httpsurlconn service message-signing integration#8
Open
charlesoj6205 wants to merge 8 commits intomainfrom
Open
httpsurlconn service message-signing integration#8charlesoj6205 wants to merge 8 commits intomainfrom
charlesoj6205 wants to merge 8 commits intomainfrom
Conversation
…or implementation.
There was a problem hiding this comment.
Pull request overview
This PR adds an HTTP message-signing capability to the HttpsURLConnection Approov service layer by introducing a service mutator hook, a default message-signing mutator implementation, and supporting HTTP Structured Field Values (RFC 8941) + signature-base building utilities.
Changes:
- Add
ApproovServiceMutatorcallbacks and wire them intoApproovService.addApproov(...)to allow post-processing/mutation of requests. - Implement default message signing for
HttpsURLConnectionrequests (Signature / Signature-Input headers) with supporting signature-base construction utilities. - Add a Structured Field Values (RFC 8941) implementation used for Signature/Signature-Input header serialization, and add BouncyCastle for ASN.1 parsing.
Reviewed changes
Copilot reviewed 34 out of 34 changed files in this pull request and generated 19 comments.
Show a summary per file
| File | Description |
|---|---|
| approov-service/build.gradle | Updates Android SDK levels and adds BouncyCastle dependency needed for ASN.1 parsing in message signing |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovService.java | Adds mutator plumbing, status-as-token option, message signing helper APIs, and changes addApproov signature |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovServiceMutator.java | New mutator interface providing configurable hooks across token/substitution/interceptor flows |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovDefaultMessageSigning.java | Default message-signing mutator that builds signature base and adds Signature/Signature-Input headers |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovRequestMutations.java | Records request mutations (token header key, substituted headers, trace header key, etc.) for mutator use |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovInterceptorExtensions.java | Deprecated compatibility interface bridging older extension API to the new mutator API |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovFetchStatusException.java | New exception type to surface non-success token fetch statuses |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovNetworkException.java | Extends network exception to optionally carry TokenFetchStatus |
| approov-service/src/main/java/io/approov/util/sig/ComponentProvider.java | Signature component value provider abstraction for building signature bases |
| approov-service/src/main/java/io/approov/util/sig/SignatureBaseBuilder.java | Builds the signature base string from covered components and signature parameters |
| approov-service/src/main/java/io/approov/util/sig/SignatureParameters.java | Represents signature parameters and covered component identifiers; supports SFV serialization/parsing |
| approov-service/src/main/java/io/approov/util/sig/LICENSE | License file for the signature utility package |
| approov-service/src/main/java/io/approov/util/http/sfv/package-info.java | Package documentation for the Structured Field Values implementation |
| approov-service/src/main/java/io/approov/util/http/sfv/Parser.java | RFC 8941 parser implementation |
| approov-service/src/main/java/io/approov/util/http/sfv/ParseException.java | Parser exception with position/diagnostics support |
| approov-service/src/main/java/io/approov/util/http/sfv/Type.java | Base interface for SFV types with serialization support |
| approov-service/src/main/java/io/approov/util/http/sfv/Parameterizable.java | Common interface for SFV types that can carry parameters |
| approov-service/src/main/java/io/approov/util/http/sfv/Parameters.java | Immutable parameter map with serialization and validation |
| approov-service/src/main/java/io/approov/util/http/sfv/Utils.java | Validation helpers for SFV keys |
| approov-service/src/main/java/io/approov/util/http/sfv/ListElement.java | Marker interface for elements of outer lists |
| approov-service/src/main/java/io/approov/util/http/sfv/OuterList.java | SFV Outer List type |
| approov-service/src/main/java/io/approov/util/http/sfv/InnerList.java | SFV Inner List type |
| approov-service/src/main/java/io/approov/util/http/sfv/Dictionary.java | SFV Dictionary type |
| approov-service/src/main/java/io/approov/util/http/sfv/Item.java | Item abstraction with conversions from raw Java types |
| approov-service/src/main/java/io/approov/util/http/sfv/StringItem.java | SFV String item |
| approov-service/src/main/java/io/approov/util/http/sfv/TokenItem.java | SFV Token item |
| approov-service/src/main/java/io/approov/util/http/sfv/BooleanItem.java | SFV Boolean item |
| approov-service/src/main/java/io/approov/util/http/sfv/IntegerItem.java | SFV Integer item |
| approov-service/src/main/java/io/approov/util/http/sfv/DecimalItem.java | SFV Decimal item |
| approov-service/src/main/java/io/approov/util/http/sfv/DateItem.java | SFV Date item |
| approov-service/src/main/java/io/approov/util/http/sfv/NumberItem.java | Common interface for numeric items |
| approov-service/src/main/java/io/approov/util/http/sfv/ByteSequenceItem.java | SFV Byte Sequence item |
| approov-service/src/main/java/io/approov/util/http/sfv/DisplayStringItem.java | SFV Display String item |
| approov-service/src/main/java/io/approov/util/http/sfv/LICENSE | License file for the SFV implementation |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+278
to
+282
| String sigHeader = Dictionary.valueOf(Map.of( | ||
| sigId, ByteSequenceItem.valueOf(signature))).serialize(); | ||
| String sigInputHeader = Dictionary.valueOf(Map.of( | ||
| sigId, params.toComponentValue())).serialize(); | ||
|
|
There was a problem hiding this comment.
Map.of(...) is a Java 9 API and isn’t available on Android without additional desugaring; this will either fail at build time or at runtime on older Android versions. Use an Android/Java-8 compatible map construction (e.g., Collections.singletonMap, or a small LinkedHashMap) instead.
Comment on lines
15
to
+19
| compileSdkVersion 30 | ||
|
|
||
| defaultConfig { | ||
| minSdkVersion 21 | ||
| targetSdkVersion 28 | ||
| minSdkVersion 23 | ||
| targetSdkVersion 34 |
There was a problem hiding this comment.
compileSdkVersion (30) is lower than targetSdkVersion (34), which is likely to fail Android build/tooling checks. Align these values (typically set compileSdkVersion >= targetSdkVersion), and confirm whether raising minSdkVersion from 21 to 23 is intended (it’s a breaking change for library consumers).
| * @throws ApproovException if it is not possible to obtain an Approov token or secure strings | ||
| */ | ||
| public static synchronized void addApproov(HttpsURLConnection connection) throws ApproovException { | ||
| public static synchronized HttpsURLConnection addApproov(HttpsURLConnection request) throws ApproovException { |
There was a problem hiding this comment.
Changing addApproov to return HttpsURLConnection is a source/binary breaking change for existing consumers. Consider keeping the old void addApproov(HttpsURLConnection) signature as a deprecated wrapper that delegates to this method for backwards compatibility.
Contributor
|
I think we should address the issues from copilot code review. Did you verify message signing with Shapes API v5? (there is a better way to test message signing, such as using Cloudflare worker, we can disucss on Monday) |
…ApproovService.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovDefaultMessageSigning.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovNetworkException.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovServiceMutator.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovNetworkException.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovService.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovDefaultMessageSigning.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements message-signing/service mutator for HttpsURLConnection service layer. Lifted base line code from okhttp service layer and refactored for HttpsURLConnection.