Stability: 1 - Experimental
This module provides specification and reference implementation of Capability Signature Version 1 CAP1-HMAC-SHA512
.
The signature is based on AWS Signature Version 4 with the following modifications:
- Algorithm used is
CAP1-HMAC-SHA512
. - Credential termination string is
cap1_request
instead ofaws4_request
. sha512
is used throughout instead ofsha256
.X-Cap-Date
header is used instead ofX-Amz-Date
orDate
.- Request payload is not used as part of the signature.
- Credential scope uses
host
instead ofregion
andservice
. - Signing key derivation uses
host
instead ofregion
andservice
. - Generated string to sign uses
base64url
encodedsha512
hash of canonical request instead ofhex
encodedsha256
hash. - Signature is
base64url
encoded instead ofhex
.
npm install cap1-hmac-sha512
To run the below example run:
npm run demo
"use strict";
const cap1HmacSha512 = require("../index.js");
const http = require("http"); // not https for demo only
const url = require("url");
const secrets = // hardcoded for demo only
{
"someId": "mySecret"
};
const server = http.createServer((req, resp) =>
{
console.log("request received:", req.headers);
const parsedUrl = url.parse(req.url);
const verifyParams =
{
headers: req.headers,
httpRequestMethod: req.method,
path: parsedUrl.pathname,
queryString: parsedUrl.query,
secret: (keyId, callback) => callback(undefined, secrets[keyId])
};
cap1HmacSha512.verify(verifyParams, (error, authorized) =>
{
console.log("request authorized:", authorized);
if (authorized)
{
resp.statusCode = 200;
}
else
{
resp.statusCode = 401;
}
resp.end();
}
);
req.on("data", () => {}); // drain request
}
);
server.listen(8888, () =>
{
console.log("server listening");
const options =
{
host: "localhost",
headers:
{
host: "localhost:8888",
connection: "close"
},
method: "GET",
path: "/somewhere?page=12",
port: 8888
};
const signature = cap1HmacSha512.sign(
{
headers: options.headers,
httpRequestMethod: options.method,
key: secrets["someId"],
keyId: "someId",
path: "/somewhere",
queryString: "page=12"
}
);
options.headers.authorization = signature.authorization;
options.headers["x-cap-date"] = signature["x-cap-date"];
console.log("client request:", options);
http.request(options, resp =>
{
console.log("response status code:", resp.statusCode);
resp.on("data", () => {}); // drain response
delete options.headers["x-cap-date"];
http.request(options, resp =>
{
console.log("response status code:", resp.statusCode);
resp.on("data", () => {}); // drain response
process.exit(0);
}
).end();
}
).end();
}
);
npm test
Public API
params
: Object Signature parameters.headers
: Object HTTP request headers.httpRequestMethod
: String (Default: "GET") HTTP request method.key
: String Secret to sign with corresponding to providedkeyId
.keyId
: String Id of the secret to sign with.path
: String (Default: "/") HTTP request path.queryString
: String (Default: "") HTTP request query string.
- Return: Object Result.
algorithm
: String Algorithm used,CAP1-HMAC-SHA512
.authorization
: String HTTP Authorization header contents.credential
: String Credential used for signing.x-cap-date
: String HTTP X-Cap-Date header contents.signedHeaders
: String List of headers used for signing.signature
: String base64url encoded signature.
Calculates the CAP1-HMAC-SHA512
signature given provided params
. The authorization
parameter from the result can be used directly as the Authorization
header in HTTP request.
If params.headers["X-Cap-Date"]
is not provided, an X-Cap-Date
header will be generated and used as part of the signature. For the HTTP request to be valid, the x-cap-date
field from the result must be used as the X-Cap-Date
header in the HTTP request.
params
: Object Verification parameters.headers
: Object HTTP request headers.httpRequestMethod
: String HTTP request method.path
: String HTTP request path.queryString
: String HTTP request query string.secret
: Function(keyId, callback) => {}
Function to retrievekey
material corresponding to providedkeyId
.keyId
: String Key id fromCAP1-HMAC-SHA512
signature to retrievekey
material for.callback
: Function(error, key) => {}
Callback to call with error or key material.
callback
: Function(error, authorized) => {}
error
: Error Error, if any.authorized
: Booleantrue
if signature is verified,false
otherwise.
Extracts keyId
from Authorization
header, retrieves corresponding key
material via secret
callback, and calculates CAP1-HMAC-SHA512
signature given provided params
. If signature is verified, it calls callback with authorized=true
, otherwise, callback is called with authorized=false
or an error
.
We follow the semantic versioning policy (semver.org) with a caveat:
Given a version number MAJOR.MINOR.PATCH, increment the:
MAJOR version when you make incompatible API changes,
MINOR version when you add functionality in a backwards-compatible manner, and
PATCH version when you make backwards-compatible bug fixes.
caveat: Major version zero is a special case indicating development version that may make incompatible API changes without incrementing MAJOR version.