react-native-security-suite 0.9.21 → 1.0.0-rc.1

package/android/src/main/java/com/securitysuite/CryptoUtils.java

@@ -0,0 +1,152 @@
+package com.securitysuite;
+
+import android.util.Base64;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.SecureRandom;
+import java.util.regex.Pattern;
+
+/**
+ * Shared cryptographic utilities. HKDF-SHA256 (RFC 5869) is used instead of raw
+ * ECDH output or single-pass SHA-256 to derive independent symmetric keys.
+ */
+public final class CryptoUtils {
+  public static final String HKDF_SALT = "react-native-security-suite";
+  public static final String HKDF_INFO_ENCRYPTION = "rss-encryption-v1";
+  public static final String HKDF_INFO_HMAC = "rss-hmac-v1";
+
+  private static final Pattern SAFE_JWS_HEADER_KEY = Pattern.compile("^[a-zA-Z][a-zA-Z0-9_-]*$");
+  private static final Pattern SAFE_JWS_VALUE = Pattern.compile("^[\\x20-\\x7E]+$");
+
+  private CryptoUtils() {}
+
+  /** RFC 5869 HKDF-SHA256 expand/extract. */
+  public static byte[] hkdfSha256(byte[] ikm, byte[] salt, byte[] info, int length) throws Exception {
+    byte[] actualSalt = (salt == null || salt.length == 0)
+        ? new byte[32]
+        : salt;
+
+    Mac extractMac = Mac.getInstance("HmacSHA256");
+    extractMac.init(new SecretKeySpec(actualSalt, "HmacSHA256"));
+    byte[] prk = extractMac.doFinal(ikm);
+
+    Mac expandMac = Mac.getInstance("HmacSHA256");
+    expandMac.init(new SecretKeySpec(prk, "HmacSHA256"));
+
+    byte[] result = new byte[length];
+    byte[] previous = new byte[0];
+    int offset = 0;
+    byte counter = 1;
+
+    while (offset < length) {
+      expandMac.reset();
+      expandMac.update(previous);
+      if (info != null && info.length > 0) {
+        expandMac.update(info);
+      }
+      expandMac.update(counter);
+      previous = expandMac.doFinal();
+      int copyLength = Math.min(previous.length, length - offset);
+      System.arraycopy(previous, 0, result, offset, copyLength);
+      offset += copyLength;
+      counter++;
+    }
+
+    return result;
+  }
+
+  public static byte[] deriveEncryptionKey(byte[] sharedSecret) throws Exception {
+    return hkdfSha256(
+        sharedSecret,
+        HKDF_SALT.getBytes(StandardCharsets.UTF_8),
+        HKDF_INFO_ENCRYPTION.getBytes(StandardCharsets.UTF_8),
+        32
+    );
+  }
+
+  public static byte[] deriveHmacKey(byte[] sharedSecret) throws Exception {
+    return hkdfSha256(
+        sharedSecret,
+        HKDF_SALT.getBytes(StandardCharsets.UTF_8),
+        HKDF_INFO_HMAC.getBytes(StandardCharsets.UTF_8),
+        32
+    );
+  }
+
+  public static String base64UrlEncode(byte[] data) {
+    return Base64.encodeToString(data, Base64.URL_SAFE | Base64.NO_PADDING | Base64.NO_WRAP);
+  }
+
+  public static boolean isHttpsUrl(String url) {
+    if (url == null || url.isEmpty()) {
+      return false;
+    }
+    try {
+      java.net.URI uri = new java.net.URI(url.trim());
+      return "https".equalsIgnoreCase(uri.getScheme())
+          && uri.getHost() != null
+          && !uri.getHost().isEmpty();
+    } catch (Exception e) {
+      return false;
+    }
+  }
+
+  public static String normalizePinHash(String pin) {
+    if (pin == null) {
+      return "";
+    }
+    return pin.trim().replaceAll("(?i)^sha256/", "");
+  }
+
+  public static void validateJwsHeaderKey(String key) throws IllegalArgumentException {
+    if (key == null || !SAFE_JWS_HEADER_KEY.matcher(key).matches()) {
+      throw new IllegalArgumentException("Invalid JWS header key: " + key);
+    }
+  }
+
+  public static void validateJwsHeaderValue(String value) throws IllegalArgumentException {
+    if (value == null || !SAFE_JWS_VALUE.matcher(value).matches()) {
+      throw new IllegalArgumentException("Invalid JWS header value");
+    }
+  }
+
+  public static String validateJwsAlgorithm(String algorithm) throws IllegalArgumentException {
+    if (algorithm == null || algorithm.isEmpty()) {
+      return "HS256";
+    }
+    switch (algorithm) {
+      case "HS256":
+      case "HS384":
+      case "HS512":
+        return algorithm;
+      default:
+        throw new IllegalArgumentException("Unsupported JWS algorithm: " + algorithm);
+    }
+  }
+
+  public static String hmacAlgorithmForJws(String algorithm) {
+    switch (algorithm) {
+      case "HS384":
+        return "HmacSHA384";
+      case "HS512":
+        return "HmacSHA512";
+      case "HS256":
+      default:
+        return "HmacSHA256";
+    }
+  }
+
+  public static byte[] sha256(byte[] input) throws Exception {
+    return MessageDigest.getInstance("SHA-256").digest(input);
+  }
+
+  public static byte[] randomBytes(int length) {
+    byte[] bytes = new byte[length];
+    new SecureRandom().nextBytes(bytes);
+    return bytes;
+  }
+}

package/android/src/main/java/com/securitysuite/EcdhKeyStore.java

@@ -0,0 +1,60 @@
+package com.securitysuite;
+
+import android.content.Context;
+import android.security.keystore.KeyGenParameterSpec;
+import android.security.keystore.KeyProperties;
+import android.util.Base64;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+/**
+ * Persists the ECDH P-256 keypair in Android Keystore (non-exportable private key).
+ */
+public final class EcdhKeyStore {
+  private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
+  private static final String KEY_ALIAS = "com.securitysuite.ecdh.p256";
+
+  private EcdhKeyStore() {}
+
+  public static KeyPair getOrCreateKeyPair(Context context) throws Exception {
+    KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
+    keyStore.load(null);
+
+    if (keyStore.containsAlias(KEY_ALIAS)) {
+      KeyStore.Entry entry = keyStore.getEntry(KEY_ALIAS, null);
+      if (entry instanceof KeyStore.PrivateKeyEntry) {
+        KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
+        return new KeyPair(privateKeyEntry.getCertificate().getPublicKey(), privateKeyEntry.getPrivateKey());
+      }
+    }
+
+    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(
+        KeyProperties.KEY_ALGORITHM_EC,
+        ANDROID_KEYSTORE
+    );
+
+    KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
+        KEY_ALIAS,
+        KeyProperties.PURPOSE_AGREE_KEY
+    )
+        .setAlgorithmParameterSpec(new java.security.spec.ECGenParameterSpec("secp256r1"))
+        .setDigests(KeyProperties.DIGEST_SHA256)
+        .build();
+
+    keyPairGenerator.initialize(spec);
+    return keyPairGenerator.generateKeyPair();
+  }
+
+  public static String getPublicKeyBase64(Context context) throws Exception {
+    PublicKey publicKey = getOrCreateKeyPair(context).getPublic();
+    return Base64.encodeToString(publicKey.getEncoded(), Base64.NO_WRAP);
+  }
+
+  public static PrivateKey getPrivateKey(Context context) throws Exception {
+    return getOrCreateKeyPair(context).getPrivate();
+  }
+}

package/android/src/main/java/com/securitysuite/HeaderSanitizer.java

@@ -0,0 +1,75 @@
+package com.securitysuite;
+
+import com.facebook.react.bridge.ReadableMap;
+import com.facebook.react.bridge.ReadableMapKeySetIterator;
+import com.facebook.react.bridge.ReadableType;
+
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+import okhttp3.Headers;
+
+/**
+ * Prevents sensitive credentials from appearing in debug network logs.
+ */
+public final class HeaderSanitizer {
+  public static final Set<String> SENSITIVE_HEADERS = Set.of(
+      "authorization",
+      "proxy-authorization",
+      "cookie",
+      "set-cookie",
+      "x-api-key",
+      "x-auth-token",
+      "x-access-token",
+      "x-jws-signature",
+      "x-request-signature",
+      "x-csrf-token"
+  );
+
+  private HeaderSanitizer() {}
+
+  public static boolean isSensitiveHeader(String name) {
+    return name != null && SENSITIVE_HEADERS.contains(name.toLowerCase(Locale.US));
+  }
+
+  public static String maskValue(String value) {
+    if (value == null || value.isEmpty()) {
+      return "***";
+    }
+    if (value.length() <= 8) {
+      return "***";
+    }
+    return value.substring(0, 4) + "***" + value.substring(value.length() - 2);
+  }
+
+  public static Headers sanitizeHeaders(Headers headers) {
+    if (headers == null) {
+      return new Headers.Builder().build();
+    }
+    Headers.Builder builder = new Headers.Builder();
+    for (int i = 0; i < headers.size(); i++) {
+      String name = headers.name(i);
+      String value = headers.value(i);
+      builder.add(name, isSensitiveHeader(name) ? maskValue(value) : value);
+    }
+    return builder.build();
+  }
+
+  public static Map<String, String> sanitizeReadableMap(ReadableMap readableMap) {
+    HashMap<String, String> map = new HashMap<>();
+    if (readableMap == null) {
+      return map;
+    }
+    ReadableMapKeySetIterator iterator = readableMap.keySetIterator();
+    while (iterator.hasNextKey()) {
+      String key = iterator.nextKey();
+      if (readableMap.getType(key) == ReadableType.String) {
+        String value = readableMap.getString(key);
+        map.put(key, isSensitiveHeader(key) ? maskValue(value) : value);
+      }
+    }
+    return map;
+  }
+}

package/android/src/main/java/com/securitysuite/JWSGenerator.java

@@ -1,45 +1,250 @@
 package com.securitysuite;
 
-import android.util.Base64;
+import com.facebook.react.bridge.ReadableMap;
+import com.facebook.react.bridge.ReadableMapKeySetIterator;
+import com.facebook.react.bridge.ReadableType;
+
+import org.json.JSONObject;
 
 import javax.crypto.Mac;
-import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
 
 import java.nio.charset.StandardCharsets;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
+import java.util.TreeMap;
 
+/**
+ * RFC 7515 compact JWS serialization.
+ * Protected headers are built with JSONObject — never string concatenation.
+ */
 public class JWSGenerator {
-    public String jwsHeader(byte[] payload, String keyId, String requestId, SecretKey secretKey) {
-        try {
-            // Construct JOSE Header
-            String joseHeader = "{\"alg\":\"HS256\",\"kid\":\"" + keyId + "\",\"b64\":false,\"crit\":[\"b64\"],\"requestId\":\"" + requestId + "\"}";
-            byte[] joseHeaderBytes = joseHeader.getBytes(StandardCharsets.UTF_8);
-            String base64JoseHeader = Base64.encodeToString(joseHeaderBytes, Base64.URL_SAFE | Base64.NO_PADDING | Base64.NO_WRAP);
-
-            byte[] value = prepareAggregatedContentBytes(base64JoseHeader.getBytes(), payload);
-
-            // Sign the value
-            Mac hmacSha256 = Mac.getInstance("HmacSHA256");
-            hmacSha256.init(secretKey);
-            byte[] signature = hmacSha256.doFinal(value);
-
-            // Convert signature to URL-safe Base64
-            String base64URLSignature = Base64.encodeToString(signature, Base64.URL_SAFE | Base64.NO_PADDING | Base64.NO_WRAP);
-
-            // Combine base64JoseHeader, "..", and base64URLSignature to form final JWS
-            return base64JoseHeader + ".." + base64URLSignature;
-        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-            e.printStackTrace();
-            return "";
+  public String generate(
+      String payloadString,
+      String secret,
+      String algorithm,
+      ReadableMap headers,
+      boolean detached
+  ) throws Exception {
+    if (secret == null || secret.trim().isEmpty()) {
+      throw new IllegalArgumentException("JWS secret is required and must be a non-empty string");
+    }
+
+    String selectedAlgorithm = resolveAlgorithm(algorithm, headers);
+    JSONObject header = buildProtectedHeader(selectedAlgorithm, headers);
+
+    byte[] headerBytes = serializeHeader(header);
+    String encodedProtectedHeader = CryptoUtils.base64UrlEncode(headerBytes);
+    String encodedPayload = encodePayload(payloadString);
+    byte[] signingInput = buildSigningInputBytes(encodedProtectedHeader, encodedPayload);
+
+    Mac mac = Mac.getInstance(CryptoUtils.hmacAlgorithmForJws(selectedAlgorithm));
+    mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), CryptoUtils.hmacAlgorithmForJws(selectedAlgorithm)));
+    String encodedSignature = CryptoUtils.base64UrlEncode(mac.doFinal(signingInput));
+
+    return formatCompactJws(encodedProtectedHeader, encodedPayload, encodedSignature, detached);
+  }
+
+  /** @deprecated Use {@link #generate} with explicit secret and headers. */
+  @Deprecated
+  public String jwsHeader(byte[] payload, String keyId, String requestId, String secret) {
+    try {
+      JSONObject legacyHeaders = new JSONObject();
+      legacyHeaders.put("kid", keyId);
+      legacyHeaders.put("request_id", requestId);
+
+      String payloadString = payload != null
+          ? new String(payload, StandardCharsets.UTF_8)
+          : "";
+
+      return generate(payloadString, secret, "HS256", toReadableMap(legacyHeaders), true);
+    } catch (Exception e) {
+      throw new IllegalStateException("JWS generation failed: " + e.getMessage(), e);
+    }
+  }
+
+  public boolean verify(
+      String compactJws,
+      String payloadString,
+      String secret,
+      String expectedAlgorithm,
+      boolean detached
+  ) throws Exception {
+    if (compactJws == null || compactJws.isEmpty()) {
+      throw new IllegalArgumentException("Invalid compact JWS format");
+    }
+
+    String encodedProtectedHeader;
+    String encodedSignature;
+
+    if (detached) {
+      String[] parts = compactJws.split("\\.\\.", 2);
+      if (parts.length != 2) {
+        throw new IllegalArgumentException("Invalid compact detached JWS format");
+      }
+      encodedProtectedHeader = parts[0];
+      encodedSignature = parts[1];
+    } else {
+      String[] parts = compactJws.split("\\.");
+      if (parts.length != 3) {
+        throw new IllegalArgumentException("Invalid compact JWS format");
+      }
+      encodedProtectedHeader = parts[0];
+      encodedSignature = parts[2];
+    }
+
+    String encodedPayload = encodePayload(payloadString);
+    byte[] signingInput = buildSigningInputBytes(encodedProtectedHeader, encodedPayload);
+
+    String algorithm = expectedAlgorithm != null ? expectedAlgorithm : "HS256";
+    Mac mac = Mac.getInstance(CryptoUtils.hmacAlgorithmForJws(CryptoUtils.validateJwsAlgorithm(algorithm)));
+    mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), CryptoUtils.hmacAlgorithmForJws(algorithm)));
+    byte[] expectedSignature = mac.doFinal(signingInput);
+
+    byte[] providedSignature = android.util.Base64.decode(
+        encodedSignature,
+        android.util.Base64.URL_SAFE | android.util.Base64.NO_PADDING | android.util.Base64.NO_WRAP
+    );
+
+    return java.security.MessageDigest.isEqual(expectedSignature, providedSignature);
+  }
+
+  static String resolveAlgorithm(String algorithm, ReadableMap headers) throws Exception {
+    String headerAlg = null;
+    if (headers != null && headers.hasKey("alg") && !headers.isNull("alg")) {
+      headerAlg = readHeaderValueAsString(headers, "alg");
+    }
+
+    if (algorithm != null && !algorithm.isEmpty() && headerAlg != null && !algorithm.equals(headerAlg)) {
+      throw new IllegalArgumentException(
+          "JWS algorithm mismatch: options.algorithm and headers.alg must match"
+      );
+    }
+
+    if (algorithm != null && !algorithm.isEmpty()) {
+      return CryptoUtils.validateJwsAlgorithm(algorithm);
+    }
+
+    if (headerAlg != null && !headerAlg.isEmpty()) {
+      return CryptoUtils.validateJwsAlgorithm(headerAlg);
+    }
+
+    return "HS256";
+  }
+
+  private JSONObject buildProtectedHeader(String selectedAlgorithm, ReadableMap headers) throws Exception {
+    JSONObject header = new JSONObject();
+    header.put("alg", selectedAlgorithm);
+
+    if (headers != null) {
+      TreeMap<String, Object> sorted = new TreeMap<>();
+      ReadableMapKeySetIterator iterator = headers.keySetIterator();
+      while (iterator.hasNextKey()) {
+        String key = iterator.nextKey();
+        if ("alg".equals(key)) {
+          continue;
         }
+        CryptoUtils.validateJwsHeaderKey(key);
+        sorted.put(key, readHeaderValue(headers, key));
+      }
+
+      for (java.util.Map.Entry<String, Object> entry : sorted.entrySet()) {
+        header.put(entry.getKey(), entry.getValue());
+      }
+    }
+
+    return header;
+  }
+
+  private static Object readHeaderValue(ReadableMap headers, String key) {
+    ReadableType type = headers.getType(key);
+    switch (type) {
+      case Null:
+        return JSONObject.NULL;
+      case Boolean:
+        return headers.getBoolean(key);
+      case Number:
+        return headers.getDouble(key);
+      case String:
+        String value = headers.getString(key);
+        CryptoUtils.validateJwsHeaderValue(value);
+        return value;
+      default:
+        throw new IllegalArgumentException(
+            "JWS header values must be JSON-serializable primitives: " + key
+        );
+    }
+  }
+
+  private static String readHeaderValueAsString(ReadableMap headers, String key) {
+    ReadableType type = headers.getType(key);
+    if (type == ReadableType.String) {
+      return headers.getString(key);
+    }
+    if (type == ReadableType.Number) {
+      double number = headers.getDouble(key);
+      if (number == Math.rint(number)) {
+        return String.valueOf((long) number);
+      }
+      return String.valueOf(number);
+    }
+    if (type == ReadableType.Boolean) {
+      return String.valueOf(headers.getBoolean(key));
+    }
+    throw new IllegalArgumentException(
+        "JWS header values must be JSON-serializable primitives: " + key
+    );
+  }
+
+  private static byte[] serializeHeader(JSONObject header) throws Exception {
+    TreeMap<String, Object> sorted = new TreeMap<>();
+    java.util.Iterator<String> keys = header.keys();
+    while (keys.hasNext()) {
+      String key = keys.next();
+      sorted.put(key, header.get(key));
+    }
+
+    JSONObject sortedHeader = new JSONObject();
+    for (java.util.Map.Entry<String, Object> entry : sorted.entrySet()) {
+      sortedHeader.put(entry.getKey(), entry.getValue());
+    }
+    return sortedHeader.toString().getBytes(StandardCharsets.UTF_8);
+  }
+
+  static String encodePayload(String payloadString) {
+    if (payloadString == null || payloadString.isEmpty()) {
+      return "";
+    }
+    return CryptoUtils.base64UrlEncode(payloadString.getBytes(StandardCharsets.UTF_8));
+  }
+
+  static byte[] buildSigningInputBytes(String encodedProtectedHeader, String encodedPayload) {
+    String signingInput = encodedProtectedHeader + "." + (encodedPayload != null ? encodedPayload : "");
+    return signingInput.getBytes(StandardCharsets.UTF_8);
+  }
+
+  static String formatCompactJws(
+      String encodedProtectedHeader,
+      String encodedPayload,
+      String encodedSignature,
+      boolean detached
+  ) {
+    if (detached) {
+      return encodedProtectedHeader + ".." + encodedSignature;
     }
+    String payloadSegment = encodedPayload != null ? encodedPayload : "";
+    return encodedProtectedHeader + "." + payloadSegment + "." + encodedSignature;
+  }
 
-    private static byte[] prepareAggregatedContentBytes(byte[] headerBytes, byte[] payloadBytes) {
-        byte[] contentBytes = new byte[headerBytes.length + 1 + payloadBytes.length];
-        System.arraycopy(headerBytes, 0, contentBytes, 0, headerBytes.length);
-        contentBytes[headerBytes.length] = '.';
-        System.arraycopy(payloadBytes, 0, contentBytes, headerBytes.length + 1, payloadBytes.length);
-        return contentBytes;
+  private static ReadableMap toReadableMap(JSONObject jsonObject) {
+    com.facebook.react.bridge.WritableMap map = com.facebook.react.bridge.Arguments.createMap();
+    java.util.Iterator<String> keys = jsonObject.keys();
+    while (keys.hasNext()) {
+      String key = keys.next();
+      try {
+        map.putString(key, jsonObject.getString(key));
+      } catch (Exception e) {
+        throw new IllegalStateException("Failed to convert legacy JWS headers", e);
+      }
     }
+    return map;
+  }
 }

package/android/src/main/java/com/securitysuite/JwsFetchPayload.java

@@ -0,0 +1,81 @@
+package com.securitysuite;
+
+import com.facebook.react.bridge.ReadableMap;
+import com.facebook.react.bridge.ReadableType;
+
+import org.json.JSONObject;
+
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+import java.util.TreeMap;
+
+/**
+ * Builds the default fetch request-signing payload when jws.payload is omitted.
+ */
+public final class JwsFetchPayload {
+  private JwsFetchPayload() {}
+
+  public static String build(
+      String url,
+      String method,
+      byte[] requestBody,
+      ReadableMap jwsOptions
+  ) throws Exception {
+    if (jwsOptions != null && jwsOptions.hasKey("payload")) {
+      ReadableType payloadType = jwsOptions.getType("payload");
+      if (payloadType == ReadableType.Null) {
+        return "";
+      }
+      if (payloadType == ReadableType.String) {
+        String payload = jwsOptions.getString("payload");
+        return payload != null ? payload : "";
+      }
+      throw new IllegalArgumentException("JWS fetch payload must be a string when provided");
+    }
+
+    URI uri = new URI(url);
+    TreeMap<String, Object> fields = new TreeMap<>();
+    fields.put("method", method != null ? method.toUpperCase() : "GET");
+    fields.put("path", uri.getPath() != null && !uri.getPath().isEmpty() ? uri.getPath() : "/");
+
+    if (uri.getQuery() != null && !uri.getQuery().isEmpty()) {
+      fields.put("query", uri.getQuery());
+    }
+
+    if (requestBody != null && requestBody.length > 0) {
+      fields.put("bodyHash", CryptoUtils.base64UrlEncode(CryptoUtils.sha256(requestBody)));
+    }
+
+    if (jwsOptions != null && jwsOptions.hasKey("headers") && jwsOptions.getMap("headers") != null) {
+      ReadableMap headers = jwsOptions.getMap("headers");
+      copyIfPresent(headers, fields, "timestamp");
+      copyIfPresent(headers, fields, "nonce");
+      copyIfPresent(headers, fields, "request_id");
+      copyIfPresent(headers, fields, "requestId");
+    }
+
+    JSONObject json = new JSONObject();
+    for (java.util.Map.Entry<String, Object> entry : fields.entrySet()) {
+      json.put(entry.getKey(), entry.getValue());
+    }
+    return json.toString();
+  }
+
+  private static void copyIfPresent(
+      ReadableMap headers,
+      TreeMap<String, Object> fields,
+      String key
+  ) {
+    if (!headers.hasKey(key) || headers.isNull(key)) {
+      return;
+    }
+    ReadableType type = headers.getType(key);
+    if (type == ReadableType.String) {
+      fields.put(key, headers.getString(key));
+    } else if (type == ReadableType.Number) {
+      fields.put(key, headers.getDouble(key));
+    } else if (type == ReadableType.Boolean) {
+      fields.put(key, headers.getBoolean(key));
+    }
+  }
+}