Hauke D
and 1 contributors

Name

Digest::SRI - Calculate and verify Subresource Integrity hashes (SRI)

Synopsis

 use Digest::SRI qw/sri verify_sri/;
 
 print sri($filename),   "\n";       # current default: SHA-512
 print sri($filehandle), "\n";
 print sri(\$string),    "\n";
 print sri("SHA-256", $data), "\n";  # SHA-256, SHA-384, or SHA-512
 
 die "SRI mismatch" unless verify_sri('sha256-...base64...', $data);
 
 my $sri = Digest::SRI->new("SHA-256");
 $sri->addfilename($filename);
 $sri->addfile($filehandle);
 $sri->add($string);
 print $sri->sri, "\n";
 
 my $sri = Digest::SRI->new("sha256-...base64...");
 $sri->add...(...);
 die "SRI mismatch" unless $sri->verify;

Description

This module provides functions to calculate and verify Subresource Integrity hashes (SRI). All of the usage is shown in the "Synopsis", with some usage notes here:

  • The sri and verify_sri functions both accept either:

    • a filename as a plain scalar,

    • a filehandle as a reference to a glob, or

    • a string of data as a reference to a scalar.

  • Digest::SRI->new accepts either:

    • no argument, which will use the "strongest" hashing algorithm (currently SHA-512),

    • the strings "SHA-256", "SHA-384", or "SHA-512" (or variants thereof, such as "SHA256" or "sha512") to specify those algorithms, or

    • a string representing a Subresource Integrity hash, which is to be used for later verification with ->verify.

    • Some other hashing algorithms, such as "MD5", are currently accepted, but known-weak hashing algorithms are not recommended by the W3C spec and they may be rejected by browsers.

  • The methods ->sri and ->verify are destructive operations, meaning the state of the underlying Digest object will be reset once you call one of these methods.

  • The other methods provided by the Digest family of modules, such as reset and clone, are also provided by this module.

  • Differences in Base64 padding (=) are currently ignored on verification, but future versions of this module may add warnings if this is deemed necessary.

This documentation describes version 0.02 of this module.

References

Author, Copyright, and License

Copyright (c) 2018 Hauke Daempfling (haukex@zero-g.net) at the Leibniz Institute of Freshwater Ecology and Inland Fisheries (IGB), Berlin, Germany, http://www.igb-berlin.de/

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.