Allow for non-string HMAC keys (#98)

TritonDataCenter · Feb 24, 2020 · f2b5ee3 · f2b5ee3
1 parent dde0188
commit f2b5ee3
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 4 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -4,6 +4,10 @@
 
 (nothing yet)
 
+## 1.3.2
+
+- Allow Buffers to be used for verifyHMAC (#98)
+
 ## 1.3.1
 
 - Fix node 0.10 usage (#90)

diff --git a/lib/verify.js b/lib/verify.js
@@ -44,14 +44,14 @@ module.exports = {
    * that was returned from `parse()`.
    *
    * @param {Object} parsedSignature the object you got from `parse`.
-   * @param {String} secret HMAC shared secret.
+   * @param {String} or {Buffer} secret HMAC shared secret.
    * @return {Boolean} true if valid, false otherwise.
    * @throws {TypeError} if you pass in bad arguments.
    * @throws {InvalidAlgorithmError}
    */
   verifyHMAC: function verifyHMAC(parsedSignature, secret) {
     assert.object(parsedSignature, 'parsedHMAC');
-    assert.string(secret, 'secret');
+    assert(typeof (secret) === 'string' || secret instanceof Buffer);
 
     var alg = validateAlgorithm(parsedSignature.algorithm);
     if (alg[0] !== 'hmac')

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "http-signature",
   "description": "Reference implementation of Joyent's HTTP Signature scheme.",
-  "version": "1.3.1",
+  "version": "1.3.2",
   "license": "MIT",
   "author": "Joyent, Inc",
   "contributors": [

diff --git a/test/verify.test.js b/test/verify.test.js
@@ -16,6 +16,7 @@ var httpSignature = require('../lib/index');
 ///--- Globals
 
 var hmacKey = null;
+var rawhmacKey = null;
 var options = null;
 var rsaPrivate = null;
 var rsaPublic = null;
@@ -45,6 +46,8 @@ test('setup', function(t) {
   t.ok(ecdsaPublic);
 
   hmacKey = uuid();
+  rawhmacKey = crypto.randomBytes(64);
+
   socket = '/tmp/.' + uuid();
   options = {
     socketPath: socket,
@@ -107,6 +110,49 @@ test('valid hmac', function(t) {
   });
 });
 
+test('invalid raw hmac', function(t) {
+  server.tester = function(req, res) {
+    var parsed = httpSignature.parseRequest(req);
+    t.ok(!httpSignature.verifyHMAC(parsed, rawhmacKey));
+
+    res.writeHead(200);
+    res.write(JSON.stringify(parsed, null, 2));
+    res.end();
+  };
+
+  options.headers.Date = jsprim.rfc1123(new Date());
+  options.headers.Authorization =
+    'Signature keyId="foo",algorithm="hmac-sha1",signature="' +
+     uuid() + '"';
+
+  http.get(options, function(res) {
+    t.equal(res.statusCode, 200);
+    t.end();
+  });
+});
+
+test('valid raw hmac', function(t) {
+  server.tester = function(req, res) {
+    var parsed = httpSignature.parseRequest(req);
+    t.ok(httpSignature.verifyHMAC(parsed, rawhmacKey));
+
+    res.writeHead(200);
+    res.write(JSON.stringify(parsed, null, 2));
+    res.end();
+  };
+
+  options.headers.Date = jsprim.rfc1123(new Date());
+  var hmac = crypto.createHmac('sha1', rawhmacKey);
+  hmac.update('date: ' + options.headers.Date);
+  options.headers.Authorization =
+    'Signature keyId="foo",algorithm="hmac-sha1",signature="' +
+    hmac.digest('base64') + '"';
+
+  http.get(options, function(res) {
+    t.equal(res.statusCode, 200);
+    t.end();
+  });
+});
 
 test('invalid rsa', function(t) {
   server.tester = function(req, res) {