Digest::SRI - Calculate and verify Subresource Integrity hashes (SRI)
    use Digest::SRI qw/sri verify_sri/;

    print sri($filename), "\n";         # current default: SHA-512
    print sri($filehandle), "\n";
    print sri(\$string), "\n";
    print sri("SHA-256", $data), "\n";  # SHA-256, SHA-384, or SHA-512

    die "SRI mismatch" unless verify_sri('sha256-...base64...', $data);

    my $sri = Digest::SRI->new("SHA-256");
    $sri->addfilename($filename);
    $sri->addfile($filehandle);
    $sri->add($string);
    print $sri->sri, "\n";

    my $sri = Digest::SRI->new("sha256-...base64...");
    $sri->add...(...);
    die "SRI mismatch" unless $sri->verify;
This module provides functions to calculate and verify Subresource Integrity hashes (SRI). All of the usage is shown in the "Synopsis", with some usage notes here:
The sri and verify_sri functions both accept either:
a filename as a plain scalar,
a filehandle as a reference to a glob, or
a string of data as a reference to a scalar.
Digest::SRI->new accepts either:
no argument, which will use the "strongest" hashing algorithm (currently SHA-512),
the strings "SHA-256", "SHA-384", or "SHA-512" (or variants thereof, such as "SHA256" or "sha512") to specify those algorithms, or
a string representing a Subresource Integrity hash, which is to be used for later verification with ->verify.
Some other hashing algorithms, such as "MD5", are currently accepted, but known-weak hashing algorithms are not recommended by the W3C spec and they may be rejected by browsers.
The methods ->sri and ->verify are destructive operations, meaning the state of the underlying Digest object will be reset once you call one of these methods.
The other methods provided by the Digest family of modules, such as reset and clone, are also provided by this module.
Differences in Base64 padding (=) are currently ignored on verification, but future versions of this module may add warnings if this is deemed necessary.
This documentation describes version 0.02 of this module.
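The usage notes above, put together as a build-time pin-and-check step. This is an added example, not part of the module's own documentation. The asset names and contents are constructed, and check_asset is a hypothetical helper that refuses weak-algorithm pins before verifying.

```perl
use strict;
use warnings;
use Digest::SRI qw/sri/;

# Constructed sample assets (name => content); a real build would pass
# filenames or filehandles to sri() instead of scalar references.
my %assets = (
    'app.js'    => "console.log('hello');\n",
    'theme.css' => "body { margin: 0 }\n",
);

# Pin each asset with SHA-384 and emit the tag carrying the integrity value.
my %pinned;
for my $name (sort keys %assets) {
    my $hash = $pinned{$name} = sri("SHA-384", \$assets{$name});
    print $name =~ /\.css\z/
        ? qq{<link rel="stylesheet" href="/$name" integrity="$hash" crossorigin="anonymous">\n}
        : qq{<script src="/$name" integrity="$hash" crossorigin="anonymous"></script>\n};
}

# Check data against a pin. Because the module currently accepts weak
# algorithms such as MD5, refuse any pin outside the SHA-2 set first.
sub check_asset {
    my ($pin, @chunks) = @_;
    return 0 unless $pin =~ /\Asha(?:256|384|512)-/;
    my $digest = Digest::SRI->new($pin);   # fresh object per check:
    $digest->add($_) for @chunks;          # ->verify resets its state
    return $digest->verify ? 1 : 0;
}

# Simulate a file changed after pinning, then re-check every asset.
$assets{'app.js'} .= "// modified after pinning\n";
for my $name (sort keys %assets) {
    # Feed the content in two chunks, as when reading a large file in blocks.
    my $half   = int(length($assets{$name}) / 2);
    my @chunks = (substr($assets{$name}, 0, $half), substr($assets{$name}, $half));
    printf "%-10s %s\n", $name,
        check_asset($pinned{$name}, @chunks) ? 'ok' : 'SRI MISMATCH';
}
```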
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
https://www.w3.org/TR/SRI/#the-integrity-attribute
https://www.w3.org/TR/CSP2/#source-list-syntax
https://html.spec.whatwg.org/multipage/scripting.html#attr-script-integrity
https://tools.ietf.org/html/rfc2045#section-6.8
Copyright (c) 2018 Hauke Daempfling (haukex@zero-g.net) at the Leibniz Institute of Freshwater Ecology and Inland Fisheries (IGB), Berlin, Germany, http://www.igb-berlin.de/
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.