fix(picky)!: comply with draft-cavage-http-signatures-12 when signing HTTP messages (#351)

sp1ff · web-flow · commit f043d04e1462 · 2025-03-03T16:17:38.000+09:00
BREAKING CHANGE: Change request target handling to comply with
draft-cavage-http-signatures-12 when signing HTTP messages.
diff --git a/picky/src/http/http_signature.rs b/picky/src/http/http_signature.rs
@@ -555,6 +555,9 @@ impl<'a> HttpSignatureBuilder<'a> {
                         let key = split.next().expect("there is always at least one element in the split");
                         if let Some(value) = split.next() {
                             match key {
+                                Header::REQUEST_TARGET_STR => {
+                                    headers.push(Header::RequestTarget);
+                                }
                                 Header::CREATED_STR => {
                                     headers.push(Header::Created);
                                     created = Some(value.trim().parse().map_err(|_| {
@@ -569,12 +572,6 @@ impl<'a> HttpSignatureBuilder<'a> {
                                 }
                                 header_name => headers.push(Header::new_name(header_name.to_owned())),
                             }
-                        } else if key.starts_with("get")
-                            || key.starts_with("post")
-                            || key.starts_with("put")
-                            || key.starts_with("delete")
-                        {
-                            headers.push(Header::RequestTarget);
                         } else {
                             return Err(HttpSignatureError::InvalidSigningString { line: line.to_owned() });
                         }
@@ -603,7 +600,8 @@ impl<'a> HttpSignatureBuilder<'a> {
                             }
                             Header::RequestTarget => {
                                 acc.push(format!(
-                                    "{} {}",
+                                    "{}: {} {}",
+                                    header.as_str(),
                                     http_request.get_lowercased_method()?,
                                     http_request.get_target()?
                                 ));
@@ -771,7 +769,8 @@ impl<'a> HttpSignatureVerifier<'a> {
                         }
                         Header::RequestTarget => {
                             acc.push(format!(
-                                "{} {}",
+                                "{}: {} {}",
+                                header.as_str(),
                                 http_request.get_lowercased_method()?,
                                 http_request.get_target()?
                             ));
@@ -914,20 +913,20 @@ mod tests {
     use picky_asn1_x509::{AlgorithmIdentifier, SubjectPublicKeyInfo};
 
     const HTTP_SIGNATURE_EXAMPLE: &str = "Signature keyId=\"my-rsa-key\",algorithm=\"rsa-sha256\"\
-         ,created=1402170695,headers=\"(request-target) (created) date\",\
-         signature=\"CM3Ui6l4Z6+yYdWaX5Cz10OAqUceS53Zy/qA+e4xG5Nabe215iTlnj/sfVJ3nBaMIOj/4e\
-         gxTKNDXAJbLm6nOF8zUOdJBuKQZNO1mfzrMKLsz7gc2PQI1eVxGNJoBZ40L7CouertpowQFpKyizNXqH/y\
-         YBgqPEnLk+p5ISkXeHd7P/YbAAQGnSe3hnJ/gkkJ5rS6mGuu2C8+Qm68tcSGz9qwVdNTFPpji5VPxprs2J\
-         2Z1vjsMVW97rsKOs8lo+qxPGfni27udledH2ZQABGZHOgZsChj59Xb3oVAA8/V3rjt5Un7gsz2AHQ6aY6o\
-         ky59Rsg/CpB8gP7szjK/wrCclA==\"";
+        ,created=1402170695,headers=\"(request-target) (created) date\",\
+        signature=\"bw579lDtTDsp7zif/F7Fy93KXrM6qUfCb43JMJtiL4+3nazIPlxcxVsRJEgZzK/QQPDoeUQ\
+        p4BYCzi2CbthYhHJMn/Wv008gNMcQQTuEw/KcnMrFWxqqUnVZQbCQvNai2y80WrBiOFZvN2VIdLUSO4SoIa\
+        OHvrvEoQhl3sqpv1z7yCVbQtJHwnPOWoy/11p+SU3X2ARJXN555q5wSn+DykM0Ohq1cXD84MHXP5ulI0Fa8\
+        4zQ5waxoXsieex4FI+zXSlngGmchBPXMUC437u2wXA1zLA4KGUL/uNScL1MKrTMqgV0MK4o6sR0LHOqHmIi\
+        MJ7h++UmOW/0Iw74CL2UGQ==\"";
 
     const HTTP_SIGNATURE_WEIRD_FORMAT: &str = "Signature keyId = my-rsa-key ,created= \"1402170695\",\
-         ,algorithm =\"rsa-sha256  \",headers=(request-target) (created) date  ,\
-         signature=CM3Ui6l4Z6+yYdWaX5Cz10OAqUceS53Zy/qA+e4xG5Nabe215iTlnj/sfVJ3nBaMIOj/4e\
-         gxTKNDXAJbLm6nOF8zUOdJBuKQZNO1mfzrMKLsz7gc2PQI1eVxGNJoBZ40L7CouertpowQFpKyizNXqH/y\
-         YBgqPEnLk+p5ISkXeHd7P/YbAAQGnSe3hnJ/gkkJ5rS6mGuu2C8+Qm68tcSGz9qwVdNTFPpji5VPxprs2J\
-         2Z1vjsMVW97rsKOs8lo+qxPGfni27udledH2ZQABGZHOgZsChj59Xb3oVAA8/V3rjt5Un7gsz2AHQ6aY6o\
-         ky59Rsg/CpB8gP7szjK/wrCclA==";
+        ,algorithm =\"rsa-sha256  \",headers=(request-target) (created) date  ,\
+        signature=bw579lDtTDsp7zif/F7Fy93KXrM6qUfCb43JMJtiL4+3nazIPlxcxVsRJEgZzK/QQPDoeUQ\
+        p4BYCzi2CbthYhHJMn/Wv008gNMcQQTuEw/KcnMrFWxqqUnVZQbCQvNai2y80WrBiOFZvN2VIdLUSO4SoIa\
+        OHvrvEoQhl3sqpv1z7yCVbQtJHwnPOWoy/11p+SU3X2ARJXN555q5wSn+DykM0Ohq1cXD84MHXP5ulI0Fa8\
+        4zQ5waxoXsieex4FI+zXSlngGmchBPXMUC437u2wXA1zLA4KGUL/uNScL1MKrTMqgV0MK4o6sR0LHOqHmIi\
+        MJ7h++UmOW/0Iw74CL2UGQ==";
 
     fn private_key_1() -> PrivateKey {
         let pem = picky_test_data::RSA_2048_PK_7.parse::<Pem>().expect("pem 1");
@@ -1136,7 +1135,7 @@ mod tests {
 
     #[test]
     fn sign_with_pre_generated_signing_string() {
-        let signing_string = "get /foo\n(created): 1402170695\ndate: Tue, 07 Jun 2014 20:51:35 GMT";
+        let signing_string = "(request-target): get /foo\n(created): 1402170695\ndate: Tue, 07 Jun 2014 20:51:35 GMT";
         let http_signature = HttpSignatureBuilder::new()
             .key_id("my-rsa-key")
             .signature_method(
@@ -1152,7 +1151,7 @@ mod tests {
 
     #[test]
     fn verify_with_pre_generated_signing_string() {
-        let signing_string = "get /foo\n(created): 1402170695\ndate: Tue, 07 Jun 2014 20:51:35 GMT";
+        let signing_string = "(request-target): get /foo\n(created): 1402170695\ndate: Tue, 07 Jun 2014 20:51:35 GMT";
         let http_signature = HttpSignature::from_str(HTTP_SIGNATURE_EXAMPLE).expect("http signature");
         http_signature
             .verifier()
@@ -1168,7 +1167,7 @@ mod tests {
 
     #[test]
     fn verify_with_leeway() {
-        let signing_string = "get /foo\n(created): 1402170695\ndate: Tue, 07 Jun 2014 20:51:35 GMT";
+        let signing_string = "(request-target): get /foo\n(created): 1402170695\ndate: Tue, 07 Jun 2014 20:51:35 GMT";
         let http_signature = HttpSignature::from_str(HTTP_SIGNATURE_EXAMPLE).expect("http signature");
         http_signature
             .verifier()
@@ -1207,12 +1206,12 @@ mod tests {
     }
 
     const HTTP_SIGNATURE_LEGACY: &str = "Signature keyId=my-rsa-key,created=1402170695,\
-         headers=(request-target) (created) date,\
-         signature=CM3Ui6l4Z6-yYdWaX5Cz10OAqUceS53Zy_qA-e4xG5Nabe215iTlnj_sfVJ3nBaMIOj_4e\
-         gxTKNDXAJbLm6nOF8zUOdJBuKQZNO1mfzrMKLsz7gc2PQI1eVxGNJoBZ40L7CouertpowQFpKyizNXqH_y\
-         YBgqPEnLk-p5ISkXeHd7P_YbAAQGnSe3hnJ_gkkJ5rS6mGuu2C8-Qm68tcSGz9qwVdNTFPpji5VPxprs2J\
-         2Z1vjsMVW97rsKOs8lo-qxPGfni27udledH2ZQABGZHOgZsChj59Xb3oVAA8_V3rjt5Un7gsz2AHQ6aY6o\
-         ky59Rsg_CpB8gP7szjK_wrCclA";
+        headers=(request-target) (created) date,\
+        signature=bw579lDtTDsp7zif_F7Fy93KXrM6qUfCb43JMJtiL4-3nazIPlxcxVsRJEgZzK_QQPDoeUQp4B\
+        YCzi2CbthYhHJMn_Wv008gNMcQQTuEw_KcnMrFWxqqUnVZQbCQvNai2y80WrBiOFZvN2VIdLUSO4SoIaOHvr\
+        vEoQhl3sqpv1z7yCVbQtJHwnPOWoy_11p-SU3X2ARJXN555q5wSn-DykM0Ohq1cXD84MHXP5ulI0Fa84zQ5w\
+        axoXsieex4FI-zXSlngGmchBPXMUC437u2wXA1zLA4KGUL_uNScL1MKrTMqgV0MK4o6sR0LHOqHmIiMJ7h--\
+        UmOW_0Iw74CL2UGQ";
 
     #[test]
     fn legacy() {
diff --git a/picky/src/http/mod.rs b/picky/src/http/mod.rs
@@ -84,11 +84,11 @@
 //!     http_signature_str,
 //!     "Signature keyId=\"my-rsa-key\",algorithm=\"rsa-sha224\",created=1402170695,\
 //!      headers=\"(request-target) (created) host date cache-control x-emptyheader x-example\",\
-//!      signature=\"QwuxxMSuvCdA5a2cDOjg+1WFEEGa/gD8fWwKm7gah4IUCssrie+bA5sp9wH7Jz8TQYh/XNDRUHKc\
-//!                  0oziBAIy1CsfDQWGRM+pAonfXEJufdt07v/i0OFhj5rBJfoOWPUcJ0cXzu0gs6svNhvimS3h2g30\
-//!                  gsnw1+Qjgv0+5HFwqZH4i+bHzaj0r9vIZZnnk3ecg8O2uOLuG5jCszJU9SBA0ug8l/NrQPJXMhCO\
-//!                  X59HkNVCkT4TPOovNZHyJQwu8IDhba0evPTCIvrzULpN4qY+ZAua2i3wGwWqFUgbm4eBJS2pwjWr\
-//!                  XyRusoELK0BjJ8a0KdOegmbEViIxy/Uqu0L2yQ==\""
+//!      signature=\"JueyecQbV5rQ3TI1EfqZRjAZMMOb4ABZNS0yDcBDgyfbOLORYipT2An2MCH8n/HequVJkEE\
+//!          86/vj9ZFLbyqFkV3a8uQGB6gaE79l9YNdzVeO5k7GBb1jskwBXnqVtGmn8aT2f+cJzkDtu6ptg+UtaU\
+//!          ZOQKdutc8aHq1NCLwvqMbA410XP0pA5r/VTbMg/yW8rHguue0Trh0WYCw8zHfNuZtheWxvWGLdYxvC0\
+//!          u5oJA0PdxFceqVd/304+RQsrDGLtX8J9vSeqEsQJfvswFyMTkdl1gDbP/YdXp7ADzc2D9IefT9zqvFd\
+//!          yEDDXEXKmZm+22395xRtnFmeWXu/+PM6wg==\""
 //! );
 //!
 //! // parse a http signature and verify it
@@ -108,7 +108,7 @@
 //! // alternatively you can provide a pre-generated signing string
 //!
 //! let signing_string =
-//!     "get /foo\n\
+//!     "(request-target): get /foo\n\
 //!      (created): 1402170695\n\
 //!      host: example.org\n\
 //!      date: Tue, 07 Jun 2014 20:51:35 GMT\n\
