cli: signed-integrity now takes "algorithm" option (ref. #66)

2022-12-11 14:15:50 +00:00 · 2022-12-11 14:15:50 +00:00 · 4d80cbe743
commit 4d80cbe743
--- a/plugins/signed-integrity/cli.js
+++ b/plugins/signed-integrity/cli.js
@ -166,10 +166,16 @@ let getFileIntegrity = async (path, algos) => {
 * 
 * paths     - paths to files for which integrity files are to be generated
 * keyfile   - path of the file containing the private key to use
- * output    - whether to output the signed integrity data to "files" or "stdout" (default)
+ * algos     - array of SubtleCrypto.digest-compatible hashing algorithms (default: ["SHA-256"])
+ * output    - whether to output the signed integrity data to "files" or "text" (default)
 * extension - file extension to use when saving integrity files (default: ".integrity")
 */
-let genSignedIntegrity = async (paths, keyfile, output='files', extension='.integrity') => {
+let genSignedIntegrity = async (
+                                paths,
+                                keyfile,
+                                algos=["SHA-256"],
+                                output='files',
+                                extension='.integrity') => {
    
    // load the key
    var keydata = JSON.parse(Deno.readTextFileSync(keyfile));
@ -200,7 +206,7 @@ let genSignedIntegrity = async (paths, keyfile, output='files', extension='.inte
    for (const path of paths) {
        
        // get the integrity hash
-        let integrity = await getFileIntegrity(path, ["SHA-512"])
+        let integrity = await getFileIntegrity(path, algos)
        
        // if integrity is false, the path is a directory or some such
        if (integrity == false) {
@ -211,7 +217,10 @@ let genSignedIntegrity = async (paths, keyfile, output='files', extension='.inte
        let header = btoa('{"alg": "ES384"}').replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
        
        // JWT payload -- the integrity hash
-        let payload = btoa(`{"integrity": "${integrity[0]}"}`).replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
+        // from MDN: "An integrity value may contain multiple hashes separated by whitespace.
+        //            A resource will be loaded if it matches one of those hashes."
+        //            https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+        let payload = btoa(`{"integrity": "${integrity.join(' ')}"}`).replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
        
        // get the signature for header + payload
        let data = new TextEncoder("utf-8").encode(header + '.' + payload)
@ -229,8 +238,8 @@ let genSignedIntegrity = async (paths, keyfile, output='files', extension='.inte
        // put it all together
        let jwt = header + '.' + payload + '.' + signature
        
-        // do we want output to stdout or files
-        if (output == 'stdout') {
+        // do we want output to text or files
+        if (output == 'text') {
            result += `${path}: ${jwt}\n`
        } else {
            // write it out to {path}.extension
@ -273,9 +282,15 @@ const pluginActions = {
                description: "path to the file containing a private key in JSON Web Key format",
                string: true
            },
+            algorithm: {
+                description: "SubtleCrypto.digest-compatible algorithm names to use when calculating digests (default: \"SHA-256\")",
+                collect: true,
+                string: true,
+                default: "SHA-256"
+            },
            output: {
-                description: "output mode: 'files' or 'stdout'",
-                default: 'stdout',
+                description: "output mode: 'files' or 'text'",
+                default: 'text',
                string: true
            },
            extension: {