httpsignatures

package module

v0.0.23 Latest Latest Go to latest Published: Nov 4, 2020 License: MIT Imports: 25 Imported by: 14

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/igor-pavlenko/httpsignatures-go

Links

Open Source Insights

README ¶

Sign/Verify signature with http-signatures golang lib

This module is created to provide a simple solution to sign and verify signature in HTTP messages according to the document:

https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures-00

Versions compatibility

Since the current standard is still in draft mode and will have a few iterations (versions) before becoming stable, the project is going to maintain current and future versions.

To be compatible with ietf.org versioning the project will change only MINOR & PATCH versions, until document final release. A MINOR version will be equal to the draft version. A PATCH version will be used for bug fixes & improvements and will not break backward compatibility with IETF version.

For example:

The Document version	Httpsignatures.go
draft-ietf-httpbis-message-signatures-00	v0.0.1
draft-ietf-httpbis-message-signatures-{MINOR}	v0.{MINOR}.0
Final release	v1.0.0

Installation

To install the module:

go get github.com/igor-pavlenko/httpsignatures-go

To install a specific version, use:

go get github.com/igor-pavlenko/httpsignatures-go@v0.0.14

Don't forget: export GO111MODULE=on

Sign

package main

import (
	"fmt"
	"github.com/igor-pavlenko/httpsignatures-go"
	"net/http"
	"strings"
)

func main() {
	const sKey = "key1"
	// Don't put keys into code, neither push it in to git repo (this is just for example)
	secrets := map[string]httpsignatures.Secret{
		sKey: {
			KeyID: sKey,
			PublicKey: `-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----`,
			PrivateKey: `-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----`,
			Algorithm: "RSA-SHA256",
		},
	}
	ss := httpsignatures.NewSimpleSecretsStorage(secrets)
	hs := httpsignatures.NewHTTPSignatures(ss)
	hs.SetDefaultSignatureHeaders([]string{"(created)", "digest", "(expires)", "(request-target)"})

	r, _ := http.NewRequest(
		"POST",
		"https://example.com/foo?param=value&pet=dog",
		strings.NewReader(`{"hello": "world"}`),
	)
	err := hs.Sign(sKey, r)
	if err != nil {
		panic(err)
	}

	fmt.Println(r.Header.Get("Digest"))
	fmt.Println(r.Header.Get("Signature"))
}

Verify

package main

import (
	"fmt"
	"github.com/igor-pavlenko/httpsignatures-go"
	"net/http"
	"strings"
)

func main() {
	const sKey = "key1"
	// Don't put keys into code, neither push it in to git repo (this is just for example)
	secrets := map[string]httpsignatures.Secret{
		sKey: {
			KeyID: sKey,
			PublicKey: `-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----`,
			PrivateKey: `-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----`,
			Algorithm: "RSA-SHA256",
		},
	}
	ss := httpsignatures.NewSimpleSecretsStorage(secrets)
	hs := httpsignatures.NewHTTPSignatures(ss)

	r, _ := http.NewRequest(
		"POST",
		"https://example.com/foo?param=value&pet=dog",
		strings.NewReader(`{"hello": "world"}`),
	)
	r.Header.Set("Digest", "SHA-512=WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==")
	r.Header.Set("Signature", `keyId="key1",algorithm="RSA-SHA256",created=1594222776,headers="(created) digest (request-target)",signature="HobdANH0pDuVm9ag0Zdy06+1wgPttgSqJIiBI0wmgILrJ3IlZ26KuHPGNTZs2N55SFHCpE1gLnmyKJwLF46hmgdElB7zFreYAGmNhukguoIiQ8slZnOjs2GtZ40kHa+7kO5mqT+i5GaRKwBtRiiFe3nEPxEmrugXEwj5j6DEvl8="`)

	err := hs.Verify(r)
	if err != nil {
		panic(err)
	}
	fmt.Println("Signature verified")
}

Settings

Custom Secrets Storage

If you have a lot of keys, you can get them from any external storage, for example: DB, Files, Vaults etc. Just implement Secrets interface and inject it into httpsignatures.NewHTTPSignatures().

package main

import (
	"fmt"
	"github.com/igor-pavlenko/httpsignatures-go"
	"io/ioutil"
	"os"
	"regexp"
)

// To create your own secrets storage implement the httpsignatures.Secrets interface
// type Secrets interface {
//	   Get(keyID string) (Secret, error)
// }

const alg = "RSA-SHA512"

// SimpleSecretsStorage local static secrets storage
type FileSecretsStorage struct {
	dir     string
	storage map[string]httpsignatures.Secret
}

// Get get secret from local files by KeyID
func (s FileSecretsStorage) Get(keyID string) (httpsignatures.Secret, error) {
	if secret, ok := s.storage[keyID]; ok {
		return secret, nil
	}

	validKeyID, err := regexp.Match(`[a-zA-Z0-9]+`, []byte(keyID))
	if !validKeyID {
		return httpsignatures.Secret{}, &httpsignatures.SecretError{Message: "wrong keyID format allowed: [a-zA-Z0-9]+"}
	}

	publicKeyFile := fmt.Sprintf("%s/%s.pub", s.dir, keyID)
	publicKey, err := s.readFile(publicKeyFile)
	if err != nil {
		return httpsignatures.Secret{}, &httpsignatures.SecretError{Message: "public key file not found", Err: err}
	}

	privateKeyFile := fmt.Sprintf("%s/%s.key", s.dir, keyID)
	privateKey, err := s.readFile(privateKeyFile)
	if err != nil {
		return httpsignatures.Secret{}, &httpsignatures.SecretError{Message: "private key file not found", Err: err}
	}

	fmt.Println(privateKey, publicKey)
	s.storage[keyID] = httpsignatures.Secret{
		KeyID:      keyID,
		PublicKey:  publicKey,
		PrivateKey: privateKey,
		Algorithm:  alg,
	}
	return s.storage[keyID], nil
}

// Get key from file
func (s FileSecretsStorage) readFile(f string) (string, error) {
	if !s.fileExists(f) {
		return "", &httpsignatures.SecretError{Message: fmt.Sprintf("file '%s' not found", f)}
	}
	key, err := ioutil.ReadFile(f)
	if err != nil {
		return "", &httpsignatures.SecretError{Message: fmt.Sprintf("read file error: '%s'", f), Err: err}
	}

	return string(key), nil
}

// Check if file exists
func (s FileSecretsStorage) fileExists(f string) bool {
	i, err := os.Stat(f)
	if os.IsNotExist(err) {
		return false
	}
	return !i.IsDir()
}

// NewSimpleSecretsStorage create new digest
func NewFileSecretsStorage(dir string) httpsignatures.Secrets {
    if len(dir) == 0 {
		return nil
	}
	s := new(FileSecretsStorage)
	s.dir = dir
	s.storage = make(map[string]httpsignatures.Secret)
	return s
}

func main() {
	hs := httpsignatures.NewHTTPSignatures(NewFileSecretsStorage("/tmp"))
	hs.SetDefaultExpiresSeconds(10)
}

AWS Secrets Manager Storage

It's good practice to store private/public keys in secrets storage like AWS Secrets Manager, Vault by HashiCorp, or any other service. So you need to get keys by request.

Some use cases, service used to:

validate incoming requests from other services (it needs only public keys)
sign self outgoing requests (signed by itself. So it needs only self private key)
sign outgoing requests on behalf of other services (it needs all private keys of served services)
validate other service requests & sign self requests (it needs access to self private keys & only public keys of served services)

How to store keys in Secrets Manager

Keys should be stored as binary. Name pattern: "///<PrivateKey|PublicKey|Algorithm>". Where — environment (for example: prod, dev, sandbox, staging etc), — service identifier used as KeyID in requests, <PrivateKey|PublicKey|Algorithm> — key type, can be only PrivateKey, PublicKey, Algorithm.

aws secretsmanager create-secret --name "/dev/myServiceID/PrivateKey" \
    --description "Private Key for service with keyID = myServiceID" \
    --secret-binary file://private.key

aws secretsmanager create-secret --name "/dev/myServiceID/PublicKey" \
    --description "Public Key for service with keyID = myServiceID" \
    --secret-binary file://public.pub

# In case services use different signature algorithms, store it also in Secrets Manager
# If you have only one algorithm for all services, set it as a parameter (see below).
aws secretsmanager create-secret --name "/dev/myServiceID/Algorithm" \
    --description "Algorithm for service with keyID = myServiceID" \
    --secret-binary file://algorithm.txt

If you have only one algorithm for all services, set it as a parameter and do not store the algorithm name in Secrets Manager:

//...
sm := NewAwsSecretsManagerStorage("prod", secretsManager)
sm.SetAlgorithm("RSA-SHA512")
//...

Validate incoming requests

To validate incoming requests you need only PublicKey. PrivateKey & Algorithm can be omitted:

//...
sm := NewAwsSecretsManagerStorage("prod", secretsManager)
// Omit Algorithm 
sm.SetAlgorithm("RSA-SHA512")
// To skip private keys for all services, you have to define not empty map with "*" KeyID and set it to false
sm.SetRequiredPrivateKeys(map[string]bool{"*": false})
//...

Sign self outgoing requests or sign outgoing requests on behalf of other services

To sign outgoing requests you need only PrivateKey. PublicKey & Algorithm can be omitted:

//...
sm := NewAwsSecretsManagerStorage("prod", secretsManager)
// Omit Algorithm 
sm.SetAlgorithm("RSA-SHA512")
// To skip public keys for all services, you have to define not empty map with "*" KeyID and set it to false
sm.SetRequiredPublicKeys(map[string]bool{"*": false})
//...

Validate other service requests & sign self requests

To sign self outgoing requests you need only PrivateKey. PublicKey & Algorithm can be omitted. To validate other services incoming requests you need only PublicKeys, PrivateKeys & Algorithms can be omitted:

//...
sm := NewAwsSecretsManagerStorage("prod", secretsManager)
// Omit Algorithm 
sm.SetAlgorithm("RSA-SHA512")
// Set required PrivateKey only for service with keyID = MyselfKeyID (current service).
// You don't need PrivateKeys to validate incoming requests (and you don't have permissions to get PrivateKeys)
sm.SetRequiredPrivateKeys(map[string]bool{"MyselfKeyID": true})
// You don't need self PublicKey, but PublicKeys of other services are required.
sm.SetRequiredPublicKeys(map[string]bool{"MyselfKeyID": false})
//...

Custom Digest hash algorithm

You can set your custom signature hash algorithm by implementing the DigestHashAlgorithm interface.

package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"fmt"
	"github.com/igor-pavlenko/httpsignatures-go"
)

// To create new digest algorithm, implement httpsignatures.DigestHashAlgorithm interface
// type DigestHashAlgorithm interface {
//	 Algorithm() string
//	 Create(data []byte) ([]byte, error)
// 	 Verify(data []byte, digest []byte) error
// }

// Digest algorithm name
const algSha1Name = "sha1"

// algSha1 sha1 Algorithm
type algSha1 struct{}

// Return algorithm name
func (a algSha1) Algorithm() string {
	return algSha1Name
}

// Create hash
func (a algSha1) Create(data []byte) ([]byte, error) {
	h := sha1.New()
	_, err := h.Write(data)
	if err != nil {
		return nil, &httpsignatures.CryptoError{Message: "error creating hash", Err: err}
	}
	return h.Sum(nil), nil
}

// Verify hash
func (a algSha1) Verify(data []byte, digest []byte) error {
	expected, err := a.Create(data)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(digest, expected) != 1 {
		return &httpsignatures.CryptoError{Message: "wrong hash"}
	}
	return nil
}

func main() {
	hs := httpsignatures.NewHTTPSignatures(httpsignatures.NewSimpleSecretsStorage(map[string]httpsignatures.Secret{}))
	// Add algorithm implementation
	hs.SetDigestAlgorithm(algSha1{})
	// Set `algSha1Name` as default algorithm for digest
	err := hs.SetDefaultDigestAlgorithm(algSha1Name)
	if err != nil {
		fmt.Println(err)
	}
}

Default Digest algorithm

Choose one of supported digest hash algorithms with method SetDefaultDigestAlgorithm.

hs := httpsignatures.NewHTTPSignatures(httpsignatures.NewSimpleSecretsStorage(map[string]httpsignatures.Secret{}))
hs.SetDefaultDigestAlgorithm("MD5")

Disable/Enable verify Digest function

If digest header set in signature headers — module will verify it. To disable verification use SetDefaultVerifyDigest method.

hs := httpsignatures.NewHTTPSignatures(httpsignatures.NewSimpleSecretsStorage(map[string]httpsignatures.Secret{}))
hs.SetDefaultVerifyDigest(false)

Custom Signature hash algorithm

You can set your own custom signature hash algorithm by implementing the SignatureHashAlgorithm interface.

package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"github.com/igor-pavlenko/httpsignatures-go"
)

// To create your own signature hash algorithm, implement httpsignatures.SignatureHashAlgorithm interface
// type SignatureHashAlgorithm interface {
// 	   Algorithm() string
// 	   Create(secret Secret, data []byte) ([]byte, error)
// 	   Verify(secret Secret, data []byte, signature []byte) error
// }

// Digest algorithm name
const algHmacSha1Name = "HMAC-SHA1"

// algHmacSha1 HMAC-SHA1 Algorithm
type algHmacSha1 struct{}

// Return algorithm name
func (a algHmacSha1) Algorithm() string {
	return algHmacSha1Name
}

// Create hash
func (a algHmacSha1) Create(secret httpsignatures.Secret, data []byte) ([]byte, error) {
	if len(secret.PrivateKey) == 0 {
		return nil, &httpsignatures.CryptoError{Message: "no private key found"}
	}
	mac := hmac.New(sha1.New, []byte(secret.PrivateKey))
	_, err := mac.Write(data)
	if err != nil {
		return nil, &httpsignatures.CryptoError{Message: "error creating signature", Err: err}
	}
	return mac.Sum(nil), nil
}

// Verify hash
func (a algHmacSha1) Verify(secret httpsignatures.Secret, data []byte, signature []byte) error {
	expected, err := a.Create(secret, data)
	if err != nil {
		return err
	}
	if !hmac.Equal(signature, expected) {
		return &httpsignatures.CryptoError{Message: "wrong signature"}
	}
	return nil
}

func main() {
	hs := httpsignatures.NewHTTPSignatures(httpsignatures.NewSimpleSecretsStorage(map[string]httpsignatures.Secret{}))
	hs.SetSignatureHashAlgorithm(algHmacSha1{})
}

Default expires seconds

By default, signature will expire in 30 seconds. You can set custom value for expiration using SetDefaultExpiresSeconds method.

hs := httpsignatures.NewHTTPSignatures(httpsignatures.NewSimpleSecretsStorage(map[string]httpsignatures.Secret{}))
hs.SetDefaultExpiresSeconds(60)

Default time gap for expires/created time verification

Default time gap is 10 seconds. To set custom time gap use SetDefaultTimeGap method.

hs := httpsignatures.NewHTTPSignatures(httpsignatures.NewSimpleSecretsStorage(map[string]httpsignatures.Secret{}))
hs.SetDefaultTimeGap(100)

Default signature headers

By default, headers used in signature: ["(created)"]. Use SetDefaultSignatureHeaders method to set custom headers list.

hs := httpsignatures.NewHTTPSignatures(httpsignatures.NewSimpleSecretsStorage(map[string]httpsignatures.Secret{}))
hs.SetDefaultSignatureHeaders([]string{"(request-target)", "(created)", "(expires)", "date", "host", "digest"})

Supported Signature hash algorithms

RSASSA-PSS with SHA256
RSASSA-PSS with SHA512
ECDSA with SHA256
ECDSA with SHA512
RSA-SHA256
RSA-SHA512
HMAC-SHA256
HMAC-SHA512
ED25519

Supported Digest hash algorithms

MD5
SHA256
SHA512

Examples

Look at examples & tests to find out how to work with lib.

Todo

Gin plugin
AwsSecretsManagerStorage plugin

Documentation ¶

Index ¶

type Digest
- func NewDigest() *Digest
- func (d *Digest) Create(alg string, r *http.Request) (string, error)
- func (d *Digest) SetDefaultDigestHashAlgorithm(a string) error
- func (d *Digest) SetDigestHashAlgorithm(a DigestHashAlgorithm)
- func (d *Digest) Verify(r *http.Request) error
type DigestHashAlgorithm
type DigestHeader
type ECDSASignature
type ED25519
- func (a ED25519) Algorithm() string
- func (a ED25519) Create(secret Secret, data []byte) ([]byte, error)
- func (a ED25519) Verify(secret Secret, data []byte, signature []byte) error
type ED25519PrivateKey
type ED25519PublicKey
type EcdsaSha256
- func (a EcdsaSha256) Algorithm() string
- func (a EcdsaSha256) Create(secret Secret, data []byte) ([]byte, error)
- func (a EcdsaSha256) Verify(secret Secret, data []byte, signature []byte) error
type EcdsaSha512
- func (a EcdsaSha512) Algorithm() string
- func (a EcdsaSha512) Create(secret Secret, data []byte) ([]byte, error)
- func (a EcdsaSha512) Verify(secret Secret, data []byte, signature []byte) error
type ErrCrypto
- func (e *ErrCrypto) Error() string
type ErrDigest
- func (e *ErrDigest) Error() string
type ErrHS
- func (e *ErrHS) Error() string
type ErrParser
- func (e *ErrParser) Error() string
type ErrSecret
- func (e *ErrSecret) Error() string
type HTTPSignatures
- func NewHTTPSignatures(ss Secrets) *HTTPSignatures
- func (hs *HTTPSignatures) SetDefaultDigestAlgorithm(a string) error
- func (hs *HTTPSignatures) SetDefaultExpiresSeconds(e uint32)
- func (hs *HTTPSignatures) SetDefaultSignatureHeaders(h []string)
- func (hs *HTTPSignatures) SetDefaultTimeGap(t int64)
- func (hs *HTTPSignatures) SetDefaultVerifyDigest(v bool)
- func (hs *HTTPSignatures) SetDigestAlgorithm(a DigestHashAlgorithm)
- func (hs *HTTPSignatures) SetSignatureHashAlgorithm(a SignatureHashAlgorithm)
- func (hs *HTTPSignatures) Sign(secretKeyID string, r *http.Request) error
- func (hs *HTTPSignatures) Verify(r *http.Request) error
type Headers
type HmacSha256
- func (a HmacSha256) Algorithm() string
- func (a HmacSha256) Create(secret Secret, data []byte) ([]byte, error)
- func (a HmacSha256) Verify(secret Secret, data []byte, signature []byte) error
type HmacSha512
- func (a HmacSha512) Algorithm() string
- func (a HmacSha512) Create(secret Secret, data []byte) ([]byte, error)
- func (a HmacSha512) Verify(secret Secret, data []byte, signature []byte) error
type Md5
- func (a Md5) Algorithm() string
- func (a Md5) Create(data []byte) ([]byte, error)
- func (a Md5) Verify(data []byte, digest []byte) error
type Parser
- func NewParser() *Parser
- func (p *Parser) ParseDigestHeader(header string) (DigestHeader, *ErrParser)
- func (p *Parser) ParseSignatureHeader(header string) (Headers, *ErrParser)
- func (p *Parser) VerifySignatureFields() *ErrParser
type RsaSha256
- func (a RsaSha256) Algorithm() string
- func (a RsaSha256) Create(secret Secret, data []byte) ([]byte, error)
- func (a RsaSha256) Verify(secret Secret, data []byte, signature []byte) error
type RsaSha512
- func (a RsaSha512) Algorithm() string
- func (a RsaSha512) Create(secret Secret, data []byte) ([]byte, error)
- func (a RsaSha512) Verify(secret Secret, data []byte, signature []byte) error
type RsaSsaPssSha256
- func (a RsaSsaPssSha256) Algorithm() string
- func (a RsaSsaPssSha256) Create(secret Secret, data []byte) ([]byte, error)
- func (a RsaSsaPssSha256) Verify(secret Secret, data []byte, signature []byte) error
type RsaSsaPssSha512
- func (a RsaSsaPssSha512) Algorithm() string
- func (a RsaSsaPssSha512) Create(secret Secret, data []byte) ([]byte, error)
- func (a RsaSsaPssSha512) Verify(secret Secret, data []byte, signature []byte) error
type Secret
type Secrets
- func NewSimpleSecretsStorage(storage map[string]Secret) Secrets
type Sha256
- func (a Sha256) Algorithm() string
- func (a Sha256) Create(data []byte) ([]byte, error)
- func (a Sha256) Verify(data []byte, digest []byte) error
type Sha512
- func (a Sha512) Algorithm() string
- func (a Sha512) Create(data []byte) ([]byte, error)
- func (a Sha512) Verify(data []byte, digest []byte) error
type SignatureHashAlgorithm
type SimpleSecretsStorage
- func (s SimpleSecretsStorage) Get(keyID string) (Secret, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Digest ¶

type Digest struct {
	// contains filtered or unexported fields
}

Digest digest internal struct

func NewDigest ¶

func NewDigest() *Digest

NewDigest create new digest

func (*Digest) Create ¶

func (d *Digest) Create(alg string, r *http.Request) (string, error)

Create create digest hash

func (*Digest) SetDefaultDigestHashAlgorithm ¶

func (d *Digest) SetDefaultDigestHashAlgorithm(a string) error

SetDefaultDigestHashAlgorithm set digest default algorithm options (default from available)

func (*Digest) SetDigestHashAlgorithm ¶

func (d *Digest) SetDigestHashAlgorithm(a DigestHashAlgorithm)

SetDigestHashAlgorithm set digest options (add new digest hash algorithm)

func (*Digest) Verify ¶

func (d *Digest) Verify(r *http.Request) error

Verify verify digest header (compare with real request body hash)

type DigestHashAlgorithm ¶

type DigestHashAlgorithm interface {
	Algorithm() string
	Create(data []byte) ([]byte, error)
	Verify(data []byte, digest []byte) error
}

DigestHashAlgorithm interface to create/verify digest HMAC hash

type DigestHeader ¶

type DigestHeader struct {
	// contains filtered or unexported fields
}

DigestHeader Digest header parsed into params (alg & digest)

type ECDSASignature ¶

type ECDSASignature struct {
	R, S *big.Int
}

ECDSASignature ECDSA signature

type ED25519 ¶

type ED25519 struct{}

ED25519 ED25519 Algorithm

func (ED25519) Algorithm ¶

func (a ED25519) Algorithm() string

Algorithm Return algorithm name

func (ED25519) Create ¶

func (a ED25519) Create(secret Secret, data []byte) ([]byte, error)

Create Create signature using passed privateKey from secret

func (ED25519) Verify ¶

func (a ED25519) Verify(secret Secret, data []byte, signature []byte) error

Verify Verify signature using passed publicKey from secret

type ED25519PrivateKey ¶

type ED25519PrivateKey struct {
	Version          int
	ObjectIdentifier struct {
		ObjectIdentifier asn1.ObjectIdentifier
	}
	PrivateKey []byte
}

ED25519PrivateKey ED25519 PrivateKey

type ED25519PublicKey ¶

type ED25519PublicKey struct {
	ObjectIdentifier struct {
		ObjectIdentifier asn1.ObjectIdentifier
	}
	PublicKey asn1.BitString
}

ED25519PublicKey ED25519 PublicKey

type EcdsaSha256 ¶

type EcdsaSha256 struct{}

EcdsaSha256 ECDSA with SHA256 Algorithm

func (EcdsaSha256) Algorithm ¶

func (a EcdsaSha256) Algorithm() string

Algorithm Return algorithm name

func (EcdsaSha256) Create ¶

func (a EcdsaSha256) Create(secret Secret, data []byte) ([]byte, error)

Create Create signature using passed privateKey from secret

func (EcdsaSha256) Verify ¶

func (a EcdsaSha256) Verify(secret Secret, data []byte, signature []byte) error

Verify Verify signature using passed publicKey from secret

type EcdsaSha512 ¶

type EcdsaSha512 struct{}

EcdsaSha512 ECDSA with SHA512 Algorithm

func (EcdsaSha512) Algorithm ¶

func (a EcdsaSha512) Algorithm() string

Algorithm Return algorithm name

func (EcdsaSha512) Create ¶

func (a EcdsaSha512) Create(secret Secret, data []byte) ([]byte, error)

Create Create signature using passed privateKey from secret

func (EcdsaSha512) Verify ¶

func (a EcdsaSha512) Verify(secret Secret, data []byte, signature []byte) error

Verify Verify signature using passed publicKey from secret

type ErrCrypto ¶

type ErrCrypto struct {
	Message string
	Err     error
}

ErrCrypto errors during Create/Verify signature functions

func (*ErrCrypto) Error ¶

func (e *ErrCrypto) Error() string

ErrHS error message

type ErrDigest ¶

type ErrDigest struct {
	Message string
	Err     error
}

ErrDigest errors during digest verification

func (*ErrDigest) Error ¶

func (e *ErrDigest) Error() string

ErrHS error message

type ErrHS ¶

type ErrHS struct {
	Message string
	Err     error
}

ErrHS errors during validating or creating Signature|Authorization

func (*ErrHS) Error ¶

func (e *ErrHS) Error() string

ErrHS error message

type ErrParser ¶

type ErrParser struct {
	Message string
	Err     error
}

ErrParser errors during parsing

func (*ErrParser) Error ¶

func (e *ErrParser) Error() string

ErrHS error message

type ErrSecret ¶

type ErrSecret struct {
	Message string
	Err     error
}

ErrSecret errors during retrieving secret

func (*ErrSecret) Error ¶

func (e *ErrSecret) Error() string

ErrHS error message

type HTTPSignatures ¶

type HTTPSignatures struct {
	// contains filtered or unexported fields
}

HTTPSignatures struct

func NewHTTPSignatures ¶

func NewHTTPSignatures(ss Secrets) *HTTPSignatures

NewHTTPSignatures Constructor

func (*HTTPSignatures) SetDefaultDigestAlgorithm ¶

func (hs *HTTPSignatures) SetDefaultDigestAlgorithm(a string) error

SetDefaultDigestAlgorithm set custom digest hash algorithm

func (*HTTPSignatures) SetDefaultExpiresSeconds ¶

func (hs *HTTPSignatures) SetDefaultExpiresSeconds(e uint32)

SetDefaultExpiresSeconds set default expires seconds (while creating signature). If signature never expires just exclude "expires" param from the headers list

func (*HTTPSignatures) SetDefaultSignatureHeaders ¶

func (hs *HTTPSignatures) SetDefaultSignatureHeaders(h []string)

SetDefaultSignatureHeaders set default list of headers to create signature (Sign method)

func (*HTTPSignatures) SetDefaultTimeGap ¶

func (hs *HTTPSignatures) SetDefaultTimeGap(t int64)

SetDefaultTimeGap set default time gap for (created)/(expires) validation

func (*HTTPSignatures) SetDefaultVerifyDigest ¶

func (hs *HTTPSignatures) SetDefaultVerifyDigest(v bool)

SetDefaultVerifyDigest set default verify digest or skip verification

func (*HTTPSignatures) SetDigestAlgorithm ¶

func (hs *HTTPSignatures) SetDigestAlgorithm(a DigestHashAlgorithm)

SetDigestAlgorithm set custom digest hash algorithm

func (*HTTPSignatures) SetSignatureHashAlgorithm ¶

func (hs *HTTPSignatures) SetSignatureHashAlgorithm(a SignatureHashAlgorithm)

SetSignatureHashAlgorithm set custom signature hash algorithm

func (*HTTPSignatures) Sign ¶

func (hs *HTTPSignatures) Sign(secretKeyID string, r *http.Request) error

Sign add signature header

func (*HTTPSignatures) Verify ¶

func (hs *HTTPSignatures) Verify(r *http.Request) error

Verify Verify signature

type Headers ¶

type Headers struct {
	KeyID     string    // REQUIRED
	Algorithm string    // RECOMMENDED
	Created   time.Time // RECOMMENDED
	Expires   time.Time // OPTIONAL (Not implemented: "Subsecond precision is allowed using decimal notation.")
	Headers   []string  // OPTIONAL
	Signature string    // REQUIRED
}

Headers Signature headers & params

type HmacSha256 ¶

type HmacSha256 struct{}

HmacSha256 HMAC-SHA256 Algorithm

func (HmacSha256) Algorithm ¶

func (a HmacSha256) Algorithm() string

Algorithm Return algorithm name

func (HmacSha256) Create ¶

func (a HmacSha256) Create(secret Secret, data []byte) ([]byte, error)

Create Create signature using passed privateKey from secret

func (HmacSha256) Verify ¶

func (a HmacSha256) Verify(secret Secret, data []byte, signature []byte) error

Verify Verify signature using passed privateKey from secret

type HmacSha512 ¶

type HmacSha512 struct{}

HmacSha512 HMAC-SHA512 Algorithm

func (HmacSha512) Algorithm ¶

func (a HmacSha512) Algorithm() string

Algorithm Return algorithm name

func (HmacSha512) Create ¶

func (a HmacSha512) Create(secret Secret, data []byte) ([]byte, error)

Create Create signature using passed privateKey from secret

func (HmacSha512) Verify ¶

func (a HmacSha512) Verify(secret Secret, data []byte, signature []byte) error

Verify Verify signature using passed privateKey from secret

type Md5 ¶

type Md5 struct{}

Md5 MD5 Algorithm

func (Md5) Algorithm ¶

func (a Md5) Algorithm() string

Algorithm Return algorithm name

func (Md5) Create ¶

func (a Md5) Create(data []byte) ([]byte, error)

Create Create hash

func (Md5) Verify ¶

func (a Md5) Verify(data []byte, digest []byte) error

Verify Verify hash

type Parser ¶

type Parser struct {
	// contains filtered or unexported fields
}

Parser parser internal struct

func NewParser ¶

func NewParser() *Parser

NewParser create new parser

func (*Parser) ParseDigestHeader ¶

func (p *Parser) ParseDigestHeader(header string) (DigestHeader, *ErrParser)

ParseDigestHeader parse Digest header

func (*Parser) ParseSignatureHeader ¶

func (p *Parser) ParseSignatureHeader(header string) (Headers, *ErrParser)

ParseSignatureHeader parse Signature header

func (*Parser) VerifySignatureFields ¶

func (p *Parser) VerifySignatureFields() *ErrParser

VerifySignatureFields verify required fields

type RsaSha256 ¶

type RsaSha256 struct{}

RsaSha256 RSA-SHA265 Algorithm

func (RsaSha256) Algorithm ¶

func (a RsaSha256) Algorithm() string

Algorithm Return algorithm name

func (RsaSha256) Create ¶

func (a RsaSha256) Create(secret Secret, data []byte) ([]byte, error)

Create Create signature using passed privateKey from secret

func (RsaSha256) Verify ¶

func (a RsaSha256) Verify(secret Secret, data []byte, signature []byte) error

Verify Verify signature using passed publicKey from secret

type RsaSha512 ¶

type RsaSha512 struct{}

RsaSha512 RSA-SHA512 Algorithm

func (RsaSha512) Algorithm ¶

func (a RsaSha512) Algorithm() string

Algorithm Return algorithm name

func (RsaSha512) Create ¶

func (a RsaSha512) Create(secret Secret, data []byte) ([]byte, error)

Create Create signature using passed privateKey from secret

func (RsaSha512) Verify ¶

func (a RsaSha512) Verify(secret Secret, data []byte, signature []byte) error

Verify Verify signature using passed publicKey from secret

type RsaSsaPssSha256 ¶

type RsaSsaPssSha256 struct{}

RsaSsaPssSha256 RSA-PSS-SHA256 Algorithm

func (RsaSsaPssSha256) Algorithm ¶

func (a RsaSsaPssSha256) Algorithm() string

Algorithm Return algorithm name

func (RsaSsaPssSha256) Create ¶

func (a RsaSsaPssSha256) Create(secret Secret, data []byte) ([]byte, error)

Create Create signature using passed privateKey from secret

func (RsaSsaPssSha256) Verify ¶

func (a RsaSsaPssSha256) Verify(secret Secret, data []byte, signature []byte) error

Verify Verify signature using passed publicKey from secret

type RsaSsaPssSha512 ¶

type RsaSsaPssSha512 struct{}

RsaSsaPssSha512 RSA-PSS-SHA512 Algorithm

func (RsaSsaPssSha512) Algorithm ¶

func (a RsaSsaPssSha512) Algorithm() string

Algorithm Return algorithm name

func (RsaSsaPssSha512) Create ¶

func (a RsaSsaPssSha512) Create(secret Secret, data []byte) ([]byte, error)

Create Create signature using passed privateKey from secret

func (RsaSsaPssSha512) Verify ¶

func (a RsaSsaPssSha512) Verify(secret Secret, data []byte, signature []byte) error

Verify Verify signature using passed publicKey from secret

type Secret ¶

type Secret struct {
	KeyID      string
	PublicKey  string
	PrivateKey string
	Algorithm  string
}

Secret struct to return/store secret

type Secrets ¶

type Secrets interface {
	Get(keyID string) (Secret, error)
}

Secrets interface to retrieve secrets from storage (local, DB, file etc)

func NewSimpleSecretsStorage ¶

func NewSimpleSecretsStorage(storage map[string]Secret) Secrets

NewSimpleSecretsStorage create new storage

type Sha256 ¶

type Sha256 struct{}

Sha256 Sha256 Algorithm

func (Sha256) Algorithm ¶

func (a Sha256) Algorithm() string

Algorithm Return algorithm name

func (Sha256) Create ¶

func (a Sha256) Create(data []byte) ([]byte, error)

Create Create hash

func (Sha256) Verify ¶

func (a Sha256) Verify(data []byte, digest []byte) error

Verify Verify hash

type Sha512 ¶

type Sha512 struct{}

Sha512 Sha512 Algorithm

func (Sha512) Algorithm ¶

func (a Sha512) Algorithm() string

Algorithm Return algorithm name

func (Sha512) Create ¶

func (a Sha512) Create(data []byte) ([]byte, error)

Create Create hash

func (Sha512) Verify ¶

func (a Sha512) Verify(data []byte, digest []byte) error

Verify Verify hash

type SignatureHashAlgorithm ¶

type SignatureHashAlgorithm interface {
	Algorithm() string
	Create(secret Secret, data []byte) ([]byte, error)
	Verify(secret Secret, data []byte, signature []byte) error
}

SignatureHashAlgorithm interface to create/verify Signature using secret keys Algorithm return algorithm name Create create new signature Verify verify passed signature

type SimpleSecretsStorage ¶

type SimpleSecretsStorage struct {
	// contains filtered or unexported fields
}

SimpleSecretsStorage local static secrets storage

func (SimpleSecretsStorage) Get ¶

func (s SimpleSecretsStorage) Get(keyID string) (Secret, error)

Get get secret from local storage by KeyID

Directories ¶

Path	Synopsis
aws
examples
digestHashAlgorithm
fileSecretsStorage
sign
signatureHashAlgorith
verify

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL