TritonDataCenter / node-http-signature

Reference implementation of Joyent's HTTP Signature Scheme
https://tritondatacenter.com
MIT License

allow hs2019 algorithm in signing and verifying #105

Open blacktemplar opened 4 years ago

blacktemplar commented 4 years ago

Resolves #106.

This allows the recommended use of "hs2019" as the algorithm, which effectively hides the algorithm used from the signature to avoid attacks; see Appendix E.2 in https://tools.ietf.org/html/draft-cavage-http-signatures-12.

For signing there is an option hideAlgorithm that defaults to false and, if true, writes "hs2019" into the authentication header.

For verifying, one has to pass an overriddenAlgorithm to verify, which basically overrides the algorithm "hs2019" for verification. The overriddenAlgorithm has to be determined from the metadata of the clientId (after parsing the signature, the clientId is known).

gabek commented 3 years ago

Hi there. Is there going to be any progress made on this front?