Split up verify functions for HMAC and signature

lib/index.js

@@ -1,4 +1,4 @@
-// Copyright 2011 Joyent, Inc.  All rights reserved.
+// Copyright 2015 Joyent, Inc.
 
 var parser = require('./parser');
 var signer = require('./signer');
@@ -22,5 +22,6 @@ module.exports = {
   pemToRsaSSHKey: util.pemToRsaSSHKey,
 
   verify: verify.verifySignature,
-  verifySignature: verify.verifySignature
+  verifySignature: verify.verifySignature,
+  verifyHMAC: verify.verifyHMAC
 };

lib/verify.js

@@ -1,4 +1,4 @@
-// Copyright 2011 Joyent, Inc.  All rights reserved.
+// Copyright 2015 Joyent, Inc.
 
 var assert = require('assert-plus');
 var crypto = require('crypto');
@@ -8,35 +8,49 @@ var crypto = require('crypto');
 ///--- Exported API
 
 module.exports = {
-
   /**
-   * Simply wraps up the node crypto operations for you, and returns
-   * true or false.  You are expected to pass in an object that was
-   * returned from `parse()`.
+   * Verify RSA/DSA signature against public key.  You are expected to pass in
+   * an object that was returned from `parse()`.
    *
    * @param {Object} parsedSignature the object you got from `parse`.
-   * @param {String} key either an RSA private key PEM or HMAC secret.
+   * @param {String} pubkey RSA/DSA private key PEM.
    * @return {Boolean} true if valid, false otherwise.
    * @throws {TypeError} if you pass in bad arguments.
    */
-  verifySignature: function verifySignature(parsedSignature, key) {
+  verifySignature: function verifySignature(parsedSignature, pubkey) {
     assert.object(parsedSignature, 'parsedSignature');
-    assert.string(key, 'key');
+    assert.string(pubkey, 'pubkey');
 
-    var alg = parsedSignature.algorithm.match(/(HMAC|RSA|DSA)-(\w+)/);
+    var alg = parsedSignature.algorithm.match(/^(RSA|DSA)-(\w+)/);
     if (!alg || alg.length !== 3)
       throw new TypeError('parsedSignature: unsupported algorithm ' +
                           parsedSignature.algorithm);
 
-    if (alg[1] === 'HMAC') {
-      var hmac = crypto.createHmac(alg[2].toUpperCase(), key);
-      hmac.update(parsedSignature.signingString);
-      return (hmac.digest('base64') === parsedSignature.params.signature);
-    } else {
-      var verify = crypto.createVerify(alg[0]);
-      verify.update(parsedSignature.signingString);
-      return verify.verify(key, parsedSignature.params.signature, 'base64');
-    }
-  }
+    var verify = crypto.createVerify(alg[0]);
+    verify.update(parsedSignature.signingString);
+    return verify.verify(pubkey, parsedSignature.params.signature, 'base64');
+  },
 
+  /**
+   * Verify HMAC against shared secret.  You are expected to pass in an object
+   * that was returned from `parse()`.
+   *
+   * @param {Object} parsedSignature the object you got from `parse`.
+   * @param {String} secret HMAC shared secret.
+   * @return {Boolean} true if valid, false otherwise.
+   * @throws {TypeError} if you pass in bad arguments.
+   */
+  verifyHMAC: function verifyHMAC(parsedSignature, secret) {
+    assert.object(parsedSignature, 'parsedHMAC');
+    assert.string(secret, 'secret');
+
+    var alg = parsedSignature.algorithm.match(/^HMAC-(\w+)/);
+    if (!alg || alg.length !== 2)
+      throw new TypeError('parsedSignature: unsupported algorithm ' +
+                          parsedSignature.algorithm);
+
+    var hmac = crypto.createHmac(alg[1].toUpperCase(), secret);
+    hmac.update(parsedSignature.signingString);
+    return (hmac.digest('base64') === parsedSignature.params.signature);
+  }
 };

test/verify.test.js

@@ -89,7 +89,7 @@ test('setup', function(t) {
 test('invalid hmac', function(t) {
   server.tester = function(req, res) {
     var parsed = httpSignature.parseRequest(req);
-    t.ok(!httpSignature.verify(parsed, hmacKey));
+    t.ok(!httpSignature.verifyHMAC(parsed, hmacKey));
 
     res.writeHead(200);
     res.write(JSON.stringify(parsed, null, 2));
@@ -111,7 +111,7 @@ test('invalid hmac', function(t) {
 test('valid hmac', function(t) {
   server.tester = function(req, res) {
     var parsed = httpSignature.parseRequest(req);
-    t.ok(httpSignature.verify(parsed, hmacKey));
+    t.ok(httpSignature.verifyHMAC(parsed, hmacKey));
 
     res.writeHead(200);
     res.write(JSON.stringify(parsed, null, 2));