mirror of
https://github.com/imjasonh/webpush
synced 2026-07-06 23:52:25 +00:00
Use SHA-256 hash for key ID to prevent collisions
Co-authored-by: imjasonh <210737+imjasonh@users.noreply.github.com>
This commit is contained in:
parent
ddf38bc4ba
commit
d30c4b1906
1 changed files with 7 additions and 2 deletions
|
|
@ -10,8 +10,10 @@ package main
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"embed"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"io/fs"
|
||||
"net/http"
|
||||
|
|
@ -174,11 +176,14 @@ func isGone(err error) bool {
|
|||
func handleVAPIDPublicKey(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
publicKeyB64 := base64.RawURLEncoding.EncodeToString(signer.PublicKey())
|
||||
// Use SHA-256 hash of the public key for a collision-resistant key ID
|
||||
hash := sha256.Sum256(signer.PublicKey())
|
||||
keyId := hex.EncodeToString(hash[:])[:16]
|
||||
json.NewEncoder(w).Encode(map[string]string{
|
||||
"publicKey": publicKeyB64,
|
||||
// Include a truncated key ID that clients can use to detect key rotation
|
||||
// Include a key ID that clients can use to detect key rotation
|
||||
// When this changes, clients know they need to resubscribe
|
||||
"keyId": publicKeyB64[:16],
|
||||
"keyId": keyId,
|
||||
})
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue