source: trip-planner-front/node_modules/http-signature/lib/signer.js@ 6fe77af

Last change on this file since 6fe77af was 6a3a178, checked in by Ema <ema_spirova@…>, 3 years ago

initial commit

  • Property mode set to 100644
File size: 12.7 KB
Line 
1// Copyright 2012 Joyent, Inc. All rights reserved.
2
3var assert = require('assert-plus');
4var crypto = require('crypto');
5var http = require('http');
6var util = require('util');
7var sshpk = require('sshpk');
8var jsprim = require('jsprim');
9var utils = require('./utils');
10
11var sprintf = require('util').format;
12
13var HASH_ALGOS = utils.HASH_ALGOS;
14var PK_ALGOS = utils.PK_ALGOS;
15var InvalidAlgorithmError = utils.InvalidAlgorithmError;
16var HttpSignatureError = utils.HttpSignatureError;
17var validateAlgorithm = utils.validateAlgorithm;
18
19///--- Globals
20
21var AUTHZ_FMT =
22 'Signature keyId="%s",algorithm="%s",headers="%s",signature="%s"';
23
24///--- Specific Errors
25
26function MissingHeaderError(message) {
27 HttpSignatureError.call(this, message, MissingHeaderError);
28}
29util.inherits(MissingHeaderError, HttpSignatureError);
30
31function StrictParsingError(message) {
32 HttpSignatureError.call(this, message, StrictParsingError);
33}
34util.inherits(StrictParsingError, HttpSignatureError);
35
36/* See createSigner() */
37function RequestSigner(options) {
38 assert.object(options, 'options');
39
40 var alg = [];
41 if (options.algorithm !== undefined) {
42 assert.string(options.algorithm, 'options.algorithm');
43 alg = validateAlgorithm(options.algorithm);
44 }
45 this.rs_alg = alg;
46
47 /*
48 * RequestSigners come in two varieties: ones with an rs_signFunc, and ones
49 * with an rs_signer.
50 *
51 * rs_signFunc-based RequestSigners have to build up their entire signing
52 * string within the rs_lines array and give it to rs_signFunc as a single
53 * concat'd blob. rs_signer-based RequestSigners can add a line at a time to
54 * their signing state by using rs_signer.update(), thus only needing to
55 * buffer the hash function state and one line at a time.
56 */
57 if (options.sign !== undefined) {
58 assert.func(options.sign, 'options.sign');
59 this.rs_signFunc = options.sign;
60
61 } else if (alg[0] === 'hmac' && options.key !== undefined) {
62 assert.string(options.keyId, 'options.keyId');
63 this.rs_keyId = options.keyId;
64
65 if (typeof (options.key) !== 'string' && !Buffer.isBuffer(options.key))
66 throw (new TypeError('options.key for HMAC must be a string or Buffer'));
67
68 /*
69 * Make an rs_signer for HMACs, not a rs_signFunc -- HMACs digest their
70 * data in chunks rather than requiring it all to be given in one go
71 * at the end, so they are more similar to signers than signFuncs.
72 */
73 this.rs_signer = crypto.createHmac(alg[1].toUpperCase(), options.key);
74 this.rs_signer.sign = function () {
75 var digest = this.digest('base64');
76 return ({
77 hashAlgorithm: alg[1],
78 toString: function () { return (digest); }
79 });
80 };
81
82 } else if (options.key !== undefined) {
83 var key = options.key;
84 if (typeof (key) === 'string' || Buffer.isBuffer(key))
85 key = sshpk.parsePrivateKey(key);
86
87 assert.ok(sshpk.PrivateKey.isPrivateKey(key, [1, 2]),
88 'options.key must be a sshpk.PrivateKey');
89 this.rs_key = key;
90
91 assert.string(options.keyId, 'options.keyId');
92 this.rs_keyId = options.keyId;
93
94 if (!PK_ALGOS[key.type]) {
95 throw (new InvalidAlgorithmError(key.type.toUpperCase() + ' type ' +
96 'keys are not supported'));
97 }
98
99 if (alg[0] !== undefined && key.type !== alg[0]) {
100 throw (new InvalidAlgorithmError('options.key must be a ' +
101 alg[0].toUpperCase() + ' key, was given a ' +
102 key.type.toUpperCase() + ' key instead'));
103 }
104
105 this.rs_signer = key.createSign(alg[1]);
106
107 } else {
108 throw (new TypeError('options.sign (func) or options.key is required'));
109 }
110
111 this.rs_headers = [];
112 this.rs_lines = [];
113}
114
115/**
116 * Adds a header to be signed, with its value, into this signer.
117 *
118 * @param {String} header
119 * @param {String} value
120 * @return {String} value written
121 */
122RequestSigner.prototype.writeHeader = function (header, value) {
123 assert.string(header, 'header');
124 header = header.toLowerCase();
125 assert.string(value, 'value');
126
127 this.rs_headers.push(header);
128
129 if (this.rs_signFunc) {
130 this.rs_lines.push(header + ': ' + value);
131
132 } else {
133 var line = header + ': ' + value;
134 if (this.rs_headers.length > 0)
135 line = '\n' + line;
136 this.rs_signer.update(line);
137 }
138
139 return (value);
140};
141
142/**
143 * Adds a default Date header, returning its value.
144 *
145 * @return {String}
146 */
147RequestSigner.prototype.writeDateHeader = function () {
148 return (this.writeHeader('date', jsprim.rfc1123(new Date())));
149};
150
151/**
152 * Adds the request target line to be signed.
153 *
154 * @param {String} method, HTTP method (e.g. 'get', 'post', 'put')
155 * @param {String} path
156 */
157RequestSigner.prototype.writeTarget = function (method, path) {
158 assert.string(method, 'method');
159 assert.string(path, 'path');
160 method = method.toLowerCase();
161 this.writeHeader('(request-target)', method + ' ' + path);
162};
163
164/**
165 * Calculate the value for the Authorization header on this request
166 * asynchronously.
167 *
168 * @param {Func} callback (err, authz)
169 */
170RequestSigner.prototype.sign = function (cb) {
171 assert.func(cb, 'callback');
172
173 if (this.rs_headers.length < 1)
174 throw (new Error('At least one header must be signed'));
175
176 var alg, authz;
177 if (this.rs_signFunc) {
178 var data = this.rs_lines.join('\n');
179 var self = this;
180 this.rs_signFunc(data, function (err, sig) {
181 if (err) {
182 cb(err);
183 return;
184 }
185 try {
186 assert.object(sig, 'signature');
187 assert.string(sig.keyId, 'signature.keyId');
188 assert.string(sig.algorithm, 'signature.algorithm');
189 assert.string(sig.signature, 'signature.signature');
190 alg = validateAlgorithm(sig.algorithm);
191
192 authz = sprintf(AUTHZ_FMT,
193 sig.keyId,
194 sig.algorithm,
195 self.rs_headers.join(' '),
196 sig.signature);
197 } catch (e) {
198 cb(e);
199 return;
200 }
201 cb(null, authz);
202 });
203
204 } else {
205 try {
206 var sigObj = this.rs_signer.sign();
207 } catch (e) {
208 cb(e);
209 return;
210 }
211 alg = (this.rs_alg[0] || this.rs_key.type) + '-' + sigObj.hashAlgorithm;
212 var signature = sigObj.toString();
213 authz = sprintf(AUTHZ_FMT,
214 this.rs_keyId,
215 alg,
216 this.rs_headers.join(' '),
217 signature);
218 cb(null, authz);
219 }
220};
221
222///--- Exported API
223
224module.exports = {
225 /**
226 * Identifies whether a given object is a request signer or not.
227 *
228 * @param {Object} object, the object to identify
229 * @returns {Boolean}
230 */
231 isSigner: function (obj) {
232 if (typeof (obj) === 'object' && obj instanceof RequestSigner)
233 return (true);
234 return (false);
235 },
236
237 /**
238 * Creates a request signer, used to asynchronously build a signature
239 * for a request (does not have to be an http.ClientRequest).
240 *
241 * @param {Object} options, either:
242 * - {String} keyId
243 * - {String|Buffer} key
244 * - {String} algorithm (optional, required for HMAC)
245 * or:
246 * - {Func} sign (data, cb)
247 * @return {RequestSigner}
248 */
249 createSigner: function createSigner(options) {
250 return (new RequestSigner(options));
251 },
252
253 /**
254 * Adds an 'Authorization' header to an http.ClientRequest object.
255 *
256 * Note that this API will add a Date header if it's not already set. Any
257 * other headers in the options.headers array MUST be present, or this
258 * will throw.
259 *
260 * You shouldn't need to check the return type; it's just there if you want
261 * to be pedantic.
262 *
263 * The optional flag indicates whether parsing should use strict enforcement
264 * of the version draft-cavage-http-signatures-04 of the spec or beyond.
265 * The default is to be loose and support
266 * older versions for compatibility.
267 *
268 * @param {Object} request an instance of http.ClientRequest.
269 * @param {Object} options signing parameters object:
270 * - {String} keyId required.
271 * - {String} key required (either a PEM or HMAC key).
272 * - {Array} headers optional; defaults to ['date'].
273 * - {String} algorithm optional (unless key is HMAC);
274 * default is the same as the sshpk default
275 * signing algorithm for the type of key given
276 * - {String} httpVersion optional; defaults to '1.1'.
277 * - {Boolean} strict optional; defaults to 'false'.
278 * @return {Boolean} true if Authorization (and optionally Date) were added.
279 * @throws {TypeError} on bad parameter types (input).
280 * @throws {InvalidAlgorithmError} if algorithm was bad or incompatible with
281 * the given key.
282 * @throws {sshpk.KeyParseError} if key was bad.
283 * @throws {MissingHeaderError} if a header to be signed was specified but
284 * was not present.
285 */
286 signRequest: function signRequest(request, options) {
287 assert.object(request, 'request');
288 assert.object(options, 'options');
289 assert.optionalString(options.algorithm, 'options.algorithm');
290 assert.string(options.keyId, 'options.keyId');
291 assert.optionalArrayOfString(options.headers, 'options.headers');
292 assert.optionalString(options.httpVersion, 'options.httpVersion');
293
294 if (!request.getHeader('Date'))
295 request.setHeader('Date', jsprim.rfc1123(new Date()));
296 if (!options.headers)
297 options.headers = ['date'];
298 if (!options.httpVersion)
299 options.httpVersion = '1.1';
300
301 var alg = [];
302 if (options.algorithm) {
303 options.algorithm = options.algorithm.toLowerCase();
304 alg = validateAlgorithm(options.algorithm);
305 }
306
307 var i;
308 var stringToSign = '';
309 for (i = 0; i < options.headers.length; i++) {
310 if (typeof (options.headers[i]) !== 'string')
311 throw new TypeError('options.headers must be an array of Strings');
312
313 var h = options.headers[i].toLowerCase();
314
315 if (h === 'request-line') {
316 if (!options.strict) {
317 /**
318 * We allow headers from the older spec drafts if strict parsing isn't
319 * specified in options.
320 */
321 stringToSign +=
322 request.method + ' ' + request.path + ' HTTP/' +
323 options.httpVersion;
324 } else {
325 /* Strict parsing doesn't allow older draft headers. */
326 throw (new StrictParsingError('request-line is not a valid header ' +
327 'with strict parsing enabled.'));
328 }
329 } else if (h === '(request-target)') {
330 stringToSign +=
331 '(request-target): ' + request.method.toLowerCase() + ' ' +
332 request.path;
333 } else {
334 var value = request.getHeader(h);
335 if (value === undefined || value === '') {
336 throw new MissingHeaderError(h + ' was not in the request');
337 }
338 stringToSign += h + ': ' + value;
339 }
340
341 if ((i + 1) < options.headers.length)
342 stringToSign += '\n';
343 }
344
345 /* This is just for unit tests. */
346 if (request.hasOwnProperty('_stringToSign')) {
347 request._stringToSign = stringToSign;
348 }
349
350 var signature;
351 if (alg[0] === 'hmac') {
352 if (typeof (options.key) !== 'string' && !Buffer.isBuffer(options.key))
353 throw (new TypeError('options.key must be a string or Buffer'));
354
355 var hmac = crypto.createHmac(alg[1].toUpperCase(), options.key);
356 hmac.update(stringToSign);
357 signature = hmac.digest('base64');
358
359 } else {
360 var key = options.key;
361 if (typeof (key) === 'string' || Buffer.isBuffer(key))
362 key = sshpk.parsePrivateKey(options.key);
363
364 assert.ok(sshpk.PrivateKey.isPrivateKey(key, [1, 2]),
365 'options.key must be a sshpk.PrivateKey');
366
367 if (!PK_ALGOS[key.type]) {
368 throw (new InvalidAlgorithmError(key.type.toUpperCase() + ' type ' +
369 'keys are not supported'));
370 }
371
372 if (alg[0] !== undefined && key.type !== alg[0]) {
373 throw (new InvalidAlgorithmError('options.key must be a ' +
374 alg[0].toUpperCase() + ' key, was given a ' +
375 key.type.toUpperCase() + ' key instead'));
376 }
377
378 var signer = key.createSign(alg[1]);
379 signer.update(stringToSign);
380 var sigObj = signer.sign();
381 if (!HASH_ALGOS[sigObj.hashAlgorithm]) {
382 throw (new InvalidAlgorithmError(sigObj.hashAlgorithm.toUpperCase() +
383 ' is not a supported hash algorithm'));
384 }
385 options.algorithm = key.type + '-' + sigObj.hashAlgorithm;
386 signature = sigObj.toString();
387 assert.notStrictEqual(signature, '', 'empty signature produced');
388 }
389
390 var authzHeaderName = options.authorizationHeaderName || 'Authorization';
391
392 request.setHeader(authzHeaderName, sprintf(AUTHZ_FMT,
393 options.keyId,
394 options.algorithm,
395 options.headers.join(' '),
396 signature));
397
398 return true;
399 }
400
401};
Note: See TracBrowser for help on using the repository browser.