resilient.is/docs

Plugin: signed-integrity

The signed-integrity plugin provides a way to retrieve authenticated integrity data for content fetched from untrusted sources (alternative endpoints, open proxies, etc).

It does not provide for confidentiality (as this is not something LibResilient is designed to provide in general), and it does not by itself perform integrity checking — it only retrieves verified integrity data and sets it on a request.

Configuration

The signed-integrity plugin supports the following configuration options:

Operation

The signed-integrity plugin demonstrates how Subresource Integrity (SRI) can be used to provide verification of authenticity of resources retrieved from not entirely trusted sources (alternative endpoints, open proxies, etc). For each content URL being fetched, the plugin first fetches integrity data from an URL built by appending integrityFileSuffix (by default: “.integrity”) to the content URL, expecting it to contain a JSON Web Token (JWT).

That JWT’s signature is verified using a configured public key (assumption being that it was signed with a related private key before pushing the content out to alternatve endpoints). JWT’s payload should contain an integrity field, which is then used to set the SRI data on the request being handled. Only then does the request for the actual content (now with integrity data set on it) proceed.

IMPORTANT: This plugin does not itself check integrity of the response!

This is left to the wrapped plugin to perform that check. For example, integrity checks will happen automatically with fetch and alt-fetch plugins, since they rely directly on the Fetch API. You can use the integrity-check plugin to perform integrity verification for transports that do cannot be assumed to perform integrity checks on their own.