feat: add support for ECDSA keys to be used with SubtleCrypto.prototype.sign and SubtleCrypto.prototype.verify #667

Merged (10 commits), Sep 21, 2023

@JakeChampion JakeChampion (Member) commented Sep 21, 2023

In the last release we added support for importing an ECDSA key with SubtleCrypto.prototype.importKey. This patch adds the ability to use these keys to sign data and to verify data was signed with the same underlying key.

With this patch, Fastly Compute customers are now able to validate signatures provided by Fastly Fanout requests.

fixes #663

Here is an example of how a Fastly Customer can verify Fastly Fanout requests:
https://fanout-cf.edgecompute.app/

```js
/// <reference types="@fastly/js-compute" />

import { createFanoutHandoff } from "fastly:fanout";
import { env } from 'fastly:env';
import { importJWK, jwtVerify } from "jose";

// A JWK version of the public key documented on https://developer.fastly.com/learning/concepts/real-time-messaging/fanout/#validating-grip-requests
const fanoutJWK = importJWK({
  kty: "EC",
  crv: "P-256",
  x: "CKo5A1ebyFcnmVV8SE5On-8G81JyBjSvcrx4VLetWCg",
  y: "7gwJqaU6N8TP88--twjkwoB36f-pT3QsmI46nPhjO7M",
}, "ES256");

async function app(event) {
  console.log('FASTLY_SERVICE_VERSION', env('FASTLY_SERVICE_VERSION'));

  const request = event.request;

  // Request might be from Fanout
  if (request.headers.has('Grip-Sig')) {
    try {
      const { payload, protectedHeader } = await jwtVerify(request.headers.get('Grip-Sig'), await fanoutJWK)

      return Response.json({ payload, protectedHeader }, { 'headers': { 'content-type': 'application/json' } });
    } catch (error) {
      return Response.json({ error }, { status: 500 });
    }
  } else {
    // Not from Fanout, hand it off to Fanout to manage
    return createFanoutHandoff(request, 'self');
  }
}

addEventListener('fetch', event => event.respondWith(app(event)))
```
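
An ES256 token check written directly against `SubtleCrypto.prototype.sign` and `SubtleCrypto.prototype.verify`, the two calls this pull request enables for ECDSA keys. This is an added example, not code from the pull request or the project: the helper names (`signToken`, `verifyToken`, `demo`) are hypothetical, the token and claims are constructed, and the throwaway key pair assumes the runtime provides `generateKey` (Node and browsers do).

```javascript
// Added example (not from the PR): ES256 compact-JWS sign/verify with SubtleCrypto only.
const ECDSA = { name: "ECDSA", namedCurve: "P-256" };
const ES256 = { name: "ECDSA", hash: "SHA-256" };
const enc = new TextEncoder();
// Node fallback for runtimes without a global `crypto`.
const getSubtle = async () =>
  globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;
const b64u = {
  encode: (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""),
  decode: (text) => Uint8Array.from(
    atob(text.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0)),
};
const parseJson = (segment) => JSON.parse(new TextDecoder().decode(b64u.decode(segment)));
// Demo issuer: sign claims as a compact JWS (sign() yields raw 64-byte r||s, not DER).
async function signToken(privateKey, claims) {
  const input = [{ alg: "ES256", typ: "JWT" }, claims]
    .map((part) => b64u.encode(enc.encode(JSON.stringify(part)))).join(".");
  const sig = await (await getSubtle()).sign(ES256, privateKey, enc.encode(input));
  return `${input}.${b64u.encode(sig)}`;
}

// Verify a compact JWS against a public JWK; returns the claims or throws.
async function verifyToken(publicJwk, token, now = Date.now() / 1000) {
  const subtle = await getSubtle();
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) throw new Error("malformed token");
  // Pin the algorithm: the token header must not choose how it is verified.
  if (parseJson(h).alg !== "ES256") throw new Error("unexpected alg");
  const sig = b64u.decode(s);
  if (sig.length !== 64) throw new Error("bad signature length");
  const key = await subtle.importKey("jwk", publicJwk, ECDSA, false, ["verify"]);
  const ok = await subtle.verify(ES256, key, sig, enc.encode(`${h}.${p}`));
  if (!ok) throw new Error("signature mismatch");
  const claims = parseJson(p); // parsed only after the signature checks out
  if (typeof claims.exp === "number" && claims.exp <= now) throw new Error("expired");
  return claims;
}

// Constructed demo: throwaway key pair, one valid token, one with a swapped payload.
async function demo() {
  const subtle = await getSubtle();
  const { publicKey, privateKey } = await subtle.generateKey(ECDSA, true, ["sign", "verify"]);
  const jwk = await subtle.exportKey("jwk", publicKey);
  const token = await signToken(privateKey, { iss: "example-issuer", exp: 4102444800 });
  const [h, , s] = token.split(".");
  const forged = `${h}.${b64u.encode(enc.encode('{"iss":"someone-else"}'))}.${s}`;
  const rejected = await verifyToken(jwk, forged).then(() => null, (e) => e.message);
  return { claims: await verifyToken(jwk, token), rejected };
}
```

In a Fanout handler, `publicJwk` would be the published Fastly key shown above and `token` the value of the `Grip-Sig` header.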

@JakeChampion JakeChampion force-pushed the jake/fanout-key branch 3 times, most recently from ec498c0 to 416a57e September 21, 2023 14:54
JakeChampion and others added 10 commits September 22, 2023 00:17
…pe.sign and SubtleCrypto.prototype.verify

…realloc if the new size is going to be 0

realloc with 0 causes a MOZ_ASSERT to fail within js_arena_realloc. js_arena_realloc has this to say:
>// realloc() with zero size is not portable, as some implementations may
>// return nullptr on success and free |p| for this.  We assume nullptr
>// indicates failure and that |p| is still valid.
>MOZ_ASSERT(bytes != 0);
Co-authored-by: Trevor Elliott <telliott@fastly.com>

@elliottt elliottt (Contributor) left a comment

🚀

@JakeChampion JakeChampion merged commit 51bb170 into main Sep 21, 2023
81 checks passed
@JakeChampion JakeChampion deleted the jake/fanout-key branch September 21, 2023 23:58
Successfully merging this pull request may close these issues.

Incorrect implementation for ECDSA verification