kopia lustrzana https://gitlab.com/rysiekpl/libresilient
cli: signed-integrity now takes "algorithm" option (ref. #66)
rodzic
6e4e29b47e
commit
4d80cbe743
|
@ -166,10 +166,16 @@ let getFileIntegrity = async (path, algos) => {
|
|||
*
|
||||
* paths - paths to files for which integrity files are to be generated
|
||||
* keyfile - path of the file containing the private key to use
|
||||
* output - whether to output the signed integrity data to "files" or "stdout" (default)
|
||||
* algos - array of SubtleCrypto.digest-compatible hashing algorithms (default: ["SHA-256"])
|
||||
* output - whether to output the signed integrity data to "files" or "text" (default)
|
||||
* extension - file extension to use when saving integrity files (default: ".integrity")
|
||||
*/
|
||||
let genSignedIntegrity = async (paths, keyfile, output='files', extension='.integrity') => {
|
||||
let genSignedIntegrity = async (
|
||||
paths,
|
||||
keyfile,
|
||||
algos=["SHA-256"],
|
||||
output='files',
|
||||
extension='.integrity') => {
|
||||
|
||||
// load the key
|
||||
var keydata = JSON.parse(Deno.readTextFileSync(keyfile));
|
||||
|
@ -200,7 +206,7 @@ let genSignedIntegrity = async (paths, keyfile, output='files', extension='.inte
|
|||
for (const path of paths) {
|
||||
|
||||
// get the integrity hash
|
||||
let integrity = await getFileIntegrity(path, ["SHA-512"])
|
||||
let integrity = await getFileIntegrity(path, algos)
|
||||
|
||||
// if integrity is false, the path is a directory or some such
|
||||
if (integrity == false) {
|
||||
|
@ -211,7 +217,10 @@ let genSignedIntegrity = async (paths, keyfile, output='files', extension='.inte
|
|||
let header = btoa('{"alg": "ES384"}').replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
|
||||
|
||||
// JWT payload -- the integrity hash
|
||||
let payload = btoa(`{"integrity": "${integrity[0]}"}`).replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
|
||||
// from MDN: "An integrity value may contain multiple hashes separated by whitespace.
|
||||
// A resource will be loaded if it matches one of those hashes."
|
||||
// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
|
||||
let payload = btoa(`{"integrity": "${integrity.join(' ')}"}`).replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
|
||||
|
||||
// get the signature for header + payload
|
||||
let data = new TextEncoder("utf-8").encode(header + '.' + payload)
|
||||
|
@ -229,8 +238,8 @@ let genSignedIntegrity = async (paths, keyfile, output='files', extension='.inte
|
|||
// put it all together
|
||||
let jwt = header + '.' + payload + '.' + signature
|
||||
|
||||
// do we want output to stdout or files
|
||||
if (output == 'stdout') {
|
||||
// do we want output to text or files
|
||||
if (output == 'text') {
|
||||
result += `${path}: ${jwt}\n`
|
||||
} else {
|
||||
// write it out to {path}.extension
|
||||
|
@ -273,9 +282,15 @@ const pluginActions = {
|
|||
description: "path to the file containing a private key in JSON Web Key format",
|
||||
string: true
|
||||
},
|
||||
algorithm: {
|
||||
description: "SubtleCrypto.digest-compatible algorithm names to use when calculating digests (default: \"SHA-256\")",
|
||||
collect: true,
|
||||
string: true,
|
||||
default: "SHA-256"
|
||||
},
|
||||
output: {
|
||||
description: "output mode: 'files' or 'stdout'",
|
||||
default: 'stdout',
|
||||
description: "output mode: 'files' or 'text'",
|
||||
default: 'text',
|
||||
string: true
|
||||
},
|
||||
extension: {
|
||||
|
|
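Review bot: The `algos` values coming from the new `algorithm` option reach `getFileIntegrity(path, algos)` and the signed payload unchecked, so a SHA-1 digest can end up signed: `SubtleCrypto.digest` accepts `SHA-1`, while Subresource Integrity only defines sha256, sha384 and sha512. Since the payload now carries every digest joined by spaces and the quoted MDN text describes any-match semantics, the weakest listed algorithm would bound the protection if the verifying side accepts any match (that side is not visible here). I would reject unsupported names before the `for (const path of paths)` loop, e.g. `const allowed = ["SHA-256", "SHA-384", "SHA-512"];` followed by `if (!Array.isArray(algos) || !algos.every(a => allowed.includes(a))) throw new Error("unsupported digest algorithm")`; the `Array.isArray` part also catches the option's string default `"SHA-256"` should the argument parser hand it over uncollected. Building the payload with `JSON.stringify({integrity: integrity.join(' ')})` would avoid hand-assembled JSON as well. The body of `genSignedIntegrity` continues outside the hunks shown.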