@Litarnus Litarnus commented Jul 31, 2025

This PR introduces support for pre-hashed signatures.

Currently we create signatures by cloning the passed data, which in some cases is the entire request body.
With pre-hashed signatures we can create the hash that is used in the signature process ourselves by incrementally digesting it.
Unfortunately, signatures created by the two mentioned mechanisms are not compatible with each other.

Support for the new type is created by extending the signature header with information about how the signature was created. To remain backwards compatible, it defaults to the old way of verifying signatures in case this information is missing.

To allow for a smooth rollout, only the verification is introduced in this PR and changing the creation will be done in a separate PR once this is sufficiently rolled out.

ref INGEST-430

linear bot commented Jul 31, 2025


/// Used to tell which algorithm was used for signature creation.
#[derive(Default, Copy, Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
pub enum SignatureAlgorithm {
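
Review bot: The doc comment on `SignatureAlgorithm` does not say which variant the derived `Default` yields. Since the PR description says a header without this information falls back to the old way of verifying, name the default variant in the doc comment so the backwards-compatible fallback is visible at the type itself.
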
Contributor Author

I couldn't think of a better name (SignatureType is used). Feel free to suggest a better name

Contributor

I think SignatureAlgorithm works fine.

@Litarnus Litarnus marked this pull request as ready for review August 1, 2025 09:03
@Litarnus Litarnus requested a review from a team as a code owner August 1, 2025 09:03
@Litarnus Litarnus requested review from loewenheim and Dav1dde August 1, 2025 12:36
}
SignatureAlgorithm::Prehashed => {
let digest = create_digest(&header, data);
self.inner.sign_digest(digest)
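
Review bot: In the `SignatureAlgorithm::Prehashed` arm, `self.inner.sign_digest(digest)` is returned with no visible error path. If that call can panic, document it in a `# Panics` section on the enclosing method or return a `Result`, so callers know the failure mode. A test that a signature produced by this arm fails verification under the other algorithm would also pin down the incompatibility the PR description mentions.
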
Member

@Dav1dde Dav1dde Aug 1, 2025

I guess nothing can go wrong, but this method panics silently (like sign before).

@Litarnus Litarnus self-assigned this Aug 5, 2025
@Litarnus Litarnus added this pull request to the merge queue Aug 5, 2025
Merged via the queue into master with commit 065ba88 Aug 5, 2025
47 of 48 checks passed
@Litarnus Litarnus deleted the martinl/prehashed-signature branch August 5, 2025 09:17