diff options
Diffstat (limited to 'node_modules/http-signature')
| -rw-r--r-- | node_modules/http-signature/.dir-locals.el | 6 | ||||
| -rw-r--r-- | node_modules/http-signature/.npmignore | 7 | ||||
| -rw-r--r-- | node_modules/http-signature/CHANGES.md | 46 | ||||
| -rw-r--r-- | node_modules/http-signature/LICENSE | 18 | ||||
| -rw-r--r-- | node_modules/http-signature/README.md | 79 | ||||
| -rw-r--r-- | node_modules/http-signature/http_signing.md | 363 | ||||
| -rw-r--r-- | node_modules/http-signature/lib/index.js | 29 | ||||
| -rw-r--r-- | node_modules/http-signature/lib/parser.js | 315 | ||||
| -rw-r--r-- | node_modules/http-signature/lib/signer.js | 401 | ||||
| -rw-r--r-- | node_modules/http-signature/lib/utils.js | 112 | ||||
| -rw-r--r-- | node_modules/http-signature/lib/verify.js | 88 | ||||
| -rw-r--r-- | node_modules/http-signature/package.json | 39 |
12 files changed, 0 insertions, 1503 deletions
diff --git a/node_modules/http-signature/.dir-locals.el b/node_modules/http-signature/.dir-locals.el deleted file mode 100644 index 3bc9235..0000000 --- a/node_modules/http-signature/.dir-locals.el +++ /dev/null @@ -1,6 +0,0 @@ -((nil . ((indent-tabs-mode . nil) - (tab-width . 8) - (fill-column . 80))) - (js-mode . ((js-indent-level . 2) - (indent-tabs-mode . nil) - )))
\ No newline at end of file diff --git a/node_modules/http-signature/.npmignore b/node_modules/http-signature/.npmignore deleted file mode 100644 index c143fb3..0000000 --- a/node_modules/http-signature/.npmignore +++ /dev/null @@ -1,7 +0,0 @@ -.gitmodules -deps -docs -Makefile -node_modules -test -tools
\ No newline at end of file diff --git a/node_modules/http-signature/CHANGES.md b/node_modules/http-signature/CHANGES.md deleted file mode 100644 index 6f69444..0000000 --- a/node_modules/http-signature/CHANGES.md +++ /dev/null @@ -1,46 +0,0 @@ -# node-http-signature changelog - -## 1.1.1 - -- Version of dependency `assert-plus` updated: old version was missing - some license information -- Corrected examples in `http_signing.md`, added auto-tests to - automatically validate these examples - -## 1.1.0 - -- Bump version of `sshpk` dependency, remove peerDependency on it since - it now supports exchanging objects between multiple versions of itself - where possible - -## 1.0.2 - -- Bump min version of `jsprim` dependency, to include fixes for using - http-signature with `browserify` - -## 1.0.1 - -- Bump minimum version of `sshpk` dependency, to include fixes for - whitespace tolerance in key parsing. - -## 1.0.0 - -- First semver release. -- #36: Ensure verifySignature does not leak useful timing information -- #42: Bring the library up to the latest version of the spec (including the - request-target changes) -- Support for ECDSA keys and signatures. -- Now uses `sshpk` for key parsing, validation and conversion. -- Fixes for #21, #47, #39 and compatibility with node 0.8 - -## 0.11.0 - -- Split up HMAC and Signature verification to avoid vulnerabilities where a - key intended for use with one can be validated against the other method - instead. - -## 0.10.2 - -- Updated versions of most dependencies. -- Utility functions exported for PEM => SSH-RSA conversion. -- Improvements to tests and examples. diff --git a/node_modules/http-signature/LICENSE b/node_modules/http-signature/LICENSE deleted file mode 100644 index f6d947d..0000000 --- a/node_modules/http-signature/LICENSE +++ /dev/null @@ -1,18 +0,0 @@ -Copyright Joyent, Inc. All rights reserved. -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to -deal in the Software without restriction, including without limitation the -rights to use, copy, modify, merge, publish, distribute, sublicense, and/or -sell copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS -IN THE SOFTWARE. diff --git a/node_modules/http-signature/README.md b/node_modules/http-signature/README.md deleted file mode 100644 index de487d3..0000000 --- a/node_modules/http-signature/README.md +++ /dev/null @@ -1,79 +0,0 @@ -# node-http-signature - -node-http-signature is a node.js library that has client and server components -for Joyent's [HTTP Signature Scheme](http_signing.md). - -## Usage - -Note the example below signs a request with the same key/cert used to start an -HTTP server. This is almost certainly not what you actually want, but is just -used to illustrate the API calls; you will need to provide your own key -management in addition to this library. - -### Client - -```js -var fs = require('fs'); -var https = require('https'); -var httpSignature = require('http-signature'); - -var key = fs.readFileSync('./key.pem', 'ascii'); - -var options = { - host: 'localhost', - port: 8443, - path: '/', - method: 'GET', - headers: {} -}; - -// Adds a 'Date' header in, signs it, and adds the -// 'Authorization' header in. -var req = https.request(options, function(res) { - console.log(res.statusCode); -}); - - -httpSignature.sign(req, { - key: key, - keyId: './cert.pem' -}); - -req.end(); -``` - -### Server - -```js -var fs = require('fs'); -var https = require('https'); -var httpSignature = require('http-signature'); - -var options = { - key: fs.readFileSync('./key.pem'), - cert: fs.readFileSync('./cert.pem') -}; - -https.createServer(options, function (req, res) { - var rc = 200; - var parsed = httpSignature.parseRequest(req); - var pub = fs.readFileSync(parsed.keyId, 'ascii'); - if (!httpSignature.verifySignature(parsed, pub)) - rc = 401; - - res.writeHead(rc); - res.end(); -}).listen(8443); -``` - -## Installation - - npm install http-signature - -## License - -MIT. - -## Bugs - -See <https://github.com/joyent/node-http-signature/issues>. diff --git a/node_modules/http-signature/http_signing.md b/node_modules/http-signature/http_signing.md deleted file mode 100644 index 4f24d28..0000000 --- a/node_modules/http-signature/http_signing.md +++ /dev/null @@ -1,363 +0,0 @@ -# Abstract - -This document describes a way to add origin authentication, message integrity, -and replay resistance to HTTP REST requests. It is intended to be used over -the HTTPS protocol. - -# Copyright Notice - -Copyright (c) 2011 Joyent, Inc. and the persons identified as document authors. -All rights reserved. - -Code Components extracted from this document must include MIT License text. - -# Introduction - -This protocol is intended to provide a standard way for clients to sign HTTP -requests. RFC2617 (HTTP Authentication) defines Basic and Digest authentication -mechanisms, and RFC5246 (TLS 1.2) defines client-auth, both of which are widely -employed on the Internet today. However, it is common place that the burdens of -PKI prevent web service operators from deploying that methodology, and so many -fall back to Basic authentication, which has poor security characteristics. - -Additionally, OAuth provides a fully-specified alternative for authorization -of web service requests, but is not (always) ideal for machine to machine -communication, as the key acquisition steps (generally) imply a fixed -infrastructure that may not make sense to a service provider (e.g., symmetric -keys). - -Several web service providers have invented their own schemes for signing -HTTP requests, but to date, none have been placed in the public domain as a -standard. This document serves that purpose. There are no techniques in this -proposal that are novel beyond previous art, however, this aims to be a simple -mechanism for signing these requests. - -# Signature Authentication Scheme - -The "signature" authentication scheme is based on the model that the client must -authenticate itself with a digital signature produced by either a private -asymmetric key (e.g., RSA) or a shared symmetric key (e.g., HMAC). The scheme -is parameterized enough such that it is not bound to any particular key type or -signing algorithm. However, it does explicitly assume that clients can send an -HTTP `Date` header. - -## Authorization Header - -The client is expected to send an Authorization header (as defined in RFC 2617) -with the following parameterization: - - credentials := "Signature" params - params := 1#(keyId | algorithm | [headers] | [ext] | signature) - digitalSignature := plain-string - - keyId := "keyId" "=" <"> plain-string <"> - algorithm := "algorithm" "=" <"> plain-string <"> - headers := "headers" "=" <"> 1#headers-value <"> - ext := "ext" "=" <"> plain-string <"> - signature := "signature" "=" <"> plain-string <"> - - headers-value := plain-string - plain-string = 1*( %x20-21 / %x23-5B / %x5D-7E ) - -### Signature Parameters - -#### keyId - -REQUIRED. The `keyId` field is an opaque string that the server can use to look -up the component they need to validate the signature. It could be an SSH key -fingerprint, an LDAP DN, etc. Management of keys and assignment of `keyId` is -out of scope for this document. - -#### algorithm - -REQUIRED. The `algorithm` parameter is used if the client and server agree on a -non-standard digital signature algorithm. The full list of supported signature -mechanisms is listed below. - -#### headers - -OPTIONAL. The `headers` parameter is used to specify the list of HTTP headers -used to sign the request. If specified, it should be a quoted list of HTTP -header names, separated by a single space character. By default, only one -HTTP header is signed, which is the `Date` header. Note that the list MUST be -specified in the order the values are concatenated together during signing. To -include the HTTP request line in the signature calculation, use the special -`request-line` value. While this is overloading the definition of `headers` in -HTTP linguism, the request-line is defined in RFC 2616, and as the outlier from -headers in useful signature calculation, it is deemed simpler to simply use -`request-line` than to add a separate parameter for it. - -#### extensions - -OPTIONAL. The `extensions` parameter is used to include additional information -which is covered by the request. The content and format of the string is out of -scope for this document, and expected to be specified by implementors. - -#### signature - -REQUIRED. The `signature` parameter is a `Base64` encoded digital signature -generated by the client. The client uses the `algorithm` and `headers` request -parameters to form a canonicalized `signing string`. This `signing string` is -then signed with the key associated with `keyId` and the algorithm -corresponding to `algorithm`. The `signature` parameter is then set to the -`Base64` encoding of the signature. - -### Signing String Composition - -In order to generate the string that is signed with a key, the client MUST take -the values of each HTTP header specified by `headers` in the order they appear. - -1. If the header name is not `request-line` then append the lowercased header - name followed with an ASCII colon `:` and an ASCII space ` `. -2. If the header name is `request-line` then append the HTTP request line, - otherwise append the header value. -3. If value is not the last value then append an ASCII newline `\n`. The string - MUST NOT include a trailing ASCII newline. - -# Example Requests - -All requests refer to the following request (body omitted): - - POST /foo HTTP/1.1 - Host: example.org - Date: Tue, 07 Jun 2014 20:51:35 GMT - Content-Type: application/json - Digest: SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE= - Content-Length: 18 - -The "rsa-key-1" keyId refers to a private key known to the client and a public -key known to the server. The "hmac-key-1" keyId refers to key known to the -client and server. - -## Default parameterization - -The authorization header and signature would be generated as: - - Authorization: Signature keyId="rsa-key-1",algorithm="rsa-sha256",signature="Base64(RSA-SHA256(signing string))" - -The client would compose the signing string as: - - date: Tue, 07 Jun 2014 20:51:35 GMT - -## Header List - -The authorization header and signature would be generated as: - - Authorization: Signature keyId="rsa-key-1",algorithm="rsa-sha256",headers="(request-target) date content-type digest",signature="Base64(RSA-SHA256(signing string))" - -The client would compose the signing string as (`+ "\n"` inserted for -readability): - - (request-target) post /foo + "\n" - date: Tue, 07 Jun 2011 20:51:35 GMT + "\n" - content-type: application/json + "\n" - digest: SHA-256=Base64(SHA256(Body)) - -## Algorithm - -The authorization header and signature would be generated as: - - Authorization: Signature keyId="hmac-key-1",algorithm="hmac-sha1",signature="Base64(HMAC-SHA1(signing string))" - -The client would compose the signing string as: - - date: Tue, 07 Jun 2011 20:51:35 GMT - -# Signing Algorithms - -Currently supported algorithm names are: - -* rsa-sha1 -* rsa-sha256 -* rsa-sha512 -* dsa-sha1 -* hmac-sha1 -* hmac-sha256 -* hmac-sha512 - -# Security Considerations - -## Default Parameters - -Note the default parameterization of the `Signature` scheme is only safe if all -requests are carried over a secure transport (i.e., TLS). Sending the default -scheme over a non-secure transport will leave the request vulnerable to -spoofing, tampering, replay/repudiation, and integrity violations (if using the -STRIDE threat-modeling methodology). - -## Insecure Transports - -If sending the request over plain HTTP, service providers SHOULD require clients -to sign ALL HTTP headers, and the `request-line`. Additionally, service -providers SHOULD require `Content-MD5` calculations to be performed to ensure -against any tampering from clients. - -## Nonces - -Nonces are out of scope for this document simply because many service providers -fail to implement them correctly, or do not adopt security specifications -because of the infrastructure complexity. Given the `header` parameterization, -a service provider is fully enabled to add nonce semantics into this scheme by -using something like an `x-request-nonce` header, and ensuring it is signed -with the `Date` header. - -## Clock Skew - -As the default scheme is to sign the `Date` header, service providers SHOULD -protect against logged replay attacks by enforcing a clock skew. The server -SHOULD be synchronized with NTP, and the recommendation in this specification -is to allow 300s of clock skew (in either direction). - -## Required Headers to Sign - -It is out of scope for this document to dictate what headers a service provider -will want to enforce, but service providers SHOULD at minimum include the -`Date` header. - -# References - -## Normative References - -* [RFC2616] Hypertext Transfer Protocol -- HTTP/1.1 -* [RFC2617] HTTP Authentication: Basic and Digest Access Authentication -* [RFC5246] The Transport Layer Security (TLS) Protocol Version 1.2 - -## Informative References - - Name: Mark Cavage (editor) - Company: Joyent, Inc. - Email: mark.cavage@joyent.com - URI: http://www.joyent.com - -# Appendix A - Test Values - -The following test data uses the RSA (1024b) keys, which we will refer -to as `keyId=Test` in the following samples: - - -----BEGIN PUBLIC KEY----- - MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCFENGw33yGihy92pDjZQhl0C3 - 6rPJj+CvfSC8+q28hxA161QFNUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6 - Z4UMR7EOcpfdUE9Hf3m/hs+FUR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJw - oYi+1hqp1fIekaxsyQIDAQAB - -----END PUBLIC KEY----- - - -----BEGIN RSA PRIVATE KEY----- - MIICXgIBAAKBgQDCFENGw33yGihy92pDjZQhl0C36rPJj+CvfSC8+q28hxA161QF - NUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6Z4UMR7EOcpfdUE9Hf3m/hs+F - UR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJwoYi+1hqp1fIekaxsyQIDAQAB - AoGBAJR8ZkCUvx5kzv+utdl7T5MnordT1TvoXXJGXK7ZZ+UuvMNUCdN2QPc4sBiA - QWvLw1cSKt5DsKZ8UETpYPy8pPYnnDEz2dDYiaew9+xEpubyeW2oH4Zx71wqBtOK - kqwrXa/pzdpiucRRjk6vE6YY7EBBs/g7uanVpGibOVAEsqH1AkEA7DkjVH28WDUg - f1nqvfn2Kj6CT7nIcE3jGJsZZ7zlZmBmHFDONMLUrXR/Zm3pR5m0tCmBqa5RK95u - 412jt1dPIwJBANJT3v8pnkth48bQo/fKel6uEYyboRtA5/uHuHkZ6FQF7OUkGogc - mSJluOdc5t6hI1VsLn0QZEjQZMEOWr+wKSMCQQCC4kXJEsHAve77oP6HtG/IiEn7 - kpyUXRNvFsDE0czpJJBvL/aRFUJxuRK91jhjC68sA7NsKMGg5OXb5I5Jj36xAkEA - gIT7aFOYBFwGgQAQkWNKLvySgKbAZRTeLBacpHMuQdl1DfdntvAyqpAZ0lY0RKmW - G6aFKaqQfOXKCyWoUiVknQJAXrlgySFci/2ueKlIE1QqIiLSZ8V8OlpFLRnb1pzI - 7U1yQXnTAEFYM560yJlzUpOb1V4cScGd365tiSMvxLOvTA== - -----END RSA PRIVATE KEY----- - -And all examples use this request: - -<!-- httpreq --> - - POST /foo?param=value&pet=dog HTTP/1.1 - Host: example.com - Date: Thu, 05 Jan 2014 21:31:40 GMT - Content-Type: application/json - Digest: SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE= - Content-Length: 18 - - {"hello": "world"} - -<!-- /httpreq --> - -### Default - -The string to sign would be: - -<!-- sign {"name": "Default", "options": {"keyId":"Test", "algorithm": "rsa-sha256"}} --> -<!-- signstring --> - - date: Thu, 05 Jan 2014 21:31:40 GMT - -<!-- /signstring --> - -The Authorization header would be: - -<!-- authz --> - - Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="date",signature="jKyvPcxB4JbmYY4mByyBY7cZfNl4OW9HpFQlG7N4YcJPteKTu4MWCLyk+gIr0wDgqtLWf9NLpMAMimdfsH7FSWGfbMFSrsVTHNTk0rK3usrfFnti1dxsM4jl0kYJCKTGI/UWkqiaxwNiKqGcdlEDrTcUhhsFsOIo8VhddmZTZ8w=" - -<!-- /authz --> - -### All Headers - -Parameterized to include all headers, the string to sign would be (`+ "\n"` -inserted for readability): - -<!-- sign {"name": "All Headers", "options": {"keyId":"Test", "algorithm": "rsa-sha256", "headers": ["(request-target)", "host", "date", "content-type", "digest", "content-length"]}} --> -<!-- signstring --> - - (request-target): post /foo?param=value&pet=dog - host: example.com - date: Thu, 05 Jan 2014 21:31:40 GMT - content-type: application/json - digest: SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE= - content-length: 18 - -<!-- /signstring --> - -The Authorization header would be: - -<!-- authz --> - - Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="(request-target) host date content-type digest content-length",signature="Ef7MlxLXoBovhil3AlyjtBwAL9g4TN3tibLj7uuNB3CROat/9KaeQ4hW2NiJ+pZ6HQEOx9vYZAyi+7cmIkmJszJCut5kQLAwuX+Ms/mUFvpKlSo9StS2bMXDBNjOh4Auj774GFj4gwjS+3NhFeoqyr/MuN6HsEnkvn6zdgfE2i0=" - -<!-- /authz --> - -## Generating and verifying signatures using `openssl` - -The `openssl` commandline tool can be used to generate or verify the signatures listed above. - -Compose the signing string as usual, and pipe it into the the `openssl dgst` command, then into `openssl enc -base64`, as follows: - - $ printf 'date: Thu, 05 Jan 2014 21:31:40 GMT' | \ - openssl dgst -binary -sign /path/to/private.pem -sha256 | \ - openssl enc -base64 - jKyvPcxB4JbmYY4mByyBY7cZfNl4OW9Hp... - $ - -The `-sha256` option is necessary to produce an `rsa-sha256` signature. You can select other hash algorithms such as `sha1` by changing this argument. - -To verify a signature, first save the signature data, Base64-decoded, into a file, then use `openssl dgst` again with the `-verify` option: - - $ echo 'jKyvPcxB4JbmYY4mByy...' | openssl enc -A -d -base64 > signature - $ printf 'date: Thu, 05 Jan 2014 21:31:40 GMT' | \ - openssl dgst -sha256 -verify /path/to/public.pem -signature ./signature - Verified OK - $ - -## Generating and verifying signatures using `sshpk-sign` - -You can also generate and check signatures using the `sshpk-sign` tool which is -included with the `sshpk` package in `npm`. - -Compose the signing string as above, and pipe it into `sshpk-sign` as follows: - - $ printf 'date: Thu, 05 Jan 2014 21:31:40 GMT' | \ - sshpk-sign -i /path/to/private.pem - jKyvPcxB4JbmYY4mByyBY7cZfNl4OW9Hp... - $ - -This will produce an `rsa-sha256` signature by default, as you can see using -the `-v` option: - - sshpk-sign: using rsa-sha256 with a 1024 bit key - -You can also use `sshpk-verify` in a similar manner: - - $ printf 'date: Thu, 05 Jan 2014 21:31:40 GMT' | \ - sshpk-verify -i ./public.pem -s 'jKyvPcxB4JbmYY...' - OK - $ diff --git a/node_modules/http-signature/lib/index.js b/node_modules/http-signature/lib/index.js deleted file mode 100644 index 54d4603..0000000 --- a/node_modules/http-signature/lib/index.js +++ /dev/null @@ -1,29 +0,0 @@ -// Copyright 2015 Joyent, Inc. - -var parser = require('./parser'); -var signer = require('./signer'); -var verify = require('./verify'); -var utils = require('./utils'); - - - -///--- API - -module.exports = { - - parse: parser.parseRequest, - parseRequest: parser.parseRequest, - - sign: signer.signRequest, - signRequest: signer.signRequest, - createSigner: signer.createSigner, - isSigner: signer.isSigner, - - sshKeyToPEM: utils.sshKeyToPEM, - sshKeyFingerprint: utils.fingerprint, - pemToRsaSSHKey: utils.pemToRsaSSHKey, - - verify: verify.verifySignature, - verifySignature: verify.verifySignature, - verifyHMAC: verify.verifyHMAC -}; diff --git a/node_modules/http-signature/lib/parser.js b/node_modules/http-signature/lib/parser.js deleted file mode 100644 index 5994a7e..0000000 --- a/node_modules/http-signature/lib/parser.js +++ /dev/null @@ -1,315 +0,0 @@ -// Copyright 2012 Joyent, Inc. All rights reserved. - -var assert = require('assert-plus'); -var util = require('util'); -var utils = require('./utils'); - - - -///--- Globals - -var HASH_ALGOS = utils.HASH_ALGOS; -var PK_ALGOS = utils.PK_ALGOS; -var HttpSignatureError = utils.HttpSignatureError; -var InvalidAlgorithmError = utils.InvalidAlgorithmError; -var validateAlgorithm = utils.validateAlgorithm; - -var State = { - New: 0, - Params: 1 -}; - -var ParamsState = { - Name: 0, - Quote: 1, - Value: 2, - Comma: 3 -}; - - -///--- Specific Errors - - -function ExpiredRequestError(message) { - HttpSignatureError.call(this, message, ExpiredRequestError); -} -util.inherits(ExpiredRequestError, HttpSignatureError); - - -function InvalidHeaderError(message) { - HttpSignatureError.call(this, message, InvalidHeaderError); -} -util.inherits(InvalidHeaderError, HttpSignatureError); - - -function InvalidParamsError(message) { - HttpSignatureError.call(this, message, InvalidParamsError); -} -util.inherits(InvalidParamsError, HttpSignatureError); - - -function MissingHeaderError(message) { - HttpSignatureError.call(this, message, MissingHeaderError); -} -util.inherits(MissingHeaderError, HttpSignatureError); - -function StrictParsingError(message) { - HttpSignatureError.call(this, message, StrictParsingError); -} -util.inherits(StrictParsingError, HttpSignatureError); - -///--- Exported API - -module.exports = { - - /** - * Parses the 'Authorization' header out of an http.ServerRequest object. - * - * Note that this API will fully validate the Authorization header, and throw - * on any error. It will not however check the signature, or the keyId format - * as those are specific to your environment. You can use the options object - * to pass in extra constraints. - * - * As a response object you can expect this: - * - * { - * "scheme": "Signature", - * "params": { - * "keyId": "foo", - * "algorithm": "rsa-sha256", - * "headers": [ - * "date" or "x-date", - * "digest" - * ], - * "signature": "base64" - * }, - * "signingString": "ready to be passed to crypto.verify()" - * } - * - * @param {Object} request an http.ServerRequest. - * @param {Object} options an optional options object with: - * - clockSkew: allowed clock skew in seconds (default 300). - * - headers: required header names (def: date or x-date) - * - algorithms: algorithms to support (default: all). - * - strict: should enforce latest spec parsing - * (default: false). - * @return {Object} parsed out object (see above). - * @throws {TypeError} on invalid input. - * @throws {InvalidHeaderError} on an invalid Authorization header error. - * @throws {InvalidParamsError} if the params in the scheme are invalid. - * @throws {MissingHeaderError} if the params indicate a header not present, - * either in the request headers from the params, - * or not in the params from a required header - * in options. - * @throws {StrictParsingError} if old attributes are used in strict parsing - * mode. - * @throws {ExpiredRequestError} if the value of date or x-date exceeds skew. - */ - parseRequest: function parseRequest(request, options) { - assert.object(request, 'request'); - assert.object(request.headers, 'request.headers'); - if (options === undefined) { - options = {}; - } - if (options.headers === undefined) { - options.headers = [request.headers['x-date'] ? 'x-date' : 'date']; - } - assert.object(options, 'options'); - assert.arrayOfString(options.headers, 'options.headers'); - assert.optionalFinite(options.clockSkew, 'options.clockSkew'); - - var authzHeaderName = options.authorizationHeaderName || 'authorization'; - - if (!request.headers[authzHeaderName]) { - throw new MissingHeaderError('no ' + authzHeaderName + ' header ' + - 'present in the request'); - } - - options.clockSkew = options.clockSkew || 300; - - - var i = 0; - var state = State.New; - var substate = ParamsState.Name; - var tmpName = ''; - var tmpValue = ''; - - var parsed = { - scheme: '', - params: {}, - signingString: '' - }; - - var authz = request.headers[authzHeaderName]; - for (i = 0; i < authz.length; i++) { - var c = authz.charAt(i); - - switch (Number(state)) { - - case State.New: - if (c !== ' ') parsed.scheme += c; - else state = State.Params; - break; - - case State.Params: - switch (Number(substate)) { - - case ParamsState.Name: - var code = c.charCodeAt(0); - // restricted name of A-Z / a-z - if ((code >= 0x41 && code <= 0x5a) || // A-Z - (code >= 0x61 && code <= 0x7a)) { // a-z - tmpName += c; - } else if (c === '=') { - if (tmpName.length === 0) - throw new InvalidHeaderError('bad param format'); - substate = ParamsState.Quote; - } else { - throw new InvalidHeaderError('bad param format'); - } - break; - - case ParamsState.Quote: - if (c === '"') { - tmpValue = ''; - substate = ParamsState.Value; - } else { - throw new InvalidHeaderError('bad param format'); - } - break; - - case ParamsState.Value: - if (c === '"') { - parsed.params[tmpName] = tmpValue; - substate = ParamsState.Comma; - } else { - tmpValue += c; - } - break; - - case ParamsState.Comma: - if (c === ',') { - tmpName = ''; - substate = ParamsState.Name; - } else { - throw new InvalidHeaderError('bad param format'); - } - break; - - default: - throw new Error('Invalid substate'); - } - break; - - default: - throw new Error('Invalid substate'); - } - - } - - if (!parsed.params.headers || parsed.params.headers === '') { - if (request.headers['x-date']) { - parsed.params.headers = ['x-date']; - } else { - parsed.params.headers = ['date']; - } - } else { - parsed.params.headers = parsed.params.headers.split(' '); - } - - // Minimally validate the parsed object - if (!parsed.scheme || parsed.scheme !== 'Signature') - throw new InvalidHeaderError('scheme was not "Signature"'); - - if (!parsed.params.keyId) - throw new InvalidHeaderError('keyId was not specified'); - - if (!parsed.params.algorithm) - throw new InvalidHeaderError('algorithm was not specified'); - - if (!parsed.params.signature) - throw new InvalidHeaderError('signature was not specified'); - - // Check the algorithm against the official list - parsed.params.algorithm = parsed.params.algorithm.toLowerCase(); - try { - validateAlgorithm(parsed.params.algorithm); - } catch (e) { - if (e instanceof InvalidAlgorithmError) - throw (new InvalidParamsError(parsed.params.algorithm + ' is not ' + - 'supported')); - else - throw (e); - } - - // Build the signingString - for (i = 0; i < parsed.params.headers.length; i++) { - var h = parsed.params.headers[i].toLowerCase(); - parsed.params.headers[i] = h; - - if (h === 'request-line') { - if (!options.strict) { - /* - * We allow headers from the older spec drafts if strict parsing isn't - * specified in options. - */ - parsed.signingString += - request.method + ' ' + request.url + ' HTTP/' + request.httpVersion; - } else { - /* Strict parsing doesn't allow older draft headers. */ - throw (new StrictParsingError('request-line is not a valid header ' + - 'with strict parsing enabled.')); - } - } else if (h === '(request-target)') { - parsed.signingString += - '(request-target): ' + request.method.toLowerCase() + ' ' + - request.url; - } else { - var value = request.headers[h]; - if (value === undefined) - throw new MissingHeaderError(h + ' was not in the request'); - parsed.signingString += h + ': ' + value; - } - - if ((i + 1) < parsed.params.headers.length) - parsed.signingString += '\n'; - } - - // Check against the constraints - var date; - if (request.headers.date || request.headers['x-date']) { - if (request.headers['x-date']) { - date = new Date(request.headers['x-date']); - } else { - date = new Date(request.headers.date); - } - var now = new Date(); - var skew = Math.abs(now.getTime() - date.getTime()); - - if (skew > options.clockSkew * 1000) { - throw new ExpiredRequestError('clock skew of ' + - (skew / 1000) + - 's was greater than ' + - options.clockSkew + 's'); - } - } - - options.headers.forEach(function (hdr) { - // Remember that we already checked any headers in the params - // were in the request, so if this passes we're good. - if (parsed.params.headers.indexOf(hdr.toLowerCase()) < 0) - throw new MissingHeaderError(hdr + ' was not a signed header'); - }); - - if (options.algorithms) { - if (options.algorithms.indexOf(parsed.params.algorithm) === -1) - throw new InvalidParamsError(parsed.params.algorithm + - ' is not a supported algorithm'); - } - - parsed.algorithm = parsed.params.algorithm.toUpperCase(); - parsed.keyId = parsed.params.keyId; - return parsed; - } - -}; diff --git a/node_modules/http-signature/lib/signer.js b/node_modules/http-signature/lib/signer.js deleted file mode 100644 index deb5878..0000000 --- a/node_modules/http-signature/lib/signer.js +++ /dev/null @@ -1,401 +0,0 @@ -// Copyright 2012 Joyent, Inc. All rights reserved. - -var assert = require('assert-plus'); -var crypto = require('crypto'); -var http = require('http'); -var util = require('util'); -var sshpk = require('sshpk'); -var jsprim = require('jsprim'); -var utils = require('./utils'); - -var sprintf = require('util').format; - -var HASH_ALGOS = utils.HASH_ALGOS; -var PK_ALGOS = utils.PK_ALGOS; -var InvalidAlgorithmError = utils.InvalidAlgorithmError; -var HttpSignatureError = utils.HttpSignatureError; -var validateAlgorithm = utils.validateAlgorithm; - -///--- Globals - -var AUTHZ_FMT = - 'Signature keyId="%s",algorithm="%s",headers="%s",signature="%s"'; - -///--- Specific Errors - -function MissingHeaderError(message) { - HttpSignatureError.call(this, message, MissingHeaderError); -} -util.inherits(MissingHeaderError, HttpSignatureError); - -function StrictParsingError(message) { - HttpSignatureError.call(this, message, StrictParsingError); -} -util.inherits(StrictParsingError, HttpSignatureError); - -/* See createSigner() */ -function RequestSigner(options) { - assert.object(options, 'options'); - - var alg = []; - if (options.algorithm !== undefined) { - assert.string(options.algorithm, 'options.algorithm'); - alg = validateAlgorithm(options.algorithm); - } - this.rs_alg = alg; - - /* - * RequestSigners come in two varieties: ones with an rs_signFunc, and ones - * with an rs_signer. - * - * rs_signFunc-based RequestSigners have to build up their entire signing - * string within the rs_lines array and give it to rs_signFunc as a single - * concat'd blob. rs_signer-based RequestSigners can add a line at a time to - * their signing state by using rs_signer.update(), thus only needing to - * buffer the hash function state and one line at a time. - */ - if (options.sign !== undefined) { - assert.func(options.sign, 'options.sign'); - this.rs_signFunc = options.sign; - - } else if (alg[0] === 'hmac' && options.key !== undefined) { - assert.string(options.keyId, 'options.keyId'); - this.rs_keyId = options.keyId; - - if (typeof (options.key) !== 'string' && !Buffer.isBuffer(options.key)) - throw (new TypeError('options.key for HMAC must be a string or Buffer')); - - /* - * Make an rs_signer for HMACs, not a rs_signFunc -- HMACs digest their - * data in chunks rather than requiring it all to be given in one go - * at the end, so they are more similar to signers than signFuncs. - */ - this.rs_signer = crypto.createHmac(alg[1].toUpperCase(), options.key); - this.rs_signer.sign = function () { - var digest = this.digest('base64'); - return ({ - hashAlgorithm: alg[1], - toString: function () { return (digest); } - }); - }; - - } else if (options.key !== undefined) { - var key = options.key; - if (typeof (key) === 'string' || Buffer.isBuffer(key)) - key = sshpk.parsePrivateKey(key); - - assert.ok(sshpk.PrivateKey.isPrivateKey(key, [1, 2]), - 'options.key must be a sshpk.PrivateKey'); - this.rs_key = key; - - assert.string(options.keyId, 'options.keyId'); - this.rs_keyId = options.keyId; - - if (!PK_ALGOS[key.type]) { - throw (new InvalidAlgorithmError(key.type.toUpperCase() + ' type ' + - 'keys are not supported')); - } - - if (alg[0] !== undefined && key.type !== alg[0]) { - throw (new InvalidAlgorithmError('options.key must be a ' + - alg[0].toUpperCase() + ' key, was given a ' + - key.type.toUpperCase() + ' key instead')); - } - - this.rs_signer = key.createSign(alg[1]); - - } else { - throw (new TypeError('options.sign (func) or options.key is required')); - } - - this.rs_headers = []; - this.rs_lines = []; -} - -/** - * Adds a header to be signed, with its value, into this signer. - * - * @param {String} header - * @param {String} value - * @return {String} value written - */ -RequestSigner.prototype.writeHeader = function (header, value) { - assert.string(header, 'header'); - header = header.toLowerCase(); - assert.string(value, 'value'); - - this.rs_headers.push(header); - - if (this.rs_signFunc) { - this.rs_lines.push(header + ': ' + value); - - } else { - var line = header + ': ' + value; - if (this.rs_headers.length > 0) - line = '\n' + line; - this.rs_signer.update(line); - } - - return (value); -}; - -/** - * Adds a default Date header, returning its value. - * - * @return {String} - */ -RequestSigner.prototype.writeDateHeader = function () { - return (this.writeHeader('date', jsprim.rfc1123(new Date()))); -}; - -/** - * Adds the request target line to be signed. - * - * @param {String} method, HTTP method (e.g. 'get', 'post', 'put') - * @param {String} path - */ -RequestSigner.prototype.writeTarget = function (method, path) { - assert.string(method, 'method'); - assert.string(path, 'path'); - method = method.toLowerCase(); - this.writeHeader('(request-target)', method + ' ' + path); -}; - -/** - * Calculate the value for the Authorization header on this request - * asynchronously. - * - * @param {Func} callback (err, authz) - */ -RequestSigner.prototype.sign = function (cb) { - assert.func(cb, 'callback'); - - if (this.rs_headers.length < 1) - throw (new Error('At least one header must be signed')); - - var alg, authz; - if (this.rs_signFunc) { - var data = this.rs_lines.join('\n'); - var self = this; - this.rs_signFunc(data, function (err, sig) { - if (err) { - cb(err); - return; - } - try { - assert.object(sig, 'signature'); - assert.string(sig.keyId, 'signature.keyId'); - assert.string(sig.algorithm, 'signature.algorithm'); - assert.string(sig.signature, 'signature.signature'); - alg = validateAlgorithm(sig.algorithm); - - authz = sprintf(AUTHZ_FMT, - sig.keyId, - sig.algorithm, - self.rs_headers.join(' '), - sig.signature); - } catch (e) { - cb(e); - return; - } - cb(null, authz); - }); - - } else { - try { - var sigObj = this.rs_signer.sign(); - } catch (e) { - cb(e); - return; - } - alg = (this.rs_alg[0] || this.rs_key.type) + '-' + sigObj.hashAlgorithm; - var signature = sigObj.toString(); - authz = sprintf(AUTHZ_FMT, - this.rs_keyId, - alg, - this.rs_headers.join(' '), - signature); - cb(null, authz); - } -}; - -///--- Exported API - -module.exports = { - /** - * Identifies whether a given object is a request signer or not. - * - * @param {Object} object, the object to identify - * @returns {Boolean} - */ - isSigner: function (obj) { - if (typeof (obj) === 'object' && obj instanceof RequestSigner) - return (true); - return (false); - }, - - /** - * Creates a request signer, used to asynchronously build a signature - * for a request (does not have to be an http.ClientRequest). - * - * @param {Object} options, either: - * - {String} keyId - * - {String|Buffer} key - * - {String} algorithm (optional, required for HMAC) - * or: - * - {Func} sign (data, cb) - * @return {RequestSigner} - */ - createSigner: function createSigner(options) { - return (new RequestSigner(options)); - }, - - /** - * Adds an 'Authorization' header to an http.ClientRequest object. - * - * Note that this API will add a Date header if it's not already set. Any - * other headers in the options.headers array MUST be present, or this - * will throw. - * - * You shouldn't need to check the return type; it's just there if you want - * to be pedantic. - * - * The optional flag indicates whether parsing should use strict enforcement - * of the version draft-cavage-http-signatures-04 of the spec or beyond. - * The default is to be loose and support - * older versions for compatibility. - * - * @param {Object} request an instance of http.ClientRequest. - * @param {Object} options signing parameters object: - * - {String} keyId required. - * - {String} key required (either a PEM or HMAC key). - * - {Array} headers optional; defaults to ['date']. - * - {String} algorithm optional (unless key is HMAC); - * default is the same as the sshpk default - * signing algorithm for the type of key given - * - {String} httpVersion optional; defaults to '1.1'. - * - {Boolean} strict optional; defaults to 'false'. - * @return {Boolean} true if Authorization (and optionally Date) were added. - * @throws {TypeError} on bad parameter types (input). - * @throws {InvalidAlgorithmError} if algorithm was bad or incompatible with - * the given key. - * @throws {sshpk.KeyParseError} if key was bad. - * @throws {MissingHeaderError} if a header to be signed was specified but - * was not present. - */ - signRequest: function signRequest(request, options) { - assert.object(request, 'request'); - assert.object(options, 'options'); - assert.optionalString(options.algorithm, 'options.algorithm'); - assert.string(options.keyId, 'options.keyId'); - assert.optionalArrayOfString(options.headers, 'options.headers'); - assert.optionalString(options.httpVersion, 'options.httpVersion'); - - if (!request.getHeader('Date')) - request.setHeader('Date', jsprim.rfc1123(new Date())); - if (!options.headers) - options.headers = ['date']; - if (!options.httpVersion) - options.httpVersion = '1.1'; - - var alg = []; - if (options.algorithm) { - options.algorithm = options.algorithm.toLowerCase(); - alg = validateAlgorithm(options.algorithm); - } - - var i; - var stringToSign = ''; - for (i = 0; i < options.headers.length; i++) { - if (typeof (options.headers[i]) !== 'string') - throw new TypeError('options.headers must be an array of Strings'); - - var h = options.headers[i].toLowerCase(); - - if (h === 'request-line') { - if (!options.strict) { - /** - * We allow headers from the older spec drafts if strict parsing isn't - * specified in options. - */ - stringToSign += - request.method + ' ' + request.path + ' HTTP/' + - options.httpVersion; - } else { - /* Strict parsing doesn't allow older draft headers. */ - throw (new StrictParsingError('request-line is not a valid header ' + - 'with strict parsing enabled.')); - } - } else if (h === '(request-target)') { - stringToSign += - '(request-target): ' + request.method.toLowerCase() + ' ' + - request.path; - } else { - var value = request.getHeader(h); - if (value === undefined || value === '') { - throw new MissingHeaderError(h + ' was not in the request'); - } - stringToSign += h + ': ' + value; - } - - if ((i + 1) < options.headers.length) - stringToSign += '\n'; - } - - /* This is just for unit tests. */ - if (request.hasOwnProperty('_stringToSign')) { - request._stringToSign = stringToSign; - } - - var signature; - if (alg[0] === 'hmac') { - if (typeof (options.key) !== 'string' && !Buffer.isBuffer(options.key)) - throw (new TypeError('options.key must be a string or Buffer')); - - var hmac = crypto.createHmac(alg[1].toUpperCase(), options.key); - hmac.update(stringToSign); - signature = hmac.digest('base64'); - - } else { - var key = options.key; - if (typeof (key) === 'string' || Buffer.isBuffer(key)) - key = sshpk.parsePrivateKey(options.key); - - assert.ok(sshpk.PrivateKey.isPrivateKey(key, [1, 2]), - 'options.key must be a sshpk.PrivateKey'); - - if (!PK_ALGOS[key.type]) { - throw (new InvalidAlgorithmError(key.type.toUpperCase() + ' type ' + - 'keys are not supported')); - } - - if (alg[0] !== undefined && key.type !== alg[0]) { - throw (new InvalidAlgorithmError('options.key must be a ' + - alg[0].toUpperCase() + ' key, was given a ' + - key.type.toUpperCase() + ' key instead')); - } - - var signer = key.createSign(alg[1]); - signer.update(stringToSign); - var sigObj = signer.sign(); - if (!HASH_ALGOS[sigObj.hashAlgorithm]) { - throw (new InvalidAlgorithmError(sigObj.hashAlgorithm.toUpperCase() + - ' is not a supported hash algorithm')); - } - options.algorithm = key.type + '-' + sigObj.hashAlgorithm; - signature = sigObj.toString(); - assert.notStrictEqual(signature, '', 'empty signature produced'); - } - - var authzHeaderName = options.authorizationHeaderName || 'Authorization'; - - request.setHeader(authzHeaderName, sprintf(AUTHZ_FMT, - options.keyId, - options.algorithm, - options.headers.join(' '), - signature)); - - return true; - } - -}; diff --git a/node_modules/http-signature/lib/utils.js b/node_modules/http-signature/lib/utils.js deleted file mode 100644 index bbf2aa8..0000000 --- a/node_modules/http-signature/lib/utils.js +++ /dev/null @@ -1,112 +0,0 @@ -// Copyright 2012 Joyent, Inc. All rights reserved. - -var assert = require('assert-plus'); -var sshpk = require('sshpk'); -var util = require('util'); - -var HASH_ALGOS = { - 'sha1': true, - 'sha256': true, - 'sha512': true -}; - -var PK_ALGOS = { - 'rsa': true, - 'dsa': true, - 'ecdsa': true -}; - -function HttpSignatureError(message, caller) { - if (Error.captureStackTrace) - Error.captureStackTrace(this, caller || HttpSignatureError); - - this.message = message; - this.name = caller.name; -} -util.inherits(HttpSignatureError, Error); - -function InvalidAlgorithmError(message) { - HttpSignatureError.call(this, message, InvalidAlgorithmError); -} -util.inherits(InvalidAlgorithmError, HttpSignatureError); - -function validateAlgorithm(algorithm) { - var alg = algorithm.toLowerCase().split('-'); - - if (alg.length !== 2) { - throw (new InvalidAlgorithmError(alg[0].toUpperCase() + ' is not a ' + - 'valid algorithm')); - } - - if (alg[0] !== 'hmac' && !PK_ALGOS[alg[0]]) { - throw (new InvalidAlgorithmError(alg[0].toUpperCase() + ' type keys ' + - 'are not supported')); - } - - if (!HASH_ALGOS[alg[1]]) { - throw (new InvalidAlgorithmError(alg[1].toUpperCase() + ' is not a ' + - 'supported hash algorithm')); - } - - return (alg); -} - -///--- API - -module.exports = { - - HASH_ALGOS: HASH_ALGOS, - PK_ALGOS: PK_ALGOS, - - HttpSignatureError: HttpSignatureError, - InvalidAlgorithmError: InvalidAlgorithmError, - - validateAlgorithm: validateAlgorithm, - - /** - * Converts an OpenSSH public key (rsa only) to a PKCS#8 PEM file. - * - * The intent of this module is to interoperate with OpenSSL only, - * specifically the node crypto module's `verify` method. - * - * @param {String} key an OpenSSH public key. - * @return {String} PEM encoded form of the RSA public key. - * @throws {TypeError} on bad input. - * @throws {Error} on invalid ssh key formatted data. - */ - sshKeyToPEM: function sshKeyToPEM(key) { - assert.string(key, 'ssh_key'); - - var k = sshpk.parseKey(key, 'ssh'); - return (k.toString('pem')); - }, - - - /** - * Generates an OpenSSH fingerprint from an ssh public key. - * - * @param {String} key an OpenSSH public key. - * @return {String} key fingerprint. - * @throws {TypeError} on bad input. - * @throws {Error} if what you passed doesn't look like an ssh public key. - */ - fingerprint: function fingerprint(key) { - assert.string(key, 'ssh_key'); - - var k = sshpk.parseKey(key, 'ssh'); - return (k.fingerprint('md5').toString('hex')); - }, - - /** - * Converts a PKGCS#8 PEM file to an OpenSSH public key (rsa) - * - * The reverse of the above function. - */ - pemToRsaSSHKey: function pemToRsaSSHKey(pem, comment) { - assert.equal('string', typeof (pem), 'typeof pem'); - - var k = sshpk.parseKey(pem, 'pem'); - k.comment = comment; - return (k.toString('ssh')); - } -}; diff --git a/node_modules/http-signature/lib/verify.js b/node_modules/http-signature/lib/verify.js deleted file mode 100644 index b053fd6..0000000 --- a/node_modules/http-signature/lib/verify.js +++ /dev/null @@ -1,88 +0,0 @@ -// Copyright 2015 Joyent, Inc. - -var assert = require('assert-plus'); -var crypto = require('crypto'); -var sshpk = require('sshpk'); -var utils = require('./utils'); - -var HASH_ALGOS = utils.HASH_ALGOS; -var PK_ALGOS = utils.PK_ALGOS; -var InvalidAlgorithmError = utils.InvalidAlgorithmError; -var HttpSignatureError = utils.HttpSignatureError; -var validateAlgorithm = utils.validateAlgorithm; - -///--- Exported API - -module.exports = { - /** - * Verify RSA/DSA signature against public key. You are expected to pass in - * an object that was returned from `parse()`. - * - * @param {Object} parsedSignature the object you got from `parse`. - * @param {String} pubkey RSA/DSA private key PEM. - * @return {Boolean} true if valid, false otherwise. - * @throws {TypeError} if you pass in bad arguments. - * @throws {InvalidAlgorithmError} - */ - verifySignature: function verifySignature(parsedSignature, pubkey) { - assert.object(parsedSignature, 'parsedSignature'); - if (typeof (pubkey) === 'string' || Buffer.isBuffer(pubkey)) - pubkey = sshpk.parseKey(pubkey); - assert.ok(sshpk.Key.isKey(pubkey, [1, 1]), 'pubkey must be a sshpk.Key'); - - var alg = validateAlgorithm(parsedSignature.algorithm); - if (alg[0] === 'hmac' || alg[0] !== pubkey.type) - return (false); - - var v = pubkey.createVerify(alg[1]); - v.update(parsedSignature.signingString); - return (v.verify(parsedSignature.params.signature, 'base64')); - }, - - /** - * Verify HMAC against shared secret. You are expected to pass in an object - * that was returned from `parse()`. - * - * @param {Object} parsedSignature the object you got from `parse`. - * @param {String} secret HMAC shared secret. - * @return {Boolean} true if valid, false otherwise. - * @throws {TypeError} if you pass in bad arguments. - * @throws {InvalidAlgorithmError} - */ - verifyHMAC: function verifyHMAC(parsedSignature, secret) { - assert.object(parsedSignature, 'parsedHMAC'); - assert.string(secret, 'secret'); - - var alg = validateAlgorithm(parsedSignature.algorithm); - if (alg[0] !== 'hmac') - return (false); - - var hashAlg = alg[1].toUpperCase(); - - var hmac = crypto.createHmac(hashAlg, secret); - hmac.update(parsedSignature.signingString); - - /* - * Now double-hash to avoid leaking timing information - there's - * no easy constant-time compare in JS, so we use this approach - * instead. See for more info: - * https://www.isecpartners.com/blog/2011/february/double-hmac- - * verification.aspx - */ - var h1 = crypto.createHmac(hashAlg, secret); - h1.update(hmac.digest()); - h1 = h1.digest(); - var h2 = crypto.createHmac(hashAlg, secret); - h2.update(new Buffer(parsedSignature.params.signature, 'base64')); - h2 = h2.digest(); - - /* Node 0.8 returns strings from .digest(). */ - if (typeof (h1) === 'string') - return (h1 === h2); - /* And node 0.10 lacks the .equals() method on Buffers. */ - if (Buffer.isBuffer(h1) && !h1.equals) - return (h1.toString('binary') === h2.toString('binary')); - - return (h1.equals(h2)); - } -}; diff --git a/node_modules/http-signature/package.json b/node_modules/http-signature/package.json deleted file mode 100644 index df07d53..0000000 --- a/node_modules/http-signature/package.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "name": "http-signature", - "description": "Reference implementation of Joyent's HTTP Signature scheme.", - "version": "1.2.0", - "license": "MIT", - "author": "Joyent, Inc", - "contributors": [ - "Mark Cavage <mcavage@gmail.com>", - "David I. Lehn <dil@lehn.org>", - "Patrick Mooney <patrick.f.mooney@gmail.com>" - ], - "repository": { - "type": "git", - "url": "git://github.com/joyent/node-http-signature.git" - }, - "homepage": "https://github.com/joyent/node-http-signature/", - "bugs": "https://github.com/joyent/node-http-signature/issues", - "keywords": [ - "https", - "request" - ], - "engines": { - "node": ">=0.8", - "npm": ">=1.3.7" - }, - "main": "lib/index.js", - "scripts": { - "test": "tap test/*.js" - }, - "dependencies": { - "assert-plus": "^1.0.0", - "jsprim": "^1.2.2", - "sshpk": "^1.7.0" - }, - "devDependencies": { - "tap": "0.4.2", - "uuid": "^2.0.2" - } -} |