
feat(hmac-auth): add support for RSA signatures

Open locao opened this issue 2 years ago • 6 comments

Summary

The hmac-auth plugin allows authentication with HMAC signatures based on the draft-cavage-http-signatures draft. This commit aims to add support for RSA signatures as described in the draft, providing a stronger layer of security via asymmetric encryption.

Co-authored-by: Jérémy Quilleré [email protected]

Note: the feature was coded by @mideuger in #8530, this PR adds cluster compatibility support.

Checklist

  • [x] The Pull Request has tests
  • [x] There's an entry in the CHANGELOG
  • [ ] There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

Full changelog

  • Add possible values to algorithms (rsa-sha256 and rsa-sha512)
  • Add a new field to this plugin's credential (public_key)
  • Add tests showing failed and succeeded authentications using rsa algorithms

How to test

First, create an RSA key pair:

openssl genrsa -out private_key.pem
openssl rsa -in private_key.pem -pubout -out public_key.pem

Then, enable the plugin, create a consumer and a corresponding credential with the public key:

curl -X POST http://localhost:8001/plugins \
    --form "name=hmac-auth"  \
    --form "config.algorithms=rsa-sha256" \
    --form "config.algorithms=rsa-sha512"

curl -X POST http://localhost:8001/consumers \
    --form "username=alice"

curl -X POST http://localhost:8001/consumers/alice/hmac-auth \
    --form "username=alice" \
    --form "public_key=@public_key.pem"

Finally, make a signed request:

export DATE="date: $(echo -n $(TZ=GMT date '+%a, %d %b %Y %T %Z'))"
export SIGNATURE=$(printf %s "${DATE}" | openssl dgst -binary -sha512 -sign private_key.pem | openssl base64 -A)
export AUTHORIZATION='authorization: username="alice", algorithm="rsa-sha512", headers="date", signature="'${SIGNATURE}'"'

curl -X GET http://localhost:8000 \
    --header "${DATE}" \
    --header "${AUTHORIZATION}"

Possible improvements

Here are some improvements that we might want to implement after this one:

  • Check public key validity during credential creation/update
  • Rebrand the plugin to HTTP Signature
  • Use Signature header to provide the signature (or let it be configurable)
  • Implement keyId from the draft

Issue reference

KAG-1934 Closes: #8530

locao avatar Jun 27 '23 19:06 locao
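The "How to test" steps above only exercise the client side with curl. The script below is an added example, not code from this PR or from the Kong plugin: it reproduces with plain openssl what a gateway must do when it receives such a request, i.e. rebuild the draft-cavage signing string from the listed headers, decode the base64 signature and verify it against the stored public key, and it also covers the "check public key validity during credential creation" item from the improvements list. It generalises the page's `headers="date"` case to `(request-target) date`; the key pair is a throwaway one generated on the spot and "alice" is the constructed consumer name from the description. Function names (`build_signing_string`, `sign_request`, `verify_request`, `validate_public_key`, `extract_param`) are this example's own, not the plugin's.

```shell
#!/bin/sh
# Added example (not from the Kong PR): sign and verify a draft-cavage
# RSA signature with openssl, the way an hmac-auth verifier has to.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PRIVATE_KEY="$WORKDIR/private_key.pem"   # stays with the client
PUBLIC_KEY="$WORKDIR/public_key.pem"     # what the credential stores
openssl genrsa -out "$PRIVATE_KEY" 2048 2>/dev/null      # throwaway key pair
openssl rsa -in "$PRIVATE_KEY" -pubout -out "$PUBLIC_KEY" 2>/dev/null

NL=$(printf '\nx'); NL=${NL%x}   # a literal newline; $(...) alone would strip it

# validate_public_key FILE -> exit 0 only if openssl can parse a public key from it
# (the credential-creation check listed under "Possible improvements")
validate_public_key() {
  openssl pkey -pubin -in "$1" -noout >/dev/null 2>&1
}

# build_signing_string METHOD PATH DATE HEADERS
# HEADERS is the space-separated "headers" parameter. Each entry becomes
# "name: value"; entries are joined with "\n" and there is no trailing
# newline. Only the two header names used on this page are handled.
build_signing_string() {
  method=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); path=$2; date_value=$3
  out=""; sep=""
  for h in $4; do
    case "$h" in
      "(request-target)") line="(request-target): $method $path" ;;
      date)               line="date: $date_value" ;;
      *) echo "unsupported header in this example: $h" >&2; return 1 ;;
    esac
    out="$out$sep$line"; sep=$NL
  done
  printf '%s' "$out"
}

# digest_for ALGORITHM -> openssl digest name for the two algorithms this PR adds
digest_for() {
  case "$1" in
    rsa-sha256) echo sha256 ;;
    rsa-sha512) echo sha512 ;;
    *) echo "unsupported algorithm: $1" >&2; return 1 ;;
  esac
}

# sign_request METHOD PATH DATE ALGORITHM HEADERS -> base64 signature (client side)
sign_request() {
  digest=$(digest_for "$4")
  build_signing_string "$1" "$2" "$3" "$5" \
    | openssl dgst "-$digest" -sign "$PRIVATE_KEY" -binary \
    | openssl base64 -A
}

# verify_request METHOD PATH DATE ALGORITHM HEADERS SIGNATURE_B64 -> exit 0 only if valid
# (gateway side: same signing string, verified with the stored public key)
verify_request() {
  digest=$(digest_for "$4") || return 1
  printf '%s' "$6" | openssl base64 -d -A > "$WORKDIR/sig.bin"
  build_signing_string "$1" "$2" "$3" "$5" \
    | openssl dgst "-$digest" -verify "$PUBLIC_KEY" -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

# build_authorization_header USERNAME ALGORITHM HEADERS SIGNATURE_B64
build_authorization_header() {
  printf 'authorization: username="%s", algorithm="%s", headers="%s", signature="%s"' "$1" "$2" "$3" "$4"
}

# extract_param HEADER NAME -> value of the quoted NAME="value" parameter
extract_param() {
  printf '%s' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# --- demo: one valid request, one tampered replay ---
validate_public_key "$PUBLIC_KEY" && echo "public key parses"
HEADERS="(request-target) date"
DATE_VALUE=$(TZ=GMT date '+%a, %d %b %Y %T %Z')
SIG=$(sign_request GET /status "$DATE_VALUE" rsa-sha512 "$HEADERS")
AUTH=$(build_authorization_header alice rsa-sha512 "$HEADERS" "$SIG")
echo "$AUTH"
if verify_request GET /status "$DATE_VALUE" "$(extract_param "$AUTH" algorithm)" \
     "$(extract_param "$AUTH" headers)" "$(extract_param "$AUTH" signature)"; then
  echo "signature valid"
fi
# the same signature presented with a different method does not verify
if ! verify_request POST /status "$DATE_VALUE" rsa-sha512 "$HEADERS" "$SIG"; then
  echo "tampered request rejected"
fi
```

Two things worth knowing when reading this against the thread: `openssl dgst -sign` with an RSA key uses PKCS#1 v1.5 padding, which is what draft-cavage's rsa-sha256 and rsa-sha512 denote; the newer httpbis message-signatures draft linked further down names that explicitly (rsa-v1_5-sha256) and lists PSS (rsa-pss-sha512) as a separate algorithm, so a migration would need to keep the two apart. The example also does not reproduce the plugin's clock-skew check on the Date header, which is what limits how long a captured signature stays replayable.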

@bungle please give this a review

kikito avatar Aug 22 '23 16:08 kikito

Please add an entry in removed_fields.lua

catbro666 avatar Sep 07 '23 03:09 catbro666

Strictly speaking, rsa doesn't belong to hmac. The scope of the plugin name feels a little small now. Maybe something like "sign-auth" would have been better

catbro666 avatar Sep 07 '23 03:09 catbro666

hi @locao I'm helping to resolve this conflict, recently I have also reviewed original community PRs. Hans and I will be helping to move the progress of this community PR into our master.

chobits avatar Sep 23 '23 14:09 chobits

Looks like this is the latest draft: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures

So in theory at least I would rather move this plugin in direction of this: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures#iana-hsa-contents

That lists there:

  • rsa-pss-sha512
  • rsa-v1_5-sha256
  • hmac-sha256
  • ecdsa-p256-sha256
  • ecdsa-p384-sha384
  • ed25519

And perhaps later: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures#name-json-web-signature-jws-algo

bungle avatar Dec 07 '23 15:12 bungle