From bbcaf50ff9dc9cc6868687d37655c68ba6311683 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 14:28:29 +0000 Subject: [PATCH 1/2] Bump com.nimbusds:nimbus-jose-jwt from 9.23 to 9.37.2 Bumps [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) from 9.23 to 9.37.2. - [Changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt) - [Commits](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/9.37.2..9.23) --- updated-dependencies: - dependency-name: com.nimbusds:nimbus-jose-jwt dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 158c70f..bfb3ec1 100644 --- a/pom.xml +++ b/pom.xml @@ -36,7 +36,7 @@ com.nimbusds nimbus-jose-jwt - 9.23 + 9.37.2 commons-io From a5437de0a616b44df9779dfbd1c2ec074287bc27 Mon Sep 17 00:00:00 2001 From: Lokesh Rishi Date: Tue, 11 Jun 2024 08:54:36 -0700 Subject: [PATCH 2/2] Updating IETF standards links --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 99ddcb0..243e3ba 100644 --- a/README.md +++ b/README.md 
@@ -26,11 +26,11 @@ That said, it is entirely acceptable to include the signature for other APIs and ## Creating a Message Signature -The signature scheme is compliant with these upcoming IETF standards (currently not yet RFCs): -- [draft-ietf-httpbis-message-signatures-15](https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-15.html) -- [draft-ietf-httpbis-digest-headers-10](https://www.ietf.org/archive/id/draft-ietf-httpbis-digest-headers-10.html) +The signature scheme is compliant with these IETF standards: +- [RFC 9421 HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421.html) +- [RFC 9530 Digest Fields](https://www.rfc-editor.org/rfc/rfc9530.html) -NOTE: It is strongly recommended that the above drafts be read. +NOTE: It is strongly recommended that the above standards be read. Four HTTP headers need to be added to each HTTP message sent to an API in scope (as defined above) and on behalf of a EU/UK domiciled seller: - Content-Digest: This header includes a SHA-256 digest over the HTTP payload, if any. It is not required to be sent for APIs that do not include a request payload (e.g., GET requests). 
@@ -42,7 +42,7 @@ Four HTTP headers need to be added to each HTTP message sent to an API in scope ### Content-Digest Header This step can be skipped if there is no payload in the HTTP message (e.g., for a GET call). -To add the Content-Digest header (as specified in [draft-ietf-httpbis-digest-headers-10](https://www.ietf.org/archive/id/draft-ietf-httpbis-digest-headers-10.html)), calculate a SHA-256 digest over the HTTP payload. While the specification allows adding more than one digest (e.g., both SHA-256 and SHA-512), only a single digest using SHA-256 is supported in our case. +To add the Content-Digest header (as specified in [RFC 9530 Digest Fields](https://www.rfc-editor.org/rfc/rfc9530.html)), calculate a SHA-256 digest over the HTTP payload. While the specification allows adding more than one digest (e.g., both SHA-256 and SHA-512), only a single digest using SHA-256 is supported in our case. For the following payload: ``` @@ -60,7 +60,7 @@ x-ebay-signature-key: eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiSXh2dVRMb0 ``` ### Signature-Input Header -The Signature-Input and Signature headers are created as specified in [draft-ietf-httpbis-message-signatures-15](https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-15.html) +The Signature-Input and Signature headers are created as specified in [RFC 9421 HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421.html) The value of the Signature-Input header is: ``` 
@@ -76,14 +76,14 @@ sig1=("x-ebay-signature-key" "@method" "@path" "@authority");created=1658440308 ### Signature Header -The value of the Signature header is created as specified in [section 3.1 of the above IETF draft](https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-15.html#section-3.1). +The value of the Signature header is created as specified in [section 3.1 of the above IETF standard](https://www.rfc-editor.org/rfc/rfc9421.html#name-creating-a-signature). Depending on the cipher used, either of the following two sections applies: -- [RSASSA-PKCS1-v1_5 using SHA-256](https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-15.html#section-3.3.2) -- [EdDSA using curve edwards25519](https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-15.html#section-3.3.5) +- [RSASSA-PKCS1-v1_5 using SHA-256](https://www.rfc-editor.org/rfc/rfc9421.html#name-rsassa-pkcs1-v1_5-using-sha) +- [EdDSA using curve edwards25519](https://www.rfc-editor.org/rfc/rfc9421.html#name-eddsa-using-curve-edwards25) -The test keys in this document are the same as those used in the IETF draft. +The test keys in this document are the same as those used in the IETF standard. ## How to Test the Signature Mechanism 
@@ -101,7 +101,7 @@ NOTE: The following samples include public keys in PEM format. However, they are The recommended signature cipher is “Ed25519” (Edwards Curve). As a fallback – in case an external developer's code framework doesn’t support this cipher – we also accept RSA. Ed25519 uses much shorter keys and will decrease the header size, which is why it is preferred over RSA. -The following test keys can be used (Note: They are the same as the sample keys from the above cited IETF drafts). +The following test keys can be used (Note: They are the same as the sample keys from the above cited IETF standards). Again, please note that you can only use the test keys and JWEs listed in the README, not one retrieved from the [Key Management API](https://developer.ebay.com/api-docs/developer/key-management/overview.html). These will only work on the ebay APIs.
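Review bot: The pom.xml hunk (`- 9.23` / `+ 9.37.2`) bumps a library that handles the JWE carried in `x-ebay-signature-key`, but neither the hunk nor the commit message says whether the project's signature tests were run against the new version; before merging, confirm the existing test keys and sample JWE in the README still verify, and record in the PR that the 9.23 to 9.37.2 changelog linked in the commit message was reviewed for behaviour changes.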
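Review bot: The `@@ -26,11 +26,11 @@` hunk changes "compliant with these upcoming IETF standards (currently not yet RFCs)" to "compliant with these IETF standards", which is a stronger claim than the PR title "Updating IETF standards links" suggests; the code was written against draft-15 and digest-headers-10, so either state in the PR that the implementation was re-checked against RFC 9421 and RFC 9530 (the final documents may differ from the drafts), or soften the wording to "is based on" until that check is done.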
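Review bot: In the `@@ -60,7 +60,7 @@` hunk the rewritten sentence `+The Signature-Input and Signature headers are created as specified in [RFC 9421 HTTP Message Signatures](...)` still ends without a period, as the removed line did; since the line is being touched anyway, add the trailing period so it reads consistently with the surrounding paragraphs.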
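Review bot: In the `@@ -76,14 +76,14 @@` hunk the link text keeps a hard-coded section number ("section 3.1 of the above IETF standard") while the URLs switch to generated name anchors (`#name-creating-a-signature`, `#name-rsassa-pkcs1-v1_5-using-sha`, `#name-eddsa-using-curve-edwards25`); please verify that each anchor resolves on rfc-editor.org and that "3.1" still matches the RFC's numbering, or drop the section number from the link text and rely on the section title, which is what the anchors already encode.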
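Review bot: The `@@ -101,7 +101,7 @@` hunk only swaps "drafts" for "standards" in the test-keys note, but the unchanged context around it calls Ed25519 and RSA "signature ciphers"; they are signature algorithms, not ciphers, and since this PR is already a terminology cleanup of that paragraph it would be worth fixing "cipher" in the same pass so the README uses the RFC 9421 wording.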