rstudio · jonkeane · Mar 22, 2024 · Mar 18, 2024 · Mar 18, 2024 · Mar 22, 2024
diff --git a/DESCRIPTION b/DESCRIPTION
@@ -26,6 +26,7 @@ Imports:
     jsonlite,
     lifecycle,
     openssl (>= 2.0.0),
+    PKI,
     packrat (>= 0.6),
     renv (>= 1.0.0),
     rlang (>= 1.0.0),

diff --git a/R/http.R b/R/http.R
@@ -501,8 +501,14 @@ signatureHeaders <- function(authInfo, method, path, file = NULL) {
       der = TRUE
     )
 
-    # OpenSSL defaults to sha1 hash function (which is what we need)
-    rawsig <- openssl::signature_create(charToRaw(canonicalRequest), key = private_key)
+    # convert key into PKI format for signing, note this only accepts RSA, but
+    # that's what rsconnect generates already
+    pki_key <- PKI::PKI.load.key(strsplit(openssl::write_pem(private_key), "\n")[[1]], format = "PEM")
+
+    # use sha1 digest and then sign. digest and PKI avoid using system openssl which
+    # can be problematic in strict FIPS environments
+    digested <- digest::digest(charToRaw(canonicalRequest), "sha1", serialize = FALSE, raw = TRUE)
+    rawsig <- PKI::PKI.sign(key = pki_key, digest = digested)
     signature <- openssl::base64_encode(rawsig)
   } else {
     stop("can't sign request: no shared secret or private key")

diff --git a/tests/testthat/_snaps/http.md b/tests/testthat/_snaps/http.md
@@ -22,7 +22,7 @@
     Output
       List of 3
        $ Date              : chr "Thu, 09 Mar 2023 14:29:00 GMT"
-       $ X-Auth-Signature  : chr "tqz4HGcSmuWKIGzIj42OEkwYZQzfJBdrUynlBQKSEEok2zMFZwsgEpEzU8PzpoeMEmcX5+Cr1IuDLLASz0ivAQ=="
+       $ X-Auth-Signature  : chr "mk4e1sdK0Gy9Uex2nJMtkntdT/boQWRakSRB6iYw9hmP2zMHQjvynY+Kc5hqbGAK7tbzG52fC+5MQSOUapNKBF6GNnVe1cp2jFq4pmhEL2yhlkB"| __truncated__
        $ X-Content-Checksum: chr "1B2M2Y8AsgTpgAmY7PhCfg=="
 
 # includes body in error if available

diff --git a/tests/testthat/fake-key b/tests/testthat/fake-key
@@ -0,0 +1 @@
+MIIEpAIBAAKCAQEAv3okkAClwA7JahhrG7ELtnhIBBw9OgbVIWnlNZ77GO2urtdsaRtDgBmFoZxoUftSv96qGUEDZjdDAmVdM4bnkRLt2GqrTcF252xgqqe7bC7MdnG9k2bHJgTV5Di2odj5bAU3yJzZSq6Sh8LDLbC+8q7l8Ce+u3svCbozAKjvdI4+e4nX4ZK+CFOOxC/A4iB0zgGC3XSnv3eAC7JKBBUDN+0ifSVMGVLL89nqhFxT1eEK0vd0+/bAO0Hx+czmEyyjxA8VdFOwGFFSlmwYnlUZbtwyEH3bKl8GGMx1EfhwZcXtVaMAkuaeXOnKDS3W/kRJXEkmNhndOngYNMEqMZMk9wIDAQABAoIBAB5kIp2AnM5JCor+aTGx/ivuF3Afk1A8eWOeTTUfkLc6Mnmp05kzLJmOc3ldO+mXPGEb1F/Bw+pbZxVgRVTCWsrZ+EpbU+k5hcfhmc48ZTEclHNQRki5DW7pYZGhtsslhyEwCtSaoJqL7tIBhb0gyo32WKSvikRzntmqZiH6rlcPXegi5u7MMd9MfKhShAAnN4jPzHHPbijlp/jY1SqlFX1P/WZjcZo2fXt8JMIniNZkgYKvau35ghx5Blm1JBjKYYEcrLGiW8/m5/1s9rsHr77Xm5Ezs71rSoVBoAwcgggraidXoTwo3UY8pW+gubS28np4OUJ2Au7mSZkbBDlMDBECgYEA+j7B18CifCUZQxruBiUPXys2APgfjaNBirRrrkQw/LSaLo+a29XWbdfNVB1Fv1LYzac/I/JdUTdoD3Lv71Y8Elw3GR6Ib+HIEH0QjeO8ERBBG/yz/34cSLdh99tL4ear8HSSaBrxqCX0ebztV8rHSDwWoyIJxKOFO3GsGjX3ktUCgYEAw+FoF1G9AGLyupYIFVaoDc8cTEEVgkEhm8uESEh5Qtk6X7aWyxXa+nx7n/G8xquOtsRuTBTDBgbGxElyjVtfEAPriASA8LbWowH0OPjzbuJvtlJqfkXBrtjGKASaMYzMdNAWu+nBDBdPl/kTuM3H8GemPOvRWpKvg+65+GXrRpsCgYEAjLYLI3lDJFFsAgq7eqMOILJYfHUIsQjyir7mqafYb9BRvgqrxh9Yoo0s/LY1CN7Z39HCNEFM7aUdE0rK1aaEwsItjSdZCqhHadYZH9/FWUbthYIz6F8OImlTYh5ibdTaK6wwwu8boTQuYuG0B6CTK+/1vqceHP7hpMpHPrnHyz0CgYEAhvxPyjom4BxQH2sC2QmluBZw7s+vLdsKeR2P5GwlPH8Mbica1YsTI6kjXH6vU82oBKVrSPzJxN5onZ3r1iQQZ6374vkPjlLBqQXQsm5E+7YJvAAhqTETHxX9wFgjll/sCdfYwth8k4OA8z7Pa3xL+4zCD5uG4z7Quz+JYveBYl8CgYAU4ebT1BLxtHIWb6kU9oNL71oCRhedhQlwYo93ZzZdXjUUGGwyPoTW2WHBwihymjqA1mqmIcoy5Ok89C4S3l1gJTj+rRNlGxIItdMMmhCPRMn14NZoIh5UoPqGTAsdOU1BOj683XUuqlDiXzez92t4RBYo7I4P/hQzK/ogFc468g==
diff --git a/tests/testthat/test-http.R b/tests/testthat/test-http.R
@@ -22,8 +22,8 @@ test_that("authHeaders() picks correct method based on supplied fields", {
   )
 
   # Dummy key created with
-  # openssl::base64_encode(openssl::ed25519_keygen())
-  key <- "MC4CAQAwBQYDK2VwBCIEIDztfEgkp5CX7Jz0NCyrToaRW1L2tfmrWxNDgYyjO9bQ"
+  # openssl::base64_encode(openssl::rsa_keygen(2048L))
+  key <- readLines(test_path("fake-key"))
 
   expect_snapshot({
     str(authHeaders(list(secret = "123"), url, "GET"))