Bug 1990581 [wpt PR 55048] - Update JWT contents for DBSC, a=testonly

marco-c · marco-c · commit 2476ce2c3d81 · 2025-10-08T10:25:01.000Z
Automatic update from web-platform-tests Update JWT contents for DBSC This CL splits the header and payload functions in session_binding_utils.h in order to allow for three different JWT schemas for DBSC: - OTFeedback disabled (both registration and refresh) - OTFeedback enabled, registration - OTFeedback enabled, refresh We can clean up the Legacy* functions when removing the OTFeedback flag. Fixed: 442623885 Change-Id: If6700157859aaa669d4fd7a7775687654b6d025a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6977530 Commit-Queue: Daniel Rubery <druberychromium.org> Reviewed-by: thefrog <thefrogchromium.org> Cr-Commit-Position: refs/heads/main{#1520715} -- wpt-commits: 5ca066a68da1ca0bccbc955d2725d922bb699405 wpt-pr: 55048 UltraBlame original commit: 7bc605a49417ce338e2717352bf664792fe9c1e3
diff --git a/testing/web-platform/tests/device-bound-session-credentials/jwt_helper.py b/testing/web-platform/tests/device-bound-session-credentials/jwt_helper.py
@@ -22,7 +22,7 @@ def decode_jwt(token, key=None):
         
         
         if key == None:
-            key = decoded_payload.get('key')
+            key = decoded_header.get('jwk')
         public_key = serialization.load_pem_public_key(jwk_to_pem(key))
         
         verify_rs256_signature(header, payload, signature, public_key)
@@ -74,3 +74,27 @@ def decode_base64(encoded_data):
 
 def decode_base64_json(encoded_data):
     return json.loads(decode_base64(encoded_data))
+
+def thumbprint_for_jwk(jwk):
+    filtered_jwk = None
+    if jwk['kty'] == 'RSA':
+        filtered_jwk = dict()
+        filtered_jwk['kty'] = jwk['kty']
+        filtered_jwk['n'] = jwk['n']
+        filtered_jwk['e'] = jwk['e']
+    elif jwk['kty'] == 'EC':
+        filtered_jwk = dict()
+        filtered_jwk['kty'] = jwk['kty']
+        filtered_jwk['crv'] = jwk['crv']
+        filtered_jwk['x'] = jwk['x']
+        filtered_jwk['y'] = jwk['y']
+    else:
+        return None
+
+    serialized_jwk = json.dumps(filtered_jwk, sort_keys=True, separators=(',',':'))
+
+    digest = hashes.Hash(hashes.SHA256())
+    digest.update(serialized_jwk.encode("utf-8"))
+
+    thumbprint_base64 = base64.b64encode(digest.finalize(), altchars=b"-_").rstrip(b"=")
+    return thumbprint_base64.decode('ascii')
diff --git a/testing/web-platform/tests/device-bound-session-credentials/refresh_session.py b/testing/web-platform/tests/device-bound-session-credentials/refresh_session.py
@@ -41,7 +41,4 @@ def main(request, response):
         if not verified or jwt_payload.get("jti") != challenge:
             return (400, response.headers, "")
 
-        if jwt_payload.get("sub") != session_id_header:
-            return (400, response.headers, "")
-
     return test_session_manager.get_session_instructions_response(session_id, request)
diff --git a/testing/web-platform/tests/device-bound-session-credentials/start_session.py b/testing/web-platform/tests/device-bound-session-credentials/start_session.py
@@ -11,7 +11,7 @@ def main(request, response):
 
     jwt_header, jwt_payload, verified = jwt_helper.decode_jwt(request.headers.get("Secure-Session-Response").decode('utf-8'))
     session_id = test_session_manager.create_new_session()
-    test_session_manager.set_session_key(session_id, jwt_payload.get('key'))
+    test_session_manager.set_session_key(session_id, jwt_header.get('jwk'))
 
     if not verified or jwt_payload.get("jti") != "login_challenge_value":
         return (400, response.headers, "")
