Add support for HS2019

Author: drighetto

pom.xml

@@ -39,7 +39,7 @@
         <dependency>
             <groupId>org.tomitribe</groupId>
             <artifactId>tomitribe-http-signatures</artifactId>
-            <version>1.3</version>
+            <version>1.8</version>
         </dependency>
         <!-- https://mvnrepository.com/artifact/net.portswigger.burp.extender/burp-extender-api -->
         <dependency>

src/main/java/burp/ConfigSettings.java

@@ -3,6 +3,8 @@
 import javax.swing.*;
 import javax.swing.event.ChangeEvent;
 import java.awt.*;
+import java.awt.event.ItemEvent;
+import java.awt.event.ItemListener;
 import java.awt.event.MouseAdapter;
 import java.awt.event.MouseEvent;
 import java.io.IOException;
@@ -13,6 +15,7 @@
 import static burp.Signing.log;
 
 public class ConfigSettings {
+    public static String SIGNATURE_ALGORITHM = "rsa-sha256";
     public LinkedHashMap<String, String> settings; // key is e.g. "Header", value is "Authorization"
     // profiles: key is the name of the Tab, value is a settings LinkedHashMap
     private LinkedHashMap<String, LinkedHashMap<String, String>> profiles;
@@ -23,6 +26,8 @@ public class ConfigSettings {
     JCheckBox checkBoxToolScanner = new JCheckBox("Scanner");
     JCheckBox checkBoxToolIntruder = new JCheckBox("Intruder");
     JCheckBox checkBoxToolRepeater = new JCheckBox("Repeater");
+    JCheckBox useHS2019Signature = new JCheckBox("HS2019");
+    JCheckBox useRSASHA256Signature = new JCheckBox("RSA-SHA256");
     private boolean tabChangeListenerLock = false;
 
     ConfigSettings() {
@@ -83,7 +88,8 @@ public class ConfigSettings {
 
     /**
      * Return the Burp frame used for the option dialog and the menu button
-     * @return  The Burp Suite frame
+     *
+     * @return The Burp Suite frame
      */
     static JFrame getBurpFrame() {
         for (Frame f : Frame.getFrames()) {
@@ -96,8 +102,9 @@ static JFrame getBurpFrame() {
 
     /**
      * Get the value from a key/profile setting (e.g. "keyId") from the active profile
-     * @param key   The key to retrieve
-     * @return      The value for the key belonging to the active profile
+     *
+     * @param key The key to retrieve
+     * @return The value for the key belonging to the active profile
      */
     public String getString(String key) {
         return profiles.get("ActiveKey").get(key);
@@ -117,6 +124,41 @@ protected void showSettings() {
         titleGlobalConfig.setForeground(Color.ORANGE);
         titleGlobalConfig.setFont(titleGlobalConfig.getFont().deriveFont(Font.BOLD, titleGlobalConfig.getFont().getSize() + 4));
         globalPanel.add(titleGlobalConfig);
+        //Signature algo
+        JLabel labelSignatureAlgo = new JLabel("Signature algorithm:");
+        Font labelSigFont = labelSignatureAlgo.getFont();
+        labelSignatureAlgo.setFont(labelSigFont.deriveFont(labelSigFont.getStyle() | Font.BOLD)); // make text bold
+        globalPanel.add(labelSignatureAlgo);
+        if ((Signing.callbacks.loadExtensionSetting("useHS2019Signature") != null) &&
+                Signing.callbacks.loadExtensionSetting("useHS2019Signature").equals("true")) {
+            useHS2019Signature.setSelected(true);
+            useRSASHA256Signature.setSelected(false);
+            ConfigSettings.SIGNATURE_ALGORITHM = "hs2019";
+        } else {
+            useHS2019Signature.setSelected(false);
+            useRSASHA256Signature.setSelected(true);
+            ConfigSettings.SIGNATURE_ALGORITHM = "rsa-sha256";
+        }
+        useHS2019Signature.addItemListener(new ItemListener() {
+            @Override
+            public void itemStateChanged(ItemEvent e) {
+                if(e.getStateChange() == ItemEvent.SELECTED){
+                    ConfigSettings.this.useRSASHA256Signature.setSelected(false);
+                    ConfigSettings.SIGNATURE_ALGORITHM = "hs2019";
+                }
+            }
+        });
+        useRSASHA256Signature.addItemListener(new ItemListener() {
+            @Override
+            public void itemStateChanged(ItemEvent e) {
+                if(e.getStateChange() == ItemEvent.SELECTED){
+                    ConfigSettings.this.useHS2019Signature.setSelected(false);
+                    ConfigSettings.SIGNATURE_ALGORITHM = "rsa-sha256";
+                }
+            }
+        });
+        globalPanel.add(useHS2019Signature);
+        globalPanel.add(useRSASHA256Signature);
         // Checkboxes to enable/disable the extension for each Burp Suite tool
         JLabel labelTools = new JLabel("Enable the extension for the following Burp Suite tools:");
         Font labelToolsFont = labelTools.getFont();
@@ -173,7 +215,8 @@ public void mouseClicked(MouseEvent e) {
                 // the user clicks on the label
                 try {
                     Desktop.getDesktop().browse(new URI("https://github.com/nccgroup/HTTPSignatures"));
-                } catch (IOException | URISyntaxException e1) {}
+                } catch (IOException | URISyntaxException e1) {
+                }
             }
 
             @Override
@@ -248,11 +291,12 @@ public void mouseExited(MouseEvent e) {
 
     /**
      * Make a ProfileTab active
-     * @param profileTab   The ProfileTab to set active
+     *
+     * @param profileTab The ProfileTab to set active
      */
     private void setActiveProfile(ProfileTab profileTab) {
         String tabName = profileTab.profileTabHandle.tabNameField.getText();
-        tabName.replaceAll(";",""); // remove semicolons
+        tabName.replaceAll(";", ""); // remove semicolons
         log("Setting active profile to '" + tabName + "' active");
 
         LinkedHashMap<String, Object> newProfile = profileTab.getNewProfile();
@@ -265,7 +309,7 @@ private void setActiveProfile(ProfileTab profileTab) {
             }
             Object val = newProfile.get(key);
             String valStr = ((JTextField) val).getText();
-            profileValues += valStr.replaceAll(";",""); // remove semicolons
+            profileValues += valStr.replaceAll(";", ""); // remove semicolons
             newProfile2.put(key, valStr);
             log("Setting active profile " + tabName + ": key: " + key + " value: " + valStr);
         }
@@ -299,7 +343,7 @@ private void saveProfiles() {
             }
             LinkedHashMap<String, Object> newProfile = profileTab.getNewProfile();
             String tabName = profileTab.profileTabHandle.tabNameField.getText();
-            tabName = tabName.replaceAll(";",""); // remove semicolons
+            tabName = tabName.replaceAll(";", ""); // remove semicolons
 
             if (!tabNames.isEmpty()) {
                 // add semicolon, but not on first key
@@ -316,7 +360,7 @@ private void saveProfiles() {
                 }
                 Object val = newProfile.get(key);
                 String valStr = ((JTextField) val).getText();
-                valStr = valStr.replaceAll(";",""); // remove any semicolon
+                valStr = valStr.replaceAll(";", ""); // remove any semicolon
                 profileValues += valStr;
                 log("Saving profile " + tabName + ": key: " + key + " value: " + valStr);
             }
@@ -359,6 +403,11 @@ private void saveProfiles() {
             Signing.DEBUG = false;
             Signing.callbacks.saveExtensionSetting("debug", "false");
         }
+        if (useHS2019Signature.isSelected() || !useRSASHA256Signature.isSelected() || (!useRSASHA256Signature.isSelected() && !useHS2019Signature.isSelected())) {
+            Signing.callbacks.saveExtensionSetting("useHS2019Signature", "true");
+        } else {
+            Signing.callbacks.saveExtensionSetting("useHS2019Signature", "false");
+        }
     }
 
     /**
@@ -374,7 +423,8 @@ private void addTab() {
 
     /**
      * Add a new (empty) tab
-     * @param tabName   the name of the new tab
+     *
+     * @param tabName the name of the new tab
      */
     private void addTab(String tabName) {
         tabChangeListenerLock = true;
@@ -387,9 +437,10 @@ private void addTab(String tabName) {
 
     /**
      * Add a new tab with content
-     * @param tabName    The name of the new tab
-     * @param tabConfig  The configuration of the new tab (values separated by semicolons)
-     * @param active     Boolean: true means the profile is active; false means the profile is not active
+     *
+     * @param tabName   The name of the new tab
+     * @param tabConfig The configuration of the new tab (values separated by semicolons)
+     * @param active    Boolean: true means the profile is active; false means the profile is not active
      */
     private void addTab(String tabName, String tabConfig, Boolean active) {
         tabChangeListenerLock = true;
@@ -416,8 +467,9 @@ private void addTab(String tabName, String tabConfig, Boolean active) {
 
     /**
      * Checks if a color is bright or dark.
-     * @param color   The RGB color
-     * @return        True if bright, false if dark
+     *
+     * @param color The RGB color
+     * @return True if bright, false if dark
      */
     private boolean isColorBright(int color) {
         if (brightness(color) > 0.5) {
@@ -431,8 +483,9 @@ private boolean isColorBright(int color) {
      * Returns the brightness of a color.
      * Based on
      * https://chromium.googlesource.com/android_tools/+/18728e9dd5dd66d4f5edf1b792e77e2b544a1cb0/sdk/sources/android-19/android/graphics/Color.java#187
-     * @param color  The RGB color
-     * @return       A value between 0.0f and 1.0f
+     *
+     * @param color The RGB color
+     * @return A value between 0.0f and 1.0f
      */
     private float brightness(int color) {
         int r = (color >> 16) & 0xFF;
@@ -445,7 +498,8 @@ private float brightness(int color) {
 
     /**
      * Close a tab
-     * @param configTabContent   The tab to close
+     *
+     * @param configTabContent The tab to close
      */
     public void closeTab(JPanel configTabContent) {
         tabChangeListenerLock = true;
@@ -505,7 +559,7 @@ private void initTabs() {
                     continue;
                 }
                 String tabName = profileTab.profileTabHandle.tabNameField.getText();
-                if (tabName.equals(activeTabName) ) {
+                if (tabName.equals(activeTabName)) {
                     tabbedPane.setSelectedIndex(tabNum);
                 }
             }

src/main/java/burp/Signing.java

@@ -4,10 +4,7 @@
 import org.apache.http.client.methods.*;
 import org.apache.http.entity.ByteArrayEntity;
 import org.apache.http.entity.StringEntity;
-import org.tomitribe.auth.signatures.MissingRequiredHeaderException;
-import org.tomitribe.auth.signatures.PEM;
-import org.tomitribe.auth.signatures.Signature;
-import org.tomitribe.auth.signatures.Signer;
+import org.tomitribe.auth.signatures.*;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -21,10 +18,14 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
+import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.InvalidKeySpecException;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
 import java.text.Format;
 import java.text.SimpleDateFormat;
 import java.util.*;
+import java.util.Base64;
 import java.util.stream.Collectors;
 
 public class Signing {
@@ -285,7 +286,7 @@ private static PrivateKey loadPrivateKey(String privateKeyFilename) {
      */
     public static class RequestSigner {
         private static final SimpleDateFormat DATE_FORMAT;
-        private static final String SIGNATURE_ALGORITHM = "rsa-sha256";
+        private static final String SIGNATURE_ALGORITHM = ConfigSettings.SIGNATURE_ALGORITHM.trim();
         private Map<String, List<String>> REQUIRED_HEADERS;
 
         static {
@@ -338,8 +339,13 @@ private List stringToList(String input_string) {
          * @return Signer
          */
         protected Signer buildSigner(String apiKey, Key privateKey, String method) {
-            final Signature signature = new Signature(
-                    apiKey, SIGNATURE_ALGORITHM, null, REQUIRED_HEADERS.get(method.toLowerCase()));
+            Signature signature;
+            if ("hs2019".equalsIgnoreCase(SIGNATURE_ALGORITHM)) {
+                AlgorithmParameterSpec spec = new PSSParameterSpec("SHA-512", "MGF1", MGF1ParameterSpec.SHA512, 32, 1);
+                signature = new Signature(apiKey, SigningAlgorithm.HS2019, Algorithm.RSA_PSS, spec, null, REQUIRED_HEADERS.get(method.toLowerCase()));
+            } else {
+                signature = new Signature(apiKey, SIGNATURE_ALGORITHM, null, REQUIRED_HEADERS.get(method.toLowerCase()));
+            }
             return new Signer(privateKey, signature);
         }
 
@@ -409,7 +415,7 @@ public void signRequest(HttpRequestBase request, String header_name) {
 
             final Map<String, String> headers = extractHeadersToSign(request);
             String signature = this.calculateSignature(method, path, headers);
-            //log("DEBUG: signed signature: " + signature);
+            log("[DOM] Generated signature: " + signature);
 
             if (header_name.equalsIgnoreCase("Signature") && signature.startsWith("Signature ")) {
                 // remove "Signature" from the beginning of the string as we use "Signature" as the header name
@@ -451,7 +457,7 @@ private Map<String, String> extractHeadersToSign(HttpRequestBase request) {
             }
             return headersToSign.stream()
                     // (request-target) is a pseudo-header
-                    .filter(header -> !header.toLowerCase().equals("(request-target)"))
+                    .filter(header -> !header.toLowerCase().equals("(request-target)") && !header.toLowerCase().equals("(created)"))
                     .collect(Collectors.toMap(
                             header -> header,
                             header -> {