Add support of RSA in request signing and request check middleware #2467

Merged
merged 16 commits into from
Nov 21, 2019

Conversation

komalsukhani
Contributor

@komalsukhani komalsukhani commented Aug 23, 2019

Fixes #2452

Added new fields in below structure

Session

  1. EnableHTTPSignatureValidation bool
    This field should be used to enable signature validation for both HMAC and RSA.
    Note: HMACEnabled field will still be supported for backward compatibility, but will be deprecated in future.

  2. RSACertificateId string
    Public key certificate ID/path to be used for RSA signature validation.

Policy
1. EnableHTTPSignatureValidation bool

Request Signing Middleware

  1. CertificateId string
    Public key certificate ID/path to be used for RSA signature generation.
  2. HeaderList []string
    Optional field. List of headers to be used for generating signature

Added RSA support in Request Checker middleware

You can now validate HTTP message signature signed using RSA private key.
You need to set EnableHTTPSignatureValidation to true and RSACertificateId to uploaded RSA Public key certificate or to the path of public key pem file.

Added RSA support in Request Signing middleware

Now user can sign requests using RSA key pair. They need to set CertificateId to uploaded RSA certificate ID or to the path of certificate file itself.

Specify Header List to be used while signing the request

Earlier request signing middleware considered below headers while generating signature string
All the headers of the request + (request-target) + date

Now you can specify headers to be used by setting HeaderList field of request signing middleware.

Cases

  • If a header is specified in HeaderList but is not set in the request, then that header is ignored.

  • If none of the headers from the HeaderList is set, then below headers are used for signing request

    `(request-target) + date`

  • If HeaderList is empty, then below headers are used for signing request

    `All the headers of the request + (request-target) + date`
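
The three `HeaderList` cases above, followed by RSA signing and verification of the resulting string, as an added Go example that is not code from this pull request or from the project. The function names, the flattened `msg` map, the sorted header order and the choice of RSA PKCS#1 v1.5 over SHA-256 are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// SigningString applies the three HeaderList cases; msg maps lowercase names (incl. "(request-target)") to values.
func SigningString(headerList []string, msg map[string]string) string {
	var names []string
	for _, k := range headerList { // a listed header that is not set is ignored
		if k = strings.ToLower(k); msg[k] != "" {
			names = append(names, k)
		}
	}
	if len(headerList) == 0 { // empty list: all headers + (request-target) + date
		for k := range msg {
			names = append(names, k)
		}
		sort.Strings(names) // fixed order is an assumption of this example
	} else if len(names) == 0 { // none of the listed headers is set
		names = []string{"(request-target)", "date"}
	}
	for i, n := range names {
		names[i] = n + ": " + msg[n]
	}
	return strings.Join(names, "\n")
}

// Sign and Verify use RSA PKCS#1 v1.5 over SHA-256 (the algorithm is an assumption).
func Sign(key *rsa.PrivateKey, s string) ([]byte, error) {
	d := sha256.Sum256([]byte(s))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}
func Verify(pub *rsa.PublicKey, s string, sig []byte) bool {
	d := sha256.Sum256([]byte(s))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

var demoKey, demoKeyErr = rsa.GenerateKey(rand.Reader, 2048) // throwaway key pair for this example
func main() {
	s := SigningString([]string{"X-User", "X-Missing"}, map[string]string{"x-user": "alice"}) // constructed input
	sig, err := Sign(demoKey, s)
	fmt.Println(s, demoKeyErr, err, Verify(&demoKey.PublicKey, s, sig))
}
```

Only the headers that end up in the signing string are integrity-protected: with `HeaderList` set to `X-User`, changing any other header leaves the signature valid, so the list should name every header the upstream relies on.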
    

@buger
Member

buger commented Aug 23, 2019

I do not think that we need RSAEnabled boolean fields inside policy or session since in general, it is just part of HMAC in our case.

rsa_certificate_id in session object can be renamed to hmac_public_key_id (and if it is set to non-empty, it just replaces the RSAEnabled field).

@komalsukhani
Contributor Author

RSA is not part of HMAC. If HMAC is enabled, we are signing data using HMAC algorithm while if RSA is enabled, we are signing it using RSA algorithm.

Using HMACEnabled field for RSA might cause confusion.
I thought of renaming the HMACEnabled field to something generic but then it will break backward compatibility.

@buger
Member

buger commented Oct 28, 2019

/update

@tykbot

tykbot bot commented Oct 28, 2019

@buger Base does not exist

@komalsukhani komalsukhani force-pushed the Add_RSA_Request_Signing_Validation branch from ae8bba9 to db36076 Compare October 29, 2019 12:13
@komalsukhani
Contributor Author

@buger Updated with latest master

@buger buger merged commit f8a474e into master Nov 21, 2019
@buger
Member

buger commented Nov 21, 2019

/release to release-2.9

@buger buger deleted the Add_RSA_Request_Signing_Validation branch November 21, 2019 08:45
@tykbot

tykbot bot commented Nov 21, 2019

Working on it! Note that it can take a few minutes.

@tykbot

tykbot bot commented Nov 21, 2019

@buger Seems like there is conflict and it require manual merge.

buger pushed a commit that referenced this pull request Nov 21, 2019
…2467)

Fixes #2452

 ### **Added new fields in below structure**

**Session**
1. _EnableHTTPSignatureValidation bool_
            This field should be used to enable signature validation for both `HMAC` and `RSA`.
**Note**: `HMACEnabled` field will still be supported for backward compatibility, but will be deprecated in future.

2. _RSACertificateId string_
            Public key certificate ID/path to be used for RSA signature validation.

**Policy**
_1. EnableHTTPSignatureValidation bool_

**Request Signing Middleware**
1. _CertificateId string_
      Public key certificate ID/path to be used for RSA signature generation.
2. _HeaderList []string_
      Optional field. List of headers to be used for generating signature

You can now validate HTTP message signature signed using RSA private key.
You need to set `EnableHTTPSignatureValidation` to true and `RSACertificateId` to uploaded RSA Public key certificate or to the path of public key pem file.

Now user can sign requests using RSA key pair. They need to set `CertificateId` to uploaded RSA certificate ID or to the path of certificate file itself.

Earlier request signing middleware considered below headers while generating signature string
          ` All the headers of the request + (request-target) + date `

Now you can specify headers to be used by setting `HeaderList` field of request signing middleware.

**Cases**

- If a header is specified in HeaderList but is not set in the request, then that header is ignored.

- If none of the headers from the HeaderList is set, then below headers are used for signing request

                     `(request-target) + date`

- If HeaderList is empty, then below headers are used for signing request

              ` All the headers of the request + (request-target) + date `
komalsukhani added a commit that referenced this pull request Nov 22, 2019
…2467)

komalsukhani added a commit that referenced this pull request Nov 22, 2019
…eware (#2467)". Same PR was pushed twice

This reverts commit d5c6321.