JWS support added in existing plugin #71
Conversation
karen-avetisyan-mc
added
the
safe
|
Please refer this document for JWS support design document and use case summary |
karen-avetisyan-mc
requested review from
ShimonaR-MC,
joseph-neeraj and
karen-avetisyan-mc
|
There was a problem hiding this comment.
If you have a design/requirement doc for this.Please send us a link.
The JWS header seems to use custom configuration, with an iat in the header and crit iat. We need some context on this. If this is a one off and not the generic design across APIs in Mastercard, we'll have to re-think if this should be merged to the common/public repo.
| const jwsHeaders = jwsParts[0]; | ||
| const jwsSignature = jwsParts[2]; | ||
| const jwsSign = jwsHeaders + '.' + jwsPayload + '.' + jwsSignature; | ||
| const isVerified = KJUR.jws.JWS.verify(jwsSign, publicKeyPEM, [algo]); |
There was a problem hiding this comment.
Does this response JWS header have the crit: [ "iat" ] and "iat" keys ? if so is it verified here ?
There was a problem hiding this comment.
Note: Please refer to this comment , to decide whether this change needs to be implemented or not.
iat in the header is a custom header value as far as I can tell.
Nothing in the code or jsrassign's docs suggest that it will be checked automatically.
the lib only seems to be verifying the signature here.
Please verify iat here.
The link directs to this page again, please mail us the valid link. |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
|
|
||
| function jwsVerify(jws, expectedPayload, publicKeyPEM, algo) { | ||
| const stringPayload = JSON.stringify(expectedPayload); | ||
| const jwsPayload = Buffer.from(stringPayload, 'binary').toString('base64url'); |
There was a problem hiding this comment.
Same as my previous comment, please check this again, as per nodejs' documentation 'binary' is an alias for 'latin1', so any unicode character which does not fit into latin1 will be truncated.
the english alphabet will fit but a lot of other characters won't and will result in data loss, resulting in incorrect signature computation. Please use utf-8 when reading the string to the buffer and see if it works.
| const jwsPayload = Buffer.from(stringPayload, 'binary').toString('base64url'); | |
| const jwsPayload = Buffer.from(stringPayload, 'utf-8').toString('base64url'); |
| const jwsHeaders = jwsParts[0]; | ||
| const jwsSignature = jwsParts[2]; | ||
| const jwsSign = jwsHeaders + '.' + jwsPayload + '.' + jwsSignature; | ||
| const isVerified = KJUR.jws.JWS.verify(jwsSign, publicKeyPEM, [algo]); |
There was a problem hiding this comment.
Note: Please refer to this comment , to decide whether this change needs to be implemented or not.
iat in the header is a custom header value as far as I can tell.
Nothing in the code or jsrassign's docs suggest that it will be checked automatically.
the lib only seems to be verifying the signature here.
Please verify iat here.
| const requestConfig = utils.getRequestConfig(mcContext.signatureConfig, mcContext.url); | ||
|
|
||
| if (!requestConfig) { | ||
| return | ||
| } |
There was a problem hiding this comment.
Please move these to the line just after
const mcContext = new MastercardContext(context);
None of the payload or signature calculations matter if the request does not have any signature configuration.
| const url = new URL(requestUrl); | ||
| payload = url.pathname + url.search; | ||
| } else { | ||
| payload = body.text ? body.text : undefined; |
There was a problem hiding this comment.
The check has already been done by hasBody
| payload = body.text ? body.text : undefined; | |
| payload = body.text |
|
|
||
| function jwsSign(payload, KID, privateKeyPEM, algo) { | ||
|
|
||
| const header = { "alg": algo, "kid": KID, "crit": [ "iat" ], "iat": KJUR.jws.IntDate.get("now").toString()}; |
There was a problem hiding this comment.
As per the implementation guide iat is a number. Please fix this. I suppose it needs to be fixed on the server side as well .
| return detachedJWS; | ||
| } | ||
|
|
||
| function jwsVerify(jws, expectedPayload, publicKeyPEM, algo) { |
There was a problem hiding this comment.
Note that these suggestions are applicable only if we don't merge the PR to this repo.
These are requirements for the zapp platform and may not be applicable in a generic sense.
So please hold off implementing these until we decide on whether these are going into this repo.
A few checks from the implementation guide are missing here:
- Check that
critheader only containsiat. algshould only beRS256.- Verify the
iatheader value. It should be a number and within tolerance levels to account for network delays/clock skews.
3 participants
This plugin can take care of generating jws signature creation and/or jws signature verification. To enable jws signing support,
you need to configure in the environment the
signatureConfigproperty.