Giter VIP home page Giter VIP logo

http-signatures-java's Introduction

HTTP Signatures Java Client

HTTP signatures provide a mechanism by which a shared secret key can be used to digitally "sign" a HTTP message to both verify the identity of the sender and verify that the message has not been tampered with in-transit.

This is done by contatinating the desired HTTP Headers together to form a string called a "Signing String". An encrypted hash (digitial signature) is made of the Signing String using either an asymmetric algorithm (rsa-sha256) with a public/private key pair or a symmetric algorithm (hmac-sha256) with a shared secret key.

Finally, the encrypted bytes are Base64 encoded and added to the Authorization header, along with the keyId, signing algorithm, header names, and the signature itself.

For example, the following Signing String:

digest: SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=
date: Tue, 07 Jun 2014 20:51:35 GMT
(request-target): get /foo/Bar

if encrypted using the hmac-sha256 algorithm with the secret don't tell, and then encoded with Base64 would yield the result:

6aq7lLvqJlYRhEBkvl0+qMuSbMyxalPICsBh1qV6V/s=

This would then be applied to the Authorization header as below:

Authorization: Signature keyId="myusername:mykey",algorithm="hmac-sha256",headers="digest
date (request-target)",signature="6aq7lLvqJlYRhEBkvl0+qMuSbMyxalPICsBh1qV6V/s="

Maven Dependency

Add the following dependency to your Maven pom file.

<dependency>
  <groupId>org.tomitribe</groupId>
  <artifactId>tomitribe-http-signatures</artifactId>
  <version>1.0</version>
</dependency>

Library Overview

There are 2 key classes in this library:

  • Signature - defines the headers that make up the signature - this must as a minimum include the headers that the server requires to be part of the signature

  • Signer - computes the signature value using the headers/values defined on the Signature classes

Creating a Signer

The Signer instance is intended to be created once and reused to sign all the HTTP messages that require HTTP Signature Authentication.

It is immutable, fully thread-safe and optimized to check and verify the supplied Key on construction.

The first steps to creating a Signer instance are as follows:

final Signature signature = new Signature("key-alias", "hmac-sha256", null, "(request-target)"); // (1)
final Key key = new SecretKeySpec(passphrase.getBytes(), "HmacSHA256");	 // (2)
final Signer signer = new Signer(key, signature); // (3)

  1. Define a new Signature object. This Signature object isn’t fully computed signature, but rather a template for the Signatures that will be created by the Signer for specific HTTP messages. It requires a key alias (1st parameter), the signature algorithm (2nd parameter - usually "hmac-sha256") and a var-arg list of header names indicating which headers will require signing (4th - nth parameters).

  2. Define a SecretKeySpec instance, this needs the shared secret passphrase, and the algorithm used to store it in the keystore (usually "HmacSHA256").

  3. Initialize a new Signer object with the key and signature from <1> and <2> above

Signing an HTTP Message

Once you have a Signer, signing an HTTP Message is as simple as passing in the respective parts and letting the signer do the magic. The library is not specific to any HTTP Client Java library such as Apache HttpClient, therefore data must be copied from the request object of your specifc HTTP Client library and passed to the Signer in simple String and Map form.

final String method = "GET";

final String uri = "/foo/Bar";

final Map<String, String> headers = new HashMap<String, String>();
headers.put("Host", "example.org");
headers.put("Date", "Tue, 07 Jun 2014 20:51:35 GMT");
headers.put("Content-Type", "application/json");
headers.put("Digest", "SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=");
headers.put("Accept", "*/*");
headers.put("Content-Length", "18");

// Here it is!
final Signature signed = signer.sign(method, uri, headers);

The returned Signature object represents a full HTTP Signature. Simply call toString() on it to get a fully formatted Authorization header value.

Calling toString() on the above Signature instance will yeild the following:

Signature keyId="my-key-name","algorithm="hmac-sha256",headers="content-length host date (request-target)",signature="yT/NrPI9mKB5R7FTLRyFWvB+QLQOEAvbGmauC0tI+Jg="

The output of signature.toString() should be used as the value the Authorization header for the request.

Scenarios

The following sections demonstrate a few common scenarios using http-signatures-java.

Simple (request-target)

This is the simplest request. Only the request-target (URI) is used to build the signature.

final Signature signature = new Signature("key-alias", "hmac-sha256", null, "(request-target)"); // (1)
final Key key = new SecretKeySpec(passphrase.getBytes(), "HmacSHA256");
final Signer signer = new Signer(key, signature);
final Map<String, String> headers = new HashMap<>();
return signer.sign(method, uri, headers); // (2)

  1. Define the Signature object using just the "(request-target)" (note the use of parenthesis) element.

  2. Use the Signer class with the method, URI, and an empty header map to create the signature.

(request-target) date (with date validation)

This is similar to the the previous example, but expands on it by adding the date header to the signature. The date should be created in the "EEE, dd MMM yyyy HH:mm:ss zzz" format, and the exact same date should be passed to the Signer as is used on the Date header.

final Date today = new Date(); // default window is 1 hour
final String stringToday = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US).format(today);

final Signature signature = new Signature("key-alias", "hmac-sha256", null, "(request-target)", "date");  // (1)
final Key key = new SecretKeySpec(passphrase.getBytes(), "HmacSHA256");
final Signer signer = new Signer(key, signature);
final Map<String, String> headers = new HashMap<>();
s.put("Date", stringToday);	 // (2)
return signer.sign(method, uri, headers);

  1. Define the Signature object with the "(request-target)" and "date" headers

  2. Include the date in the headers map

Message body digest

final byte[] digest = MessageDigest.getInstance("SHA-256").digest(payload.getBytes()); // (1)
final String digestHeader = "SHA256=" + new String(Base64.encodeBase64(digest));

final Signature signature = new Signature("key-alias", "hmac-sha256", null, "(request-target)", "digest"); // (2)
final Key key = new SecretKeySpec(passphrase.getBytes(), "HmacSHA256");
final Signer signer = new Signer(key, signature);
final Map<String, String> headers = new HashMap<>();
headers.put("digest", digestHeader);
return signer.sign(method, uri, headers);

  1. Define the Signature object with the "(request-target)" and "digest" headers

  2. Include the digest in the headers map

References

Signing HTTP Messages (Internet Draft 4) https://www.ietf.org/id/draft-cavage-http-signatures-04.txt

Instance Digests in HTTP http://tools.ietf.org/html/rfc3230

http-signatures-java's People

Contributors

dblevins avatar jeanouii avatar jgallimore avatar

Watchers

avatar avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.