Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[signatures] Include example of "@query-params" in list of covered components #1981

Closed
tyler-ham opened this issue Feb 18, 2022 · 2 comments · Fixed by #2143
Closed

[signatures] Include example of "@query-params" in list of covered components #1981

tyler-ham opened this issue Feb 18, 2022 · 2 comments · Fixed by #2143
Labels
signatures

Comments

@tyler-ham
Copy link
Contributor

When composing a list of covered components in the @signature-params value, it wasn't clear to me if there should be multiple instances of "@query-params", one for each distinct name.

In Signature Parameters, 3., I see

Serialize the component identifiers of the covered components, including all parameters...

And in the HTTP Message Components section:

Component identifiers, including component identifiers with parameters, MUST NOT be repeated within a single list of covered components. Component identifiers with different parameter values MAY be repeated within a single list of covered components.

Both of these sound to me like "@query-params" should be repeated as shown below, once for each distinct name parameter. For example:

NOTE: '\' line wrapping per RFC 8792

("@path" "@authority" "@query-params";name="baz" \
  "@query-params";name="qux" "@query-params";name="param")\
  ;keyid="test-key-rsa-pss";alg="rsa-pss-sha512";\
  created=1618884475;expires=1618884775

Is this correct?

If so, would you be open to expanding at least one example to show that use of "@query-params" in a list of covered components?
@tyler-ham tyler-ham changed the title Include example of "@query-params" in list of covered components [signatures] Include example of "@query-params" in list of covered components Feb 18, 2022
@jricher
Copy link
Contributor

jricher commented Mar 8, 2022

Yes, there should be one instance of every @query-params used in the input list, with all of the parameters attached. Practically speaking, these are the same exact values as used in the generation of the signature base, on the left hand side of each line:

"@query-params";name="baz": batman
"@query-params";name="qux":
"@query-params";name="param": value

Would lead to a signature input of:

("@query-params";name="baz" "@query-params";name="qux" "@query-params";name="param")

Each one is considered its own separate component identifier. This pattern is true for all component identifiers.

We can add an example of an actual signature using this in the appendix section, and if you have suggestions on how we could make this more clear in the discussion on component identifiers or the signature params construct, we'd welcome suggestions on the text!

@tyler-ham
Copy link
Contributor Author

Thank you! I am working on putting together some thoughts for the discussion on component identifiers.

Would you be open to a pull request adding this to an existing example, such as hmac-sha256? I'm happy to do some legwork if it is helpful, and I could make the corresponding change in http_sig_examples.py.

@tyler-ham tyler-ham mentioned this issue Mar 18, 2022
Closed
jricher added a commit that referenced this issue Jun 1, 2022
@jricher
add query-param example, closes #1981
4bee5d5
@jricher jricher mentioned this issue Jun 1, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
signatures
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Clean up signature references and text httpwg/http-extensions
3 participants
@jricher @ioggstream @tyler-ham