Arshavir/ic asset certification

Cargo.toml

@@ -28,7 +28,8 @@ ic-cdk = "0.16"
 ic-cdk-macros = "0.16"
 ic-cdk-timers = "0.10"
 ic-certification = "2.6"
-ic-http-certification = "2.6"
+ic-http-certification = "3.0.3"
+ic-asset-certification = "3.0.3"
 ic-metrics-encoder = "1"
 ic-representation-independent-hash = "2.6"
 ic-response-verification = "2.6"

src/internet_identity/Cargo.toml

@@ -41,12 +41,13 @@ ic-metrics-encoder.workspace = true
 ic-stable-structures.workspace = true
 ic-canister-sig-creation.workspace = true
 ic-verifiable-credentials.workspace = true
+ic-http-certification.workspace = true
+ic-asset-certification.workspace = true
 
 [target.'cfg(all(target_arch = "wasm32", target_vendor = "unknown", target_os = "unknown"))'.dependencies]
 getrandom = { version = "0.2", features = ["custom"] }
 
 [dev-dependencies]
-ic-http-certification.workspace = true
 pocket-ic.workspace = true
 candid_parser.workspace = true
 canister_tests.workspace = true

src/internet_identity/src/assets.rs

@@ -2,18 +2,62 @@
 //
 // This file describes which assets are used and how (content, content type and content encoding).
 use crate::http::security_headers;
-use crate::state;
+use crate::state::{
+    self, CertifiedHttpResponse, ASSET_CEL_EXPR_DEF, HTTP_TREE, OPTIONS_REQUEST_PATH,
+    OPTIONS_TREE_PATH, RESPONSES,
+};
 use asset_util::{collect_assets, Asset, CertifiedAssets, ContentEncoding, ContentType};
 use base64::engine::general_purpose::STANDARD as BASE64;
 use base64::Engine;
 use candid::Encode;
 use ic_cdk::api;
+use ic_http_certification::{
+    HttpCertification, HttpCertificationTreeEntry, StatusCode, CERTIFICATE_EXPRESSION_HEADER_NAME,
+};
 use include_dir::{include_dir, Dir};
 use internet_identity_interface::internet_identity::types::InternetIdentityInit;
 use serde_json::json;
 use sha2::Digest;
 
-// used both in init and post_upgrade
+pub fn certify_options_response() {
+    // TODO: Restrict origin to just the II-specific origins.
+    let headers = vec![
+        ("Access-Control-Allow-Origin".to_string(), "*".to_string()),
+        (
+            CERTIFICATE_EXPRESSION_HEADER_NAME.to_string(),
+            ASSET_CEL_EXPR_DEF.to_string(),
+        ),
+    ];
+
+    let response = ic_http_certification::HttpResponseBuilder::new()
+        .with_status_code(StatusCode::NO_CONTENT)
+        .with_headers(headers)
+        .build();
+
+    let certification =
+        HttpCertification::response_only(&ASSET_CEL_EXPR_DEF, &response, None).unwrap();
+
+    HTTP_TREE.with_borrow_mut(|http_tree| {
+        // add the certification to the certification tree
+        http_tree.insert(&HttpCertificationTreeEntry::new(
+            &*OPTIONS_TREE_PATH,
+            &certification,
+        ));
+    });
+
+    RESPONSES.with_borrow_mut(|responses| {
+        // store the response for later retrieval
+        responses.insert(
+            OPTIONS_REQUEST_PATH.to_string(),
+            CertifiedHttpResponse {
+                response,
+                certification,
+            },
+        );
+    });
+}
+
+/// Used in both http_options_requesthttp_options_request and post_upgrade.
 pub fn init_assets(config: &InternetIdentityInit) {
     state::assets_mut(|certified_assets| {
         let assets = get_static_assets(config);
@@ -38,6 +82,8 @@ pub fn init_assets(config: &InternetIdentityInit) {
             &security_headers(integrity_hashes, config.related_origins.clone()),
         );
     });
+
+    certify_options_response();
 }
 
 // Fix up HTML pages, by injecting canister ID and canister config
@@ -87,6 +133,14 @@ pub fn get_static_assets(config: &InternetIdentityInit) -> Vec<Asset> {
         content_type: ContentType::OCTETSTREAM,
     });
 
+    // Special asset for responding to OPTIONS requests.
+    // assets.push(Asset {
+    //     url_path: "/".to_string(),
+    //     content: vec![],
+    //     encoding: ContentEncoding::Identity,
+    //     content_type: ContentType::OCTETSTREAM,
+    // });
+
     if let Some(related_origins) = &config.related_origins {
         // Required to share passkeys with the different domains. Maximum of 5 labels.
         // See https://web.dev/articles/webauthn-related-origin-requests#step_2_set_up_your_well-knownwebauthn_json_file_in_site-1

src/internet_identity/src/http.rs

@@ -1,24 +1,47 @@
 use crate::http::metrics::metrics;
-use crate::state;
+use crate::state::{
+    self, CertifiedHttpResponse, HTTP_TREE, OPTIONS_REQUEST_PATH, OPTIONS_TREE_PATH, RESPONSES,
+};
 use ic_canister_sig_creation::signature_map::LABEL_SIG;
+use ic_cdk::api::data_certificate;
+use ic_cdk::trap;
 use ic_certification::{labeled_hash, pruned};
+use ic_http_certification::utils::add_v2_certificate_header;
+use ic_http_certification::HttpCertificationTreeEntry;
 use internet_identity_interface::http_gateway::{HeaderField, HttpRequest, HttpResponse};
 use serde_bytes::ByteBuf;
 
 mod metrics;
 
 fn http_options_request() -> HttpResponse {
-    // TODO: Restrict origin to just the II-specific origins.
-    let headers = vec![("Access-Control-Allow-Origin".to_string(), "*".to_string())];
+    let Some(CertifiedHttpResponse {
+        mut response,
+        certification,
+    }) = RESPONSES.with_borrow(|responses| responses.get(*OPTIONS_REQUEST_PATH).cloned())
+    else {
+        trap("OPTIONS response not found");
+    };
 
-    HttpResponse {
-        // Indicates success without any additional content to be sent in the response content.
-        status_code: 204,
-        headers,
-        body: ByteBuf::from(vec![]),
-        upgrade: None,
-        streaming_strategy: None,
-    }
+    HTTP_TREE.with_borrow(|http_tree| {
+        add_v2_certificate_header(
+            &data_certificate().expect("No data certificate available"),
+            &mut response,
+            &http_tree
+                .witness(
+                    &HttpCertificationTreeEntry::new(&*OPTIONS_TREE_PATH, certification),
+                    &*OPTIONS_REQUEST_PATH,
+                )
+                .unwrap_or_else(|err| {
+                    trap(&format!(
+                        "Failed to create witness for OPTIONS response: {:?}",
+                        err
+                    ))
+                }),
+            &*OPTIONS_TREE_PATH.to_expr_path(),
+        );
+    });
+
+    HttpResponse::from(response)
 }
 
 fn http_get_request(url: String, certificate_version: Option<u16>) -> HttpResponse {
@@ -81,17 +104,9 @@ fn method_not_allowed(unsupported_method: &str) -> HttpResponse {
 }
 
 pub fn http_request(req: HttpRequest) -> HttpResponse {
-    let HttpRequest {
-        method,
-        url,
-        certificate_version,
-        headers: _,
-        body: _,
-    } = req;
-
-    match method.as_str() {
+    match req.method.as_str() {
         "OPTIONS" => http_options_request(),
-        "GET" => http_get_request(url, certificate_version),
+        "GET" => http_get_request(req.url, req.certificate_version),
         unsupported_method => method_not_allowed(unsupported_method),
     }
 }