Hello community,
here is the log from the commit of package nodejs-http-signature for openSUSE:Factory checked in at 2015-07-08 06:59:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nodejs-http-signature (Old)
and /work/SRC/openSUSE:Factory/.nodejs-http-signature.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nodejs-http-signature"
Changes:
--------
--- /work/SRC/openSUSE:Factory/nodejs-http-signature/nodejs-http-signature.changes 2015-04-27 13:01:23.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.nodejs-http-signature.new/nodejs-http-signature.changes 2015-07-08 06:59:08.000000000 +0200
@@ -1,0 +2,5 @@
+Sat Jun 27 04:40:45 UTC 2015 - i@marguerite.su
+
+- update version 0.11.0
+
+-------------------------------------------------------------------
Old:
----
http-signature-0.10.0.tgz
New:
----
http-signature-0.11.0.tgz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ nodejs-http-signature.spec ++++++
--- /var/tmp/diff_new_pack.9D3Dwv/_old 2015-07-08 06:59:09.000000000 +0200
+++ /var/tmp/diff_new_pack.9D3Dwv/_new 2015-07-08 06:59:09.000000000 +0200
@@ -19,7 +19,7 @@
%define base_name http-signature
Name: nodejs-http-signature
-Version: 0.10.0
+Version: 0.11.0
Release: 0
Summary: Reference implementation of Joyent's HTTP Signature Scheme
License: MIT
++++++ http-signature-0.10.0.tgz -> http-signature-0.11.0.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/package/README.md new/package/README.md
--- old/package/README.md 2013-05-07 17:24:15.000000000 +0200
+++ new/package/README.md 2015-01-05 21:37:52.000000000 +0100
@@ -6,61 +6,65 @@
## Usage
Note the example below signs a request with the same key/cert used to start an
-HTTP server. This is almost certainly not what you actaully want, but is just
+HTTP server. This is almost certainly not what you actually want, but is just
used to illustrate the API calls; you will need to provide your own key
management in addition to this library.
### Client
- var fs = require('fs');
- var https = require('https');
- var httpSignature = require('http-signature');
-
- var key = fs.readFileSync('./key.pem', 'ascii');
-
- var options = {
- host: 'localhost',
- port: 8443,
- path: '/',
- method: 'GET',
- headers: {}
- };
-
- // Adds a 'Date' header in, signs it, and adds the
- // 'Authorization' header in.
- var req = https.request(options, function(res) {
- console.log(res.statusCode);
- });
-
-
- httpSignature.sign(req, {
- key: key,
- keyId: './cert.pem'
- });
+```js
+var fs = require('fs');
+var https = require('https');
+var httpSignature = require('http-signature');
+
+var key = fs.readFileSync('./key.pem', 'ascii');
+
+var options = {
+ host: 'localhost',
+ port: 8443,
+ path: '/',
+ method: 'GET',
+ headers: {}
+};
+
+// Adds a 'Date' header in, signs it, and adds the
+// 'Authorization' header in.
+var req = https.request(options, function(res) {
+ console.log(res.statusCode);
+});
+
+
+httpSignature.sign(req, {
+ key: key,
+ keyId: './cert.pem'
+});
- req.end();
+req.end();
+```
### Server
- var fs = require('fs');
- var https = require('https');
- var httpSignature = require('http-signature');
-
- var options = {
- key: fs.readFileSync('./key.pem'),
- cert: fs.readFileSync('./cert.pem')
- };
-
- https.createServer(options, function (req, res) {
- var rc = 200;
- var parsed = httpSignature.parseRequest(req);
- var pub = fs.readFileSync(parsed.keyId, 'ascii');
- if (!httpSignature.verifySignature(parsed, pub))
- rc = 401;
-
- res.writeHead(rc);
- res.end();
- }).listen(8443);
+```js
+var fs = require('fs');
+var https = require('https');
+var httpSignature = require('http-signature');
+
+var options = {
+ key: fs.readFileSync('./key.pem'),
+ cert: fs.readFileSync('./cert.pem')
+};
+
+https.createServer(options, function (req, res) {
+ var rc = 200;
+ var parsed = httpSignature.parseRequest(req);
+ var pub = fs.readFileSync(parsed.keyId, 'ascii');
+ if (!httpSignature.verifySignature(parsed, pub))
+ rc = 401;
+
+ res.writeHead(rc);
+ res.end();
+}).listen(8443);
+```
## Installation
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/package/http_signing.md new/package/http_signing.md
--- old/package/http_signing.md 2013-05-07 17:24:15.000000000 +0200
+++ new/package/http_signing.md 2015-01-05 21:37:52.000000000 +0100
@@ -17,7 +17,7 @@
requests. RFC2617 (HTTP Authentication) defines Basic and Digest authentication
mechanisms, and RFC5246 (TLS 1.2) defines client-auth, both of which are widely
employed on the Internet today. However, it is common place that the burdens of
-PKI prevent web service operators from deploying that methodoloy, and so many
+PKI prevent web service operators from deploying that methodology, and so many
fall back to Basic authentication, which has poor security characteristics.
Additionally, OAuth provides a fully-specified alternative for authorization
@@ -109,14 +109,14 @@
1. If the header name is not `request-line` then append the lowercased header
name followed with an ASCII colon `:` and an ASCII space ` `.
-2. If the header name is `request-line` then appened the HTTP request line,
+2. If the header name is `request-line` then append the HTTP request line,
otherwise append the header value.
3. If value is not the last value then append an ASCII newline `\n`. The string
MUST NOT include a trailing ASCII newline.
# Example Requests
-All requests refer to the following request (body ommitted):
+All requests refer to the following request (body omitted):
POST /foo HTTP/1.1
Host: example.org
@@ -182,7 +182,7 @@
Note the default parameterization of the `Signature` scheme is only safe if all
requests are carried over a secure transport (i.e., TLS). Sending the default
scheme over a non-secure transport will leave the request vulnerable to
-spoofing, tampering, replay/repudiaton, and integrity violations (if using the
+spoofing, tampering, replay/repudiation, and integrity violations (if using the
STRIDE threat-modeling methodology).
## Insecure Transports
@@ -195,7 +195,7 @@
## Nonces
Nonces are out of scope for this document simply because many service providers
-fail to implement them correctly, or do not adopt security specfiications
+fail to implement them correctly, or do not adopt security specifications
because of the infrastructure complexity. Given the `header` parameterization,
a service provider is fully enabled to add nonce semantics into this scheme by
using something like an `x-request-nonce` header, and ensuring it is signed
@@ -234,12 +234,12 @@
The following test data uses the RSA (2048b) keys, which we will refer
to as `keyId=Test` in the following samples:
- -----BEGIN PUBLIC KEY-----
- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCFENGw33yGihy92pDjZQhl0C3
- 6rPJj+CvfSC8+q28hxA161QFNUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6
- Z4UMR7EOcpfdUE9Hf3m/hs+FUR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJw
- oYi+1hqp1fIekaxsyQIDAQAB
- -----END PUBLIC KEY-----
+ -----BEGIN PUBLIC KEY-----
+ MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCFENGw33yGihy92pDjZQhl0C3
+ 6rPJj+CvfSC8+q28hxA161QFNUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6
+ Z4UMR7EOcpfdUE9Hf3m/hs+FUR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJw
+ oYi+1hqp1fIekaxsyQIDAQAB
+ -----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDCFENGw33yGihy92pDjZQhl0C36rPJj+CvfSC8+q28hxA161QF
@@ -276,7 +276,7 @@
The Authorization header would be:
- Authorization: Signature keyId="Test",algorithm="rsa-sha256",signature="JldXnt8W9t643M2Sce10gqCh/+E7QIYLiI+bSjnFBGCti7s+mPPvOjVb72sbd1FjeOUwPTDpKbrQQORrm+xBYfAwCxF3LBSSzORvyJ5nRFCFxfJ3nlQD6Kdxhw8wrVZX5nSem4A/W3C8qH5uhFTRwF4ruRjh+ENHWuovPgO/HGQ="
+ Authorization: Signature keyId="Test",algorithm="rsa-sha256",signature="ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA="
### All Headers
@@ -292,5 +292,5 @@
The Authorization header would be:
- Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="request-line host date content-type content-md5 content-length",signature="Gm7W/r+e90REDpWytALMrft4MqZxCmslOTOvwJX17ViEBA5E65QqvWI0vIH3l/vSsGiaMVmuUgzYsJLYMLcm5dGrv1+a+0fCoUdVKPZWHyImQEqpLkopVwqEH67LVECFBqFTAKlQgBn676zrfXQbb+b/VebAsNUtvQMe6cTjnDY="
+ Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="request-line host date content-type content-md5 content-length",signature="H/AaTDkJvLELy4i1RujnKlS6dm8QWiJvEpn9cKRMi49kKF+mohZ15z1r+mF+XiKS5kOOscyS83olfBtsVhYjPg2Ei3/D9D4Mvb7bFm9IaLJgYTFFuQCghrKQQFPiqJN320emjHxFowpIm1BkstnEU7lktH/XdXVBo8a6Uteiztw="
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/package/lib/index.js new/package/lib/index.js
--- old/package/lib/index.js 2013-05-07 17:24:15.000000000 +0200
+++ new/package/lib/index.js 2015-04-01 23:37:38.000000000 +0200
@@ -1,4 +1,4 @@
-// Copyright 2011 Joyent, Inc. All rights reserved.
+// Copyright 2015 Joyent, Inc.
var parser = require('./parser');
var signer = require('./signer');
@@ -19,7 +19,9 @@
sshKeyToPEM: util.sshKeyToPEM,
sshKeyFingerprint: util.fingerprint,
+ pemToRsaSSHKey: util.pemToRsaSSHKey,
verify: verify.verifySignature,
- verifySignature: verify.verifySignature
+ verifySignature: verify.verifySignature,
+ verifyHMAC: verify.verifyHMAC
};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/package/lib/signer.js new/package/lib/signer.js
--- old/package/lib/signer.js 2013-05-07 17:24:15.000000000 +0200
+++ new/package/lib/signer.js 2015-01-05 21:37:52.000000000 +0100
@@ -146,7 +146,6 @@
}
stringToSign += h + ': ' + value;
} else {
- value =
stringToSign +=
request.method + ' ' + request.path + ' HTTP/' + options.httpVersion;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/package/lib/util.js new/package/lib/util.js
--- old/package/lib/util.js 2013-05-07 17:24:15.000000000 +0200
+++ new/package/lib/util.js 2015-04-02 02:13:11.000000000 +0200
@@ -243,7 +243,64 @@
}
return fp;
- }
+ },
+
+ /**
+ * Converts a PKGCS#8 PEM file to an OpenSSH public key (rsa)
+ *
+ * The reverse of the above function.
+ */
+ pemToRsaSSHKey: function pemToRsaSSHKey(pem, comment) {
+ assert.equal('string', typeof (pem), 'typeof pem');
+
+ // chop off the BEGIN PUBLIC KEY and END PUBLIC KEY portion
+ var cleaned = pem.split('\n').slice(1, -2).join('');
+
+ var buf = new Buffer(cleaned, 'base64');
+
+ var der = new asn1.BerReader(buf);
+
+ der.readSequence();
+ der.readSequence();
+ var oid = der.readOID();
+ assert.equal(oid, '1.2.840.113549.1.1.1', 'pem not in RSA format');
+ // Null -- XXX this probably isn't good practice
+ der.readByte();
+ der.readByte();
+
+ // bit string sequence
+ der.readSequence(0x03);
+ der.readByte();
+ der.readSequence();
+
+ // modulus
+ assert.equal(der.peek(), asn1.Ber.Integer, 'modulus not an integer');
+ der._offset = der.readLength(der.offset + 1);
+ var modulus = der._buf.slice(der.offset, der.offset + der.length);
+ der._offset += der.length;
+
+ // exponent
+ assert.equal(der.peek(), asn1.Ber.Integer, 'exponent not an integer');
+ der._offset = der.readLength(der.offset + 1);
+ var exponent = der._buf.slice(der.offset, der.offset + der.length);
+ der._offset += der.length;
+
+ // now, make the key
+ var type = new Buffer('ssh-rsa');
+ var buffer = new Buffer(4 + type.length + 4 + modulus.length +
+ 4 + exponent.length);
+ var i = 0;
+ buffer.writeUInt32BE(type.length, i); i += 4;
+ type.copy(buffer, i); i += type.length;
+ buffer.writeUInt32BE(exponent.length, i); i += 4;
+ exponent.copy(buffer, i); i += exponent.length;
+ buffer.writeUInt32BE(modulus.length, i); i += 4;
+ modulus.copy(buffer, i); i += modulus.length;
+
+ var s = (type.toString() + ' ' + buffer.toString('base64') + ' ' +
+ (comment || ''));
+ return s;
+ }
};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/package/lib/verify.js new/package/lib/verify.js
--- old/package/lib/verify.js 2013-05-07 17:24:15.000000000 +0200
+++ new/package/lib/verify.js 2015-04-01 23:39:06.000000000 +0200
@@ -1,4 +1,4 @@
-// Copyright 2011 Joyent, Inc. All rights reserved.
+// Copyright 2015 Joyent, Inc.
var assert = require('assert-plus');
var crypto = require('crypto');
@@ -8,35 +8,49 @@
///--- Exported API
module.exports = {
-
/**
- * Simply wraps up the node crypto operations for you, and returns
- * true or false. You are expected to pass in an object that was
- * returned from `parse()`.
+ * Verify RSA/DSA signature against public key. You are expected to pass in
+ * an object that was returned from `parse()`.
*
* @param {Object} parsedSignature the object you got from `parse`.
- * @param {String} key either an RSA private key PEM or HMAC secret.
+ * @param {String} pubkey RSA/DSA private key PEM.
* @return {Boolean} true if valid, false otherwise.
* @throws {TypeError} if you pass in bad arguments.
*/
- verifySignature: function verifySignature(parsedSignature, key) {
+ verifySignature: function verifySignature(parsedSignature, pubkey) {
assert.object(parsedSignature, 'parsedSignature');
- assert.string(key, 'key');
+ assert.string(pubkey, 'pubkey');
- var alg = parsedSignature.algorithm.match(/(HMAC|RSA|DSA)-(\w+)/);
+ var alg = parsedSignature.algorithm.match(/^(RSA|DSA)-(\w+)/);
if (!alg || alg.length !== 3)
throw new TypeError('parsedSignature: unsupported algorithm ' +
parsedSignature.algorithm);
- if (alg[1] === 'HMAC') {
- var hmac = crypto.createHmac(alg[2].toUpperCase(), key);
- hmac.update(parsedSignature.signingString);
- return (hmac.digest('base64') === parsedSignature.params.signature);
- } else {
- var verify = crypto.createVerify(alg[0]);
- verify.update(parsedSignature.signingString);
- return verify.verify(key, parsedSignature.params.signature, 'base64');
- }
- }
+ var verify = crypto.createVerify(alg[0]);
+ verify.update(parsedSignature.signingString);
+ return verify.verify(pubkey, parsedSignature.params.signature, 'base64');
+ },
+ /**
+ * Verify HMAC against shared secret. You are expected to pass in an object
+ * that was returned from `parse()`.
+ *
+ * @param {Object} parsedSignature the object you got from `parse`.
+ * @param {String} secret HMAC shared secret.
+ * @return {Boolean} true if valid, false otherwise.
+ * @throws {TypeError} if you pass in bad arguments.
+ */
+ verifyHMAC: function verifyHMAC(parsedSignature, secret) {
+ assert.object(parsedSignature, 'parsedHMAC');
+ assert.string(secret, 'secret');
+
+ var alg = parsedSignature.algorithm.match(/^HMAC-(\w+)/);
+ if (!alg || alg.length !== 2)
+ throw new TypeError('parsedSignature: unsupported algorithm ' +
+ parsedSignature.algorithm);
+
+ var hmac = crypto.createHmac(alg[1].toUpperCase(), secret);
+ hmac.update(parsedSignature.signingString);
+ return (hmac.digest('base64') === parsedSignature.params.signature);
+ }
};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/package/package.json new/package/package.json
--- old/package/package.json 2013-05-07 17:26:44.000000000 +0200
+++ new/package/package.json 2015-04-02 02:15:30.000000000 +0200
@@ -1,26 +1,38 @@
{
- "author": "Joyent, Inc",
"name": "http-signature",
- "description": "Reference implementation of Joyent's HTTP Signature Scheme",
- "version": "0.10.0",
+ "description": "Reference implementation of Joyent's HTTP Signature scheme.",
+ "version": "0.11.0",
+ "license": "MIT",
+ "author": "Joyent, Inc",
+ "contributors": [
+ "Mark Cavage