Name
Digest::SRI - Calculate and verify Subresource Integrity hashes (SRI)
Synopsis
    use Digest::SRI qw/sri verify_sri/;

    print sri($filename), "\n"; # current default: SHA-512
    print sri($filehandle), "\n";
    print sri(\$string), "\n";
    print sri("SHA-256", $data), "\n"; # SHA-256, SHA-384, or SHA-512

    die "SRI mismatch" unless verify_sri('sha256-...base64...', $data);

    my $sri = Digest::SRI->new("SHA-256");
    $sri->addfilename($filename);
    $sri->addfile($filehandle);
    $sri->add($string);
    print $sri->sri, "\n";

    my $sri = Digest::SRI->new("sha256-...base64...");
    $sri->add...(...);
    die "SRI mismatch" unless $sri->verify;
Description
This module provides functions to calculate and verify Subresource Integrity hashes (SRI). All of the usage is shown in the "Synopsis", with some usage notes here:
- The sri and verify_sri functions both accept either:
  - a filename as a plain scalar,
  - a filehandle as a reference to a glob, or
  - a string of data as a reference to a scalar.
- Digest::SRI->new accepts either:
  - no argument, which will use the "strongest" hashing algorithm (currently SHA-512),
  - the strings "SHA-256", "SHA-384", or "SHA-512" (or variants thereof, such as "SHA256" or "sha512") to specify those algorithms, or
  - a string representing a Subresource Integrity hash, which is to be used for later verification with ->verify.
- Some other hashing algorithms, such as "MD5", are currently accepted, but known-weak hashing algorithms are not recommended by the W3C spec and they may be rejected by browsers.
- The methods ->sri and ->verify are destructive operations, meaning the state of the underlying Digest object will be reset once you call one of these methods.
- The other methods provided by the Digest family of modules, such as reset and clone, are also provided by this module.
- Differences in Base64 padding (=) are currently ignored on verification, but future versions of this module may add warnings if this is deemed necessary.
This documentation describes version 0.02 of this module.
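An added example, not from the module's documentation: a build-time check of a local file against an integrity attribute value that lists several hashes, using only the sri and verify_sri functions shown in the Synopsis. The helper check_integrity, the sample data and the fail-closed choice are assumptions of this example; considering only the strongest listed algorithm follows the Subresource Integrity specification.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SRI qw/sri verify_sri/;

# Relative strength of the three algorithms the module documents.
my %RANK = (sha256 => 1, sha384 => 2, sha512 => 3);

# check_integrity() is a hypothetical helper, not part of Digest::SRI.
# $attr is an integrity="" value that may hold several space-separated hashes;
# $data is a filename or a reference to a scalar (a filehandle would be
# consumed by the first verify_sri call, so it is not suitable here).
sub check_integrity {
    my ($attr, $data) = @_;
    my %by_alg;
    for my $token (split ' ', $attr) {
        my ($alg) = $token =~ /^(sha(?:256|384|512))-/ or next;
        push @{ $by_alg{$alg} }, $token;
    }
    # Fail closed: with no usable hash there is nothing to verify against.
    return 0 unless %by_alg;
    # Only hashes of the strongest listed algorithm count, so a matching
    # weaker hash cannot rescue a failing stronger one.
    my ($best) = sort { $RANK{$b} <=> $RANK{$a} } keys %by_alg;
    for my $token (@{ $by_alg{$best} }) {
        return 1 if verify_sri($token, $data);
    }
    return 0;
}

# Constructed sample data: a vendored script and a modified copy of it.
my $asset    = "console.log('vendored library');\n";
my $modified = $asset . "// changed after the hash was pinned\n";

my $pinned = join ' ', sri("SHA-256", \$asset), sri("SHA-384", \$asset);
# A stale attribute: the SHA-256 entry matches $asset, the SHA-384 does not.
my $stale  = join ' ', sri("SHA-256", \$asset), sri("SHA-384", \$modified);

my @cases = (
    [ 'pinned, original file', $pinned, \$asset    ],
    [ 'pinned, modified file', $pinned, \$modified ],
    [ 'stale SHA-384 entry',   $stale,  \$asset    ],
);
for my $case (@cases) {
    my ($label, $attr, $data) = @$case;
    printf "%-24s %s\n", $label, check_integrity($attr, $data) ? 'match' : 'MISMATCH';
}
```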
References
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
https://html.spec.whatwg.org/multipage/scripting.html#attr-script-integrity
Author, Copyright, and License
Copyright (c) 2018 Hauke Daempfling (haukex@zero-g.net) at the Leibniz Institute of Freshwater Ecology and Inland Fisheries (IGB), Berlin, Germany, http://www.igb-berlin.de/
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.