Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Allow hs2019 algorithm in signing and verifying (rebased, improved, tests, squashed) #116

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

ashpieboop
Copy link
Contributor

Resolves #106

From #105:

This allows the recommended use of "hs2019" as algorithm, that effectively hides the used algorithm from the signature to avoid attacks, see Appendix E.2 in https://tools.ietf.org/html/draft-cavage-http-signatures-12.

For signing there is an option hideAlgorithm that defaults to false and if true writes "hs2019" into the authentication header.

For verifying one has to pass an overriddenAlgorithm to verify that basically overrides the algorithm "hs2019" for verification. The overriddenAlgorithm has to be determined by metadata of the clientId (after parsing the signature the clientId is known).


I removed the manual algorithm override from original PR as it's supposed to be determined by the key metadata (aka public key type) for hs2019.

Also, hash algo is supposed to be sha512 so it is forced in validateAlgorithm().

@ashpieboop ashpieboop changed the title Allow hs2019 algorithm in signing and verifying (rebased, improved, tests) Allow hs2019 algorithm in signing and verifying (rebased, improved, tests, squashed) Sep 21, 2020
Fix lint issues


Add missing parameter validation to verifySignature()


g


g
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support hs2019 algorithm
2 participants