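--- a/dist/index.cjs
+++ b/dist/index.cjs
@@ -838,7 +838,18 @@ async function verifyRFC3230DigestHeader(request, rawBody, failOnNoDigest = true
 errorLogger(`Invalid Digest header algorithm: ${match[1]}`);
 return false;
 }
-const hash = await createBase64Digest(rawBody, algo);
+let hash;
+try {
+hash = await createBase64Digest(rawBody, algo);
+} catch (e) {
+if (e.name === "NotSupportedError") {
+if (errorLogger)
+errorLogger(`Invalid Digest header algorithm: ${algo}`);
+return false;
+}
+throw e;
+}
+;
 if (hash !== value) {
 if (errorLogger)
 errorLogger(`Digest header hash mismatch`);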
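--- a/dist/index.mjs
+++ b/dist/index.mjs
@@ -741,7 +741,18 @@ async function verifyRFC3230DigestHeader(request, rawBody, failOnNoDigest = true
 errorLogger(`Invalid Digest header algorithm: ${match[1]}`);
 return false;
 }
-const hash = await createBase64Digest(rawBody, algo);
+let hash;
+try {
+hash = await createBase64Digest(rawBody, algo);
+} catch (e) {
+if (e.name === "NotSupportedError") {
+if (errorLogger)
+errorLogger(`Invalid Digest header algorithm: ${algo}`);
+return false;
+}
+throw e;
+}
+;
 if (hash !== value) {
 if (errorLogger)
 errorLogger(`Digest header hash mismatch`);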
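--- a/dist/pem/pkcs8.d.ts
+++ b/dist/pem/pkcs8.d.ts
@@ -6,8 +6,6 @@ export declare class Pkcs8ParseError extends Error {
 export type ParsedPkcs8 = ParsedAlgorithmIdentifierBase & {
 /**
 * DER
-*
-* (Somehow crypto.createPublicKey will cause `error:1E08010C:DECODER routines::unsupported`)
 */
 der: ArrayBuffer;
 attributesRaw: ArrayBuffer | null;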
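--- a/dist/pem/spki.d.ts
+++ b/dist/pem/spki.d.ts
@@ -7,7 +7,7 @@ export declare class SpkiParseError extends Error {
 * Get algorithm name from OID
 * https://datatracker.ietf.org/doc/html/rfc3279#section-2.3
 * https://datatracker.ietf.org/doc/html/rfc8420#appendix-A
-* @param oidStr e.g. '1.2.840.113549.1.1.1' or SpkiParsedAlgorithmIdentifier.algorithm
+* @param oidStr e.g. '1.2.840.113549.1.1.1' or ParsedAlgorithmIdentifier.algorithm
 * @returns e.g. 'RSASSA-PKCS1-v1_5'
 */
 export declare function getPublicKeyAlgorithmNameFromOid(oidStr: string): KeyAlgorithmName;
@@ -78,6 +78,15 @@ export declare function parseAlgorithmIdentifier(input: ASN1): ParsedAlgorithmId
 export declare function parseSpki(input: ASN1.StreamOrBinary): SpkiParsedAlgorithmIdentifier;
 /**
 * Parse X.509 SubjectPublicKeyInfo (SPKI) public key
+*
+* In Node.js, `createPublicKey(publicKey)` does not need any information,
+* but `crypto.subtle.importKey` needs to be provided by us for the key type.
+*
+* So, this function parses the SPKI and parses the type of key stored.
+*
+* If the key is PKCS#1, the function wraps it in SPKI. In that case,
+* it assumes that the algorithm is `RSASSA-PKCS1-v1_5`.
+*
 * @param input SPKI public key PEM or DER
 * @returns parsed object
 */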
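--- a/src/digest/digest-rfc3230.test.ts
+++ b/src/digest/digest-rfc3230.test.ts
@@ -45,6 +45,14 @@ describe('rfc3230', () => {
 } as any;
 expect(await verifyRFC3230DigestHeader(request, 'foo')).toBe(true);
 });
+test('Unrecognized algorithm name', async () => {
+const request = {
+headers: {
+'digest': `FOO=${await createBase64Digest('foo', 'SHA-256')}`,
+},
+} as any;
+expect(await verifyRFC3230DigestHeader(request, 'foo')).toBe(false);
+});
 });
 });
 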
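Review bot: The new `Unrecognized algorithm name` case cannot distinguish an algorithm rejection from a hash mismatch, because `verifyRFC3230DigestHeader` returns `false` on both paths and the assertion checks only the return value. Supplying an error logger and asserting that it received the `Invalid Digest header algorithm` message would pin the reason for the rejection. The enclosing `describe` block starts outside the hunk, so a shared logger fixture may already exist there.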
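--- a/src/digest/digest-rfc3230.ts
+++ b/src/digest/digest-rfc3230.ts
@@ -44,7 +44,17 @@ export async function verifyRFC3230DigestHeader(
 return false;
 }
 
-const hash = await createBase64Digest(rawBody, algo);
+let hash: string;
+try {
+hash = await createBase64Digest(rawBody, algo);
+} catch (e: any) {
+if (e.name === 'NotSupportedError') {
+if (errorLogger) errorLogger(`Invalid Digest header algorithm: ${algo}`);
+return false;
+}
+throw e;
+}
+
 if (hash !== value) {
 if (errorLogger) errorLogger(`Digest header hash mismatch`);
 return false;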
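Review bot: Rejecting an unknown algorithm here depends on `createBase64Digest` throwing an error whose `name` is exactly `NotSupportedError`; a runtime or code path that reports an unsupported name in another way would still surface as an exception from the verifier rather than a `false` result. Because `algo` is derived from the request's Digest header, comparing it against an explicit list of accepted digest names before hashing would make the rejection independent of the runtime, bound what is written to `errorLogger`, and leave the try/catch as a backstop. Separately, `catch (e: any)` reads `e.name` unguarded; `catch (e: unknown)` with `if (e instanceof Error && e.name === 'NotSupportedError')` avoids a TypeError when a non-object is thrown. The function starts and ends outside the hunk, so the earlier check that logs the same message may already restrict `algo` in some configurations, although the test added in this commit suggests `FOO` passes it by default.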