tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit 894daf4bf03c9efa62cb36fe7a5a38cec9dcba00
parent 27b6671b59fb85f606a3abdab605900a9b061f04
Author: Daniel Rubery <drubery@chromium.org>
Date:   Fri,  3 Oct 2025 08:57:58 +0000

Bug 1990581 [wpt PR 55048] - Update JWT contents for DBSC, a=testonly

Automatic update from web-platform-tests
Update JWT contents for DBSC

This CL splits the header and payload functions in
session_binding_utils.h in order to allow for three different JWT schemas
for DBSC:
- OTFeedback disabled (both registration and refresh)
- OTFeedback enabled, registration
- OTFeedback enabled, refresh

We can clean up the Legacy* functions when removing the OTFeedback flag.

Fixed: 442623885
Change-Id: If6700157859aaa669d4fd7a7775687654b6d025a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6977530
Commit-Queue: Daniel Rubery <drubery@chromium.org>
Reviewed-by: thefrog <thefrog@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1520715}

--

wpt-commits: 5ca066a68da1ca0bccbc955d2725d922bb699405
wpt-pr: 55048

Diffstat:

Mtesting/web-platform/tests/device-bound-session-credentials/jwt_helper.py | 2+-


Mtesting/web-platform/tests/device-bound-session-credentials/refresh_session.py | 3---


Mtesting/web-platform/tests/device-bound-session-credentials/start_session.py | 2+-


3 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/testing/web-platform/tests/device-bound-session-credentials/jwt_helper.py b/testing/web-platform/tests/device-bound-session-credentials/jwt_helper.py
@@ -22,7 +22,7 @@ def decode_jwt(token, key=None):
         # If there is a key passed in (for refresh), use that for checking the signature below.
         # Otherwise (for registration), use the key sent within the JWT to check the signature.
         if key == None:
-            key = decoded_payload.get('key')
+            key = decoded_header.get('jwk')
         public_key = serialization.load_pem_public_key(jwk_to_pem(key))
         # Verifying the signature will throw an exception if it fails.
         verify_rs256_signature(header, payload, signature, public_key)
diff --git a/testing/web-platform/tests/device-bound-session-credentials/refresh_session.py b/testing/web-platform/tests/device-bound-session-credentials/refresh_session.py
@@ -41,7 +41,4 @@ def main(request, response):
         if not verified or jwt_payload.get("jti") != challenge:
             return (400, response.headers, "")
 
-        if jwt_payload.get("sub") != session_id_header:
-            return (400, response.headers, "")
-
     return test_session_manager.get_session_instructions_response(session_id, request)
diff --git a/testing/web-platform/tests/device-bound-session-credentials/start_session.py b/testing/web-platform/tests/device-bound-session-credentials/start_session.py
@@ -11,7 +11,7 @@ def main(request, response):
 
     jwt_header, jwt_payload, verified = jwt_helper.decode_jwt(request.headers.get("Secure-Session-Response").decode('utf-8'))
     session_id = test_session_manager.create_new_session()
-    test_session_manager.set_session_key(session_id, jwt_payload.get('key'))
+    test_session_manager.set_session_key(session_id, jwt_header.get('jwk'))
 
     if not verified or jwt_payload.get("jti") != "login_challenge_value":
         return (400, response.headers, "")