Trust Tokens: Add NetworkContextClient support for local issuance

The Trust Token API (https://github.com/wicg/trust-token-api) adds Web Platform support for executing certain cryptographic operations alongside resource requests. We're implementing an expansion, "platform-issued trust tokens," where one of these operations ("issuance") can be executed against OS-mediated providers (e.g. registered by some kind of system service). This CL expands NetworkContextClient's interface to provide a method that can answer Trust Tokens issuance requests locally. This will subsequently be implemented by querying an embedder-provided Mojo remote. This change's child (crrev.com/c/2491300) wires this interface to the network service Trust Tokens implementation. Design doc: bit.ly/platform-provided-trust-tokens Bug: 1130273 Change-Id: Iea07b36cdd3369ca51a667e0f4f0cada05c2aad9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2433104 Commit-Queue: David Van Cleve <davidvc@chromium.org> Reviewed-by: Robert Ogden <robertogden@chromium.org> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#820346}
Denger-Network · Oct 23, 2020 · 7e58eb0 · 7e58eb0
1 parent dd11628
commit 7e58eb0
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 0 deletions.
diff --git a/chrome/browser/prerender/isolated/isolated_prerender_network_context_client.cc b/chrome/browser/prerender/isolated/isolated_prerender_network_context_client.cc
@@ -97,3 +97,13 @@ void IsolatedPrerenderNetworkContextClient::OnGenerateHttpNegotiateAuthToken(
 #if defined(OS_CHROMEOS)
 void IsolatedPrerenderNetworkContextClient::OnTrustAnchorUsed() {}
 #endif
+
+void IsolatedPrerenderNetworkContextClient::
+    OnTrustTokenIssuanceDivertedToSystem(
+        network::mojom::FulfillTrustTokenIssuanceRequestPtr request,
+        OnTrustTokenIssuanceDivertedToSystemCallback callback) {
+  auto response = network::mojom::FulfillTrustTokenIssuanceAnswer::New();
+  response->status =
+      network::mojom::FulfillTrustTokenIssuanceAnswer::Status::kNotFound;
+  std::move(callback).Run(std::move(response));
+}
diff --git a/chrome/browser/prerender/isolated/isolated_prerender_network_context_client.h b/chrome/browser/prerender/isolated/isolated_prerender_network_context_client.h
@@ -72,6 +72,9 @@ class IsolatedPrerenderNetworkContextClient
 #if defined(OS_CHROMEOS)
   void OnTrustAnchorUsed() override;
 #endif
+  void OnTrustTokenIssuanceDivertedToSystem(
+      network::mojom::FulfillTrustTokenIssuanceRequestPtr request,
+      OnTrustTokenIssuanceDivertedToSystemCallback callback) override;
 };
 
 #endif  // CHROME_BROWSER_PRERENDER_ISOLATED_ISOLATED_PRERENDER_NETWORK_CONTEXT_CLIENT_H_
diff --git a/content/browser/network_context_client_base_impl.cc b/content/browser/network_context_client_base_impl.cc
@@ -167,4 +167,13 @@ void NetworkContextClientBase::OnGenerateHttpNegotiateAuthToken(
 void NetworkContextClientBase::OnTrustAnchorUsed() {}
 #endif
 
+void NetworkContextClientBase::OnTrustTokenIssuanceDivertedToSystem(
+    network::mojom::FulfillTrustTokenIssuanceRequestPtr request,
+    OnTrustTokenIssuanceDivertedToSystemCallback callback) {
+  auto response = network::mojom::FulfillTrustTokenIssuanceAnswer::New();
+  response->status =
+      network::mojom::FulfillTrustTokenIssuanceAnswer::Status::kNotFound;
+  std::move(callback).Run(std::move(response));
+}
+
 }  // namespace content
diff --git a/content/browser/storage_partition_impl.cc b/content/browser/storage_partition_impl.cc
@@ -1891,6 +1891,17 @@ void StoragePartitionImpl::OnTrustAnchorUsed() {
 }
 #endif
 
+void StoragePartitionImpl::OnTrustTokenIssuanceDivertedToSystem(
+    network::mojom::FulfillTrustTokenIssuanceRequestPtr request,
+    OnTrustTokenIssuanceDivertedToSystemCallback callback) {
+  // TODO(crbug.com/1130272): Implement logic that allows executing Trust
+  // Tokens operations when available, rather than failing unconditionally.
+  auto response = network::mojom::FulfillTrustTokenIssuanceAnswer::New();
+  response->status =
+      network::mojom::FulfillTrustTokenIssuanceAnswer::Status::kNotFound;
+  std::move(callback).Run(std::move(response));
+}
+
 void StoragePartitionImpl::ClearDataImpl(
     uint32_t remove_mask,
     uint32_t quota_storage_remove_mask,

diff --git a/content/browser/storage_partition_impl.h b/content/browser/storage_partition_impl.h
@@ -54,6 +54,7 @@
 #include "services/network/public/mojom/cookie_manager.mojom.h"
 #include "services/network/public/mojom/network_context.mojom.h"
 #include "services/network/public/mojom/network_service.mojom.h"
+#include "services/network/public/mojom/trust_tokens.mojom.h"
 #include "storage/browser/quota/special_storage_policy.h"
 #include "third_party/blink/public/mojom/dom_storage/dom_storage.mojom.h"
 
@@ -277,6 +278,9 @@ class CONTENT_EXPORT StoragePartitionImpl
 #if defined(OS_CHROMEOS)
   void OnTrustAnchorUsed() override;
 #endif
+  void OnTrustTokenIssuanceDivertedToSystem(
+      network::mojom::FulfillTrustTokenIssuanceRequestPtr request,
+      OnTrustTokenIssuanceDivertedToSystemCallback callback) override;
 
   scoped_refptr<URLLoaderFactoryGetter> url_loader_factory_getter() {
     return url_loader_factory_getter_;

diff --git a/content/public/browser/network_context_client_base.h b/content/public/browser/network_context_client_base.h
@@ -75,6 +75,9 @@ class CONTENT_EXPORT NetworkContextClientBase
 #if defined(OS_CHROMEOS)
   void OnTrustAnchorUsed() override;
 #endif
+  void OnTrustTokenIssuanceDivertedToSystem(
+      network::mojom::FulfillTrustTokenIssuanceRequestPtr request,
+      OnTrustTokenIssuanceDivertedToSystemCallback callback) override;
 };
 
 }  // namespace content

diff --git a/services/network/public/mojom/network_context.mojom b/services/network/public/mojom/network_context.mojom
@@ -845,6 +845,15 @@ interface NetworkContextClient {
   // Notification that a trust anchor was used for the given user.
   [EnableIf=is_chromeos]
   OnTrustAnchorUsed();
+
+  // If it's supported by the implementation, attempts to provide a response to
+  // the given Trust Tokens issuance request through some kind of local
+  // mediation---i.e., probably by a method other than sending a web request
+  // directly to the issuer's server. In situations where it's not possible to
+  // answer the request, returns a status of kNotFound (see the request and
+  // response structs' comments for more information).
+  OnTrustTokenIssuanceDivertedToSystem(FulfillTrustTokenIssuanceRequest request)
+    => (FulfillTrustTokenIssuanceAnswer response);
 };
 
 // Represents a distinct context for making network requests, with its own

diff --git a/services/network/test/test_network_context_client.h b/services/network/test/test_network_context_client.h
@@ -83,6 +83,9 @@ class TestNetworkContextClient : public network::mojom::NetworkContextClient {
 #endif
 #if BUILDFLAG(IS_CT_SUPPORTED)
 #endif
+  void OnTrustTokenIssuanceDivertedToSystem(
+      mojom::FulfillTrustTokenIssuanceRequestPtr request,
+      OnTrustTokenIssuanceDivertedToSystemCallback callback) override {}
 
  private:
   mojo::Receiver<mojom::NetworkContextClient> receiver_;