
feat(hmac-auth) add support for RSA signatures

Open mideuger opened this issue 2 years ago • 2 comments

Summary

The hmac-auth plugin allows authentication with HMAC signatures based on the draft-cavage-http-signatures draft. This commit aims to add support for RSA signatures as described in the draft, providing a stronger layer of security via asymmetric encryption.

Full changelog

  • Add possible values to algorithms (rsa-sha256 and rsa-sha512)
  • Add a new field to this plugin's credential (public_key)
  • Add tests showing failed and succeeded authentications using rsa algorithms

How to test

First, create an RSA key pair:

openssl genrsa -out private_key.pem
openssl rsa -in private_key.pem -pubout -out public_key.pem

Then, enable the plugin, create a consumer and a corresponding credential with the public key:

curl -X POST http://localhost:8001/plugins \
    --form "name=hmac-auth"  \
    --form "config.algorithms=rsa-sha256" \
    --form "config.algorithms=rsa-sha512"

curl -X POST http://localhost:8001/consumers \
    --form "username=alice"

curl -X POST http://localhost:8001/consumers/alice/hmac-auth \
    --form "username=alice" \
    --form "public_key=@public_key.pem"

Finally, make a signed request:

export DATE="date: $(echo -n $(TZ=GMT date '+%a, %d %b %Y %T %Z'))"
export SIGNATURE=$(printf %s "${DATE}" | openssl dgst -binary -sha512 -sign private_key.pem | openssl base64 -A)
export AUTHORIZATION='authorization: username="alice", algorithm="rsa-sha512", headers="date", signature="'${SIGNATURE}'"'

curl -X GET http://localhost:8000 \
    --header "${DATE}" \
    --header "${AUTHORIZATION}"

Possible improvements

Here are some improvements that we might want to implement after this one:

  • Check public key validity during credential creation/update
  • Rebrand the plugin to HTTP Signature
  • Use the Signature header to provide the signature (or let it be configurable)
  • Implement keyId from the draft

mideuger, Mar 10 '22 17:03
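The signing step from the recipe above, paired with the verification the server performs with the consumer's public key, as an added example that is not part of the PR. It reproduces the draft's signing string for headers="date" with a constructed key pair and shows that the declared algorithm and the signed header value both have to match for verification to pass.

```shell
#!/bin/sh
# Added example (not code from the PR): reproduce the signing step from the
# recipe above and the verification the server does with the consumer's
# public key. Key pair and dates below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same key pair generation as in the PR text (2048-bit RSA).
openssl genrsa -out "$WORK/private_key.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/private_key.pem" -pubout -out "$WORK/public_key.pem" 2>/dev/null

# Signing string for headers="date": lowercase name, ": ", value, no newline.
signing_string() {
  printf 'date: %s' "$1"
}

# Client side: $1 = sha256|sha512 (the part after "rsa-" in the algorithm
# parameter), $2 = Date header value. Prints the base64 signature.
sign_date() {
  signing_string "$2" | openssl dgst -binary "-$1" -sign "$WORK/private_key.pem" | openssl base64 -A
}

# Server side: $1 = digest, $2 = Date header value, $3 = base64 signature.
# Exit status 0 means the signature is valid for this key, digest and value.
verify_date() {
  printf '%s' "$3" | openssl base64 -d -A > "$WORK/sig.bin"
  signing_string "$2" | openssl dgst "-$1" -verify "$WORK/public_key.pem" \
    -signature "$WORK/sig.bin" >/dev/null 2>&1
}

DATE_VALUE=$(TZ=GMT date '+%a, %d %b %Y %T %Z')
SIG=$(sign_date sha512 "$DATE_VALUE")

if verify_date sha512 "$DATE_VALUE" "$SIG"; then echo "rsa-sha512: valid"; fi
# The declared algorithm must match the one used to sign: PKCS#1 v1.5
# signatures embed the digest identifier, so verifying as rsa-sha256 fails.
if ! verify_date sha256 "$DATE_VALUE" "$SIG"; then echo "rsa-sha256: rejected"; fi
# Any change to the signed header value invalidates the signature.
if ! verify_date sha512 "Thu, 01 Jan 1970 00:00:00 GMT" "$SIG"; then echo "altered date: rejected"; fi
```

The plugin's own clock-skew check on the Date header is a separate step that this example does not reproduce.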

CLA assistant check
All committers have signed the CLA.

CLAassistant, Mar 10 '22 17:03

The branch has been rebased following https://github.com/Kong/kong/commit/88abdb80c6ba12fedf0500d1a44d47f6e4179c95, which created some conflicts. That allowed me to slightly improve the implementation of the validate_signature function 🙂

mideuger, Mar 28 '22 10:03

  • ✅ I've examined other parts of the source code and believe it works correctly.
    • I manually fixed 'kong/plugins/hmac-auth/access.lua.rej' and tested it OK with the simple scripts from this PR's first comment.

TODO

  • Test case: with some effort to resolve the rejections in the test case, I'm unable to get the test case to pass. Maybe there have been some modifications to the hmac-auth test cases since this commit.
  • Unnecessary to support Cassandra in this PR, as mentioned in this comment
  • Need to be compatible with old versions of Kong, as mentioned in this comment.
  • Need to rebase on master; there are some conflicts:
    • 1 out of 7 hunks failed--saving rejects to 'kong/plugins/hmac-auth/access.lua.rej'
    • 1 out of 1 hunks failed--saving rejects to 'spec/03-plugins/19-hmac-auth/01-schema_spec.lua.rej'
    • 1 out of 5 hunks failed--saving rejects to 'spec/03-plugins/19-hmac-auth/03-access_spec.lua.rej'

chobits, Sep 17 '23 09:09

I found that we have an updated PR here: https://github.com/Kong/kong/pull/11133 @hanshuebner, so I'll try to review that PR. Not opening a new one.

chobits, Sep 19 '23 08:09

Closing in favor of #11133

hanshuebner, Sep 25 '23 07:09