Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
http-signature
Advanced tools
http-signature - npm Package Compare versions
Comparing version 0.10.0 to 0.10.1
@@ -20,3 +20,3 @@ # Abstract | ||
| employed on the Internet today. However, it is common place that the burdens of | ||
| PKI prevent web service operators from deploying that methodoloy, and so many | ||
| PKI prevent web service operators from deploying that methodology, and so many | ||
| fall back to Basic authentication, which has poor security characteristics. | ||
@@ -113,3 +113,3 @@ | ||
| name followed with an ASCII colon `:` and an ASCII space ` `. | ||
| 2. If the header name is `request-line` then appened the HTTP request line, | ||
| 2. If the header name is `request-line` then append the HTTP request line, | ||
| otherwise append the header value. | ||
@@ -121,3 +121,3 @@ 3. If value is not the last value then append an ASCII newline `\n`. The string | ||
| All requests refer to the following request (body ommitted): | ||
| All requests refer to the following request (body omitted): | ||
@@ -188,3 +188,3 @@ POST /foo HTTP/1.1 | ||
| scheme over a non-secure transport will leave the request vulnerable to | ||
| spoofing, tampering, replay/repudiaton, and integrity violations (if using the | ||
| spoofing, tampering, replay/repudiation, and integrity violations (if using the | ||
| STRIDE threat-modeling methodology). | ||
@@ -202,3 +202,3 @@ | ||
| Nonces are out of scope for this document simply because many service providers | ||
| fail to implement them correctly, or do not adopt security specfiications | ||
| fail to implement them correctly, or do not adopt security specifications | ||
| because of the infrastructure complexity. Given the `header` parameterization, | ||
@@ -242,8 +242,8 @@ a service provider is fully enabled to add nonce semantics into this scheme by | ||
| -----BEGIN PUBLIC KEY----- | ||
| MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCFENGw33yGihy92pDjZQhl0C3 | ||
| 6rPJj+CvfSC8+q28hxA161QFNUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6 | ||
| Z4UMR7EOcpfdUE9Hf3m/hs+FUR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJw | ||
| oYi+1hqp1fIekaxsyQIDAQAB | ||
| -----END PUBLIC KEY----- | ||
| -----BEGIN PUBLIC KEY----- | ||
| MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCFENGw33yGihy92pDjZQhl0C3 | ||
| 6rPJj+CvfSC8+q28hxA161QFNUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6 | ||
| Z4UMR7EOcpfdUE9Hf3m/hs+FUR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJw | ||
| oYi+1hqp1fIekaxsyQIDAQAB | ||
| -----END PUBLIC KEY----- | ||
@@ -285,3 +285,3 @@ -----BEGIN RSA PRIVATE KEY----- | ||
| Authorization: Signature keyId="Test",algorithm="rsa-sha256",signature="JldXnt8W9t643M2Sce10gqCh/+E7QIYLiI+bSjnFBGCti7s+mPPvOjVb72sbd1FjeOUwPTDpKbrQQORrm+xBYfAwCxF3LBSSzORvyJ5nRFCFxfJ3nlQD6Kdxhw8wrVZX5nSem4A/W3C8qH5uhFTRwF4ruRjh+ENHWuovPgO/HGQ=" | ||
| Authorization: Signature keyId="Test",algorithm="rsa-sha256",signature="ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA=" | ||
@@ -302,3 +302,3 @@ ### All Headers | ||
| Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="request-line host date content-type content-md5 content-length",signature="Gm7W/r+e90REDpWytALMrft4MqZxCmslOTOvwJX17ViEBA5E65QqvWI0vIH3l/vSsGiaMVmuUgzYsJLYMLcm5dGrv1+a+0fCoUdVKPZWHyImQEqpLkopVwqEH67LVECFBqFTAKlQgBn676zrfXQbb+b/VebAsNUtvQMe6cTjnDY=" | ||
| Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="request-line host date content-type content-md5 content-length",signature="H/AaTDkJvLELy4i1RujnKlS6dm8QWiJvEpn9cKRMi49kKF+mohZ15z1r+mF+XiKS5kOOscyS83olfBtsVhYjPg2Ei3/D9D4Mvb7bFm9IaLJgYTFFuQCghrKQQFPiqJN320emjHxFowpIm1BkstnEU7lktH/XdXVBo8a6Uteiztw=" | ||
@@ -22,2 +22,3 @@ // Copyright 2011 Joyent, Inc. All rights reserved. | ||
| sshKeyFingerprint: util.fingerprint, | ||
| pemToRsaSSHKey: util.pemToRsaSSHKey, | ||
@@ -24,0 +25,0 @@ verify: verify.verifySignature, |
@@ -149,3 +149,2 @@ // Copyright 2012 Joyent, Inc. All rights reserved. | ||
| } else { | ||
| value = | ||
| stringToSign += | ||
@@ -152,0 +151,0 @@ request.method + ' ' + request.path + ' HTTP/' + options.httpVersion; |
@@ -246,5 +246,60 @@ // Copyright 2012 Joyent, Inc. All rights reserved. | ||
| return fp; | ||
| } | ||
| }, | ||
| /** | ||
| * Converts a PKGCS#8 PEM file to an OpenSSH public key (rsa) | ||
| * | ||
| * The reverse of the above function. | ||
| */ | ||
| pemToRsaSSHKey: function pemToRsaSSHKey(pem, comment) { | ||
| assert.equal('string', typeof pem, 'typeof pem'); | ||
| // chop off the BEGIN PUBLIC KEY and END PUBLIC KEY portion | ||
| var cleaned = pem.split('\n').slice(1, -2).join(''); | ||
| var buf = new Buffer(cleaned, 'base64'); | ||
| var der = new asn1.BerReader(buf); | ||
| der.readSequence(); | ||
| der.readSequence(); | ||
| var oid = der.readOID(); | ||
| assert.equal(oid, '1.2.840.113549.1.1.1', 'pem not in RSA format'); | ||
| // Null -- XXX this probably isn't good practice | ||
| der.readByte(); | ||
| der.readByte(); | ||
| // bit string sequence | ||
| der.readSequence(0x03); | ||
| der.readByte(); | ||
| der.readSequence(); | ||
| // modulus | ||
| assert.equal(der.peek(), asn1.Ber.Integer, 'modulus not an integer'); | ||
| der._offset = der.readLength(der.offset + 1); | ||
| var modulus = der._buf.slice(der.offset, der.offset + der.length); | ||
| der._offset += der.length; | ||
| // exponent | ||
| assert.equal(der.peek(), asn1.Ber.Integer, 'exponent not an integer'); | ||
| der._offset = der.readLength(der.offset + 1); | ||
| var exponent = der._buf.slice(der.offset, der.offset + der.length); | ||
| der._offset += der.length; | ||
| // now, make the key | ||
| var type = new Buffer('ssh-rsa'); | ||
| var buffer = new Buffer(4 + type.length + 4 + modulus.length + 4 + exponent.length); | ||
| var i = 0; | ||
| buffer.writeUInt32BE(type.length, i); i += 4; | ||
| type.copy(buffer, i); i += type.length; | ||
| buffer.writeUInt32BE(exponent.length, i); i += 4; | ||
| exponent.copy(buffer, i); i += exponent.length; | ||
| buffer.writeUInt32BE(modulus.length, i); i += 4; | ||
| modulus.copy(buffer, i); i += modulus.length; | ||
| var s = type.toString() + ' ' + buffer.toString('base64') + ' ' + (comment || ''); | ||
| return s; | ||
| } | ||
| }; |
| { | ||
| "name": "http-signature", | ||
| "description": "Reference implementation of Joyent's HTTP Signature scheme.", | ||
| "version": "0.10.1", | ||
| "license": "MIT", | ||
| "author": "Joyent, Inc", | ||
| "name": "http-signature", | ||
| "description": "Reference implementation of Joyent's HTTP Signature Scheme", | ||
| "version": "0.10.0", | ||
| "contributors": [ | ||
| "Mark Cavage <mcavage@gmail.com>", | ||
| "David I. Lehn <dil@lehn.org>" | ||
| ], | ||
| "repository": { | ||
@@ -10,2 +15,8 @@ "type": "git", | ||
| }, | ||
| "homepage": "https://github.com/joyent/node-http-signature/", | ||
| "bugs": "https://github.com/joyent/node-http-signature/issues", | ||
| "keywords": [ | ||
| "https", | ||
| "request" | ||
| ], | ||
| "engines": { | ||
@@ -16,13 +27,13 @@ "node": ">=0.8" | ||
| "scripts": { | ||
| "test": "./node_modules/.bin/tap tst/*.js" | ||
| "test": "tap test/*.js" | ||
| }, | ||
| "dependencies": { | ||
| "assert-plus": "0.1.2", | ||
| "assert-plus": "^0.1.5", | ||
| "asn1": "0.1.11", | ||
| "ctype": "0.5.2" | ||
| "ctype": "0.5.3" | ||
| }, | ||
| "devDependencies": { | ||
| "node-uuid": "1.4.0", | ||
| "node-uuid": "^1.4.1", | ||
| "tap": "0.4.2" | ||
| } | ||
| } |
@@ -9,3 +9,3 @@ # node-http-signature | ||
| Note the example below signs a request with the same key/cert used to start an | ||
| HTTP server. This is almost certainly not what you actaully want, but is just | ||
| HTTP server. This is almost certainly not what you actually want, but is just | ||
| used to illustrate the API calls; you will need to provide your own key | ||
@@ -16,51 +16,55 @@ management in addition to this library. | ||
| var fs = require('fs'); | ||
| var https = require('https'); | ||
| var httpSignature = require('http-signature'); | ||
| ```js | ||
| var fs = require('fs'); | ||
| var https = require('https'); | ||
| var httpSignature = require('http-signature'); | ||
| var key = fs.readFileSync('./key.pem', 'ascii'); | ||
| var key = fs.readFileSync('./key.pem', 'ascii'); | ||
| var options = { | ||
| host: 'localhost', | ||
| port: 8443, | ||
| path: '/', | ||
| method: 'GET', | ||
| headers: {} | ||
| }; | ||
| var options = { | ||
| host: 'localhost', | ||
| port: 8443, | ||
| path: '/', | ||
| method: 'GET', | ||
| headers: {} | ||
| }; | ||
| // Adds a 'Date' header in, signs it, and adds the | ||
| // 'Authorization' header in. | ||
| var req = https.request(options, function(res) { | ||
| console.log(res.statusCode); | ||
| }); | ||
| // Adds a 'Date' header in, signs it, and adds the | ||
| // 'Authorization' header in. | ||
| var req = https.request(options, function(res) { | ||
| console.log(res.statusCode); | ||
| }); | ||
| httpSignature.sign(req, { | ||
| key: key, | ||
| keyId: './cert.pem' | ||
| }); | ||
| httpSignature.sign(req, { | ||
| key: key, | ||
| keyId: './cert.pem' | ||
| }); | ||
| req.end(); | ||
| req.end(); | ||
| ``` | ||
| ### Server | ||
| var fs = require('fs'); | ||
| var https = require('https'); | ||
| var httpSignature = require('http-signature'); | ||
| ```js | ||
| var fs = require('fs'); | ||
| var https = require('https'); | ||
| var httpSignature = require('http-signature'); | ||
| var options = { | ||
| key: fs.readFileSync('./key.pem'), | ||
| cert: fs.readFileSync('./cert.pem') | ||
| }; | ||
| var options = { | ||
| key: fs.readFileSync('./key.pem'), | ||
| cert: fs.readFileSync('./cert.pem') | ||
| }; | ||
| https.createServer(options, function (req, res) { | ||
| var rc = 200; | ||
| var parsed = httpSignature.parseRequest(req); | ||
| var pub = fs.readFileSync(parsed.keyId, 'ascii'); | ||
| if (!httpSignature.verifySignature(parsed, pub)) | ||
| rc = 401; | ||
| https.createServer(options, function (req, res) { | ||
| var rc = 200; | ||
| var parsed = httpSignature.parseRequest(req); | ||
| var pub = fs.readFileSync(parsed.keyId, 'ascii'); | ||
| if (!httpSignature.verifySignature(parsed, pub)) | ||
| rc = 401; | ||
| res.writeHead(rc); | ||
| res.end(); | ||
| }).listen(8443); | ||
| res.writeHead(rc); | ||
| res.end(); | ||
| }).listen(8443); | ||
| ``` | ||
@@ -67,0 +71,0 @@ ## Installation |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
No bug tracker
MaintenancePackage does not have a linked bug tracker in package.json.
Found 1 instance in 1 package
No website
QualityPackage does not have a website.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by5.76%
38278
- Lines of code
- increased by7.25%
666
- Number of low quality alerts
- decreased by-50%
1
- Number of lines in readme file
- increased by5.26%
80
Worsened metrics
- Number of medium supply chain risk alerts
- increased by100%
2
Dependency changes
+ Addedassert-plus@0.1.5(transitive)
+ Addedctype@0.5.3(transitive)
- Removedassert-plus@0.1.2(transitive)
- Removedctype@0.5.2(transitive)
Updatedassert-plus@^0.1.5
Updatedctype@0.5.3