Comparing version 0.10.0 to 0.10.1

26

http_signing.md

@@ -20,3 +20,3 @@ # Abstract

employed on the Internet today. However, it is common place that the burdens of
PKI prevent web service operators from deploying that methodoloy, and so many
PKI prevent web service operators from deploying that methodology, and so many
fall back to Basic authentication, which has poor security characteristics.

@@ -113,3 +113,3 @@

name followed with an ASCII colon `:` and an ASCII space ` `.
2. If the header name is `request-line` then appened the HTTP request line,
2. If the header name is `request-line` then append the HTTP request line,
otherwise append the header value.

@@ -121,3 +121,3 @@ 3. If value is not the last value then append an ASCII newline `\n`. The string

All requests refer to the following request (body ommitted):
All requests refer to the following request (body omitted):

@@ -188,3 +188,3 @@ POST /foo HTTP/1.1

scheme over a non-secure transport will leave the request vulnerable to
spoofing, tampering, replay/repudiaton, and integrity violations (if using the
spoofing, tampering, replay/repudiation, and integrity violations (if using the
STRIDE threat-modeling methodology).

@@ -202,3 +202,3 @@

Nonces are out of scope for this document simply because many service providers
fail to implement them correctly, or do not adopt security specfiications
fail to implement them correctly, or do not adopt security specifications
because of the infrastructure complexity. Given the `header` parameterization,

@@ -242,8 +242,8 @@ a service provider is fully enabled to add nonce semantics into this scheme by

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCFENGw33yGihy92pDjZQhl0C3
6rPJj+CvfSC8+q28hxA161QFNUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6
Z4UMR7EOcpfdUE9Hf3m/hs+FUR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJw
oYi+1hqp1fIekaxsyQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCFENGw33yGihy92pDjZQhl0C3
6rPJj+CvfSC8+q28hxA161QFNUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6
Z4UMR7EOcpfdUE9Hf3m/hs+FUR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJw
oYi+1hqp1fIekaxsyQIDAQAB
-----END PUBLIC KEY-----

@@ -285,3 +285,3 @@ -----BEGIN RSA PRIVATE KEY-----

Authorization: Signature keyId="Test",algorithm="rsa-sha256",signature="JldXnt8W9t643M2Sce10gqCh/+E7QIYLiI+bSjnFBGCti7s+mPPvOjVb72sbd1FjeOUwPTDpKbrQQORrm+xBYfAwCxF3LBSSzORvyJ5nRFCFxfJ3nlQD6Kdxhw8wrVZX5nSem4A/W3C8qH5uhFTRwF4ruRjh+ENHWuovPgO/HGQ="
Authorization: Signature keyId="Test",algorithm="rsa-sha256",signature="ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA="

@@ -302,3 +302,3 @@ ### All Headers

Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="request-line host date content-type content-md5 content-length",signature="Gm7W/r+e90REDpWytALMrft4MqZxCmslOTOvwJX17ViEBA5E65QqvWI0vIH3l/vSsGiaMVmuUgzYsJLYMLcm5dGrv1+a+0fCoUdVKPZWHyImQEqpLkopVwqEH67LVECFBqFTAKlQgBn676zrfXQbb+b/VebAsNUtvQMe6cTjnDY="
Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="request-line host date content-type content-md5 content-length",signature="H/AaTDkJvLELy4i1RujnKlS6dm8QWiJvEpn9cKRMi49kKF+mohZ15z1r+mF+XiKS5kOOscyS83olfBtsVhYjPg2Ei3/D9D4Mvb7bFm9IaLJgYTFFuQCghrKQQFPiqJN320emjHxFowpIm1BkstnEU7lktH/XdXVBo8a6Uteiztw="

@@ -22,2 +22,3 @@ // Copyright 2011 Joyent, Inc. All rights reserved.

sshKeyFingerprint: util.fingerprint,
pemToRsaSSHKey: util.pemToRsaSSHKey,

@@ -24,0 +25,0 @@ verify: verify.verifySignature,

@@ -149,3 +149,2 @@ // Copyright 2012 Joyent, Inc. All rights reserved.

} else {
value =
stringToSign +=

@@ -152,0 +151,0 @@ request.method + ' ' + request.path + ' HTTP/' + options.httpVersion;

@@ -246,5 +246,60 @@ // Copyright 2012 Joyent, Inc. All rights reserved.

return fp;
}
},
/**
* Converts a PKGCS#8 PEM file to an OpenSSH public key (rsa)
*
* The reverse of the above function.
*/
pemToRsaSSHKey: function pemToRsaSSHKey(pem, comment) {
assert.equal('string', typeof pem, 'typeof pem');
// chop off the BEGIN PUBLIC KEY and END PUBLIC KEY portion
var cleaned = pem.split('\n').slice(1, -2).join('');
var buf = new Buffer(cleaned, 'base64');
var der = new asn1.BerReader(buf);
der.readSequence();
der.readSequence();
var oid = der.readOID();
assert.equal(oid, '1.2.840.113549.1.1.1', 'pem not in RSA format');
// Null -- XXX this probably isn't good practice
der.readByte();
der.readByte();
// bit string sequence
der.readSequence(0x03);
der.readByte();
der.readSequence();
// modulus
assert.equal(der.peek(), asn1.Ber.Integer, 'modulus not an integer');
der._offset = der.readLength(der.offset + 1);
var modulus = der._buf.slice(der.offset, der.offset + der.length);
der._offset += der.length;
// exponent
assert.equal(der.peek(), asn1.Ber.Integer, 'exponent not an integer');
der._offset = der.readLength(der.offset + 1);
var exponent = der._buf.slice(der.offset, der.offset + der.length);
der._offset += der.length;
// now, make the key
var type = new Buffer('ssh-rsa');
var buffer = new Buffer(4 + type.length + 4 + modulus.length + 4 + exponent.length);
var i = 0;
buffer.writeUInt32BE(type.length, i); i += 4;
type.copy(buffer, i); i += type.length;
buffer.writeUInt32BE(exponent.length, i); i += 4;
exponent.copy(buffer, i); i += exponent.length;
buffer.writeUInt32BE(modulus.length, i); i += 4;
modulus.copy(buffer, i); i += modulus.length;
var s = type.toString() + ' ' + buffer.toString('base64') + ' ' + (comment || '');
return s;
}
};
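Review bot: `var cleaned = pem.split('\n').slice(1, -2).join('');` in the new `pemToRsaSSHKey` assumes the PEM ends with exactly one newline after `-----END PUBLIC KEY-----`; a key read without that trailing newline loses its last base64 line (the slice drops it together with the END marker), and the BER parse below then fails or, worse, assembles a wrong modulus without any error pointing at the cause. Selecting lines by content is robust to both cases: `var cleaned = pem.split(/\r?\n/).filter(function (l) {` / `  return l.length > 0 && l.indexOf('-----') !== 0;` / `}).join('');`. The header comment also misspells the format (`PKGCS#8`); `Converts a PKCS#8 PEM file to an OpenSSH public key (rsa)` is what is meant. Since the modulus and exponent are extracted by writing `der._offset` and reading `der._buf` directly, a short comment stating that this relies on asn1 BerReader internals (presumably because no public accessor returns the raw INTEGER bytes — confirm) would help the next maintainer when that dependency is upgraded.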
{
"name": "http-signature",
"description": "Reference implementation of Joyent's HTTP Signature scheme.",
"version": "0.10.1",
"license": "MIT",
"author": "Joyent, Inc",
"name": "http-signature",
"description": "Reference implementation of Joyent's HTTP Signature Scheme",
"version": "0.10.0",
"contributors": [
"Mark Cavage <mcavage@gmail.com>",
"David I. Lehn <dil@lehn.org>"
],
"repository": {

@@ -10,2 +15,8 @@ "type": "git",

},
"homepage": "https://github.com/joyent/node-http-signature/",
"bugs": "https://github.com/joyent/node-http-signature/issues",
"keywords": [
"https",
"request"
],
"engines": {

@@ -16,13 +27,13 @@ "node": ">=0.8"

"scripts": {
"test": "./node_modules/.bin/tap tst/*.js"
"test": "tap test/*.js"
},
"dependencies": {
"assert-plus": "0.1.2",
"assert-plus": "^0.1.5",
"asn1": "0.1.11",
"ctype": "0.5.2"
"ctype": "0.5.3"
},
"devDependencies": {
"node-uuid": "1.4.0",
"node-uuid": "^1.4.1",
"tap": "0.4.2"
}
}
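Review bot: The dependency pinning policy becomes mixed in this hunk: `"assert-plus": "^0.1.5"` and `"node-uuid": "^1.4.1"` move to caret ranges while `"asn1": "0.1.11"`, `"ctype": "0.5.3"` and `"tap": "0.4.2"` stay exact, and no shrinkwrap or lockfile appears in this diff, so the version of `assert-plus` a consumer installs is no longer fixed by the package itself. For a library whose purpose is signature generation and verification, either keep exact pins consistently or state the intended policy so downstream users know to lock transitive versions on their side.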

@@ -9,3 +9,3 @@ # node-http-signature

Note the example below signs a request with the same key/cert used to start an
HTTP server. This is almost certainly not what you actaully want, but is just
HTTP server. This is almost certainly not what you actually want, but is just
used to illustrate the API calls; you will need to provide your own key

@@ -16,51 +16,55 @@ management in addition to this library.

var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');
```js
var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');
var key = fs.readFileSync('./key.pem', 'ascii');
var key = fs.readFileSync('./key.pem', 'ascii');
var options = {
host: 'localhost',
port: 8443,
path: '/',
method: 'GET',
headers: {}
};
var options = {
host: 'localhost',
port: 8443,
path: '/',
method: 'GET',
headers: {}
};
// Adds a 'Date' header in, signs it, and adds the
// 'Authorization' header in.
var req = https.request(options, function(res) {
console.log(res.statusCode);
});
// Adds a 'Date' header in, signs it, and adds the
// 'Authorization' header in.
var req = https.request(options, function(res) {
console.log(res.statusCode);
});
httpSignature.sign(req, {
key: key,
keyId: './cert.pem'
});
httpSignature.sign(req, {
key: key,
keyId: './cert.pem'
});
req.end();
req.end();
```
### Server
var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');
```js
var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');
var options = {
key: fs.readFileSync('./key.pem'),
cert: fs.readFileSync('./cert.pem')
};
var options = {
key: fs.readFileSync('./key.pem'),
cert: fs.readFileSync('./cert.pem')
};
https.createServer(options, function (req, res) {
var rc = 200;
var parsed = httpSignature.parseRequest(req);
var pub = fs.readFileSync(parsed.keyId, 'ascii');
if (!httpSignature.verifySignature(parsed, pub))
rc = 401;
https.createServer(options, function (req, res) {
var rc = 200;
var parsed = httpSignature.parseRequest(req);
var pub = fs.readFileSync(parsed.keyId, 'ascii');
if (!httpSignature.verifySignature(parsed, pub))
rc = 401;
res.writeHead(rc);
res.end();
}).listen(8443);
res.writeHead(rc);
res.end();
}).listen(8443);
```

@@ -67,0 +71,0 @@ ## Installation
