我需要为我的站点实施 SXG(签名交换)。目标是允许 Google 预取该网站。我遵循此说明https://github.com/WICG/webpackage/tree/main/go/signedexchange#creating-our-first-signed-exchange(用于测试自签名证书)。以防万一这是我使用的命令:
1. Save main page of the site (available at https://my.site.com) via 'Save page as' as index.html
2. Prepare a certificate and private key
$ openssl ecparam -out priv.key -name prime256v1 -genkey
$ openssl req -new -sha256 -key priv.key -out cert.csr -subj '/CN=my.site.com/O=Test/C=US'
$ openssl x509 -req -days 90 -in cert.csr -signkey priv.key -out cert.pem -extfile <(echo -e "1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL\nsubjectAltName=DNS:my.site.com")
3. Convert the PEM certificate to application/cert-chain+cbor format
$ gen-certurl -pem cert.pem -ocsp <(echo ocsp) > cert.cbor
The file is accessible at https://my.site.com/cert.cbor (Content-Type: application/cert-chain+cbor)
4. Generate the signed exchange
$ gen-signedexchange -uri https://my.site.com -content ./index.html -certificate cert.pem -privateKey priv.key -certUrl https://my.site.com/cert.cbor -validityUrl https://my.site.com/resource.validity.msg -o my.site.com.sxg
The file is accessible at https://my.site.com/my.site.com.sxg (Content-Type: application/signed-exchange;v=b3)
我尝试使用以下命令测试该功能:
$ chromium-browser --user-data-dir=/tmp/udd --ignore-certificate-errors-spki-list=`openssl x509 -noout -pubkey -in cert.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` https://my.site.com/my.site.com.sxg
响应内容类型为 application/signed-exchange;v=b3 但响应本身不正常 - 存在以下错误:
Failed to decode Value. CBOR error: Trailing data bytes are not allowed.
Failed to parse SignedExchange header.
谁能告诉我我做错了什么以及如何获得正确的 SXG?