openssl::signature_create() -> digest() + PKI.sign()

rstudio · Mar 18, 2024 · 17f2eff · 17f2eff
1 parent e6be95b
commit 17f2eff
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/DESCRIPTION b/DESCRIPTION
@@ -26,6 +26,7 @@ Imports:
     jsonlite,
     lifecycle,
     openssl (>= 2.0.0),
+    PKI,
     packrat (>= 0.6),
     renv (>= 1.0.0),
     rlang (>= 1.0.0),

diff --git a/R/http.R b/R/http.R
@@ -501,8 +501,14 @@ signatureHeaders <- function(authInfo, method, path, file = NULL) {
       der = TRUE
     )
 
-    # OpenSSL defaults to sha1 hash function (which is what we need)
-    rawsig <- openssl::signature_create(charToRaw(canonicalRequest), key = private_key)
+    # convert key into PKI format for signing, note this only accepts RSA, but
+    # that's what rsconnect generates already
+    pki_key <- PKI::PKI.load.key(strsplit(openssl::write_pem(private_key), "\n")[[1]], format = "PEM")
+
+    # use sha1 digest and then sign. digest and PKI avoid using system openssl which
+    # can be problematic in strict FIPS environments
+    digested <- digest::digest(charToRaw(canonicalRequest), "sha1", serialize = FALSE, raw = TRUE)
+    rawsig <- PKI::PKI.sign(key = pki_key, digest = digested)
     signature <- openssl::base64_encode(rawsig)
   } else {
     stop("can't sign request: no shared secret or private key")