Consumers need to provide a key lookup function when verifying messages

Author: dhensby

src/cavage/index.ts

@@ -265,7 +265,7 @@ export async function verifyMessage(config: VerifyConfig, message: Request | Res
         }
     }
     // now look to verify the signature! Build the expected "signing base" and verify it!
-    return config.verifier(Buffer.from(base), Buffer.from(parsedHeader.get('signature'), 'base64'), Array.from(parsedHeader.entries()).reduce((params, [key, value]) => {
+    const params = Array.from(parsedHeader.entries()).reduce((params, [key, value]) => {
         let keyName = key;
         let val: Date | number | string;
         switch (key.toLowerCase()) {
@@ -284,7 +284,6 @@ export async function verifyMessage(config: VerifyConfig, message: Request | Res
                 keyName = 'keyid';
                 val = value;
                 break;
-                // no break
             default: {
                 if (typeof value === 'string' || typeof value=== 'number') {
                     val = value;
@@ -296,5 +295,7 @@ export async function verifyMessage(config: VerifyConfig, message: Request | Res
         return Object.assign(params, {
             [keyName]: val,
         });
-    }, {}));
+    }, {});
+    const key = await config.keyLookup(params);
+    return key?.verify(Buffer.from(base), Buffer.from(parsedHeader.get('signature'), 'base64'), params) ?? null;
 }

src/httpbis/index.ts

@@ -22,6 +22,7 @@ import {
     defaultParams,
     isRequest,
     CommonConfig,
+    VerifyingKey,
 } from '../types';
 
 export function deriveComponent(component: string, params: Map<string, string | number | boolean>, res: Response, req?: Request): string[];
@@ -353,7 +354,28 @@ export async function verifyMessage(config: VerifyConfig, message: Request | Res
     const requiredParams = config.requiredParams ?? [];
     const requiredFields = config.requiredFields ?? [];
     return Array.from(signatureInputs.entries()).reduce<Promise<boolean | null>>(async (prev, [name, input]) => {
-        const result: Error | boolean | null = await prev.catch((e) => e);
+        const [result, key]: [Error | boolean | null, VerifyingKey] = await Promise.all([
+            prev.catch((e) => e),
+            config.keyLookup(Array.from(input[1].entries()).reduce((params, [key, value]) => {
+                if (value instanceof ByteSequence) {
+                    Object.assign(params, {
+                        [key]: value.toBase64(),
+                    });
+                } else if (value instanceof Token) {
+                    Object.assign(params, {
+                        [key]: value.toString(),
+                    });
+                } else {
+                    Object.assign(params, {
+                        [key]: value,
+                    });
+                }
+                return params;
+            }, {})),
+        ]);
+        if (!config.all && !key) {
+            return null;
+        }
         if (!config.all && result === true) {
             return result;
         }
@@ -407,7 +429,7 @@ export async function verifyMessage(config: VerifyConfig, message: Request | Res
         if (!isByteSequence(signature[0] as BareItem)) {
             throw new Error('Malformed signature');
         }
-        return config.verifier(Buffer.from(base), Buffer.from((signature[0] as ByteSequence).toBase64(), 'base64'), Array.from(input[1].entries()).reduce((params, [key, value]) => {
+        return key.verify(Buffer.from(base), Buffer.from((signature[0] as ByteSequence).toBase64(), 'base64'), Array.from(input[1].entries()).reduce((params, [key, value]) => {
             let val: Date | number | string;
             switch (key.toLowerCase()) {
                 case 'created':

src/types/index.ts

@@ -11,15 +11,40 @@ export interface Response {
 
 export type Signer = (data: Buffer) => Promise<Buffer>;
 export type Verifier = (data: Buffer, signature: Buffer, parameters?: SignatureParameters) => Promise<boolean | null>;
+export type VerifierFinder = (parameters: SignatureParameters) => Promise<VerifyingKey>;
 
 export type Algorithm = 'rsa-v1_5-sha256' | 'ecdsa-p256-sha256' | 'hmac-sha256' | 'rsa-pss-sha512' | string;
 
 export interface SigningKey {
+    /**
+     * The ID of this key
+     */
     id?: string;
+    /**
+     * The algorithm to sign with
+     */
     alg?: Algorithm;
+    /**
+     * The Signer function
+     */
     sign: Signer;
 }
 
+export interface VerifyingKey {
+    /**
+     * The ID of this key
+     */
+    id?: string;
+    /**
+     * The supported algorithms for this key
+     */
+    algs?: Algorithm[];
+    /**
+     * The Verify function
+     */
+    verify: Verifier;
+}
+
 /**
  * The signature parameters to include in signing
  */
@@ -47,9 +72,9 @@ export interface SignatureParameters {
      */
     keyid?: string;
     /**
-     * A context parameter for the signature
+     * A tag parameter for the signature
      */
-    context?: string;
+    tag?: string;
     [param: string]: Date | number | string | null | undefined;
 }
 
@@ -105,20 +130,25 @@ export interface SignConfig extends CommonConfig {
      * of adding creation time (by setting `created: null`)
      */
     paramValues?: SignatureParameters,
+    /**
+     * A list of supported algorithms
+     */
+    algs?: Algorithm[];
 }
 
 /**
  * Options when verifying signatures
  */
 export interface VerifyConfig extends CommonConfig {
-    verifier: Verifier;
+    keyLookup: VerifierFinder;
     /**
-     * A maximum age for the signature
+     * A date that the signature can't have been marked as `created` after
      * Default: Date.now() + tolerance
      */
     notAfter?: Date | number;
     /**
-     * The maximum age of the signature - this overrides the `expires` value for the signature
+     * The maximum age of the signature - this effectively overrides the `expires` value for the
+     * signature (unless the expires age is less than the maxAge specified)
      * if provided
      */
     maxAge?: number;

test/cavage/new.spec.ts

@@ -413,10 +413,12 @@ describe('cavage', () => {
             };
             it('verifies a request', async () => {
                 const verifierStub = stub().resolves(true);
+                const keyLookup = stub().callsFake(async ({ keyid }) => keyid === 'test-key-a' ? { verify: verifierStub } : null);
                 const valid = await cavage.verifyMessage({
-                    verifier: verifierStub,
+                    keyLookup,
                 }, request);
                 expect(valid).to.equal(true);
+                expect(keyLookup).to.have.callCount(1);
                 expect(verifierStub).to.have.callCount(1);
                 expect(verifierStub).to.have.been.calledOnceWithExactly(
                     Buffer.from(
@@ -450,8 +452,9 @@ describe('cavage', () => {
             };
             it('verifies a response', async () => {
                 const verifierStub = stub().resolves(true);
+                const keyLookup = stub().callsFake(async ({ keyid }) => keyid === 'test-key-a' ? { verify: verifierStub } : null);
                 const result = await cavage.verifyMessage({
-                    verifier: verifierStub,
+                    keyLookup,
                 }, response);
                 expect(result).to.equal(true);
                 expect(verifierStub).to.have.callCount(1);

test/httpbis/new.spec.ts

@@ -1095,10 +1095,12 @@ describe('httpbis', () => {
             };
             it('verifies a request', async () => {
                 const verifierStub = stub().resolves(true);
+                const keyLookup = stub().callsFake(async ({ keyid }) => keyid === 'test-key-rsa-pss' ? { verify: verifierStub } : null);
                 const valid = await httpbis.verifyMessage({
-                    verifier: verifierStub,
+                    keyLookup,
                 }, request);
                 expect(valid).to.equal(true);
+                expect(keyLookup).to.have.callCount(1);
                 expect(verifierStub).to.have.callCount(1);
                 expect(verifierStub).to.have.been.calledOnceWithExactly(
                     Buffer.from('"@method": POST\n' +
@@ -1131,10 +1133,12 @@ describe('httpbis', () => {
             };
             it('verifies a response', async () => {
                 const verifierStub = stub().resolves(true);
+                const keyLookup = stub().callsFake(async ({ keyid }) => keyid === 'test-key-ecc-p256' ? { verify: verifierStub } : null);
                 const result = await httpbis.verifyMessage({
-                    verifier: verifierStub,
+                    keyLookup,
                 }, response);
                 expect(result).to.equal(true);
+                expect(keyLookup).to.have.callCount(1);
                 expect(verifierStub).to.have.callCount(1);
                 expect(verifierStub).to.have.been.calledOnceWithExactly(
                     Buffer.from('"@status": 200\n' +
@@ -1176,13 +1180,15 @@ describe('httpbis', () => {
                 },
             };
             it('verifies a response bound to a request', async () => {
-                const stubVerifier = stub().resolves(true);
+                const verifierStub = stub().resolves(true);
+                const keyLookup = stub().callsFake(async ({ keyid }) => keyid === 'test-key-ecc-p256' ? { verify: verifierStub } : null);
                 const result = await httpbis.verifyMessage({
-                    verifier: stubVerifier,
+                    keyLookup,
                 }, response, request);
                 expect(result).to.equal(true);
-                expect(stubVerifier).to.have.callCount(1);
-                expect(stubVerifier).to.have.been.calledOnceWithExactly(
+                expect(keyLookup).to.have.callCount(1);
+                expect(verifierStub).to.have.callCount(1);
+                expect(verifierStub).to.have.been.calledOnceWithExactly(
                     Buffer.from('"@status": 503\n' +
                         '"content-length": 62\n' +
                         '"content-type": application/json\n' +