
B.4. HTTP Message Transformations

HTTP allows intermediaries and applications to transform an HTTP message without affecting the semantics of the message itself. HTTP message signatures are designed to be robust against many of these transformations in different circumstances.

For example, the following HTTP request message has been signed using the Ed25519 algorithm and the key test-key-ed25519:

NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2 HTTP/1.1
Host: example.org
Date: Fri, 15 Jul 2022 14:24:55 GMT
Accept: application/json
Accept: */*
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:

The signature base string for this message is:

"@method": GET
"@path": /demo
"@authority": example.org
"accept": application/json, */*
"@signature-params": ("@method" "@path" "@authority" "accept");created=1618884473;keyid="test-key-ed25519"

The following message has been altered by adding an Accept-Language header field and adding a query parameter. However, since neither the Accept-Language header field nor the query is covered by the signature, the same signature is still valid:

NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2&param=added HTTP/1.1
Host: example.org
Date: Fri, 15 Jul 2022 14:24:55 GMT
Accept: application/json
Accept: */*
Accept-Language: en-US,en;q=0.5
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:

The following message has been altered by removing the Date header field, adding a Referer header field, and folding the Accept header fields into a single line. The Date and Referer header fields are not covered by the signature, and folding the Accept header field is an allowed transformation that the canonicalization algorithm for HTTP field values accounts for. The same signature is still valid:

NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2 HTTP/1.1
Host: example.org
Referer: https://developer.example.org/demo
Accept: application/json, */*
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:

The following message has been altered by reordering the field values of the original message, but without reordering the individual Accept header fields. The same signature is still valid:

NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2 HTTP/1.1
Accept: application/json
Accept: */*
Date: Fri, 15 Jul 2022 14:24:55 GMT
Host: example.org
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:

The following message has been altered by changing the method to POST and the authority to "example.com" (inside the Host header field). Since both the method and the authority are covered by the signature, the same signature is no longer valid:

NOTE: '\' line wrapping per RFC 8792

POST /demo?name1=Value1&Name2=value2 HTTP/1.1
Host: example.com
Date: Fri, 15 Jul 2022 14:24:55 GMT
Accept: application/json
Accept: */*
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:

The following message has been altered by swapping the order of the two Accept header fields. Since the order of same-named fields is semantically significant in HTTP, this changes the value used in the signature base, and the same signature is no longer valid:

NOTE: '\' line wrapping per RFC 8792

GET /demo?name1=Value1&Name2=value2 HTTP/1.1
Host: example.org
Date: Fri, 15 Jul 2022 14:24:55 GMT
Accept: */*
Accept: application/json
Signature-Input: transform=("@method" "@path" "@authority" \
  "accept");created=1618884473;keyid="test-key-ed25519"
Signature: transform=:ZT1kooQsEHpZ0I1IjCqtQppOmIqlJPeo7DHR3SoMn0s5J\
  Z1eRGS0A+vyYP9t/LXlh5QMFFQ6cpLt2m0pmj3NDA==:
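The six messages above all reduce to a question of whether the transformation changes the signature base. The following Python is an added example, not code from the RFC or from any implementation: it builds the signature base for the covered components ("@method", "@path", "@authority", "accept") the way Sections 2.1 and 2.2 of RFC 9421 describe, signs the original once, and then checks that signature against each transformed message. Because the Ed25519 private key test-key-ed25519 is not reproduced on this page, the example substitutes hmac-sha256 with a constructed shared secret; the signature bytes therefore differ from the page's, but the valid/invalid outcome for each transformation is the same, since a signature only survives a transformation when the signature base is byte-for-byte unchanged. The message texts are transcribed from the appendix with the Signature-Input and Signature fields omitted.

```python
import base64
import hashlib
import hmac

# Constructed shared secret: the page's Ed25519 key test-key-ed25519 is not
# reproduced here, so hmac-sha256 stands in and the signature bytes differ.
SHARED_SECRET = b"constructed-demo-secret"
COVERED = ["@method", "@path", "@authority", "accept"]
CREATED, KEYID = 1618884473, "test-key-ed25519"

DATE = "Date: Fri, 15 Jul 2022 14:24:55 GMT"
# The appendix's messages (Signature-Input/Signature fields omitted; recomputed below).
ORIGINAL = ["GET /demo?name1=Value1&Name2=value2 HTTP/1.1", "Host: example.org", DATE,
            "Accept: application/json", "Accept: */*"]
TRANSFORMS = {
    "query param and Accept-Language added": [
        "GET /demo?name1=Value1&Name2=value2&param=added HTTP/1.1", "Host: example.org", DATE,
        "Accept: application/json", "Accept: */*", "Accept-Language: en-US,en;q=0.5"],
    "Date removed, Referer added, Accept folded": [
        "GET /demo?name1=Value1&Name2=value2 HTTP/1.1", "Host: example.org",
        "Referer: https://developer.example.org/demo", "Accept: application/json, */*"],
    "fields reordered": [
        "GET /demo?name1=Value1&Name2=value2 HTTP/1.1", "Accept: application/json",
        "Accept: */*", DATE, "Host: example.org"],
    "method POST, authority example.com": [
        "POST /demo?name1=Value1&Name2=value2 HTTP/1.1", "Host: example.com", DATE,
        "Accept: application/json", "Accept: */*"],
    "Accept instances swapped": [
        "GET /demo?name1=Value1&Name2=value2 HTTP/1.1", "Host: example.org", DATE,
        "Accept: */*", "Accept: application/json"],
}


def parse_request(lines):
    """Request line plus header lines, keeping header order and every instance."""
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "target": target, "headers": headers}


def derive_component(req, name):
    """Canonical value of one covered component (RFC 9421 Sections 2.1 and 2.2)."""
    if name == "@method":
        return req["method"]
    if name == "@path":
        return req["target"].split("?", 1)[0]
    if name == "@authority":
        return next(v for n, v in req["headers"] if n == "host").lower()
    # Ordinary field: every instance, trimmed, joined in message order with ", ".
    # Folding two instances into one comma-separated line yields the same string;
    # swapping their order does not.
    values = [v for n, v in req["headers"] if n == name]
    if not values:
        raise KeyError(f"covered field {name!r} missing from message")
    return ", ".join(values)


def signature_base(req, components=COVERED, created=CREATED, keyid=KEYID):
    """One '"name": value' line per covered component, then the params line, newline-joined."""
    inner = " ".join(f'"{c}"' for c in components)
    params = f'({inner});created={created};keyid="{keyid}"'
    lines = [f'"{c}": {derive_component(req, c)}' for c in components]
    return "\n".join(lines + [f'"@signature-params": {params}'])


def sign(base, secret=SHARED_SECRET):
    return base64.b64encode(hmac.new(secret, base.encode(), hashlib.sha256).digest()).decode()


def verify(base, sig_b64, secret=SHARED_SECRET):
    expected = hmac.new(secret, base.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(sig_b64))


def check_transformations():
    """Sign the original once; report whether that signature still verifies after each change."""
    sig = sign(signature_base(parse_request(ORIGINAL)))
    return {name: verify(signature_base(parse_request(raw)), sig) for name, raw in TRANSFORMS.items()}


if __name__ == "__main__":
    print(signature_base(parse_request(ORIGINAL)))
    for name, ok in check_transformations().items():
        print(("valid  " if ok else "INVALID") + "  " + name)
```

Running the script prints the signature base shown earlier in this appendix for the original message, followed by "valid" for the first three transformations and "INVALID" for the POST/example.com change and the swapped Accept fields. The verifier side is where the robustness matters: a verifier must rebuild the base from the message it actually received, using the component list in Signature-Input, and must not normalize field order or merge same-named fields in any way other than the ", " join, or it will accept messages the signer never saw.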