HTTP Message Signing using RSA-SHA256

I’m attempting to communicate with an API which requires each request to sign messages in accordance with draft-cavage-http-signatures-10 and the requirements imposed by XS2A Framework Implementation Guidelines v1.1, which requires signing using the RSA-SHA256 algorithm.

My initial idea was to simply use a pre-request script on the collection to generate this signature header, seeing as I already use it to set the RFC 2822 HTTP Date and SHA-256 message digest used in the execution of the request.

However, CryptoJS doesn’t support RSA, and it’s the only crypto library available in the Postman Sandbox. So I’m sort of stuck, unless I implement a RSA-SHA256 signing algorithm myself.

Now, I’ve noticed that crypto-js hasn’t had a single commit for a year on GitHub, which makes me ask:

  1. Has Postman considered other options for their sandbox to replace CryptoJS?
  2. Has Postman considered any other mechanism for easily adding “dynamic header values”, such as Date, Digest, and Signature?

The workaround we’re using today is to run each request through a custom reverse proxy written using Node.js and Koa, but we’d much rather do this entirely in Postman if possible, since the reverse proxy part complicates both manual and automated testing.

Desperately needing this functionality right now. CryptoJs really doesn’t cut it.

For now, I ended up spinning up a small Node service that Postman will use in pre-request scripts to get the necessary data:

const express = require('express')
const fs = require('fs')
const jwt = require('jsonwebtoken')

const app = express()
// PEM-encoded RSA private key used for RS256 signing; it stays on this host
// instead of being pasted into a Postman environment
const privateKey = fs.readFileSync('private.key')

app.use(express.json())

app.get('/', (req, res) => {
  res.send('Hello World!')
})

// Postman POSTs a JSON object of claims; the response body is the JWS compact
// serialization (header.payload.signature) signed with RS256, i.e. RSASSA-PKCS1-v1_5
// over SHA-256, with a one-hour exp claim added
app.post('/sign', (req, res) => {
  let claims = req.body

  console.log('Received sign request for data:')
  console.log(claims)

  let signed = jwt.sign(claims, privateKey, {
    algorithm: 'RS256',
    expiresIn: '1h'
  })

  res.send(signed)
})

app.listen(3000, () => console.log('rs256 server listening...'))

This is working really well for my uses.

Hi,

After encountering this problem in some of my projects, I created an easy-to-use library that lets you generate JWTs and perform other crypto operations from Postman scripts (Newman too); here you can find how to use it

Best Regards.

Hi,

If you want to use the ‘jsrsasign-js’ library in Postman, here is a way that worked for me:

  1. create a GET request with url: http://kjur.github.io/jsrsasign/jsrsasign-latest-all-min.js and inside ‘Tests’ tab, put this line of code:
    pm.globals.set("jsrsasign-js", responseBody);

  2. Afterwards you can use it in a ‘Pre-request Script’ tab, like below (I created a Base64URL RSA-SHA256 signature)

var navigator = {}; // fake a navigator object for the jsrsasign-js lib
var window = {};    // fake a window object for the jsrsasign-js lib
eval(pm.globals.get("jsrsasign-js")); // import jsrsasign from the global saved in step 1

// privateKeyPem (PEM-encoded RSA private key) and inputForSignatureValueComputation
// (the exact string to be signed) are assumed to be defined earlier in the script.
var privateKey = KEYUTIL.getKey(privateKeyPem);
var sig = new KJUR.crypto.Signature({"alg": "SHA256withRSA"});
sig.init(privateKey);
sig.updateString(inputForSignatureValueComputation);
// sig.sign() returns a hex string; convert to Base64, then to Base64URL
// (+ and / must be escaped in the regexes, otherwise they are syntax errors)
var jwsSignatureValue = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Hex.parse(sig.sign()))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');

Enjoy :)