Function to create hash in SRI pattern

2

I was looking at a new W3C specification, SRI (Subresource Integrity), which roughly means integrity of sub-resources, and which promises to bring more security to resources hosted on third-party (or in-house) servers. It is already in use by BootstrapCDN, CloudFlare, GitHub and jQuery, although it is still new and does not have a wide implementation by browsers.

Basically, the new specification adds two new attributes to the script tag:

  • integrity: contains the cryptographic hash of the file
  • crossorigin: by default "anonymous"

The (simplistic) documentation describes creating the hash via the command line with OpenSSL:

Command line statement to generate hash

openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A

My question is: how do I use the hash functions of openssl to get the same result (generate a hash of a file)?

asked by anonymous 09.03.2017 / 02:12

2 answers

3

You have hash_file() in PHP, which is just for files and is similar to hash().

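// SRI accepts sha256, sha384 and sha512
$algoritmo = 'SHA512';
$arquivo = 'arquivo.js';

// Third argument true: return the raw binary digest instead of hex
$hash = hash_file($algoritmo, $arquivo, true);

// Format expected by the integrity attribute: "<algorithm>-<base64 digest>"
$integrity = strtolower($algoritmo) . '-' . base64_encode( $hash );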

That way you just need to use:

echo '<script src="' . $arquivo . '" integrity="' . $integrity . '" crossorigin="anonymous"></script>';

Obviously I should have calculated this in advance, because running this on every visited page is wasteful, spending time to compute the same hash every time...

I do not see much sense in using this for the same domain, because if someone has access to or is able to change the content of the JavaScript, they will most likely be able to change the hash in the HTML, thus making the new JavaScript valid.

If you use a CDN (or another server) to distribute the JavaScript, or if you allow others to embed your JavaScript, it makes great sense to use this feature, because in this situation, if someone changes your file, your clients will have the hash of the file.

Using this feature would prevent/minimize the attack on the "Blinded Site", in which the image was modified to show another result. This occurred in 2012 (see here): all clients of the site displayed a "Hacked Armored Site" logo, because there was no verification.

    
09.03.2017 / 17:34
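The advice above (compute the value ahead of time, and pin files that come from a CDN or another server) as an added example that is not part of either answer. `sri_hash()` and `sri_matches()` are hypothetical helper names, and the sample file is constructed for the demo.

```php
<?php
// Added example; sri_hash() and sri_matches() are hypothetical helper names.
const SRI_ALGOS = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// "alg-" + Base64 of the raw digest, the same value as
// openssl dgst -sha384 -binary FILE | openssl base64 -A
function sri_hash(string $path, string $algo = 'sha384'): string
{
    $algo = strtolower($algo);
    if (!in_array($algo, SRI_ALGOS, true)) {
        throw new InvalidArgumentException("Unsupported SRI algorithm: $algo");
    }
    $raw = hash_file($algo, $path, true); // true = raw bytes, not hex
    if ($raw === false) {
        throw new RuntimeException("Cannot read $path");
    }
    return $algo . '-' . base64_encode($raw);
}

// Check a local copy of a file against a pinned integrity value. The value may
// hold several space-separated hashes; only the strongest algorithm counts.
function sri_matches(string $path, string $integrity): bool
{
    $byAlgo = [];
    foreach (preg_split('/\s+/', trim($integrity), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        [$algo, $digest] = array_pad(explode('-', $token, 2), 2, '');
        if (in_array($algo, SRI_ALGOS, true)) {
            $byAlgo[$algo][] = $digest;
        }
    }
    foreach (array_reverse(SRI_ALGOS) as $algo) {
        if (!isset($byAlgo[$algo])) {
            continue;
        }
        $actual = substr(sri_hash($path, $algo), strlen($algo) + 1);
        return in_array($actual, $byAlgo[$algo], true);
    }
    return false; // no usable hash: fail closed in a deploy check
}

// Demo on a constructed file: compute once at build time, verify later.
$file = tempnam(sys_get_temp_dir(), 'sri');
file_put_contents($file, "console.log('hello');\n");
$pinned = sri_hash($file);              // store this next to the script URL
var_dump(sri_matches($file, $pinned));  // check the untouched file
file_put_contents($file, "console.log('tampered');\n");
var_dump(sri_matches($file, $pinned));  // check again after the content changed
unlink($file);
```

Running the check in a build or deploy step means the page template only prints a stored string, and a changed third-party file is caught before the new integrity value is published.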
0

When searching the community for SRI I did not get results so I leave my own answer.

In practice, I arrived at the result in two ways in PHP:

<?php

   $file = file_get_contents('./main.js');

   echo "sha512-".base64_encode(openssl_digest($file, 'sha512', true));

   //output: sha512-4nAOca/W9ZDO2dwcudh/hbnatmbvezf5ZTti0+VZFDG+V65tDx8OeKIpZfG7NYvOjqytEveULALcb7ZbPAuF/Q==


   $hash = hash('sha512', $file, true);

   echo "sha512-".base64_encode($hash);

   //output: sha512-4nAOca/W9ZDO2dwcudh/hbnatmbvezf5ZTti0+VZFDG+V65tDx8OeKIpZfG7NYvOjqytEveULALcb7ZbPAuF/Q==

Both return the same result; it would be worth testing performance here.

Reference:

In this article on the site tenzer.dk, the author indicates that he looked at the source code of the SRI Hash Generator site and adapted the logic for other languages, among them:

  • Shell
  • Python
  • Node.js
  • Go
  • Ruby
  • PHP

And since the specification tries to use a checksum, it is worth going through this reference here from the community.

That's it.

    
09.03.2017 / 06:29