Support draft-directory-04 with sf-dictionary signature-agent #63
thibmeu wants to merge 1 commit into cloudflare:main
This commit adds support for sf-dictionary headers in http-message-sig, and paired signature-agent as a dictionary format. This is made to be backward compatible: old test vectors still pass. The implementation of sf-dictionary is primitive, and likely does not pass all tests for [RFC 8941](https://www.rfc-editor.org/rfc/rfc8941.html). This is acceptable for now. We _could_ publish this as an alpha. The new test vectors are added in thibmeu/http-message-signatures-directory#79, and have a corresponding json [web_bot_auth_architecture_v2.json](./packages/web-bot-auth/test/test_data/web_bot_auth_architecture_v2.json). They can be imported by other implementations.
28a3d83 to 5afdf96
@AkshataDM ping
AkshatM left a comment
I think the implementation works, just left a minor comment for supporting more liberal input to the verifier.
| | "keyid" | ||
| | string; | ||
|
|
||
| export interface StructuredFieldComponent { |
The name StructuredDictionaryHeader is clearer about the shape of the component and what it applies to.
| if (value.match(/^".*"$/)) return [key.trim(), value.slice(1, -1)]; | ||
| if (value.match(/^\d+$/)) return [key.trim(), parseInt(value)]; | ||
|
|
||
| // TODO: this is restricted to components array. Per RFC9421, there could be more |
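Review bot: In the `value.match(/^".*"$/)` branch, the outer quotes are removed with `value.slice(1, -1)` but the `\"` and `\\` escapes are never decoded, and `.*` also accepts a bare `"` in the middle of the value, so the returned string can differ from what an RFC 8941 parser yields for the same field. Consider rejecting interior unescaped quotes and decoding the two escapes before returning. In the integer branch, `/^\d+$/` puts no bound on length (RFC 8941 integers are at most 15 digits, and `parseInt` loses precision well before an arbitrary digit run ends) and does not accept a leading `-`; passing an explicit radix, `parseInt(value, 10)`, would also make the intent clear.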
A small comment to clarify value here has shape of an SFV innerlist would help - I didn't realize this was parsing e.g. foo=("a" "b";key="...") for a while.
| toPush = parseInt(item); | ||
| } else if (match[1].includes('";key="')) { | ||
| toPush = { | ||
| key: match[1].split('";key="')[1], |
nit: this works if key is the first parameter on the inner list, and it works for the specific case of "signature-agent";key"...." today because it's the only parameter we require.
But for cases of two or more keys, where order is not fixed, this will break. I think a proper parser of innerlist parameters for incoming requests should handle that.
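The order-independent parameter handling this review comment asks for, as an added TypeScript example that is not code from the PR or from web-bot-auth. It parses a single RFC 8941 inner list, limited to string and integer bare items; `parseInnerList`, the type names and the sample value are assumptions made for the illustration.

```typescript
// Added example, not the PR's code; every name below is hypothetical.
type Bare = string | number | boolean;
type Params = Record<string, Bare>;
interface InnerList { items: { value: Bare; params: Params }[]; params: Params }
function parseInnerList(input: string): InnerList {
  let pos = 0;
  const fail = (why: string): never => { throw new Error(`${why} at offset ${pos}`); };
  const skipSp = (): void => { while (input.charAt(pos) === " ") pos++; };
  const bareItem = (): Bare => { // sf-integer or sf-string only, other types rejected
    const m = /^-?\d{1,15}(?![\d.])/.exec(input.slice(pos));
    if (m) { pos += m[0].length; return parseInt(m[0], 10); }
    if (input.charAt(pos) !== '"') return fail("unsupported bare item");
    let out = "";
    for (pos++; pos < input.length; ) {
      let c = input.charAt(pos++);
      if (c === '"') return out; // closing quote
      if (c === "\\") { // only \" and \\ are legal escapes
        c = input.charAt(pos++);
        if (c !== '"' && c !== "\\") return fail("invalid escape");
      } else if (c < " " || c > "~") return fail("non-printable character");
      out += c;
    }
    return fail("unterminated string");
  };
  const params = (): Params => { // any order; a bare ;key means boolean true
    const out: Params = {};
    while (input.charAt(pos) === ";") {
      pos++; skipSp();
      const k = /^[a-z*][a-z0-9_.*-]*/.exec(input.slice(pos));
      if (!k) return fail("invalid parameter key");
      pos += k[0].length;
      out[k[0]] = input.charAt(pos) === "=" ? (pos++, bareItem()) : true;
    }
    return out;
  };
  if (input.charAt(pos++) !== "(") fail("expected '('");
  const items: InnerList["items"] = [];
  for (skipSp(); input.charAt(pos) !== ")"; skipSp()) {
    items.push({ value: bareItem(), params: params() }); // throws at end of input
    if (!/^[ )]/.test(input.slice(pos))) fail("expected space or ')'");
  }
  pos++; // consume ")"
  const listParams = params();
  if (pos !== input.length) fail("trailing data");
  return { items, params: listParams };
}
// Constructed sample: `key` is not the first parameter and holds escaped quotes.
const SAMPLE = '("@authority" "signature-agent";req;key="bot \\"a\\"");created=1700000000';
console.log(JSON.stringify(parseInnerList(SAMPLE)));
```

Because the parser walks the input character by character, a `";key="` sequence inside a quoted string is treated as string content and never as a parameter boundary.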