Add BlindSignAuthOptions proto to BlindSignAuth constructor. This options proto will allow callers to configure BlindSignAuth with new features.
PiperOrigin-RevId: 562945128
diff --git a/build/source_list.bzl b/build/source_list.bzl
index 10d593d..16ab6f1 100644
--- a/build/source_list.bzl
+++ b/build/source_list.bzl
@@ -1624,6 +1624,7 @@
"blind_sign_auth/proto/any.proto",
"blind_sign_auth/proto/attestation.proto",
"blind_sign_auth/proto/auth_and_sign.proto",
+ "blind_sign_auth/proto/blind_sign_auth_options.proto",
"blind_sign_auth/proto/get_initial_data.proto",
"blind_sign_auth/proto/key_services.proto",
"blind_sign_auth/proto/public_metadata.proto",
diff --git a/build/source_list.gni b/build/source_list.gni
index 5060516..fe4b25e 100644
--- a/build/source_list.gni
+++ b/build/source_list.gni
@@ -1629,6 +1629,7 @@
"src/quiche/blind_sign_auth/proto/any.proto",
"src/quiche/blind_sign_auth/proto/attestation.proto",
"src/quiche/blind_sign_auth/proto/auth_and_sign.proto",
+ "src/quiche/blind_sign_auth/proto/blind_sign_auth_options.proto",
"src/quiche/blind_sign_auth/proto/get_initial_data.proto",
"src/quiche/blind_sign_auth/proto/key_services.proto",
"src/quiche/blind_sign_auth/proto/public_metadata.proto",
diff --git a/build/source_list.json b/build/source_list.json
index 3be1a6b..c3dd079 100644
--- a/build/source_list.json
+++ b/build/source_list.json
@@ -1628,6 +1628,7 @@
"quiche/blind_sign_auth/proto/any.proto",
"quiche/blind_sign_auth/proto/attestation.proto",
"quiche/blind_sign_auth/proto/auth_and_sign.proto",
+ "quiche/blind_sign_auth/proto/blind_sign_auth_options.proto",
"quiche/blind_sign_auth/proto/get_initial_data.proto",
"quiche/blind_sign_auth/proto/key_services.proto",
"quiche/blind_sign_auth/proto/public_metadata.proto",
diff --git a/quiche/blind_sign_auth/blind_sign_auth.cc b/quiche/blind_sign_auth/blind_sign_auth.cc
index f44df72..d321074 100644
--- a/quiche/blind_sign_auth/blind_sign_auth.cc
+++ b/quiche/blind_sign_auth/blind_sign_auth.cc
@@ -35,6 +35,12 @@
void BlindSignAuth::GetTokens(std::string oauth_token, int num_tokens,
SignedTokenCallback callback) {
+ // Check whether Privacy Pass crypto is enabled.
+ if (auth_options_.enable_privacy_pass()) {
+ std::move(callback)(
+ absl::UnimplementedError("Privacy Pass is not supported."));
+ return;
+ }
// Create GetInitialData RPC.
privacy::ppn::GetInitialDataRequest request;
request.set_use_attestation(false);
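Review bot: The comment above the new guard in GetTokens says only that the option is checked, while the branch actually rejects the call, so a reader cannot tell that this is a deliberate fail-closed stub. I would reword it to `// Privacy Pass is not implemented yet: fail the request instead of silently falling back to RSA BSSA.` The callback is also run on the caller's stack before GetTokens returns, which presumably differs from the path that completes through the HTTP fetcher; the header comment for GetTokens should say so. The body of GetTokens continues outside this hunk.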
diff --git a/quiche/blind_sign_auth/blind_sign_auth.h b/quiche/blind_sign_auth/blind_sign_auth.h
index 0a617f7..87fbfeb 100644
--- a/quiche/blind_sign_auth/blind_sign_auth.h
+++ b/quiche/blind_sign_auth/blind_sign_auth.h
@@ -23,8 +23,9 @@
// BlindSignAuth provides signed, unblinded tokens to callers.
class QUICHE_EXPORT BlindSignAuth : public BlindSignAuthInterface {
public:
- explicit BlindSignAuth(BlindSignHttpInterface* http_fetcher)
- : http_fetcher_(http_fetcher) {}
+ explicit BlindSignAuth(BlindSignHttpInterface* http_fetcher,
+ privacy::ppn::BlindSignAuthOptions auth_options)
+ : http_fetcher_(http_fetcher), auth_options_(std::move(auth_options)) {}
// Returns signed unblinded tokens and their expiration time in a callback.
// Tokens are single-use.
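Review bot: The two-argument constructor has no comment, so neither the lifetime of `http_fetcher` nor the meaning of `auth_options` is stated where callers supply them. The pointer is stored as-is in `http_fetcher_` and the options are moved into `auth_options_`, so if it matches the intended contract I would add `// |http_fetcher| is not owned and must outlive this object; |auth_options| is stored by value.` above it. `explicit` on a two-parameter constructor now only blocks copy-list-initialization. The `std::move` in the initializer list needs `<utility>`, and the include list is not visible in this hunk. The class body continues outside the hunk.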
@@ -55,6 +56,7 @@
absl::StatusCode HttpCodeToStatusCode(int http_code);
BlindSignHttpInterface* http_fetcher_ = nullptr;
+ privacy::ppn::BlindSignAuthOptions auth_options_;
};
} // namespace quiche
diff --git a/quiche/blind_sign_auth/blind_sign_auth_protos.h b/quiche/blind_sign_auth/blind_sign_auth_protos.h
index 8d6ff8d..8927731 100644
--- a/quiche/blind_sign_auth/blind_sign_auth_protos.h
+++ b/quiche/blind_sign_auth/blind_sign_auth_protos.h
@@ -3,6 +3,7 @@
#include "quiche/blind_sign_auth/proto/timestamp.pb.h" // IWYU pragma: export
#include "quiche/blind_sign_auth/proto/auth_and_sign.pb.h" // IWYU pragma: export
+#include "quiche/blind_sign_auth/proto/blind_sign_auth_options.pb.h" // IWYU pragma: export
#include "quiche/blind_sign_auth/proto/get_initial_data.pb.h" // IWYU pragma: export
#include "quiche/blind_sign_auth/proto/key_services.pb.h" // IWYU pragma: export
#include "quiche/blind_sign_auth/proto/public_metadata.pb.h" // IWYU pragma: export
diff --git a/quiche/blind_sign_auth/blind_sign_auth_test.cc b/quiche/blind_sign_auth/blind_sign_auth_test.cc
index 6330d35..fc90bee 100644
--- a/quiche/blind_sign_auth/blind_sign_auth_test.cc
+++ b/quiche/blind_sign_auth/blind_sign_auth_test.cc
@@ -76,7 +76,12 @@
public_metadata_info_;
fake_get_initial_data_response_ = fake_get_initial_data_response;
- blind_sign_auth_ = std::make_unique<BlindSignAuth>(&mock_http_interface_);
+ // Create BlindSignAuthOptions.
+ privacy::ppn::BlindSignAuthOptions options;
+ options.set_enable_privacy_pass(false);
+
+ blind_sign_auth_ =
+ std::make_unique<BlindSignAuth>(&mock_http_interface_, options);
}
void TearDown() override {
@@ -290,6 +295,23 @@
done.WaitForNotification();
}
+TEST_F(BlindSignAuthTest, TestGetTokensFailedPrivacyPass) {
+ privacy::ppn::BlindSignAuthOptions options;
+ options.set_enable_privacy_pass(true);
+ blind_sign_auth_ =
+ std::make_unique<BlindSignAuth>(&mock_http_interface_, options);
+
+ int num_tokens = 1;
+ QuicheNotification done;
+ SignedTokenCallback callback =
+ [&done](absl::StatusOr<absl::Span<BlindSignToken>> tokens) {
+ EXPECT_THAT(tokens.status().code(), absl::StatusCode::kUnimplemented);
+ done.Notify();
+ };
+ blind_sign_auth_->GetTokens(oauth_token_, num_tokens, std::move(callback));
+ done.WaitForNotification();
+}
+
} // namespace
} // namespace test
} // namespace quiche
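Review bot: TestGetTokensFailedPrivacyPass checks only the status code, so it would still pass if GetTokens sent a request carrying the OAuth token before failing. I would add an expectation on `mock_http_interface_` that no request is made, unless the mock is already strict, which this hunk does not show. The status check reads more directly as `EXPECT_EQ(tokens.status().code(), absl::StatusCode::kUnimplemented);`, since `EXPECT_THAT` is being given a plain value rather than a matcher.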
diff --git a/quiche/blind_sign_auth/proto/blind_sign_auth_options.proto b/quiche/blind_sign_auth/proto/blind_sign_auth_options.proto
new file mode 100644
index 0000000..794a925
--- /dev/null
+++ b/quiche/blind_sign_auth/proto/blind_sign_auth_options.proto
@@ -0,0 +1,22 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS-IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package privacy.ppn;
+
+message BlindSignAuthOptions {
+ // Use Privacy Pass crypto library and token formats instead of RSA BSSA.
+ bool enable_privacy_pass = 1;
+}
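Review bot: The comment on `enable_privacy_pass` describes the flag as if it already switches implementations, but in this commit setting it makes GetTokens return an UNIMPLEMENTED error. I would extend it with `// Not yet supported: GetTokens fails with UNIMPLEMENTED when this is set.` so that callers who read only the proto do not enable it expecting tokens. The proto3 default of false keeps existing callers on RSA BSSA, which is also worth stating in the comment.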