[SRI Message Signatures] Add an issue for integrity mismatches.

We're now emitting a devtools issue when blocking a response due to
signature-based integrity mismatches. This CL allows devtools to render
those issues when they appear.

This is the Devtools side of a two-sided patch:

1.  (Chromium) https://crrev.com/c/6394978
2.  (Devtools) https://crrev.com/c/6396680 [You are here]

Bug: 406424762
Change-Id: Iab6817bc42e96ddb080324183c8ba8668b773b41
Reviewed-on: https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/6396680
Reviewed-by: Simon Zünd <[email protected]>
Commit-Queue: Mike West <[email protected]>

Author: mikewest

config/gni/devtools_grd_files.gni

@@ -558,6 +558,7 @@ grd_files_release_sources = [
   "front_end/models/issues_manager/descriptions/sriSignatureInputHeaderMissingRequiredParameters.md",
   "front_end/models/issues_manager/descriptions/sriSignatureInputHeaderValueMissingComponents.md",
   "front_end/models/issues_manager/descriptions/sriSignatureInputHeaderValueNotInnerList.md",
+  "front_end/models/issues_manager/descriptions/sriValidationFailedIntegrityMismatch.md",
   "front_end/models/issues_manager/descriptions/sriValidationFailedInvalidLength.md",
   "front_end/models/issues_manager/descriptions/sriValidationFailedSignatureExpired.md",
   "front_end/models/issues_manager/descriptions/sriValidationFailedSignatureMismatch.md",

front_end/core/host/UserMetrics.ts

@@ -1131,8 +1131,9 @@ export enum IssueCreated {
   'SRIMessageSignatureIssue::ValidationFailedInvalidLength' = 109,
   'SRIMessageSignatureIssue::ValidationFailedSignatureMismatch' = 110,
   'CorsIssue::LocalNetworkAccessPermissionDenied' = 111,
+  'SRIMessageSignatureIssue::ValidationFailedIntegrityMismatch' = 112,
   /* eslint-enable @typescript-eslint/naming-convention */
-  MAX_VALUE = 112,
+  MAX_VALUE = 113,
 }
 
 export const enum DeveloperResourceLoaded {

front_end/models/issues_manager/BUILD.gn

@@ -216,25 +216,26 @@ devtools_issue_description_files = [
   "sharedDictionaryWriteErrorShuttingDown.md",
   "sharedDictionaryWriteErrorTooLongIdField.md",
   "sharedDictionaryWriteErrorUnsupportedType.md",
-  "sriMissingSignatureHeader.md",
-  "sriMissingSignatureInputHeader.md",
   "sriInvalidSignatureHeader.md",
   "sriInvalidSignatureInputHeader.md",
+  "sriMissingSignatureHeader.md",
+  "sriMissingSignatureInputHeader.md",
+  "sriSignatureHeaderValueIsIncorrectLength.md",
   "sriSignatureHeaderValueIsNotByteSequence.md",
   "sriSignatureHeaderValueIsParameterized.md",
-  "sriSignatureHeaderValueIsIncorrectLength.md",
-  "sriSignatureInputHeaderMissingLabel.md",
-  "sriSignatureInputHeaderValueNotInnerList.md",
-  "sriSignatureInputHeaderValueMissingComponents.md",
-  "sriSignatureInputHeaderInvalidComponentType.md",
   "sriSignatureInputHeaderInvalidComponentName.md",
-  "sriSignatureInputHeaderInvalidHeaderComponentParameter.md",
+  "sriSignatureInputHeaderInvalidComponentType.md",
   "sriSignatureInputHeaderInvalidDerivedComponentParameter.md",
-  "sriSignatureInputHeaderKeyIdLength.md",
+  "sriSignatureInputHeaderInvalidHeaderComponentParameter.md",
   "sriSignatureInputHeaderInvalidParameter.md",
+  "sriSignatureInputHeaderKeyIdLength.md",
+  "sriSignatureInputHeaderMissingLabel.md",
   "sriSignatureInputHeaderMissingRequiredParameters.md",
-  "sriValidationFailedSignatureExpired.md",
+  "sriSignatureInputHeaderValueMissingComponents.md",
+  "sriSignatureInputHeaderValueNotInnerList.md",
+  "sriValidationFailedIntegrityMismatch.md",
   "sriValidationFailedInvalidLength.md",
+  "sriValidationFailedSignatureExpired.md",
   "sriValidationFailedSignatureMismatch.md",
   "placeholderDescriptionForInvisibleIssues.md",
   "fetchingPartitionedBlobURL.md",

front_end/models/issues_manager/SRIMessageSignatureIssue.test.ts

@@ -41,6 +41,7 @@ describeWithLocale('SRIMessageSignatureIssue', () => {
       Protocol.Audits.SRIMessageSignatureError.ValidationFailedSignatureExpired,
       Protocol.Audits.SRIMessageSignatureError.ValidationFailedInvalidLength,
       Protocol.Audits.SRIMessageSignatureError.ValidationFailedSignatureMismatch,
+      Protocol.Audits.SRIMessageSignatureError.ValidationFailedIntegrityMismatch,
     ];
     for (const errorReason of errorReasons) {
       const issueDetails = {

front_end/models/issues_manager/SRIMessageSignatureIssue.ts

@@ -64,7 +64,7 @@ export const enum IssueCode {
   VALIDATION_FAILED_INTEGRITY_MISMATCH = 'SRIMessageSignatureIssue::ValidationFailedIntegrityMismatch',
 }
 
-function getIssueCode(details: Protocol.Audits.SRIMessageSignatureIssueDetails): IssueCode {
+function errorToIssueCode(details: Protocol.Audits.SRIMessageSignatureIssueDetails): IssueCode {
   switch (details.error) {
     case Protocol.Audits.SRIMessageSignatureError.MissingSignatureHeader:
       return IssueCode.MISSING_SIGNATURE_HEADER;
@@ -111,15 +111,28 @@ function getIssueCode(details: Protocol.Audits.SRIMessageSignatureIssueDetails):
   }
 }
 
+function generateGroupingIssueCode(details: Protocol.Audits.SRIMessageSignatureIssueDetails): string {
+  const issueCode = errorToIssueCode(details);
+  if (details.error === Protocol.Audits.SRIMessageSignatureError.ValidationFailedSignatureMismatch) {
+    // Signature mismatch errors should be grouped by "signature base".
+    return issueCode + details.signatureBase;
+  }
+  if (details.error === Protocol.Audits.SRIMessageSignatureError.ValidationFailedIntegrityMismatch) {
+    // Integrity mismatch errors should be grouped by integrity assertion.
+    return issueCode + details.integrityAssertions.join();
+  }
+
+  // Otherwise, simply group by issue type:
+  return issueCode;
+}
+
 export class SRIMessageSignatureIssue extends Issue {
   readonly #issueDetails: Protocol.Audits.SRIMessageSignatureIssueDetails;
 
   constructor(issueDetails: Protocol.Audits.SRIMessageSignatureIssueDetails, issuesModel: SDK.IssuesModel.IssuesModel) {
     super(
         {
-          // Append the signature base to the enum's code in order to prevent
-          // distinct error details from coalescing in the issues panel.
-          code: getIssueCode(issueDetails) + issueDetails.signatureBase,
+          code: generateGroupingIssueCode(issueDetails),
           umaCode: [
             Protocol.Audits.InspectorIssueCode.SRIMessageSignatureIssue,
             issueDetails.error,
@@ -151,6 +164,10 @@ export class SRIMessageSignatureIssue extends Issue {
     }
     if (this.#issueDetails.signatureBase !== '') {
       description.substitutions = new Map([['PLACEHOLDER_signatureBase', () => this.#issueDetails.signatureBase]]);
+    } else if (this.#issueDetails.integrityAssertions.length) {
+      description.substitutions = new Map([
+        ['PLACEHOLDER_integrityAssertions', () => '\n<li>' + this.#issueDetails.integrityAssertions.join('\n<li>')]
+      ]);
     }
     return resolveLazyDescription(description);
   }
@@ -308,6 +325,13 @@ const issueDescriptions = new Map<Protocol.Audits.SRIMessageSignatureError, Lazy
       links: specLinks,
     },
   ],
+  [
+    Protocol.Audits.SRIMessageSignatureError.ValidationFailedIntegrityMismatch,
+    {
+      file: 'sriValidationFailedIntegrityMismatch.md',
+      links: specLinks,
+    },
+  ],
   [
     Protocol.Audits.SRIMessageSignatureError.ValidationFailedSignatureMismatch,
     {

front_end/models/issues_manager/descriptions/sriValidationFailedIntegrityMismatch.md

@@ -0,0 +1,12 @@
+# Integrity verification failed.
+
+The signature associated with a response could be successfully verified, but the
+public keys asserted in the [`signature-input`](signatureInputHeader)
+header's [`keyid` parameter](signatureParameters) do not match the integrity
+assertions made by the request's initiator. Verificiation failed.
+
+The following are the keys specified by the request's initiator:
+
+<ul>
+  {PLACEHOLDER_integrityAssertions}
+</ul>