line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Authen::HTTP::Signature; |
2
|
|
|
|
|
|
|
|
3
|
5
|
|
|
5
|
|
141132
|
use 5.010; |
|
5
|
|
|
|
|
27
|
|
|
5
|
|
|
|
|
200
|
|
4
|
5
|
|
|
5
|
|
26
|
use strict; |
|
5
|
|
|
|
|
9
|
|
|
5
|
|
|
|
|
167
|
|
5
|
5
|
|
|
5
|
|
25
|
use warnings; |
|
5
|
|
|
|
|
18
|
|
|
5
|
|
|
|
|
150
|
|
6
|
|
|
|
|
|
|
|
7
|
5
|
|
|
5
|
|
6510
|
use Moo; |
|
5
|
|
|
|
|
77487
|
|
|
5
|
|
|
|
|
37
|
|
8
|
5
|
|
|
5
|
|
9280
|
use Scalar::Util qw(blessed); |
|
5
|
|
|
|
|
31
|
|
|
5
|
|
|
|
|
658
|
|
9
|
5
|
|
|
5
|
|
29
|
use Carp qw(confess); |
|
5
|
|
|
|
|
13
|
|
|
5
|
|
|
|
|
272
|
|
10
|
|
|
|
|
|
|
|
11
|
5
|
|
|
5
|
|
7339
|
use HTTP::Date qw(time2str); |
|
5
|
|
|
|
|
34536
|
|
|
5
|
|
|
|
|
388
|
|
12
|
5
|
|
|
5
|
|
7092
|
use Data::Dumper; |
|
5
|
|
|
|
|
71201
|
|
|
5
|
|
|
|
|
15133
|
|
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
=head1 NAME |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
Authen::HTTP::Signature - Sign and validate HTTP headers |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
=head1 VERSION |
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
Version 0.02 |
21
|
|
|
|
|
|
|
|
22
|
|
|
|
|
|
|
=cut |
23
|
|
|
|
|
|
|
|
24
|
|
|
|
|
|
|
our $VERSION = '0.02'; |
25
|
|
|
|
|
|
|
|
26
|
|
|
|
|
|
|
=head1 SYNOPSIS |
27
|
|
|
|
|
|
|
|
28
|
|
|
|
|
|
|
Create signatures: |
29
|
|
|
|
|
|
|
|
30
|
|
|
|
|
|
|
use 5.010; |
31
|
|
|
|
|
|
|
use Authen::HTTP::Signature; |
32
|
|
|
|
|
|
|
use File::Slurp qw(read_file); |
33
|
|
|
|
|
|
|
use HTTP::Request::Common; |
34
|
|
|
|
|
|
|
|
35
|
|
|
|
|
|
|
my $key_string = read_file("/my/priv/key.pem") or die $!; |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
my $signer = Authen::HTTP::Signature->new( |
38
|
|
|
|
|
|
|
key => $key_string, |
39
|
|
|
|
|
|
|
key_id => 'Test', |
40
|
|
|
|
|
|
|
); |
41
|
|
|
|
|
|
|
|
42
|
|
|
|
|
|
|
my $req = POST('http://example.com/foo?param=value&pet=dog', |
43
|
|
|
|
|
|
|
Content_Type => 'application/json', |
44
|
|
|
|
|
|
|
Content_MD5 => 'Sd/dVLAcvNLSq16eXua5uQ==', |
45
|
|
|
|
|
|
|
Content_Length => 18, |
46
|
|
|
|
|
|
|
Content => '{"hello": "world"}' |
47
|
|
|
|
|
|
|
); |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
my $signed_req = $signer->sign($req); |
50
|
|
|
|
|
|
|
|
51
|
|
|
|
|
|
|
# adds then signs the 'Date' header with private key using |
52
|
|
|
|
|
|
|
# RSA-SHA256, then adds 'Authorization' header to |
53
|
|
|
|
|
|
|
# $req |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
Validate signatures: |
56
|
|
|
|
|
|
|
|
57
|
|
|
|
|
|
|
use 5.010; |
58
|
|
|
|
|
|
|
use Authen::HTTP::Signature::Parser; |
59
|
|
|
|
|
|
|
use HTTP::Request::Common; |
60
|
|
|
|
|
|
|
use File::Slurp qw(read_file); |
61
|
|
|
|
|
|
|
use Try::Tiny; |
62
|
|
|
|
|
|
|
|
63
|
|
|
|
|
|
|
my $req = POST('http://example.com/foo?param=value&pet=dog', |
64
|
|
|
|
|
|
|
Content_Type => 'application/json', |
65
|
|
|
|
|
|
|
Content_MD5 => 'Sd/dVLAcvNLSq16eXua5uQ==', |
66
|
|
|
|
|
|
|
Content_Length => 18, |
67
|
|
|
|
|
|
|
Date => 'Thu, 05 Jan 2012 21:31:40 GMT', |
68
|
|
|
|
|
|
|
Authorization => q{Signature keyId="Test",algorithm="rsa-sha256" MDyO5tSvin5FBVdq3gMBTwtVgE8U/JpzSwFvY7gu7Q2tiZ5TvfHzf/RzmRoYwO8PoV1UGaw6IMwWzxDQkcoYOwvG/w4ljQBBoNusO/mYSvKrbqxUmZi8rNtrMcb82MS33bai5IeLnOGl31W1UbL4qE/wL8U9wCPGRJlCFLsTgD8=}, |
69
|
|
|
|
|
|
|
Content => '{"hello": "world"}' |
70
|
|
|
|
|
|
|
); |
71
|
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
my $p; |
73
|
|
|
|
|
|
|
try { |
74
|
|
|
|
|
|
|
$p = Authen::HTTP::Signature::Parser->new($req)->parse(); |
75
|
|
|
|
|
|
|
} |
76
|
|
|
|
|
|
|
catch { |
77
|
|
|
|
|
|
|
die "Parse failed: $_\n"; |
78
|
|
|
|
|
|
|
}; |
79
|
|
|
|
|
|
|
|
80
|
|
|
|
|
|
|
my $key_string = read_file("/my/pub/key.pem") or die $!; |
81
|
|
|
|
|
|
|
$p->key( $key_string ); |
82
|
|
|
|
|
|
|
|
83
|
|
|
|
|
|
|
if ( $p->verify() ) { |
84
|
|
|
|
|
|
|
say "Request is valid!" |
85
|
|
|
|
|
|
|
} |
86
|
|
|
|
|
|
|
else { |
87
|
|
|
|
|
|
|
say "Request isn't valid"; |
88
|
|
|
|
|
|
|
}; |
89
|
|
|
|
|
|
|
|
90
|
|
|
|
|
|
|
=head1 PURPOSE |
91
|
|
|
|
|
|
|
|
92
|
|
|
|
|
|
|
This is an implementation of Joyent's HTTP signature authentication scheme. The idea is to authenticate |
93
|
|
|
|
|
|
|
connections (over HTTPS ideally) using either an RSA keypair or a symmetric key by signing a set of header |
94
|
|
|
|
|
|
|
values. |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
If you wish to use SSH keys for validation as in Joyent's proposal, check out L. |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
=head1 ATTRIBUTES |
99
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
These are Perlish mutators; give an argument to set a value or no argument to get the current value. |
101
|
|
|
|
|
|
|
|
102
|
|
|
|
|
|
|
=over |
103
|
|
|
|
|
|
|
|
104
|
|
|
|
|
|
|
=item algorithm |
105
|
|
|
|
|
|
|
|
106
|
|
|
|
|
|
|
The algorithm to use for signing. Read-only. |
107
|
|
|
|
|
|
|
|
108
|
|
|
|
|
|
|
One of: |
109
|
|
|
|
|
|
|
|
110
|
|
|
|
|
|
|
=over |
111
|
|
|
|
|
|
|
|
112
|
|
|
|
|
|
|
=item * C |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
=item * C (B) |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
=item * C |
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
=item * C |
119
|
|
|
|
|
|
|
|
120
|
|
|
|
|
|
|
=item * C |
121
|
|
|
|
|
|
|
|
122
|
|
|
|
|
|
|
=item * C |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
=back |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
=back |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
=cut |
129
|
|
|
|
|
|
|
|
130
|
|
|
|
|
|
|
has 'algorithm' => ( |
131
|
|
|
|
|
|
|
is => 'ro', |
132
|
|
|
|
|
|
|
isa => sub { |
133
|
|
|
|
|
|
|
my $n = lc shift; |
134
|
|
|
|
|
|
|
confess "$n doesn't match any supported algorithm.\n" unless |
135
|
|
|
|
|
|
|
scalar grep { $_ eq $n } qw( |
136
|
|
|
|
|
|
|
rsa-sha1 |
137
|
|
|
|
|
|
|
rsa-sha256 |
138
|
|
|
|
|
|
|
rsa-sha512 |
139
|
|
|
|
|
|
|
hmac-sha1 |
140
|
|
|
|
|
|
|
hmac-sha256 |
141
|
|
|
|
|
|
|
hmac-sha512 |
142
|
|
|
|
|
|
|
); |
143
|
|
|
|
|
|
|
}, |
144
|
|
|
|
|
|
|
default => sub { 'rsa-sha256' }, |
145
|
|
|
|
|
|
|
); |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
=over |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
=item headers |
150
|
|
|
|
|
|
|
|
151
|
|
|
|
|
|
|
The list of headers to be signed (or already signed.) Defaults to the 'Date' header. The order of the headers |
152
|
|
|
|
|
|
|
in this list will be used to build the order of the text in the signing string. |
153
|
|
|
|
|
|
|
|
154
|
|
|
|
|
|
|
This attribute can have a psuedo-value. It is: |
155
|
|
|
|
|
|
|
|
156
|
|
|
|
|
|
|
=over |
157
|
|
|
|
|
|
|
|
158
|
|
|
|
|
|
|
=item * C |
159
|
|
|
|
|
|
|
|
160
|
|
|
|
|
|
|
Use the method, text of the path and query from the request, and the protocol version signature |
161
|
|
|
|
|
|
|
(i.e., C) as part of the signing string. |
162
|
|
|
|
|
|
|
|
163
|
|
|
|
|
|
|
=back |
164
|
|
|
|
|
|
|
|
165
|
|
|
|
|
|
|
=back |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
=cut |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
has 'headers' => ( |
170
|
|
|
|
|
|
|
is => 'rw', |
171
|
|
|
|
|
|
|
isa => sub { confess "The 'headers' attribute expects an arrayref.\n" unless ref($_[0]) eq ref([]) }, |
172
|
|
|
|
|
|
|
default => sub { [ 'date' ] }, |
173
|
|
|
|
|
|
|
); |
174
|
|
|
|
|
|
|
|
175
|
|
|
|
|
|
|
=over |
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
=item signing_string |
178
|
|
|
|
|
|
|
|
179
|
|
|
|
|
|
|
The string used to compute the signature digest. It contents are derived from the |
180
|
|
|
|
|
|
|
values of the C array. |
181
|
|
|
|
|
|
|
|
182
|
|
|
|
|
|
|
=back |
183
|
|
|
|
|
|
|
|
184
|
|
|
|
|
|
|
=cut |
185
|
|
|
|
|
|
|
|
186
|
|
|
|
|
|
|
has 'signing_string' => ( |
187
|
|
|
|
|
|
|
is => 'rw', |
188
|
|
|
|
|
|
|
predicate => 'has_signing_string', |
189
|
|
|
|
|
|
|
); |
190
|
|
|
|
|
|
|
|
191
|
|
|
|
|
|
|
=over |
192
|
|
|
|
|
|
|
|
193
|
|
|
|
|
|
|
=item signature |
194
|
|
|
|
|
|
|
|
195
|
|
|
|
|
|
|
Contains the digital signature authorization data. |
196
|
|
|
|
|
|
|
|
197
|
|
|
|
|
|
|
=back |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
=cut |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
has 'signature' => ( |
202
|
|
|
|
|
|
|
is => 'rw', |
203
|
|
|
|
|
|
|
predicate => 'has_signature', |
204
|
|
|
|
|
|
|
); |
205
|
|
|
|
|
|
|
|
206
|
|
|
|
|
|
|
=over |
207
|
|
|
|
|
|
|
|
208
|
|
|
|
|
|
|
=item extensions |
209
|
|
|
|
|
|
|
|
210
|
|
|
|
|
|
|
There are currently no extentions implemented by this library, but the library will append extension |
211
|
|
|
|
|
|
|
information to the generated header data if this attribute has a value. |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
=back |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
=cut |
216
|
|
|
|
|
|
|
|
217
|
|
|
|
|
|
|
has 'extensions' => ( |
218
|
|
|
|
|
|
|
is => 'rw', |
219
|
|
|
|
|
|
|
predicate => 'has_extensions', |
220
|
|
|
|
|
|
|
); |
221
|
|
|
|
|
|
|
|
222
|
|
|
|
|
|
|
|
223
|
|
|
|
|
|
|
=over |
224
|
|
|
|
|
|
|
|
225
|
|
|
|
|
|
|
=item key |
226
|
|
|
|
|
|
|
|
227
|
|
|
|
|
|
|
The key to use for cryptographic operations. The key type may have specific meaning based |
228
|
|
|
|
|
|
|
on the algorithm used. RSA requires private keys for signing and the corresponding public |
229
|
|
|
|
|
|
|
key for validation. See the specific implementation module for more details about what this |
230
|
|
|
|
|
|
|
value should be. |
231
|
|
|
|
|
|
|
|
232
|
|
|
|
|
|
|
=back |
233
|
|
|
|
|
|
|
|
234
|
|
|
|
|
|
|
=cut |
235
|
|
|
|
|
|
|
|
236
|
|
|
|
|
|
|
has 'key' => ( |
237
|
|
|
|
|
|
|
is => 'rw', |
238
|
|
|
|
|
|
|
predicate => 'has_key', |
239
|
|
|
|
|
|
|
); |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
=over |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
=item key_id |
244
|
|
|
|
|
|
|
|
245
|
|
|
|
|
|
|
Required. |
246
|
|
|
|
|
|
|
|
247
|
|
|
|
|
|
|
A means to identify the key being used to both sender and receiver. This can be any token which makes |
248
|
|
|
|
|
|
|
sense to the sender and receiver. The exact specification of a token and any necessary key management |
249
|
|
|
|
|
|
|
are outside the scope of this library. |
250
|
|
|
|
|
|
|
|
251
|
|
|
|
|
|
|
=back |
252
|
|
|
|
|
|
|
|
253
|
|
|
|
|
|
|
=cut |
254
|
|
|
|
|
|
|
|
255
|
|
|
|
|
|
|
has 'key_id' => ( |
256
|
|
|
|
|
|
|
is => 'rw', |
257
|
|
|
|
|
|
|
predicate => 'has_key_id', |
258
|
|
|
|
|
|
|
required => 1, |
259
|
|
|
|
|
|
|
); |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
=over |
262
|
|
|
|
|
|
|
|
263
|
|
|
|
|
|
|
=item request |
264
|
|
|
|
|
|
|
|
265
|
|
|
|
|
|
|
Holds the request to be parsed. Should be some kind of 'Request' object with an interface to |
266
|
|
|
|
|
|
|
get/set headers. |
267
|
|
|
|
|
|
|
|
268
|
|
|
|
|
|
|
=back |
269
|
|
|
|
|
|
|
|
270
|
|
|
|
|
|
|
=cut |
271
|
|
|
|
|
|
|
|
272
|
|
|
|
|
|
|
has 'request' => ( |
273
|
|
|
|
|
|
|
is => 'rw', |
274
|
|
|
|
|
|
|
isa => sub { confess "'request' argument isn't blessed" unless blessed($_[0]) }, |
275
|
|
|
|
|
|
|
predicate => 'has_request', |
276
|
|
|
|
|
|
|
); |
277
|
|
|
|
|
|
|
|
278
|
|
|
|
|
|
|
=over |
279
|
|
|
|
|
|
|
|
280
|
|
|
|
|
|
|
=item get_header |
281
|
|
|
|
|
|
|
|
282
|
|
|
|
|
|
|
Expects a C reference. |
283
|
|
|
|
|
|
|
|
284
|
|
|
|
|
|
|
This callback represents the method to get header values from the object in the C attribute. |
285
|
|
|
|
|
|
|
|
286
|
|
|
|
|
|
|
The request will be the first parameter, and name of the header to fetch a value will be provided |
287
|
|
|
|
|
|
|
as the second parameter to the callback. |
288
|
|
|
|
|
|
|
|
289
|
|
|
|
|
|
|
B: The callback should be prepared to handle a "psuedo-header" of C which |
290
|
|
|
|
|
|
|
is the path and query portions of the request's URI and HTTP version string. |
291
|
|
|
|
|
|
|
(For more information see the |
292
|
|
|
|
|
|
|
L.) |
293
|
|
|
|
|
|
|
|
294
|
|
|
|
|
|
|
=back |
295
|
|
|
|
|
|
|
|
296
|
|
|
|
|
|
|
=cut |
297
|
|
|
|
|
|
|
|
298
|
|
|
|
|
|
|
has 'get_header' => ( |
299
|
|
|
|
|
|
|
is => 'rw', |
300
|
|
|
|
|
|
|
isa => sub { die "'get_header' expects a CODE ref\n" unless ref($_[0]) eq "CODE" }, |
301
|
|
|
|
|
|
|
predicate => 'has_get_header', |
302
|
|
|
|
|
|
|
default => sub { |
303
|
|
|
|
|
|
|
sub { |
304
|
|
|
|
|
|
|
confess "Didn't get 2 arguments" unless @_ == 2; |
305
|
|
|
|
|
|
|
my $request = shift; |
306
|
|
|
|
|
|
|
confess "'request' isn't blessed" unless blessed $request; |
307
|
|
|
|
|
|
|
my $name = lc(shift); |
308
|
|
|
|
|
|
|
|
309
|
|
|
|
|
|
|
$name eq 'request-line' ? |
310
|
|
|
|
|
|
|
sprintf("%s %s", |
311
|
|
|
|
|
|
|
$request->uri->path_query, |
312
|
|
|
|
|
|
|
$request->protocol) |
313
|
|
|
|
|
|
|
: $request->header($name); |
314
|
|
|
|
|
|
|
}; |
315
|
|
|
|
|
|
|
}, |
316
|
|
|
|
|
|
|
lazy => 1, |
317
|
|
|
|
|
|
|
); |
318
|
|
|
|
|
|
|
|
319
|
|
|
|
|
|
|
=over |
320
|
|
|
|
|
|
|
|
321
|
|
|
|
|
|
|
=item set_header |
322
|
|
|
|
|
|
|
|
323
|
|
|
|
|
|
|
Expects a C reference. |
324
|
|
|
|
|
|
|
|
325
|
|
|
|
|
|
|
This callback represents the way to set header values on the object in the C attribute. |
326
|
|
|
|
|
|
|
|
327
|
|
|
|
|
|
|
The request will be the first parameter. The name of the header and its value will be the second and |
328
|
|
|
|
|
|
|
third parameters. |
329
|
|
|
|
|
|
|
|
330
|
|
|
|
|
|
|
Returns the request object. |
331
|
|
|
|
|
|
|
|
332
|
|
|
|
|
|
|
=back |
333
|
|
|
|
|
|
|
|
334
|
|
|
|
|
|
|
=cut |
335
|
|
|
|
|
|
|
|
336
|
|
|
|
|
|
|
has 'set_header' => ( |
337
|
|
|
|
|
|
|
is => 'rw', |
338
|
|
|
|
|
|
|
isa => sub { die "'set_header' expects a CODE ref\n" unless ref($_[0]) eq "CODE" }, |
339
|
|
|
|
|
|
|
predicate => 'has_set_header', |
340
|
|
|
|
|
|
|
default => sub { |
341
|
|
|
|
|
|
|
sub { |
342
|
|
|
|
|
|
|
confess "Didn't get 3 arguments" unless @_ == 3; |
343
|
|
|
|
|
|
|
my ($request, $name, $value) = @_; |
344
|
|
|
|
|
|
|
confess "'request' isn't blessed" unless blessed $request; |
345
|
|
|
|
|
|
|
|
346
|
|
|
|
|
|
|
$request->header( $name => $value ); |
347
|
|
|
|
|
|
|
|
348
|
|
|
|
|
|
|
$request; |
349
|
|
|
|
|
|
|
}; |
350
|
|
|
|
|
|
|
}, |
351
|
|
|
|
|
|
|
lazy => 1, |
352
|
|
|
|
|
|
|
); |
353
|
|
|
|
|
|
|
|
354
|
|
|
|
|
|
|
=over |
355
|
|
|
|
|
|
|
|
356
|
|
|
|
|
|
|
=item authorizaton_string |
357
|
|
|
|
|
|
|
|
358
|
|
|
|
|
|
|
The text to identify the HTTP signature authorization scheme. Currently defined as the string |
359
|
|
|
|
|
|
|
literal 'Signature'. Read-only. |
360
|
|
|
|
|
|
|
|
361
|
|
|
|
|
|
|
=back |
362
|
|
|
|
|
|
|
|
363
|
|
|
|
|
|
|
=cut |
364
|
|
|
|
|
|
|
|
365
|
|
|
|
|
|
|
has 'authorization_string' => ( |
366
|
|
|
|
|
|
|
is => 'ro', |
367
|
|
|
|
|
|
|
default => sub { 'Signature' }, |
368
|
|
|
|
|
|
|
); |
369
|
|
|
|
|
|
|
|
370
|
|
|
|
|
|
|
=head1 METHODS |
371
|
|
|
|
|
|
|
|
372
|
|
|
|
|
|
|
Errors are generally fatal. Use L for more graceful error handling. |
373
|
|
|
|
|
|
|
|
374
|
|
|
|
|
|
|
=cut |
375
|
|
|
|
|
|
|
|
376
|
|
|
|
|
|
|
sub _update_signing_string { |
377
|
3
|
|
|
3
|
|
6
|
my $self = shift; |
378
|
3
|
|
33
|
|
|
9
|
my $request = shift || $self->request; |
379
|
|
|
|
|
|
|
|
380
|
3
|
50
|
|
|
|
18
|
confess "I can't update the signing string because I don't have a request" unless $request; |
381
|
3
|
50
|
|
|
|
16
|
confess "I can't update the signing string because I don't have a 'get_header' callback" unless $self->has_get_header; |
382
|
|
|
|
|
|
|
|
383
|
4
|
50
|
|
|
|
1741
|
my $ss = join "\n", map { |
384
|
3
|
|
|
|
|
13
|
$self->get_header->($request, $_) |
385
|
3
|
|
|
|
|
7
|
or confess "Couldn't get header value for $_\n" } @{ $self->headers }; |
386
|
|
|
|
|
|
|
|
387
|
3
|
|
|
|
|
133
|
$self->signing_string( $ss ); |
388
|
|
|
|
|
|
|
|
389
|
3
|
|
|
|
|
5
|
return $ss; |
390
|
|
|
|
|
|
|
} |
391
|
|
|
|
|
|
|
|
392
|
|
|
|
|
|
|
sub _format_signature { |
393
|
0
|
|
|
0
|
|
0
|
my $self = shift; |
394
|
|
|
|
|
|
|
|
395
|
0
|
|
|
|
|
0
|
my $rv = sprintf(q{%s keyId="%s",algorithm="%s"}, |
396
|
|
|
|
|
|
|
$self->authorization_string, |
397
|
|
|
|
|
|
|
$self->key_id, |
398
|
|
|
|
|
|
|
$self->algorithm |
399
|
|
|
|
|
|
|
); |
400
|
|
|
|
|
|
|
|
401
|
0
|
0
|
0
|
|
|
0
|
if ( scalar @{ $self->headers } == 1 and $self->headers->[0] =~ /^date$/i ) { |
|
0
|
|
|
|
|
0
|
|
402
|
|
|
|
|
|
|
# if there's only the default header, omit the headers param |
403
|
|
|
|
|
|
|
} |
404
|
|
|
|
|
|
|
else { |
405
|
0
|
|
|
|
|
0
|
$rv .= q{,headers="} . lc(join " ", @{$self->headers}) . q{"}; |
|
0
|
|
|
|
|
0
|
|
406
|
|
|
|
|
|
|
} |
407
|
|
|
|
|
|
|
|
408
|
0
|
0
|
|
|
|
0
|
if ( $self->has_extensions ) { |
409
|
0
|
|
|
|
|
0
|
$rv .= q{,ext="} . $self->extensions . q{"}; |
410
|
|
|
|
|
|
|
} |
411
|
|
|
|
|
|
|
|
412
|
0
|
|
|
|
|
0
|
$rv .= q{ } . $self->signature; |
413
|
|
|
|
|
|
|
|
414
|
0
|
|
|
|
|
0
|
return $rv; |
415
|
|
|
|
|
|
|
|
416
|
|
|
|
|
|
|
} |
417
|
|
|
|
|
|
|
|
418
|
|
|
|
|
|
|
=over |
419
|
|
|
|
|
|
|
|
420
|
|
|
|
|
|
|
=item sign() |
421
|
|
|
|
|
|
|
|
422
|
|
|
|
|
|
|
This method takes signs the values of the specified C using C and C. |
423
|
|
|
|
|
|
|
|
424
|
|
|
|
|
|
|
By default, it uses C as its input. You may optionally pass a request object and it |
425
|
|
|
|
|
|
|
will use that instead. By default, it uses C. You may optionally pass key material and it |
426
|
|
|
|
|
|
|
will use that instead. |
427
|
|
|
|
|
|
|
|
428
|
|
|
|
|
|
|
It will add a C header to the C if there isn't already one in the request |
429
|
|
|
|
|
|
|
object. |
430
|
|
|
|
|
|
|
|
431
|
|
|
|
|
|
|
It adds a C header with the appropriate signature data. |
432
|
|
|
|
|
|
|
|
433
|
|
|
|
|
|
|
The return value is a signed request object. |
434
|
|
|
|
|
|
|
|
435
|
|
|
|
|
|
|
=back |
436
|
|
|
|
|
|
|
|
437
|
|
|
|
|
|
|
=cut |
438
|
|
|
|
|
|
|
|
439
|
|
|
|
|
|
|
sub sign { |
440
|
3
|
|
|
3
|
1
|
1351
|
my $self = shift; |
441
|
|
|
|
|
|
|
|
442
|
3
|
|
33
|
|
|
25
|
my $request = shift || $self->request; |
443
|
3
|
50
|
|
|
|
1761
|
confess "I don't have a request to sign" unless $request; |
444
|
|
|
|
|
|
|
|
445
|
3
|
|
33
|
|
|
56
|
my $key = shift || $self->key; |
446
|
3
|
50
|
|
|
|
13
|
confess "I don't have a key to use for signing" unless $key; |
447
|
|
|
|
|
|
|
|
448
|
3
|
100
|
|
|
|
16
|
unless ( $self->get_header->($request, 'date') ) { |
449
|
2
|
|
|
|
|
162
|
$self->set_header->($request, 'date', time2str()); |
450
|
|
|
|
|
|
|
} |
451
|
|
|
|
|
|
|
|
452
|
3
|
|
|
|
|
99
|
$self->_update_signing_string($request); |
453
|
|
|
|
|
|
|
|
454
|
3
|
|
|
|
|
5
|
my $signer; |
455
|
3
|
100
|
|
|
|
30
|
if ( $self->algorithm =~ /^rsa/ ) { |
|
|
50
|
|
|
|
|
|
456
|
1
|
|
|
|
|
759
|
require Authen::HTTP::Signature::Method::RSA; |
457
|
0
|
|
|
|
|
0
|
$signer = Authen::HTTP::Signature::Method::RSA->new( |
458
|
|
|
|
|
|
|
key => $key, |
459
|
|
|
|
|
|
|
data => $self->signing_string, |
460
|
|
|
|
|
|
|
hash => $self->algorithm |
461
|
|
|
|
|
|
|
); |
462
|
|
|
|
|
|
|
} |
463
|
|
|
|
|
|
|
elsif ( $self->algorithm =~ /^hmac/ ) { |
464
|
2
|
|
|
|
|
1624
|
require Authen::HTTP::Signature::Method::HMAC; |
465
|
0
|
|
|
|
|
0
|
$signer = Authen::HTTP::Signature::Method::HMAC->new( |
466
|
|
|
|
|
|
|
key => $key, |
467
|
|
|
|
|
|
|
data => $self->signing_string, |
468
|
|
|
|
|
|
|
hash => $self->algorithm |
469
|
|
|
|
|
|
|
); |
470
|
|
|
|
|
|
|
} |
471
|
|
|
|
|
|
|
else { |
472
|
0
|
|
|
|
|
0
|
confess "I don't know how to sign using " . $self->algorithm; |
473
|
|
|
|
|
|
|
} |
474
|
|
|
|
|
|
|
|
475
|
0
|
|
|
|
|
0
|
$self->signature( $signer->sign() ); |
476
|
|
|
|
|
|
|
|
477
|
0
|
|
|
|
|
0
|
$self->set_header->($request, 'Authorization', $self->_format_signature); |
478
|
|
|
|
|
|
|
|
479
|
0
|
|
|
|
|
0
|
return $request; |
480
|
|
|
|
|
|
|
} |
481
|
|
|
|
|
|
|
|
482
|
|
|
|
|
|
|
=over |
483
|
|
|
|
|
|
|
|
484
|
|
|
|
|
|
|
=item verify() |
485
|
|
|
|
|
|
|
|
486
|
|
|
|
|
|
|
This method verifies that a signature on a request is valid. |
487
|
|
|
|
|
|
|
|
488
|
|
|
|
|
|
|
By default it uses C. You may optionally pass in key material and it |
489
|
|
|
|
|
|
|
will use that instead. |
490
|
|
|
|
|
|
|
|
491
|
|
|
|
|
|
|
Returns a boolean. |
492
|
|
|
|
|
|
|
|
493
|
|
|
|
|
|
|
=back |
494
|
|
|
|
|
|
|
|
495
|
|
|
|
|
|
|
=cut |
496
|
|
|
|
|
|
|
|
497
|
|
|
|
|
|
|
sub verify { |
498
|
1
|
|
|
1
|
1
|
689
|
my $self = shift; |
499
|
|
|
|
|
|
|
|
500
|
1
|
|
33
|
|
|
14
|
my $key = shift || $self->key; |
501
|
1
|
50
|
|
|
|
5
|
confess "I don't have a key to use for verification" unless $key; |
502
|
|
|
|
|
|
|
|
503
|
1
|
50
|
|
|
|
9
|
confess "I don't have a signing string" unless $self->has_signing_string; |
504
|
1
|
50
|
|
|
|
7
|
confess "I don't have a signature" unless $self->has_signature; |
505
|
|
|
|
|
|
|
|
506
|
1
|
|
|
|
|
2
|
my $v; |
507
|
1
|
50
|
|
|
|
16
|
if ( $self->algorithm =~ /^rsa/ ) { |
|
|
0
|
|
|
|
|
|
508
|
1
|
|
|
|
|
1227
|
require Authen::HTTP::Signature::Method::RSA; |
509
|
0
|
|
|
|
|
|
$v = Authen::HTTP::Signature::Method::RSA->new( |
510
|
|
|
|
|
|
|
key => $key, |
511
|
|
|
|
|
|
|
data => $self->signing_string, |
512
|
|
|
|
|
|
|
hash => $self->algorithm |
513
|
|
|
|
|
|
|
); |
514
|
|
|
|
|
|
|
} |
515
|
|
|
|
|
|
|
elsif ( $self->algorithm =~ /^hmac/ ) { |
516
|
0
|
|
|
|
|
|
require Authen::HTTP::Signature::Method::HMAC; |
517
|
0
|
|
|
|
|
|
$v = Authen::HTTP::Signature::Method::HMAC->new( |
518
|
|
|
|
|
|
|
key => $key, |
519
|
|
|
|
|
|
|
data => $self->signing_string, |
520
|
|
|
|
|
|
|
hash => $self->algorithm |
521
|
|
|
|
|
|
|
); |
522
|
|
|
|
|
|
|
} |
523
|
|
|
|
|
|
|
else { |
524
|
0
|
|
|
|
|
|
confess "I don't know how to verify using " . $self->algorithm; |
525
|
|
|
|
|
|
|
} |
526
|
|
|
|
|
|
|
|
527
|
0
|
|
|
|
|
|
return $v->verify($self->signature); |
528
|
|
|
|
|
|
|
} |
529
|
|
|
|
|
|
|
|
530
|
|
|
|
|
|
|
=head1 AUTHOR |
531
|
|
|
|
|
|
|
|
532
|
|
|
|
|
|
|
Mark Allen, C<< >> |
533
|
|
|
|
|
|
|
|
534
|
|
|
|
|
|
|
=head1 BUGS |
535
|
|
|
|
|
|
|
|
536
|
|
|
|
|
|
|
Please report any bugs or feature requests to C, or through |
537
|
|
|
|
|
|
|
the web interface at L. I will be notified, and then you'll |
538
|
|
|
|
|
|
|
automatically be notified of progress on your bug as I make changes. |
539
|
|
|
|
|
|
|
|
540
|
|
|
|
|
|
|
=head1 SUPPORT |
541
|
|
|
|
|
|
|
|
542
|
|
|
|
|
|
|
You can find documentation for this module with the perldoc command. |
543
|
|
|
|
|
|
|
|
544
|
|
|
|
|
|
|
perldoc Authen::HTTP::Signature |
545
|
|
|
|
|
|
|
|
546
|
|
|
|
|
|
|
You can also look for information at: |
547
|
|
|
|
|
|
|
|
548
|
|
|
|
|
|
|
=over 4 |
549
|
|
|
|
|
|
|
|
550
|
|
|
|
|
|
|
=item * RT: CPAN's request tracker (report bugs here) |
551
|
|
|
|
|
|
|
|
552
|
|
|
|
|
|
|
L |
553
|
|
|
|
|
|
|
|
554
|
|
|
|
|
|
|
=item * AnnoCPAN: Annotated CPAN documentation |
555
|
|
|
|
|
|
|
|
556
|
|
|
|
|
|
|
L |
557
|
|
|
|
|
|
|
|
558
|
|
|
|
|
|
|
=item * CPAN Ratings |
559
|
|
|
|
|
|
|
|
560
|
|
|
|
|
|
|
L |
561
|
|
|
|
|
|
|
|
562
|
|
|
|
|
|
|
=item * MetaCPAN |
563
|
|
|
|
|
|
|
|
564
|
|
|
|
|
|
|
L |
565
|
|
|
|
|
|
|
|
566
|
|
|
|
|
|
|
=item * GitHub |
567
|
|
|
|
|
|
|
|
568
|
|
|
|
|
|
|
L |
569
|
|
|
|
|
|
|
|
570
|
|
|
|
|
|
|
=back |
571
|
|
|
|
|
|
|
|
572
|
|
|
|
|
|
|
=head1 SEE ALSO |
573
|
|
|
|
|
|
|
|
574
|
|
|
|
|
|
|
L, |
575
|
|
|
|
|
|
|
L, |
576
|
|
|
|
|
|
|
L |
577
|
|
|
|
|
|
|
|
578
|
|
|
|
|
|
|
L |
579
|
|
|
|
|
|
|
|
580
|
|
|
|
|
|
|
=head1 LICENSE AND COPYRIGHT |
581
|
|
|
|
|
|
|
|
582
|
|
|
|
|
|
|
Copyright 2012 Mark Allen. |
583
|
|
|
|
|
|
|
|
584
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify it |
585
|
|
|
|
|
|
|
under the terms of either: the GNU General Public License as published |
586
|
|
|
|
|
|
|
by the Free Software Foundation; or the Artistic License. |
587
|
|
|
|
|
|
|
|
588
|
|
|
|
|
|
|
See http://dev.perl.org/licenses/ for more information. |
589
|
|
|
|
|
|
|
|
590
|
|
|
|
|
|
|
=cut |
591
|
|
|
|
|
|
|
|
592
|
|
|
|
|
|
|
1; # End of Authen::HTTP::Signature |