Defining signature and hash algorithms - das-group/jCREHMA GitHub Wiki
Defining signature and hash algorithm
Neither RequestSigner, ResponseVerifyer, ResponseSigner nor RequestVerifyer do contain any cryptographic operations; they only define the to be signed (security-relevant) header entries and the workflow of the authentication process. To integrate a signature and hash algorithm for signing and verifying HTTP messages, jREHMA provides two interfaces: TbsAuthenticator and BodyHasher.
Defining a signature algorithm with TbsAuthenticator
The TbsAuthenticator interface encompasses 3 methods which need to be implemented.
public interface TbsAuthenticator {
public byte[] sign(String kid, String tbs) throws Exception;
public boolean verify(String kid, String tbs, String sv) throws NotAuthenticatedExpection;
public String getName();
}
As the name implies the sign method is responsible for signing HTTP messages. It requires a key id (kid) and and a tbs string. Since kid is a string, it can be any kind of key id, e.g. a URL to an external certificate, a fingerprint, a predefined identifier and so on. Moreover, jREHMA does not define any key management. Note, that any Signature algorithm, e.g. any instance of TbsAuthenticator, must define the key management by itself, as this process varies depending on the chosen signature algorithm. The tbs string represents concatenation of all security-relevant header entries and the hash of the body which is signed by this method.
The verify method requires kid and tbs as well. Note, that the validity and trustworthiness of the key id must be verified by this method too. The third argument sv is the signature value of the to be verified HTTP message.
For the message verifier, the name of the signature algorithm is also an important part of the signature description. Hence, every signature algorithm must have a name and hence every instantiation of TbsAuthenticate must implemented the getName method returning the name of the signature algorithm.
jREHMA already includes HmacSha256Authenticator which is an implementation of TbsAuthenticator. The code of this signature algorithm can be assessed here:
Defining a hash algorithm with BodyHasher
The hash of the HTTP message body is an crucial part of the tbs string. The BodyHasher is an interface for implementing a hash algorithm for the HTTP message body. As with TbsAuthenticator, it has 3 to be implemented methods, too.
public interface BodyHasher {
public byte[] hash(byte[] body);
public String getName();
public byte[] getHashOfEmptyBody();
}
The hash method represents the core function of this interface as it returns the hash of the given body. The getName method offers the same functionality as the getName method of TbsAuthenticator, since it specifies the name of the hash algorithm. To save computation time, the BodyHasher interface provides the getHashOfEmptyBody method. This function should return a static hash value of an empty body. In case if an HTTP message with empty body is being signed, this method is invoked instead of computing the hash of the body with the hash method.
A SHA256 BodyHasher is already available in jREHMA. The complete source code of this class can be found here: