Categorygithub.com/go-fed/httpsig
modulepackage
1.1.0
Repository: https://github.com/go-fed/httpsig.git
Documentation: pkg.go.dev
Overview
Versions
2
Dependencies
28
Dependents
40
Files
1.3k SLOC

# README

httpsig

go get github.com/go-fed/httpsig

Implementation of HTTP Signatures.

Supports many different combinations of MAC, HMAC signing of hash, or RSA signing of hash schemes. Its goals are:

  • Have a very simple interface for signing and validating
  • Support a variety of signing algorithms and combinations
  • Support setting either headers (Authorization or Signature)
  • Remaining flexible with headers included in the signing string
  • Support both HTTP requests and responses
  • Explicitly not support known-cryptographically weak algorithms
  • Support automatic signing and validating Digest headers

How to use

import "github.com/go-fed/httpsig"

Signing

Signing a request or response requires creating a new Signer and using it:

func sign(privateKey crypto.PrivateKey, pubKeyId string, r *http.Request) error {
	prefs := []httpsig.Algorithm{httpsig.RSA_SHA512, httpsig.RSA_SHA256}
	digestAlgorithm := DigestSha256
	// The "Date" and "Digest" headers must already be set on r, as well as r.URL.
	headersToSign := []string{httpsig.RequestTarget, "date", "digest"}
	signer, chosenAlgo, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature)
	if err != nil {
		return err
	}
	// To sign the digest, we need to give the signer a copy of the body...
	// ...but it is optional, no digest will be signed if given "nil"
	body := ...
	// If r were a http.ResponseWriter, call SignResponse instead.
	return signer.SignRequest(privateKey, pubKeyId, r, body)
}

Signers are not safe for concurrent use by goroutines, so be sure to guard access:

type server struct {
	signer httpsig.Signer
	mu *sync.Mutex
}

func (s *server) handlerFunc(w http.ResponseWriter, r *http.Request) {
	privateKey := ...
	pubKeyId := ...
	// Set headers and such on w
	s.mu.Lock()
	defer s.mu.Unlock()
	// To sign the digest, we need to give the signer a copy of the response body...
	// ...but it is optional, no digest will be signed if given "nil"
	body := ...
	err := s.signer.SignResponse(privateKey, pubKeyId, w, body)
	if err != nil {
		...
	}
	...
}

The pubKeyId will be used at verification time.

Verifying

Verifying requires an application to use the pubKeyId to both retrieve the key needed for verification as well as determine the algorithm to use. Use a Verifier:

func verify(r *http.Request) error {
	verifier, err := httpsig.NewVerifier(r)
	if err != nil {
		return err
	}
	pubKeyId := verifier.KeyId()
	var algo httpsig.Algorithm = ...
	var pubKey crypto.PublicKey = ...
	// The verifier will verify the Digest in addition to the HTTP signature
	return verifier.Verify(pubKey, algo)
}

Verifiers are not safe for concurrent use by goroutines, but since they are constructed on a per-request or per-response basis it should not be a common restriction.

# Functions

IsSupportedDigestAlgorithm returns true if hte string is supported by this library, is not a hash known to be weak, and is supported by the hardware.
IsSupportedHttpSigAlgorithm returns true if the string is supported by this library, is not a hash known to be weak, and is supported by the hardware.
NewResponseVerifier verifies the given response.
NewSigner creates a new Signer with the provided algorithm preferences to make HTTP signatures.
NewwSSHSigner creates a new Signer using the specified ssh.Signer At the moment only ed25519 ssh keys are supported.
NewVerifier verifies the given request.

# Constants

Authorization will place the HTTP Signature into the 'Authorization' HTTP header.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
ECDSA algorithms.
No description provided by the author
No description provided by the author
No description provided by the author
ED25519 algorithms can only be SHA512.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
MAC-based algoirthms.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
RequestTarget specifies to include the http request method and entire URI in the signature.
No description provided by the author
RSA-based algorithms.
No description provided by the author
RSA_SHA256 is the default algorithm.
No description provided by the author
No description provided by the author
Signature will place the HTTP Signature into the 'Signature' HTTP header.

# Structs

No description provided by the author

# Interfaces

Signers will sign HTTP requests or responses based on the algorithms and headers selected at creation time.
Signers will sign HTTP requests or responses based on the algorithms and headers selected at creation time.
Verifier verifies HTTP Signatures.

# Type aliases

Algorithm specifies a cryptography secure algorithm for signing HTTP requests and responses.
No description provided by the author
HTTP Signatures can be applied to different HTTP headers, depending on the expected application behavior.