Add support of RSA in request signing and request check middleware #2467
I do not think that we need
RSA is not part of HMAC. If HMAC is enabled, we are signing data using HMAC algorithm while if RSA is enabled, we are signing it using RSA algorithm. Using
/update
@buger Base does not exist
1. RSAEnabled 2. RSACertificateId
1. RSAEnabled
1.HeaderList 2.CertificateId
2. Added a way to specify headers list to be used for request signing
Add EnableHTTPSignatureValidation field in session and policy
ae8bba9 to db36076
@buger Updated with latest master
/release to release-2.9
Working on it! Note that it can take a few minutes.
@buger Seems like there is a conflict and it requires a manual merge.
…2467)

Fixes #2452

### **Added new fields in below structure**

**Session**

1. _EnableHTTPSignatureValidation bool_
   This field should be used to enable signature validation for both `HMAC` and `RSA`.
   **Note**: `HMACEnabled` field will still be supported for backward compatibility, but will be deprecated in future.
2. _RSACertificateId string_
   Public key certificate ID/path to be used for RSA signature validation.

**Policy**

_1. EnableHTTPSignatureValidation bool_

**Request Signing Middleware**

1. _CertificateId string_
   Public key certificate ID/path to be used for RSA signature generation.
2. _HeaderList []string_
   Optional field. List of headers to be used for generating signature

You can now validate HTTP message signature signed using RSA private key. You need to set `EnableHTTPSignatureValidation` to true and `RSACertificateId` to uploaded RSA Public key certificate or to the path of public key pem file.

Now user can sign requests using RSA key pair. They need to set `CertificateId` to uploaded RSA certificate ID or to the path of certificate file itself.

Earlier request signing middleware considered below headers while generating signature string
` All the headers of the request + (request-target) + date `
Now you can specify headers to be used by setting `HeaderList` field of request signing middleware.

**Cases**

- If a header is specified in HeaderList but is not set in the request, then that header is ignored.
- If none of the headers from the HeaderList is set, then below headers are used for signing request
  `(request-target) + date`
- If HeaderList is empty, then below headers are used for signing request
  ` All the headers of the request + (request-target) + date `
Fixes #2452

### **Added new fields in below structure**

**Session**

1. _EnableHTTPSignatureValidation bool_
   This field should be used to enable signature validation for both `HMAC` and `RSA`.
   **Note**: `HMACEnabled` field will still be supported for backward compatibility, but will be deprecated in future.
2. _RSACertificateId string_
   Public key certificate ID/path to be used for RSA signature validation.

**Policy**

1. _EnableHTTPSignatureValidation bool_

**Request Signing Middleware**

1. _CertificateId string_
   Public key certificate ID/path to be used for RSA signature generation.
2. _HeaderList []string_
   Optional field. List of headers to be used for generating signature

### Added RSA support in Request Checker middleware

You can now validate HTTP message signature signed using RSA private key.
You need to set `EnableHTTPSignatureValidation` to true and `RSACertificateId` to uploaded RSA Public key certificate or to the path of public key pem file.

### Added RSA support in Request Signing middleware

Now user can sign requests using RSA key pair. They need to set `CertificateId` to uploaded RSA certificate ID or to the path of certificate file itself.

### Specify Header List to be used while signing the request

Earlier request signing middleware considered below headers while generating signature string
` All the headers of the request + (request-target) + date `
Now you can specify headers to be used by setting `HeaderList` field of request signing middleware.

**Cases**

- If a header is specified in HeaderList but is not set in the request, then that header is ignored.
- If none of the headers from the HeaderList is set, then below headers are used for signing request
  `(request-target) + date`
- If HeaderList is empty, then below headers are used for signing request
  ` All the headers of the request + (request-target) + date `
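
The three `HeaderList` cases above and the RSA check they feed, as an added Go example that is not code from this pull request or from Tyk. `pickHeaders` and `digest` are hypothetical names; the `name: value` signing-string layout, RSA-SHA256 with PKCS#1 v1.5, and treating `(request-target)` as always available when listed are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"net/http"
	"strings"
)

// pickHeaders applies the three HeaderList cases (hypothetical helper, not Tyk's code).
func pickHeaders(r *http.Request, headerList []string) (names []string) {
	for _, h := range headerList {
		if h == "(request-target)" || r.Header.Get(h) != "" { // unset headers are ignored
			names = append(names, strings.ToLower(h))
		}
	}
	for k := range r.Header {
		if len(headerList) == 0 && k != "Date" { // empty list: every request header
			names = append(names, strings.ToLower(k))
		}
	}
	if len(names) == 0 || len(headerList) == 0 {
		names = append(names, "(request-target)", "date") // defaults
	}
	return names
}

// digest hashes the signing string: one "name: value" line per covered header.
func digest(r *http.Request, names []string) []byte {
	lines := make([]string, len(names))
	for i, n := range names {
		lines[i] = n + ": " + r.Header.Get(n)
		if n == "(request-target)" {
			lines[i] = n + ": " + strings.ToLower(r.Method) + " " + r.URL.RequestURI()
		}
	}
	sum := sha256.Sum256([]byte(strings.Join(lines, "\n")))
	return sum[:]
}

func main() {
	r, _ := http.NewRequest("GET", "http://gw.test/api?x=1", nil) // constructed request
	r.Header.Set("Date", "Mon, 02 Jan 2006 15:04:05 GMT")
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key
	names := pickHeaders(r, []string{"X-Absent"})
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(r, names))
	println(rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest(r, names), sig) == nil)
}
```

Running it prints `true`. Under this reading of the cases, a non-empty `HeaderList` whose headers are present replaces the defaults, so `(request-target)` and `date` are covered by the signature only if they are listed.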