Bug 222019 - PCM: Generate secret token and corresponding unlinkable token
Summary: PCM: Generate secret token and corresponding unlinkable token
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Jiewen Tan
URL:
Keywords: InRadar
Depends on:
Blocks: 221291
  Show dependency treegraph
 
Reported: 2021-02-16 19:14 PST by Jiewen Tan
Modified: 2021-02-19 15:18 PST (History)
12 users (show)

See Also:


Attachments
Patch (23.69 KB, patch)
2021-02-16 19:26 PST, Jiewen Tan
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (24.76 KB, patch)
2021-02-16 19:58 PST, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (24.76 KB, patch)
2021-02-16 21:21 PST, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (33.12 KB, patch)
2021-02-16 23:56 PST, Jiewen Tan
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (30.49 KB, patch)
2021-02-17 00:38 PST, Jiewen Tan
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (30.52 KB, patch)
2021-02-17 01:14 PST, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (40.33 KB, patch)
2021-02-17 16:07 PST, Jiewen Tan
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (41.40 KB, patch)
2021-02-17 16:50 PST, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (41.48 KB, patch)
2021-02-17 19:46 PST, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (48.89 KB, patch)
2021-02-19 01:43 PST, Jiewen Tan
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (48.98 KB, patch)
2021-02-19 02:29 PST, Jiewen Tan
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (49.51 KB, patch)
2021-02-19 02:36 PST, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (48.98 KB, patch)
2021-02-19 02:39 PST, Jiewen Tan
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (49.17 KB, patch)
2021-02-19 02:59 PST, Jiewen Tan
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (49.09 KB, patch)
2021-02-19 03:02 PST, Jiewen Tan
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (49.17 KB, patch)
2021-02-19 03:29 PST, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (50.10 KB, patch)
2021-02-19 11:09 PST, Jiewen Tan
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jiewen Tan 2021-02-16 19:14:09 PST
Generate secret token and corresponding unlinkable token.
Comment 1 Jiewen Tan 2021-02-16 19:14:21 PST
<rdar://problem/73581412>
Comment 2 Jiewen Tan 2021-02-16 19:14:47 PST Comment hidden (obsolete)
Comment 3 Jiewen Tan 2021-02-16 19:26:58 PST
Created attachment 420582 [details]
Patch
Comment 4 Jiewen Tan 2021-02-16 19:58:41 PST
Created attachment 420585 [details]
Patch
Comment 5 Jiewen Tan 2021-02-16 21:21:17 PST
Created attachment 420592 [details]
Patch
Comment 6 Jiewen Tan 2021-02-16 23:56:02 PST
Created attachment 420605 [details]
Patch
Comment 7 Jiewen Tan 2021-02-17 00:38:45 PST
Created attachment 420609 [details]
Patch
Comment 8 Jiewen Tan 2021-02-17 01:14:05 PST
Created attachment 420615 [details]
Patch
Comment 9 John Wilander 2021-02-17 11:28:26 PST
Comment on attachment 420615 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=420615&action=review

r=me with comments.

> Source/WebCore/loader/PrivateClickMeasurement.cpp:150
> +#if HAVE(RSA_BSSA)

These don't have to be behind RSA_BSSA, right? That will only make testing harder since EWS bots will be behind.

> Source/WebCore/loader/PrivateClickMeasurement.h:274
> +#if HAVE(RSA_BSSA)

Again, EphemeralSourceNonce doesn't have to be behind RSA_BSSA. Or am I missing something?

> Source/WebCore/loader/PrivateClickMeasurement.h:319
> +    BlindedToken m_blindedToken;

This should be optional too and it needs to have "source" be part of its name since there will eventually be a token for the attribute-on site too.

> Source/WebCore/loader/cocoa/PrivateClickMeasurementCocoa.mm:58
> +    blindedSecret->setString("click_nonce"_s, m_ephemeralSourceNonce->nonce);

Let's call it source_nonce.

This is how I've set it up in my patch:
    reportDetails->setString("source_engagement_type"_s, "click"_s);
    reportDetails->setString("source_nonce"_s, m_ephemeralSourceNonce->nonce);
    reportDetails->setString("unlinkable_token"_s, "TODO"_s);
    reportDetails->setInteger("version"_s, 2);

> Source/WebCore/loader/cocoa/PrivateClickMeasurementCocoa.mm:59
> +    blindedSecret->setString("blinded_secret"_s, WTF::base64URLEncode([m_blindedToken.waitingToken blindedMessage].bytes, [m_blindedToken.waitingToken blindedMessage].length));

We should try to use unlinkable_token in any developer facing parts so that we are not tied to blinded signatures as the crypto underpinning. Could even be unlinkable_token_to_sign.

> Tools/TestWebKitAPI/Tests/WebCore/PrivateClickMeasurement.cpp:150
> +    EXPECT_STREQ(blindedSecret->getString("click_nonce"_s).utf8().data(), "ABCDEFabcdef0123456789");

source_nonce

> Tools/TestWebKitAPI/Tests/WebCore/PrivateClickMeasurement.cpp:151
> +    EXPECT_FALSE(blindedSecret->getString("blinded_secret"_s).isEmpty());

unlinkable_token or unlinkable_token_to_sign.
Comment 10 Jiewen Tan 2021-02-17 13:03:41 PST
Comment on attachment 420615 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=420615&action=review

>> Source/WebCore/loader/PrivateClickMeasurement.cpp:150
>> +#if HAVE(RSA_BSSA)
> 
> These don't have to be behind RSA_BSSA, right? That will only make testing harder since EWS bots will be behind.

I think the testing concern is not that big of deal. You still have coverage from internal bots. It's more important to group the whole feature together. Otherwise, this may end up with part of it dangling on down level OS.

>> Source/WebCore/loader/PrivateClickMeasurement.h:319
>> +    BlindedToken m_blindedToken;
> 
> This should be optional too and it needs to have "source" be part of its name since there will eventually be a token for the attribute-on site too.

It doesn't matter given all the member are pointers. Will change the name.

>> Source/WebCore/loader/cocoa/PrivateClickMeasurementCocoa.mm:58
>> +    blindedSecret->setString("click_nonce"_s, m_ephemeralSourceNonce->nonce);
> 
> Let's call it source_nonce.
> 
> This is how I've set it up in my patch:
>     reportDetails->setString("source_engagement_type"_s, "click"_s);
>     reportDetails->setString("source_nonce"_s, m_ephemeralSourceNonce->nonce);
>     reportDetails->setString("unlinkable_token"_s, "TODO"_s);
>     reportDetails->setInteger("version"_s, 2);

Right, however this is not the actual token. This is the blinded message that the server needs to sign. Will change the nonce name.

>> Source/WebCore/loader/cocoa/PrivateClickMeasurementCocoa.mm:59
>> +    blindedSecret->setString("blinded_secret"_s, WTF::base64URLEncode([m_blindedToken.waitingToken blindedMessage].bytes, [m_blindedToken.waitingToken blindedMessage].length));
> 
> We should try to use unlinkable_token in any developer facing parts so that we are not tied to blinded signatures as the crypto underpinning. Could even be unlinkable_token_to_sign.

Okay, unlinkable_token_to_sign seems good.

>> Tools/TestWebKitAPI/Tests/WebCore/PrivateClickMeasurement.cpp:150
>> +    EXPECT_STREQ(blindedSecret->getString("click_nonce"_s).utf8().data(), "ABCDEFabcdef0123456789");
> 
> source_nonce

Will fix.

>> Tools/TestWebKitAPI/Tests/WebCore/PrivateClickMeasurement.cpp:151
>> +    EXPECT_FALSE(blindedSecret->getString("blinded_secret"_s).isEmpty());
> 
> unlinkable_token or unlinkable_token_to_sign.

Will fix.
Comment 11 Jiewen Tan 2021-02-17 16:07:05 PST
Created attachment 420748 [details]
Patch
Comment 12 Jiewen Tan 2021-02-17 16:50:56 PST
Created attachment 420760 [details]
Patch
Comment 13 Jiewen Tan 2021-02-17 19:46:03 PST
Created attachment 420786 [details]
Patch
Comment 14 Jiewen Tan 2021-02-19 01:43:23 PST
Created attachment 420942 [details]
Patch
Comment 15 Jiewen Tan 2021-02-19 02:29:13 PST
Created attachment 420945 [details]
Patch
Comment 16 Jiewen Tan 2021-02-19 02:36:06 PST
Created attachment 420946 [details]
Patch
Comment 17 Jiewen Tan 2021-02-19 02:39:14 PST
Created attachment 420947 [details]
Patch
Comment 18 Jiewen Tan 2021-02-19 02:59:02 PST
Created attachment 420948 [details]
Patch
Comment 19 Jiewen Tan 2021-02-19 03:02:28 PST
Created attachment 420949 [details]
Patch
Comment 20 Jiewen Tan 2021-02-19 03:29:20 PST
Created attachment 420952 [details]
Patch
Comment 21 Jiewen Tan 2021-02-19 11:09:23 PST
Created attachment 420994 [details]
Patch
Comment 22 Jiewen Tan 2021-02-19 15:17:23 PST
Committed r273167 (234362@main): <https://commits.webkit.org/234362@main>