Merge pull request #6 from adamcin/feature/issue-5-request-target

Added "(request-target): " header prefix, with tests and deprecations

Author: adamcin

api/src/main/java/net/adamcin/httpsig/api/DefaultVerifier.java

@@ -45,18 +45,32 @@ public final class DefaultVerifier implements Verifier {
     private final KeyId keyId;
     private final long skew;
 
+    // this parameter is not long for the world. Do not expose to API.
+    private final boolean strictRequestTarget;
+
     public DefaultVerifier(Keychain keychain) {
-        this(keychain, null, DEFAULT_SKEW);
+        this(keychain, null, DEFAULT_SKEW, false);
+    }
+
+    // Package-private constructor to prevent external API usage of strictRequestTarget parameter.
+    DefaultVerifier(Keychain keychain, boolean strictRequestTarget) {
+        this(keychain, null, DEFAULT_SKEW, strictRequestTarget);
     }
 
     public DefaultVerifier(Keychain keychain, KeyId keyId) {
-        this(keychain, keyId, DEFAULT_SKEW);
+        this(keychain, keyId, DEFAULT_SKEW, false);
     }
 
     public DefaultVerifier(Keychain keychain, KeyId keyId, long skew) {
+        this(keychain, keyId, skew, false);
+    }
+
+    // private constructor to prevent external API usage of strictRequestTarget parameter.
+    private DefaultVerifier(Keychain keychain, KeyId keyId, long skew, boolean strictRequestTarget) {
         this.keychain = keychain != null ? new KeychainGuard(keychain) : new KeychainGuard(new DefaultKeychain());
         this.keyId = new CanVerifyId(keyId != null ? keyId : Constants.DEFAULT_KEY_IDENTIFIER);
         this.skew = skew;
+        this.strictRequestTarget = strictRequestTarget;
     }
 
     public Keychain getKeychain() {
@@ -139,9 +153,18 @@ public VerifyResult verifyWithResult(Challenge challenge, RequestContent request
         }
 
         if (key.verify(authorization.getAlgorithm(),
-                                      requestContent.getContent(authorization.getHeaders(), Constants.CHARSET),
+                                      requestContent.getBytesToSign(authorization.getHeaders(), Constants.CHARSET),
                                       authorization.getSignatureBytes())) {
             return VerifyResult.SUCCESS;
+        } else if (!this.strictRequestTarget
+                && authorization.getHeaders().contains(Constants.HEADER_REQUEST_TARGET)) {
+            if (key.verify(authorization.getAlgorithm(),
+                    requestContent.getContent(authorization.getHeaders(),
+                    Constants.CHARSET), authorization.getSignatureBytes())) {
+                return VerifyResult.SUCCESS;
+            } else {
+                return VerifyResult.FAILED_KEY_VERIFY;
+            }
         } else {
             return VerifyResult.FAILED_KEY_VERIFY;
         }

api/src/main/java/net/adamcin/httpsig/api/Key.java

@@ -52,7 +52,7 @@ public interface Key {
     /**
      * Verifies the {@code signatureBytes} against the {@code challengeHash} using an underlying public key
      * @param algorithm the selected Signature {@link Algorithm}
-     * @param contentBytes the result of {@link RequestContent#getContent(java.util.List, java.nio.charset.Charset)}
+     * @param contentBytes the result of {@link RequestContent#getBytesToSign(java.util.List, java.nio.charset.Charset)}
      * @param signatureBytes the result of {@link net.adamcin.httpsig.api.Authorization#getSignatureBytes()}
      * @return true if signature is valid
      */
@@ -66,7 +66,7 @@ public interface Key {
     /**
      * Signs the {@code challengeHash} using the specified signature {@link Algorithm}
      * @param algorithm the selected Signature {@link Algorithm}
-     * @param contentBytes the result of {@link RequestContent#getContent(java.util.List, java.nio.charset.Charset)}
+     * @param contentBytes the result of {@link RequestContent#getBytesToSign(java.util.List, java.nio.charset.Charset)}
      * @return byte array containing the challengeHash signature or null if a signature could not be generated.
      */
     byte[] sign(Algorithm algorithm, byte[] contentBytes);

api/src/main/java/net/adamcin/httpsig/api/RequestContent.java

@@ -53,7 +53,7 @@ public final class RequestContent implements Serializable {
 
     private static final List<String> SUPPORTED_DATE_FORMATS = Arrays.asList(DATE_FORMAT_RFC1123, DATE_FORMAT);
 
-    private static final long serialVersionUID = -2968642080214687631L;
+    private static final long serialVersionUID = -2968642080214687632L;
 
     @Deprecated
     private final String requestLine;
@@ -181,7 +181,10 @@ public RequestContent build() {
      * @param headers the list of headers to be included in the signed content
      * @param charset charset for decoding the content
      * @return the result of {@link #getContentString(java.util.List)} encoded using the provided {@link Charset}
+     * @deprecated use {@link #getBytesToSign(List, Charset)} to include the {@link Constants#HEADER_REQUEST_TARGET}
+     *              prefix in signature content
      */
+    @Deprecated
     public byte[] getContent(List<String> headers, Charset charset) {
         return getContentString(headers).getBytes(charset);
     }
@@ -191,8 +194,42 @@ public byte[] getContent(List<String> headers, Charset charset) {
      *
      * @param headers the list of headers to be included in the signed content
      * @return formatted content to be signed
+     * @deprecated use {@link #getStringToSign(List)} to include the {@link Constants#HEADER_REQUEST_TARGET}
+     *              prefix in signature content
      */
+    @Deprecated
     public String getContentString(List<String> headers) {
+        return getStringToSign(headers, true);
+    }
+
+    /**
+     * Returns the request content as a String for generating a signature.
+     *
+     * @param headers the list of headers to be included in the signed content
+     * @return formatted content to be signed
+     */
+    public String getStringToSign(List<String> headers) {
+        return getStringToSign(headers, false);
+    }
+
+    /**
+     * Returns the request content as a byte array for generating a signature.
+     *
+     * @param headers the list of headers to be included in the signed content
+     * @param charset charset for decoding the content
+     * @return the result of {@link #getStringToSign(List)} encoded using the provided {@link Charset}
+     */
+    public byte[] getBytesToSign(List<String> headers, Charset charset) {
+        return getStringToSign(headers).getBytes(charset);
+    }
+
+    /**
+     * Method created for backwards compatibility.
+     * @param headers the list of headers to be included in the signed content.
+     * @param suppressRequestTargetPrefix true to remove "(request-target): " from the content.
+     * @return formatted content String to be signed.
+     */
+    private String getStringToSign(List<String> headers, boolean suppressRequestTargetPrefix) {
         StringBuilder hashBuilder = new StringBuilder();
         if (headers != null) {
             for (String header : headers) {
@@ -204,6 +241,9 @@ public String getContentString(List<String> headers) {
                         }
                     } else if (Constants.HEADER_REQUEST_TARGET.equals(_header)) {
                         if (this.getRequestTarget() != null) {
+                            if (!suppressRequestTargetPrefix) {
+                                hashBuilder.append(Constants.HEADER_REQUEST_TARGET).append(": ");
+                            }
                             hashBuilder.append(this.getRequestTarget()).append('\n');
                         }
                     } else {
@@ -219,7 +259,7 @@ public String getContentString(List<String> headers) {
 
     @Override
     public String toString() {
-        return getContentString(this.getHeaderNames());
+        return getStringToSign(this.getHeaderNames());
     }
 
     /**

api/src/main/java/net/adamcin/httpsig/api/Signer.java

@@ -163,7 +163,7 @@ public Authorization sign(RequestContent requestContent, List<String> electiveHe
 
             List<String> headers = new ArrayList<String>(signHeaders);
 
-            byte[] signature = key.sign(algo, requestContent.getContent(headers, Constants.CHARSET));
+            byte[] signature = key.sign(algo, requestContent.getBytesToSign(headers, Constants.CHARSET));
 
             if (signature != null) {
                 return new Authorization(this.keyId.getId(key), Base64.toBase64String(signature), headers, algo);

api/src/test/java/net/adamcin/httpsig/api/DefaultVerifierTest.java

@@ -28,12 +28,14 @@
 package net.adamcin.httpsig.api;
 
 
-import net.adamcin.commons.testing.junit.TestBody;
-import org.junit.Test;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 
 import java.util.Arrays;
+import java.util.List;
 
-import static org.junit.Assert.*;
+import net.adamcin.commons.testing.junit.TestBody;
+import org.junit.Test;
 
 public class DefaultVerifierTest {
 
@@ -57,4 +59,33 @@ public void testVerify() {
     }
 
 
+    @Test
+    public void testStrictVerify() {
+        TestBody.test(new TestBody() {
+            @Override protected void execute() throws Exception {
+                String fingerprint = "fingerprint";
+
+                Keychain identities = new MockKeychain(fingerprint);
+                DefaultVerifier v = new DefaultVerifier(identities);
+                DefaultVerifier strictV = new DefaultVerifier(identities, true);
+                RequestContent requestContent = new RequestContent.Builder().setRequestTarget("get", "index.html").addDateNow().build();
+                List<String> headers = Arrays.asList(Constants.HEADER_REQUEST_TARGET, Constants.HEADER_DATE);
+                Challenge c = new Challenge(DefaultVerifierTest.class.getName(),
+                        headers,
+                        Arrays.asList( Algorithm.SSH_RSA ));
+
+                byte[] content = requestContent.getContent(headers, Constants.CHARSET);
+                byte[] strictContent = requestContent.getBytesToSign(headers, Constants.CHARSET);
+                Authorization authz = new Authorization(fingerprint, MockKey.mockSignBase64(content), headers, Algorithm.SSH_RSA);
+                Authorization strictAuthz = new Authorization(fingerprint, MockKey.mockSignBase64(strictContent), headers, Algorithm.SSH_RSA);
+
+                assertTrue("default verifier should verify default mock signature ", v.verify(c, requestContent, authz));
+                assertTrue("default verifier should verify strict mock signature ", v.verify(c, requestContent, strictAuthz));
+                assertTrue("strict verifier should verify strict mock signature ", strictV.verify(c, requestContent, strictAuthz));
+                assertFalse("strict verifier should not verify default mock signature ", strictV.verify(c, requestContent, authz));
+            }
+        });
+    }
+
+
 }

hmac/src/main/java/net/adamcin/httpsig/hmac/HmacKey.java

@@ -94,7 +94,7 @@ public boolean canVerify() {
     /**
      * Verifies the {@code signatureBytes} against the {@code challengeHash} using an underlying public key
      * @param algorithm the selected Signature {@link net.adamcin.httpsig.api.Algorithm}
-     * @param contentBytes the result of {@link net.adamcin.httpsig.api.RequestContent#getContent(java.util.List, java.nio.charset.Charset)}
+     * @param contentBytes the result of {@link net.adamcin.httpsig.api.RequestContent#getBytesToSign(java.util.List, java.nio.charset.Charset)}
      * @param signatureBytes the result of {@link net.adamcin.httpsig.api.Authorization#getSignatureBytes()}
      * @return true if signature is valid
      */
@@ -133,7 +133,7 @@ public boolean canSign() {
     /**
      * Signs the {@code challengeHash} using the specified signature {@link net.adamcin.httpsig.api.Algorithm}
      * @param algorithm the selected Signature {@link net.adamcin.httpsig.api.Algorithm}
-     * @param contentBytes the result of {@link net.adamcin.httpsig.api.RequestContent#getContent(java.util.List, java.nio.charset.Charset)}
+     * @param contentBytes the result of {@link net.adamcin.httpsig.api.RequestContent#getBytesToSign(java.util.List, java.nio.charset.Charset)}
      * @return byte array containing the challengeHash signature or null if a signature could not be generated.
      */
     public byte[] sign(Algorithm algorithm, byte[] contentBytes) {

mvnvm.properties

@@ -0,0 +1 @@
+mvn_version=3.3.9

ssh-jsch/src/main/java/net/adamcin/httpsig/ssh/jsch/JschKey.java

@@ -79,7 +79,7 @@ public Set<Algorithm> getAlgorithms() {
     /**
      * {@inheritDoc}
      * @param algorithm the selected Signature {@link Algorithm}
-     * @param challengeHash the result of {@link net.adamcin.httpsig.api.RequestContent#getContent(java.util.List, java.nio.charset.Charset)}
+     * @param challengeHash the result of {@link net.adamcin.httpsig.api.RequestContent#getBytesToSign(java.util.List, java.nio.charset.Charset)}
      * @param signatureBytes the result of {@link net.adamcin.httpsig.api.Authorization#getSignatureBytes()}
      * @return true if verified
      */
@@ -147,7 +147,7 @@ private Signature getSignature(byte[] challengeHash) throws Exception {
     /**
      * {@inheritDoc}
      * @param algorithm the selected Signature {@link Algorithm}
-     * @param challengeHash the result of {@link net.adamcin.httpsig.api.RequestContent#getContent(java.util.List, java.nio.charset.Charset)}
+     * @param challengeHash the result of {@link net.adamcin.httpsig.api.RequestContent#getBytesToSign(java.util.List, java.nio.charset.Charset)}
      * @return the generated signature
      */
     public byte[] sign(Algorithm algorithm, byte[] challengeHash) {