B.2.3. Full Coverage Using rsa-pss-sha512
B.2.3. Full Coverage Using rsa-pss-sha512
This example covers all applicable message components in test-request (including the content type and length) plus many derived components, again using the rsa-pss-sha512 algorithm. Note that the Host header field is not covered because the @authority derived component is included instead.
The corresponding signature base is:
NOTE: '' line wrapping per RFC 8792
"date": Tue, 20 Apr 2021 02:07:55 GMT
"@method": POST
"@path": /foo
"@query": ?param=Value&Pet=dog
"@authority": example.com
"content-type": application/json
"content-digest": sha-512=:WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX
+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==:
"content-length": 18
"@signature-params": ("date" "@method" "@path" "@query"
"@authority" "content-type" "content-digest" "content-length")
;created=1618884473;keyid="test-key-rsa-pss"
This results in the following Signature-Input and Signature header fields being added to the message under the label sig-b23:
NOTE: '' line wrapping per RFC 8792
Signature-Input: sig-b23=("date" "@method" "@path" "@query"
"@authority" "content-type" "content-digest" "content-length")
;created=1618884473;keyid="test-key-rsa-pss"
Signature: sig-b23=:bbN8oArOxYoyylQQUU6QYwrTuaxLwjAC9fbY2F6SVWvh0yB
iMIRGOnMYwZ/5MR6fb0Kh1rIRASVxFkeGt683+qRpRRU5p2voTp768ZrCUb38K0fU
xN0O0iC59DzYx8DFll5GmydPxSmme9v6ULbMFkl+V5B1TP/yPViV7KsLNmvKiLJH1
pFkh/aYA2HXXZzNBXmIkoQoLd7YfW91kE9o/CCoC1xMy7JA1ipwvKvfrs65ldmlu9
bpG6A9BmzhuzF8Eim5f8ui9eH8LZH896+QIF61ka39VBrohr9iyMUJpvRX2Zbhl5Z
JzSRxpJyoEZAFL2FUo5fTIztsDZKEgM4cUA==:
Note in this example that the value of the Date header field and the value of the created signature parameter need not be the same. This is due to the fact that the Date header field is added when creating the HTTP message and the created parameter is populated when creating the signature over that message, and these two times could vary. If the Date header field is covered by the signature, it is up to the verifier to determine whether its value has to match that of the created parameter or not. See Section 7.2.4 for more discussion.
Note that the RSA-PSS algorithm in use here is non-deterministic, meaning that a different signature value will be created every time the algorithm is run. The signature value provided here can be validated against the given keys, but newly generated signature values are not expected to match the example. See Section 7.3.5.