
[modify] https://crrev.com/97cfcf51025d806fd77da73ed05371c8492eba77/net/cert/asn1_util.cc
[modify] https://crrev.com/97cfcf51025d806fd77da73ed05371c8492eba77/net/cert/asn1_util.h
[modify] https://crrev.com/97cfcf51025d806fd77da73ed05371c8492eba77/net/cert/x509_certificate_unittest.cc
[rename] https://crrev.com/97cfcf51025d806fd77da73ed05371c8492eba77/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension.pem
[modify] https://crrev.com/97cfcf51025d806fd77da73ed05371c8492eba77/net/data/ssl/scripts/ee.cnf
[modify] https://crrev.com/97cfcf51025d806fd77da73ed05371c8492eba77/net/data/ssl/scripts/generate-test-certs.sh

Project Member

Comment 3 by bugdroid1@chromium.org, Jun 30 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b0f7ee7dfea5ecef6850808aefd4beebc753bd06

commit b0f7ee7dfea5ecef6850808aefd4beebc753bd06
Author: Kunihiko Sakamoto <ksakamoto@chromium.org>
Date: Sat Jun 30 08:47:23 2018

SignedExchange: Add a test that uses real CertVerifier

- Add a browser test case that uses real (not mocked) CertVerifier.
- Re-generate test certificates removing the critical flag of
  CanSignHttpExchangesDraft extension, since the extension is not known to
  the OS cert verifiers.

Bug:  851778 
Change-Id: Ic43319229feddcbaa0349a4f81c995011e63bc7b
Reviewed-on: https://chromium-review.googlesource.com/1116406
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#571770}
[modify] https://crrev.com/b0f7ee7dfea5ecef6850808aefd4beebc753bd06/content/browser/web_package/signed_exchange_request_handler_browsertest.cc
[modify] https://crrev.com/b0f7ee7dfea5ecef6850808aefd4beebc753bd06/content/test/data/htxg/prime256v1-sha256.public.pem
[modify] https://crrev.com/b0f7ee7dfea5ecef6850808aefd4beebc753bd06/content/test/data/htxg/test.example.com_invalid_test.htxg
[modify] https://crrev.com/b0f7ee7dfea5ecef6850808aefd4beebc753bd06/content/test/data/htxg/test.example.org.public.pem.cbor
[modify] https://crrev.com/b0f7ee7dfea5ecef6850808aefd4beebc753bd06/content/test/data/htxg/test.example.org_hello.txt.htxg
[modify] https://crrev.com/b0f7ee7dfea5ecef6850808aefd4beebc753bd06/content/test/data/htxg/test.example.org_test.htxg
[modify] https://crrev.com/b0f7ee7dfea5ecef6850808aefd4beebc753bd06/content/test/data/htxg/x509.ext
[modify] https://crrev.com/b0f7ee7dfea5ecef6850808aefd4beebc753bd06/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension.pem
[modify] https://crrev.com/b0f7ee7dfea5ecef6850808aefd4beebc753bd06/net/data/ssl/scripts/ee.cnf

Project Member

Comment 4 by bugdroid1@chromium.org, Jul 9

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/17c8880108d4be8bd6b13e9c4273ac27f1b9f34b

commit 17c8880108d4be8bd6b13e9c4273ac27f1b9f34b
Author: Kunihiko Sakamoto <ksakamoto@chromium.org>
Date: Mon Jul 09 05:59:01 2018

SignedExchange: Do not mark CanSignHttpExchangesDraft as critical

This updates test certificates for layout tests removing the critical
flag of CanSignHttpExchangesDraft extension.

Context: https://github.com/WICG/webpackage/issues/238

Bug:  851778 
Change-Id: I1cca7d55a4eebd898db45cc212265674a7e9be5a
Reviewed-on: https://chromium-review.googlesource.com/1119725
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#573225}
[modify] https://crrev.com/17c8880108d4be8bd6b13e9c4273ac27f1b9f34b/third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/127.0.0.1.sxg.pem.cbor
[modify] https://crrev.com/17c8880108d4be8bd6b13e9c4273ac27f1b9f34b/third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/htxg-cert-not-found.sxg
[modify] https://crrev.com/17c8880108d4be8bd6b13e9c4273ac27f1b9f34b/third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/htxg-invalid-validity-url.sxg
[modify] https://crrev.com/17c8880108d4be8bd6b13e9c4273ac27f1b9f34b/third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/htxg-location.sxg
[modify] https://crrev.com/17c8880108d4be8bd6b13e9c4273ac27f1b9f34b/third_party/blink/tools/blinkpy/third_party/wpt/certs/127.0.0.1.sxg.ext
[modify] https://crrev.com/17c8880108d4be8bd6b13e9c4273ac27f1b9f34b/third_party/blink/tools/blinkpy/third_party/wpt/certs/127.0.0.1.sxg.pem

Project Member

Comment 5 by bugdroid1@chromium.org, Jul 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d4079814f598cefeea9cf6b1513465a86ad6804

commit 4d4079814f598cefeea9cf6b1513465a86ad6804
Author: Kunihiko Sakamoto <ksakamoto@chromium.org>
Date: Tue Jul 10 04:56:29 2018

Signed Exchange: Require CanSignHttpExchangesDraft cert extension

After this patch, certificates for signed exchanges must have the
CanSignHttpExchangesDraft extension [1]. Since currently there's no CA
supporting this extension, this patch also adds a flag to ignore this
error, so that people can test signed exchanges using their existing
certificates.

[1] https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#cross-origin-cert-req

Bug:  851778 
Change-Id: I184ab6533fb4cc172ff91b090626cac5dc45274c
Reviewed-on: https://chromium-review.googlesource.com/1111485
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#573614}
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/chrome/browser/about_flags.cc
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/chrome/browser/flag_descriptions.cc
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/chrome/browser/flag_descriptions.h
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/content/browser/web_package/signed_exchange_handler.cc
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/content/browser/web_package/signed_exchange_handler.h
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/content/browser/web_package/signed_exchange_handler_unittest.cc
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/content/public/common/content_features.cc
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/content/public/common/content_features.h
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/content/test/data/htxg/README
[add] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/content/test/data/htxg/prime256v1-sha256-noext.public.pem
[add] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/content/test/data/htxg/test.example.org-noext.public.pem.cbor
[add] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/content/test/data/htxg/test.example.org_noext_test.htxg
[modify] https://crrev.com/4d4079814f598cefeea9cf6b1513465a86ad6804/tools/metrics/histograms/enums.xml

Status: Fixed (was: Assigned)
Closing. See Issue 862003 for #allow-sxg-certs-without-extension flag removal.
Project Member

Comment 7 by bugdroid1@chromium.org, Aug 27

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/933f39b8d511d145b8b51db63b37a6230fb70e12

commit 933f39b8d511d145b8b51db63b37a6230fb70e12
Author: David Benjamin <davidben@chromium.org>
Date: Mon Aug 27 14:59:18 2018

Parse the body of the CanSignHttpExchanges extension.

The spec says the body is a NULL, so we should enforce it. Otherwise
implementations may accidentally produce certificates that get this wrong,
and then other consumers will need to mimic our laxness.

https://tools.ietf.org/html/draft-iab-protocol-maintenance-00

Bug:  851778 
Change-Id: I0bcfd076d94743ab285ce0a6938182b9a32b0e36
Reviewed-on: https://chromium-review.googlesource.com/1189061
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#586262}
[modify] https://crrev.com/933f39b8d511d145b8b51db63b37a6230fb70e12/net/BUILD.gn
[modify] https://crrev.com/933f39b8d511d145b8b51db63b37a6230fb70e12/net/cert/asn1_util.cc
[modify] https://crrev.com/933f39b8d511d145b8b51db63b37a6230fb70e12/net/cert/x509_certificate_unittest.cc
[add] https://crrev.com/933f39b8d511d145b8b51db63b37a6230fb70e12/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension_invalid.pem
[modify] https://crrev.com/933f39b8d511d145b8b51db63b37a6230fb70e12/net/data/ssl/scripts/ee.cnf
[modify] https://crrev.com/933f39b8d511d145b8b51db63b37a6230fb70e12/net/data/ssl/scripts/generate-test-certs.sh
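
The requirement in the issue description and the strict body check from comment 7, as an added example that is not Chromium's code: a minimal DER walk over one X.509 Extension that accepts the draft extension only when its extnValue is exactly a DER NULL. The OID 1.3.6.1.4.1.11129.2.1.22 comes from the draft spec rather than this page, the names ReadTlv, CheckCanSignHttpExchanges and MakeExtension are hypothetical, and only short-form DER lengths are handled.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Content octets of OID 1.3.6.1.4.1.11129.2.1.22 (from the draft spec, not this page).
const Bytes kCanSignOid = {0x2B, 0x06, 0x01, 0x04, 0x01, 0xD6, 0x79, 0x02, 0x01, 0x16};
const Bytes kDerNull = {0x05, 0x00};
enum class ExtCheck { kValid, kOtherExtension, kMalformed, kBodyNotNull };

// Reads one DER TLV at *pos; only short-form lengths (< 128) are handled.
bool ReadTlv(const Bytes& in, size_t* pos, uint8_t* tag, Bytes* value) {
  if (*pos + 2 > in.size()) return false;
  *tag = in[*pos];
  size_t len = in[*pos + 1];
  if ((len & 0x80) || *pos + 2 + len > in.size()) return false;
  value->assign(in.begin() + *pos + 2, in.begin() + *pos + 2 + len);
  *pos += 2 + len;
  return true;
}

// Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
ExtCheck CheckCanSignHttpExchanges(const Bytes& ext) {
  size_t pos = 0; uint8_t tag = 0; Bytes seq, oid, field;
  if (!ReadTlv(ext, &pos, &tag, &seq) || tag != 0x30 || pos != ext.size()) return ExtCheck::kMalformed;
  pos = 0;
  if (!ReadTlv(seq, &pos, &tag, &oid) || tag != 0x06) return ExtCheck::kMalformed;
  if (oid != kCanSignOid) return ExtCheck::kOtherExtension;
  if (!ReadTlv(seq, &pos, &tag, &field)) return ExtCheck::kMalformed;
  if (tag == 0x01 &&  // optional critical BOOLEAN: skip it, then read extnValue
      (field.size() != 1 || !ReadTlv(seq, &pos, &tag, &field))) return ExtCheck::kMalformed;
  if (tag != 0x04 || pos != seq.size()) return ExtCheck::kMalformed;
  return field == kDerNull ? ExtCheck::kValid : ExtCheck::kBodyNotNull;  // body must be exactly NULL
}

// Constructed sample input: builds the DER of one Extension carrying the given body.
Bytes MakeExtension(bool critical, const Bytes& body) {
  Bytes ext = {0x30, 0x00, 0x06, static_cast<uint8_t>(kCanSignOid.size())};
  ext.insert(ext.end(), kCanSignOid.begin(), kCanSignOid.end());
  if (critical) ext.insert(ext.end(), {0x01, 0x01, 0xFF});
  ext.insert(ext.end(), {0x04, static_cast<uint8_t>(body.size())});
  ext.insert(ext.end(), body.begin(), body.end());
  ext[1] = static_cast<uint8_t>(ext.size() - 2);  // outer SEQUENCE length
  return ext;
}

int main() {
  std::printf("NULL body accepted: %d\n", CheckCanSignHttpExchanges(MakeExtension(false, kDerNull)) == ExtCheck::kValid);
}
```

A certificate with no such extension at all is the case the issue description says MUST NOT be accepted; here that corresponds to no Extension in the certificate returning `kValid`.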
