HTTP Message Signing using RSA-SHA256


#1

I’m attempting to communicate with an API which requires each request to sign messages in accordance with draft-cavage-http-signatures-10 and the requirements imposed by XS2A Framework Implementation Guidelines v1.1, which requires signing using the RSA-SHA256 algorithm.

My initial idea was to simply use a pre-request script on the collection to generate this signature header, seeing as I already use it to set the RFC 2822 HTTP Date and SHA-256 message digest used in the execution of the request.

However, CryptoJS doesn’t support RSA, and it’s the only crypto library available in the Postman Sandbox. So I’m sort of stuck, unless I implement a RSA-SHA256 signing algorithm myself.

Now, I’ve noticed that crypto-js hasn’t had a single commit for a year on GitHub, which makes me ask:

  1. Has Postman considered other options for their sandbox to replace CryptoJS?
  2. Has Postman considered any other mechanism for easily adding “dynamic header values”, such as Date, Digest, and Signature?

The workaround we’re using today is to run each request through a custom reverse proxy written using Node.js and Koa, but we’d much rather do this entirely in Postman if possible, since the reverse proxy part complicates both manual and automated testing.


#2

Desperately needing this functionality right now. CryptoJs really doesn’t cut it.


#3

For now, ended up spinning up a small Node service that Postman will use in pre-request scripts to get the necessary data:

const express = require('express')
const fs = require('fs')
const jwt = require('jsonwebtoken')

const app = express()
// RSA private key in PEM format, used for RS256 (RSA-SHA256) signing
const cert = fs.readFileSync('private.key')

// Parse JSON request bodies
app.use(express.json())

app.get('/', (req, res) => {
	res.send('Hello World!')
})

// The Postman pre-request script POSTs the claims here and gets a signed JWT back
app.post('/sign', (req, res) => {
	let claims = req.body

	console.log('Received sign request for data:')
	console.log(claims)

	// Sign with RS256 (RSA + SHA-256); the token expires after one hour
	let signed = jwt.sign(claims, cert, {
		algorithm: 'RS256',
		expiresIn: '1h'
	})

	res.send(signed)

})

app.listen(3000, () => console.log('rs256 server listening...'))

This is working really well for my uses.