Signatures 007: trouble verifying §3.1_Signature #1876
Comments
I just did a quick static test in Python using all the given parameters:

```python
import http_sfv
from Crypto.Hash import SHA512
from Crypto.PublicKey import RSA
from Crypto.Signature import pss

# Placeholder: the PEM public key for "test-key-rsa-pss" is not shown on this page.
rsaTestKeyPssPublic = "<PEM public key for test-key-rsa-pss>"


def mgf512(seed, length):
    # MGF1 mask generation function using SHA-512.
    return pss.MGF1(seed, length, SHA512)


print('HTTPSig Static Test')
print('*' * 30)
# As discussed in this thread, the "x-empty-header": line must keep a single
# trailing space after the colon.
base = '''"@method": GET
"@path": /foo
"@authority": example.org
"cache-control": max-age=60, must-revalidate
"x-empty-header": 
"x-example": Example header with some whitespace.
"@signature-params": ("@method" "@path" "@authority" "cache-control" "x-empty-header" "x-example");created=1618884475;keyid="test-key-rsa-pss"'''
h = SHA512.new(base.encode('utf-8'))
# The signature is a structured-field byte sequence (base64 between colons).
signed = http_sfv.Item()
signed.parse(':P0wLUszWQjoi54udOtydf9IWTfNhy+r53jGFj9XZuP4uKwxyJo1RSHi+oEF1FuX6O29d+lbxwwBao1BAgadijW+7O/PyezlTnqAOVPWx9GlyntiCiHzC87qmSQjvu1CFyFuWSjdGa3qLYYlNm7pVaJFalQiKWnUaqfT4LyttaXyoyZW84jS8gyarxAiWI97mPXU+OVM64+HVBHmnEsS+lTeIsEQo36T3NFf2CujWARPQg53r58RmpZ+J9eKR2CD6IJQvacn5A4Ix5BUAVGqlyp8JYm+S/CWJi31PNUjRRCusCVRj05NrxABNFv3r5S9IXf2fYJK+eyW4AiGVMvMcOg==:'.encode('utf-8'))
pubKey = RSA.import_key(rsaTestKeyPssPublic)
verifier = pss.new(pubKey, mask_func=mgf512, salt_bytes=64)
try:
    # verify() raises ValueError when the signature does not match.
    verified = verifier.verify(h, signed.value)
    print("Verified:")
    print('> YES!')
    print()
except (ValueError, TypeError):
    print("Verified:")
    print('> NO!')
    print()
print('*' * 30)
```

And after a bit of debugging, it looks like the error is in your base string above. Namely, the construction of the

We can make it easier for people to verify like you're doing, though. Ultimately we don't :need: to include the empty header in the verified example, so long as we've got an example of the empty header normalized someplace and can show the trailing space properly. I also tested against this newly-generated signature value from the generation script, which you can use for testing also:
Plugging this value into the static test above also validates, once I'd fixed the base string in my own tests also.
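The trailing-space problem described in the comment above, as an added example that is not part of the thread or of the draft's own code: it assembles a base string in the layout shown in the static test and shows that stripping trailing whitespace removes exactly one byte and changes the SHA-512 digest that RSA-PSS verifies. The function names (`build_signature_base`, `strip_trailing_whitespace`, `lines_missing_separator_space`) are hypothetical helpers, and the sample components are copied from the thread.

```python
import hashlib

# Constructed sample: the covered components from the example in this thread.
COMPONENTS = [
    ("@method", "GET"),
    ("@path", "/foo"),
    ("@authority", "example.org"),
    ("cache-control", "max-age=60, must-revalidate"),
    ("x-empty-header", ""),
    ("x-example", "Example header with some whitespace."),
]
CREATED, KEYID = 1618884475, "test-key-rsa-pss"


def build_signature_base(components, created, keyid):
    """Join each component as '"name": value'; an empty value still gets ': '."""
    lines = ['"%s": %s' % (name, value) for name, value in components]
    covered = " ".join('"%s"' % name for name, _ in components)
    lines.append('"@signature-params": (%s);created=%d;keyid="%s"'
                 % (covered, created, keyid))
    return "\n".join(lines)


def strip_trailing_whitespace(text):
    """What many editors, linters and copy/paste paths do to each line."""
    return "\n".join(line.rstrip() for line in text.split("\n"))


def lines_missing_separator_space(base):
    """Return component names whose line ends at the colon (space was lost)."""
    return [line.split('"')[1] for line in base.split("\n")
            if line.endswith('":')]


def digest(text):
    """SHA-512 over the UTF-8 bytes, as hashed before PSS verification."""
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


base = build_signature_base(COMPONENTS, CREATED, KEYID)
damaged = strip_trailing_whitespace(base)

if __name__ == "__main__":
    print("empty header line:", repr(base.split("\n")[4]))
    print("digests equal:", digest(base) == digest(damaged))
    print("lines that lost their space:", lines_missing_separator_space(damaged))
```

Running `lines_missing_separator_space` over a base string pasted into a test file is a quick check before suspecting the key, salt length or MGF settings.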
Thanks. I was able to get the problematic test to compile with JS and Java (see test log) by changing the text to be signed to (see commit):

```scala
val txt = """"@method": GET
|"@path": /foo
|"@authority": example.org
|"cache-control": max-age=60, must-revalidate
|"x-empty-header": \
|
|"x-example": Example header with some whitespace.
|"@signature-params": ("@method" "@path" "@authority" \
| "cache-control" "x-empty-header" "x-example");created=1618884475\
| ;keyid="test-key-rsa-pss"""".rfc8792single
```

I.e. append
This header has been removed from the signed examples in #1903
I have built a test suite for a crypto library in Scala that uses the examples from Signing HTTP Messages 07 that compiles to JS and Java. Compiling to Java all 4 examples work except the verification of example 3.1 Signature. There is another problem in JS I am still looking into, but it also has trouble verifying 3.1.
I wrote up JS code that I think duplicates my Scala-JS code for the example as that should make it easier to work out what the problem is.
The Scala code on which this is based is part of a PR 48 to the bobcats Typelevel project. Main code is:
See Java Tests suite results.