
Adds RSA-SHA1 Support #43

Closed

@jeffv

We needed RSA-SHA1 signatures for api.xero.com.
So we added them.

Jeffrey D. Van Alstine Adds RSA-SHA1 signature method
(thanks Sean)
b6ccb02
@ciaranj
Owner

Nice, thank you. Any chance of a test? If so, I'll pull it straight in.

I'll see what I can do when time permits.
For some reason the library I built over top of my hack started failing to sign its POST requests (and only its post requests) so I have to dig into that first.

Owner

Odd. Did you get to the bottom of this?

Yes. It turned out that if you send it as a querystring instead of an object the string used for the signature doesn't get the POST params added to it like it should. If you use an object everything is fine.

Can we get this added in? Xero still has the same requirement in some places.

@wraithgar

As-is this pull request does not work. New line 169 refers to this._privateKey, which isn't defined anywhere.

I did some googling and this appears to be the way most people are self-patching this library to support rsa-sha1. For instance if you want to use oauth with JIRA and follow their examples:

https://bitbucket.org/rmanalan/atlassian-oauth-examples/src/807992a74230/nodejs/app.js?at=default

You are directed to a fork of node-oauth:

https://github.com/sladey/node-oauth

... that does something similar. However, one issue w/ the sladey fork is that it mucks about w/ the parameter count, which would break existing deploys of node-oauth who upgraded.

I even have my own branch:

https://github.com/wraithgar/node-oauth

... in which I repurposed the consumerSecret parameter to be interpreted as the private key if the signatureMethod was in fact rsa-sha1. I think this is probably the safest approach, as it doesn't mess w/ the parameter count or order so existing deploys of node-oauth wouldn't break.

In the case of tests, unfortunately it's stated as 'outside the scope' of the core 1.0 examples:

http://oauth.net/core/1.0/#sig_base_example

So I'm not 100% on how to construct a test for it. Otherwise I'd have already submitted a pull request from my fork. I think this is an important addition, since rsa-sha1 signing is the method used by most 'enterprise' implementations of oauth, being the more secure method. Can we please revisit this, either in this pull request or in a new issue? What do you need in order to get this into node-oauth?
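
An added example, not part of this thread or of node-oauth: one way to build the RSA-SHA1 test discussed above is a sign/verify round trip with a throwaway key pair, which also shows that the signature must cover POST parameters. The helper names, URL and parameter values are assumptions made for illustration, and the parameter sort is simplified to unique ASCII names.

```javascript
// Added example, not node-oauth code. Helper names and sample values are hypothetical.
const crypto = require('crypto');

// OAuth 1.0 percent-encoding: everything except RFC 3986 unreserved characters.
function encodeData(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string: METHOD & encoded URL & encoded, sorted parameters.
// Simplification: assumes unique ASCII parameter names.
function signatureBase(method, url, params) {
  const normalized = Object.keys(params).sort()
    .map(k => encodeData(k) + '=' + encodeData(params[k])).join('&');
  return [method.toUpperCase(), encodeData(url), encodeData(normalized)].join('&');
}

// Sign with a PEM private key; fail fast instead of passing undefined to sign().
function signRsaSha1(base, privateKeyPem) {
  if (typeof privateKeyPem !== 'string' || !privateKeyPem.includes('PRIVATE KEY')) {
    throw new Error('RSA-SHA1 requires a PEM private key');
  }
  return crypto.createSign('RSA-SHA1').update(base).sign(privateKeyPem, 'base64');
}

// What the provider does: check the signature with the registered public key.
function verifyRsaSha1(base, signatureB64, publicKeyPem) {
  return crypto.createVerify('RSA-SHA1').update(base)
    .verify(publicKeyPem, signatureB64, 'base64');
}

// Constructed test fixture: throwaway key pair generated at run time.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

// Constructed request: OAuth parameters plus one POST body parameter.
const oauthParams = { oauth_consumer_key: 'test-key', oauth_nonce: 'n0nce',
  oauth_signature_method: 'RSA-SHA1', oauth_timestamp: '1300000000', oauth_version: '1.0' };
const url = 'https://provider.example/resource';
const fullBase = signatureBase('POST', url, Object.assign({ status: 'a b' }, oauthParams));
const baseWithoutBody = signatureBase('POST', url, oauthParams);
const signature = signRsaSha1(fullBase, privateKey);

console.log(verifyRsaSha1(fullBase, signature, publicKey));        // true
console.log(verifyRsaSha1(baseWithoutBody, signature, publicKey)); // false
```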

@knechtandreas referenced this pull request
Merged

Add RSA-SHA1 support #121

@knechtandreas

I've created a new pull request that adds a test to https://github.com/wraithgar/node-oauth 's work:
#121

This pull request can probably be closed if 121 goes ahead.

@ciaranj
Owner

Closing, as merging in #121

@ciaranj closed this
Commits on Apr 28, 2011
  1. Adds RSA-SHA1 signature method

    Jeffrey D. Van Alstine authored
    (thanks Sean)
Showing with 5 additions and 1 deletion.
  1. +5 −1 lib/oauth.js
6 lib/oauth.js
@@ -18,7 +18,7 @@ exports.OAuth= function(requestUrl, accessUrl, consumerKey, consumerSecret, vers
this._authorize_callback= authorize_callback;
}
- if( signatureMethod != "PLAINTEXT" && signatureMethod != "HMAC-SHA1")
+ if( signatureMethod != "PLAINTEXT" && signatureMethod != "HMAC-SHA1" && signatureMethod != "RSA-SHA1" )
throw new Error("Un-supported signature method: " + signatureMethod )
this._signatureMethod= signatureMethod;
this._nonceSize= nonceSize || 32;
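Review bot: the widened check on the signatureMethod line now accepts "RSA-SHA1", but nothing visible in the constructor takes or stores a private key, so an instance configured this way passes validation and only fails later when it signs. Either assign the key here (for example by treating consumerSecret as the PEM private key when the method is RSA-SHA1, which keeps the parameter count and order unchanged) or throw at construction when no key is available, and document which argument carries the key.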
@@ -165,6 +165,10 @@ exports.OAuth.prototype._createSignature= function(signatureBase, tokenSecret) {
if( this._signatureMethod == "PLAINTEXT" ) {
hash= this._encodeData(key);
}
+ else if (this._signatureMethod == "RSA-SHA1") {
+ key = this._privateKey;
+ hash= crypto.createSign("RSA-SHA1").update(signatureBase).sign(key, 'base64');
+ }
else {
if( crypto.Hmac ) {
hash = crypto.createHmac("sha1", key).update(signatureBase).digest("base64");
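Review bot: "key = this._privateKey;" in the new RSA-SHA1 branch reads a property that this patch never assigns, so sign() is handed undefined instead of a PEM key. Set _privateKey in the constructor or derive it from an existing argument, and throw a descriptive error in this branch when it is missing. Prefer a separate local over overwriting key, which the PLAINTEXT and HMAC branches use for the shared secret, and add a test that signs a base string and verifies it with the matching public key.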