This repository contains the W3C Signing HTTP Messages draft v11 test suite. Any conforming implementation MUST pass all tests in the test suite.
The test suite will check an implentation that generates and validates signatures compliant with Signing HTTP Messages to ensure conformance with the specification.
This suite requires a functioning installation of
nodejs (>v8.12), and specifically
the npm commmand (>v6.4).
The Signing HTTP Mesages implementation being tested will need to be accessible via a "generator" from the command line. This generator is invoked independently for each test, and state is not expected to be preserved between tests.
The generator will need to accept the following command line parameters to control behavior for each test:
Usage: <implementation_binary> <command> [options]
Options:
-V, --version output the version number
-d, --headers <headers> A list of header names, optionally quoted
-k, --keyId <keyId> A Key Id string.
-p, --private-key <privateKey> A private key file name filename.
-t, --key-type <keyType> The type of the keys.
-u, --public-key <publicKey> A public key file name filename.
-a, --algorithm <algorithm> One of: rsa-sha1, hmac-sha1, rsa-sha256, hmac-sha256, hs2019.
-c, --created <created> The created param for the signature.
-e, --expires <expires> The expires param for the signature.
-h, --help output usage information
Modes:
canonicalize
sign
verify
Each test will provide the generator with an HTTP message via standard in, for example:
POST /foo?param=value&pet=dog HTTP/1.1
Host: example.com
Date: Sun, 05 Jan 2014 21:31:40 GMT
Content-Type: application/json
Digest: SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=
Content-Length: 18
{"hello": "world"}
The generator is expected to parse the input HTTP message, perform
test-specific actions depending on the mode, and return:
- on success: an exit code of
0as well as mode-specific content on standard out as described below - on failure: an exit code of
1or greater. This includes both unexpected errors and any expected failure modes such as:- refusing to sign an message with invalid parameters
- failure to validate a signature
- etc
The canonicalize mode tests the implementation's ability to correctly
perform Signature String construction
, aka "canonicalisation".
Using the provided headers, the implementation must parse the input HTTP Message and produce a Signature String on standard out. Take care not to emit a trailing newline character as the output must match the expected Signature String exactly.
The sign mode will be called with various command-line parameters on
the commandline such as a path to a key file, a keyId etc, as well as
the mesage to be signed on standard in.
The generator is expeced to emit an entire HTTP message including the
created Authorization: Signature header on standard out if the signature
is successfully created, or exit with a code of 1 or greater if an error
is produced.
The verify mode will be called with a candidate signed HTTP message on
standard in, a path to a public key and the keyId for the provided key.
The generator is expeced to exit with code 0 on successful validation
of the message with the provided parameters, or 1 or greater if the
signature cannot be validated for any reason.
No output is expected on an exit code of 0.
- Install the suite's dependencies and set it up for execution with
npm install - Copy the
config.json.examplefile toconfig.jsonand provide the path of the generator.
Note: The path provided for the generator command must be executable, ie
can be launched from a commandline.
Once the suite is configured, launch the test suite with the command:
npm test- Create a fork of the repository https://github.com/w3c-dvcg/http-signatures-test-suite on GitHub.
npm install- Copy the
config.json.examplefile toconfig.jsonand modify. npm run report- Rename
implementation/results.jsontoimplementation/YOUR_IMPLEMENTATION-results.json. git add implementations/YOUR_IMPLEMENTATION-results.jsonand push to your forked repository- Submit a pull request for the results of your implementation to the master repository.
You may contribute to this test suite by submitting pull requests here:
https://github.com/w3c-dvcg/http-signatures-test-suite/pulls