Teaser: Cryptographic signing/verification in the agent


#1

(@hugo said that I could tease this…)

Developer server only right now. The API is stable, barring major issues.

Signing:

local private_key_pem = @"
-----BEGIN PRIVATE KEY-----
<private key goes here>
-----END PRIVATE KEY-----
";
local private_key_der = convert_pem_to_der(private_key_pem);
local message = "Hello World!";
crypto.sign(crypto.RSASSA_PKCS1_SHA256, message, private_key_der,
    function(err, sig) {
        if (err) {
            server.error(err);
        } else {
            server.log(sig);
        }
    });

Verification:

local public_key_pem = @"
-----BEGIN PUBLIC KEY-----
<public key goes here>
-----END PUBLIC KEY-----
";
local public_key_der = convert_pem_to_der(public_key_pem);
crypto.verify(crypto.RSASSA_PKCS1_SHA256, message, sig, public_key_der,
    function(err, is_valid) {
        /* ... */
    });

Note that problems with the passed-in arguments are thrown as exceptions, so be prepared to handle those too.

convert_pem_to_der is left as an exercise for the reader; we’ll probably provide a library function for it later (or we’ll make the API take PEM- or DER-formatted keys).

We’re working on wrapping it up in a library, but I’ve tested it (generating an RS256 JWT) with the Google Pub/Sub API, and it works fine. Documentation is a work in progress.

Note that there are currently no rate limits; please don’t abuse it (or we’ll turn the feature off). We’ll add rate limits before we put it on the production servers.

Rate limits will probably be notified in the form of an error passed to the callback, but suggestions are welcome.

Also available: crypto.sha256(), crypto.hmacsha256() and crypto.equals(), mirroring the imp’s functionality.

Feedback welcomed.


#2

Documentation here, natch.