Private key being escaped and duplicated when passed to hash_function #109

computebender opened this issue Aug 11, 2021 · 0 comments
computebender commented Aug 11, 2021

Hello,
I'm using this library to generate auth headers for Jira. Jira uses RSA-SHA1 to verify tokens so I have to modify the hash_function used in the examples. I was running into an issue where the key being passed into the function has been escaped causing an error when using it to sign.

Here is the initialization of OAuth I have, with console logs to demonstrate the issue,

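```js
const crypto = require("crypto");

// OAuth is the library's constructor; OAUTH_CONSUMER_KEY and privateKey
// are defined elsewhere in the global scope.
const oauth = OAuth({
  consumer: { key: OAUTH_CONSUMER_KEY, secret: privateKey },
  signature_method: "RSA-SHA1",
  hash_function(base_string, key) {
    // Log both copies of the key to compare them.
    console.log("Private key from global scope \n");
    console.log(privateKey);
    console.log("Private key from function scope \n");
    console.log(key);

    // Sign with the global-scope key, not the `key` argument.
    const sign = crypto.createSign("RSA-SHA1");
    sign.update(base_string);
    sign.end();
    const signature = sign.sign(privateKey).toString("base64");

    return signature;
  },
});
```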

Which, when a header is generated, leads to an output of,

Private key from global scope 

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Private key from function scope

-----BEGIN%20PRIVATE%20KEY-----%0AMIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALRiMLAh9iimur8V%0AA7qVvdqxevEuUkW4K%2B2KdMXmnQbG9Aa7k7eBjK1S%2B0LYmVjPKlJGNXHDGuy5Fw%2Fd%0A7rjVJ0BLB%2BubPK8iA%2FTw3hLQgXMRRGRXXCn8ikfuQfjUS1uZSatdLB81mydBETlJ%0AhI6GH4twrbDJCR2Bwy%2FXWXgqgGRzAgMBAAECgYBYWVtleUzavkbrPjy0T5FMou8H%0AX9u2AC2ry8vD%2Fl7cqedtwMPp9k7TubgNFo%2BNGvKsl2ynyprOZR1xjQ7WgrgVB%2Bmm%0AuScOM%2F5HVceFuGRDhYTCObE%2By1kxRloNYXnx3ei1zbeYLPCHdhxRYW7T0qcynNmw%0Arn05%2FKO2RLjgQNalsQJBANeA3Q4Nugqy4QBUCEC09SqylT2K9FrrItqL2QKc9v0Z%0AzO2uwllCbg0dwpVuYPYXYvikNHHg%2BaCWF%2BVXsb9rpPsCQQDWR9TT4ORdzoj%2BNccn%0AqkMsDmzt0EfNaAOwHOmVJ2RVBspPcxt5iN4HI7HNeG6U5YsFBb%2B%2FGZbgfBT3kpNG%0AWPTpAkBI%2BgFhjfJvRw38n3g%2F%2BUeAkwMI2TJQS4n8%2Bhid0uus3%2FzOjDySH3XHCUno%0Acn1xOJAyZODBo47E%2B67R4jV1%2FgzbAkEAklJaspRPXP877NssM5nAZMU0%2FO%2FNGCZ%2B%0A3jPgDUno6WbJn5cqm8MqWhW1xGkImgRk%2BfkDBquiq4gPiT898jusgQJAd5Zrr6Q8%0AAO%2F0isr%2F3aa6O6NLQxISLKcPDk2NOccAfS%2FxOtfOz4sJYM3%2BBs4Io9%2BdZGSDCA54%0ALw03eHTNQghS0A%3D%3D%0A-----END%20PRIVATE%20KEY-----&-----BEGIN%20PRIVATE%20KEY-----%0AMIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALRiMLAh9iimur8V%0AA7qVvdqxevEuUkW4K%2B2KdMXmnQbG9Aa7k7eBjK1S%2B0LYmVjPKlJGNXHDGuy5Fw%2Fd%0A7rjVJ0BLB%2BubPK8iA%2FTw3hLQgXMRRGRXXCn8ikfuQfjUS1uZSatdLB81mydBETlJ%0AhI6GH4twrbDJCR2Bwy%2FXWXgqgGRzAgMBAAECgYBYWVtleUzavkbrPjy0T5FMou8H%0AX9u2AC2ry8vD%2Fl7cqedtwMPp9k7TubgNFo%2BNGvKsl2ynyprOZR1xjQ7WgrgVB%2Bmm%0AuScOM%2F5HVceFuGRDhYTCObE%2By1kxRloNYXnx3ei1zbeYLPCHdhxRYW7T0qcynNmw%0Arn05%2FKO2RLjgQNalsQJBANeA3Q4Nugqy4QBUCEC09SqylT2K9FrrItqL2QKc9v0Z%0AzO2uwllCbg0dwpVuYPYXYvikNHHg%2BaCWF%2BVXsb9rpPsCQQDWR9TT4ORdzoj%2BNccn%0AqkMsDmzt0EfNaAOwHOmVJ2RVBspPcxt5iN4HI7HNeG6U5YsFBb%2B%2FGZbgfBT3kpNG%0AWPTpAkBI%2BgFhjfJvRw38n3g%2F%2BUeAkwMI2TJQS4n8%2Bhid0uus3%2FzOjDySH3XHCUno%0Acn1xOJAyZODBo47E%2B67R4jV1%2FgzbAkEAklJaspRPXP877NssM5nAZMU0%2FO%2FNGCZ%2B%0A3jPgDUno6WbJn5cqm8MqWhW1xGkImgRk%2BfkDBquiq4gPiT898jusgQJAd5Zrr6Q8%0AAO%2F0isr%2F3aa6O6NLQxISLKcPDk2NOccAfS%2FxOtfOz4sJYM3%2BBs4Io9%2BdZGSDCA54%0ALw03e
HTNQghS0A%3D%3D%0A-----END%20PRIVATE%20KEY-----

The private key from the function scope has been escaped as well as duplicated, which causes the signing to fail.
Using the key from global scope works fine.

Also, don't worry, this private key is irrelevant, it's the one generated by Atlassian in their example project.

Any ideas or suggestions as to what could be happening would be appreciated.
Thanks

Update:

I've tracked it down to this method in the library,

```js
/**
 * Create a Signing Key
 * @param  {String} token_secret Secret Token
 * @return {String} Signing Key
 */
OAuth.prototype.getSigningKey = function(token_secret) {
    token_secret = token_secret || '';

    if(!this.last_ampersand && !token_secret) {
        return this.percentEncode(this.consumer.secret);
    }

    return this.percentEncode(this.consumer.secret) + '&' + this.percentEncode(token_secret);
};
```
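
The following is an added example, not code from the issue or from the library. It rebuilds the key shape that `getSigningKey` produces (percent-encoded consumer secret, `&`, percent-encoded token secret, which is the HMAC-SHA1 key format of RFC 5849 section 3.4.2) and shows that an RSA-SHA1 `hash_function` has to sign with the raw PEM, either held separately or recovered by decoding the first half. Assumptions: `percentEncode` here is a stand-in for the library's, both secrets hold the same PEM (matching the duplicated output above), and the key pair and base string are constructed.

```javascript
const crypto = require("crypto");

// Stand-in for the library's percentEncode (assumed: RFC 3986 unreserved set).
function percentEncode(str) {
  return encodeURIComponent(str).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Same shape as the getSigningKey() quoted in the issue, token secret present.
function signingKey(consumerSecret, tokenSecret) {
  return percentEncode(consumerSecret) + "&" + percentEncode(tokenSecret);
}

// The consumer secret is everything before the first "&";
// a percent-encoded PEM never contains a raw "&".
function pemFromSigningKey(key) {
  return decodeURIComponent(key.split("&")[0]);
}

function canParseKey(pem) {
  try { crypto.createPrivateKey(pem); return true; } catch { return false; }
}

function rsaSha1Sign(baseString, pem) {
  return crypto.createSign("RSA-SHA1").update(baseString).sign(pem, "base64");
}

// Constructed throwaway key pair, generated at run time for this example only.
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
  publicKeyEncoding: { type: "spki", format: "pem" },
});

// Constructed signature base string (hypothetical host and parameters).
const baseString =
  "GET&https%3A%2F%2Fjira.example.invalid%2Frest%2Fapi%2F2%2Fmyself&oauth_nonce%3Dabc";

function demo() {
  const key = signingKey(privateKey, privateKey); // what hash_function receives
  const recovered = pemFromSigningKey(key);
  const signature = rsaSha1Sign(baseString, recovered);
  const verified = crypto.createVerify("RSA-SHA1").update(baseString)
    .verify(publicKey, signature, "base64");
  return { encodedParses: canParseKey(key),
           recoveredMatches: recovered === privateKey, verified };
}

console.log(demo());
```

Keeping the PEM in a closure and ignoring the `key` argument, as the issue's `hash_function` does, avoids the decode step and keeps the private key out of any string that gets concatenated or logged.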