Constants ¶
const (
	// HeaderAuthorization is the name of the HTTP header searched by
	// AuthorizationSignatureExtractor (value carries the `Signature ` prefix).
	HeaderAuthorization = "Authorization"
	// HeaderSignature is the name of the HTTP header searched by SignatureExtractor.
	HeaderSignature = "Signature"
)
// Well-known header and pseudo-header names as they appear in the `headers`
// signature parameter. Names in parentheses are pseudo-headers derived from the
// request or the signature parameters rather than from an actual HTTP header.
const (
	Date          = "date"
	Digest        = "digest"
	Host          = "host"
	Nonce         = "nonce"
	ContentLength = "content-length"
	RequestTarget = "(request-target)"
	Created       = "(created)"
	Expires       = "(expires)"
)
const (
	// SchemeUnspecified places no restriction on the scheme.
	SchemeUnspecified = iota
	// SchemeAuthentication is the Authorization-header scheme.
	SchemeAuthentication
	// SchemeSignature is the Signature-header scheme.
	SchemeSignature
)
Variables ¶
var (
	// ErrSchemeUnsupported is returned when the scheme is not supported for the keyId.
	ErrSchemeUnsupported = errors.New("scheme unsupported")
	// ErrNoSignatureInRequest is returned when no `Signature` is found in the request.
	// Extractors must return this error (not a custom one) when nothing is present.
	ErrNoSignatureInRequest = errors.New("signature not found in request")
	// ErrKeyIdMissing is returned when keyId is absent from the header value.
	ErrKeyIdMissing = errors.New("keyId must be in header value")
	// ErrSignatureMissing is returned when signature is absent from the header value.
	ErrSignatureMissing = errors.New("signature must be in header value")
	// ErrKeyIdInvalid is returned when the keyId in the header has no provided metadata.
	ErrKeyIdInvalid = errors.New("keyId invalid")
	// ErrAlgorithmMismatch is returned when the algorithm in the header does not
	// match the one registered for the keyId.
	ErrAlgorithmMismatch = errors.New("algorithm does not match")
	// ErrAlgorithmUnsupported is returned when the algorithm is not supported.
	ErrAlgorithmUnsupported = errors.New("algorithm unsupported")
	// ErrMinimumRequiredHeader is returned when the signed header set does not
	// meet the minimum requirement.
	ErrMinimumRequiredHeader = errors.New("header field is not meet minimum requirement")
	// ErrDateInvalid is returned for an invalid 'date' header.
	ErrDateInvalid = errors.New("date invalid in header")
	// ErrDateNotInRange is returned when 'date' is outside the acceptable range.
	ErrDateNotInRange = errors.New("date is not in acceptable range")
	// ErrCreatedInvalid is returned for an invalid '(created)' value.
	ErrCreatedInvalid = errors.New("(created) invalid")
	// ErrCreatedNotInRange is returned when '(created)' is outside the acceptable range.
	ErrCreatedNotInRange = errors.New("(created) is not in acceptable range")
	// ErrExpiresInvalid is returned for an invalid '(expires)' value.
	ErrExpiresInvalid = errors.New("(expires) invalid")
	// ErrSignatureExpired is returned when '(expires)' has passed.
	ErrSignatureExpired = errors.New("signature has be expired")
	// ErrSignatureInvalid is returned when the signature does not verify over the signing string.
	ErrSignatureInvalid = errors.New("signature invalid")
	// ErrDigestMismatch is returned when the body does not match the submitted digest.
	ErrDigestMismatch = errors.New("body is not match with digest")
	// ErrKeyInvalid is returned when the key is invalid.
	ErrKeyInvalid = errors.New("key is invalid")
	// ErrKeyTypeInvalid is returned when the key has the wrong type for the signing method.
	ErrKeyTypeInvalid = errors.New("key is invalid type")
	// ErrHashUnavailable is returned when the requested hash function is not linked in.
	ErrHashUnavailable = errors.New("the requested hash function is unavailable")
	// ErrUnterminatedParameter is returned when a header parameter value could not be parsed.
	ErrUnterminatedParameter = errors.New("Unterminated parameter")
	// ErrMissingDoubleQuote is returned when the '=' character is not followed by a double quote.
	ErrMissingDoubleQuote = errors.New(`Missing " after = character`)
	// ErrMissingEqualCharacter is returned when there is no '=' before a '"' or ',' character.
	// NOTE(review): the trailing "=" in the message looks like a copy/paste slip; the
	// text is left unchanged here because callers may match on it.
	ErrMissingEqualCharacter = errors.New(`Missing = character =`)
)
var (
	// SigningMethodEcdsaSha256 is the "ecdsa-sha256" method using crypto.SHA256.
	// The two trailing literals are presumably the per-component signature size in
	// bytes and the curve size in bits — confirm against the SigningMethodECDSA fields.
	SigningMethodEcdsaSha256 = &SigningMethodECDSA{"ecdsa-sha256", crypto.SHA256, 32, 256}
	// SigningMethodEcdsaSha384 is the "ecdsa-sha384" method using crypto.SHA384.
	SigningMethodEcdsaSha384 = &SigningMethodECDSA{"ecdsa-sha384", crypto.SHA384, 48, 384}
	// SigningMethodEcdsaSha512 is the "ecdsa-sha512" method using crypto.SHA512;
	// a 521-bit curve needs 66 bytes per signature component.
	SigningMethodEcdsaSha512 = &SigningMethodECDSA{"ecdsa-sha512", crypto.SHA512, 66, 521}
)
Specific ECDSA signing method instances.
var (
	// ErrNotECPublicKey is returned when the PEM data does not hold an ECDSA public key.
	ErrNotECPublicKey = errors.New("key is not a valid ECDSA public key")
	// ErrNotECPrivateKey is returned when the PEM data does not hold an ECDSA private key.
	ErrNotECPrivateKey = errors.New("key is not a valid ECDSA private key")
)
var (
	// ErrNotEdPrivateKey is returned when the PEM data does not hold an Ed25519 private key.
	ErrNotEdPrivateKey = errors.New("key is not a valid Ed25519 private key")
	// ErrNotEdPublicKey is returned when the PEM data does not hold an Ed25519 public key.
	ErrNotEdPublicKey = errors.New("key is not a valid Ed25519 public key")
)
var (
	// SigningMethodHmacMd5 is the "hmac-md5" method. MD5 is kept for interoperability
	// with legacy peers only; prefer one of the SHA-2 variants below for new deployments.
	SigningMethodHmacMd5 = &SigningMethodHMAC{"hmac-md5", crypto.MD5}
	// SigningMethodHmacSha256 is the "hmac-sha256" method.
	SigningMethodHmacSha256 = &SigningMethodHMAC{"hmac-sha256", crypto.SHA256}
	// SigningMethodHmacSha384 is the "hmac-sha384" method.
	SigningMethodHmacSha384 = &SigningMethodHMAC{"hmac-sha384", crypto.SHA384}
	// SigningMethodHmacSha512 is the "hmac-sha512" method.
	SigningMethodHmacSha512 = &SigningMethodHMAC{"hmac-sha512", crypto.SHA512}
)
Specific HMAC signing method instances (hmac-md5 and hmac-shaXXX).
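var (
	// SigningMethodRsaSha256 is the "rsa-sha256" method using crypto.SHA256.
	SigningMethodRsaSha256 = &SigningMethodRSA{"rsa-sha256", crypto.SHA256}
	// SigningMethodRsaSha384 is the "rsa-sha384" method using crypto.SHA384.
	// It previously used crypto.SHA256, so the algorithm identifier advertised a
	// different digest than the one actually signed and verified; signatures
	// exchanged with a conforming peer would fail, and "rsa-sha384" signatures
	// produced locally were really over SHA-256.
	SigningMethodRsaSha384 = &SigningMethodRSA{"rsa-sha384", crypto.SHA384}
	// SigningMethodRsaSha512 is the "rsa-sha512" method using crypto.SHA512.
	SigningMethodRsaSha512 = &SigningMethodRSA{"rsa-sha512", crypto.SHA512}
)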
Specific RSA signing method instances (rsa-shaXXX).
var (
	// SigningMethodRsaPssSha256 is the "rsa-pss-sha256" method. Signing uses a salt
	// length equal to the hash length; verification accepts any salt length
	// (rsa.PSSSaltLengthAuto) so that signatures from other implementations verify.
	SigningMethodRsaPssSha256 = &SigningMethodRSAPSS{
		SigningMethodRSA: &SigningMethodRSA{
			Name: "rsa-pss-sha256",
			Hash: crypto.SHA256,
		},
		Options: &rsa.PSSOptions{
			SaltLength: rsa.PSSSaltLengthEqualsHash,
		},
		VerifyOptions: &rsa.PSSOptions{
			SaltLength: rsa.PSSSaltLengthAuto,
		},
	}
	// SigningMethodRsaPssSha384 is the "rsa-pss-sha384" method; same salt policy as above.
	SigningMethodRsaPssSha384 = &SigningMethodRSAPSS{
		SigningMethodRSA: &SigningMethodRSA{
			Name: "rsa-pss-sha384",
			Hash: crypto.SHA384,
		},
		Options: &rsa.PSSOptions{
			SaltLength: rsa.PSSSaltLengthEqualsHash,
		},
		VerifyOptions: &rsa.PSSOptions{
			SaltLength: rsa.PSSSaltLengthAuto,
		},
	}
	// SigningMethodRsaPssSha512 is the "rsa-pss-sha512" method; same salt policy as above.
	SigningMethodRsaPssSha512 = &SigningMethodRSAPSS{
		SigningMethodRSA: &SigningMethodRSA{
			Name: "rsa-pss-sha512",
			Hash: crypto.SHA512,
		},
		Options: &rsa.PSSOptions{
			SaltLength: rsa.PSSSaltLengthEqualsHash,
		},
		VerifyOptions: &rsa.PSSOptions{
			SaltLength: rsa.PSSSaltLengthAuto,
		},
	}
)
Specific RSA-PSS signing method instances (rsa-pss-shaXXX).
var (
	// ErrKeyMustBePEMEncoded is returned when the input is not a PEM-encoded PKCS1 or PKCS8 key.
	ErrKeyMustBePEMEncoded = errors.New("invalid key: Key must be a PEM encoded PKCS1 or PKCS8 key")
	// ErrNotRSAPrivateKey is returned when the PEM data does not hold an RSA private key.
	ErrNotRSAPrivateKey = errors.New("key is not a valid RSA private key")
	// ErrNotRSAPublicKey is returned when the PEM data does not hold an RSA public key.
	ErrNotRSAPublicKey = errors.New("key is not a valid RSA public key")
)
// SigningMethodEdDSA is the shared EdDSA (Ed25519) signing method instance.
var SigningMethodEdDSA = &SigningMethodEd25519{}
Specific EdDSA signing method instance.
Functions ¶
func ParseECPrivateKeyFromPEM ¶
func ParseECPrivateKeyFromPEM(key []byte) (*ecdsa.PrivateKey, error)
ParseECPrivateKeyFromPEM parses a PEM encoded Elliptic Curve Private Key Structure
func ParseECPublicKeyFromPEM ¶
ParseECPublicKeyFromPEM parses a PEM encoded PKCS1 or PKCS8 public key
func ParseEdPrivateKeyFromPEM ¶
func ParseEdPrivateKeyFromPEM(key []byte) (crypto.PrivateKey, error)
ParseEdPrivateKeyFromPEM parses a PEM-encoded Edwards curve private key
func ParseEdPublicKeyFromPEM ¶
ParseEdPublicKeyFromPEM parses a PEM-encoded Edwards curve public key
func ParseRSAPrivateKeyFromPEM ¶
func ParseRSAPrivateKeyFromPEM(key []byte) (*rsa.PrivateKey, error)
ParseRSAPrivateKeyFromPEM parses a PEM encoded PKCS1 or PKCS8 private key
func ParseRSAPrivateKeyFromPEMWithPassword
deprecated
func ParseRSAPrivateKeyFromPEMWithPassword(key []byte, password string) (*rsa.PrivateKey, error)
ParseRSAPrivateKeyFromPEMWithPassword parses a PEM encoded PKCS1 or PKCS8 private key protected with password
Deprecated: This function is deprecated and should not be used anymore. It uses the deprecated x509.DecryptPEMBlock function, which was deprecated because the RFC 1423 encryption it implements is regarded as insecure by design. Unfortunately, there is no alternative in the Go standard library for now. See https://github.com/golang/go/issues/8860.
Types ¶
type AuthorizationSignatureExtractor ¶
// AuthorizationSignatureExtractor holds the name of the header to search; the
// header value is expected to carry the `Signature ` prefix.
type AuthorizationSignatureExtractor string
AuthorizationSignatureExtractor is an extractor for finding a signature in a header whose value has the prefix `Signature `.
func NewAuthorizationSignatureExtractor ¶
func NewAuthorizationSignatureExtractor(h string) AuthorizationSignatureExtractor
NewAuthorizationSignatureExtractor returns a new AuthorizationSignatureExtractor for header h.
type CreatedValidator ¶
// CreatedValidator checks that the (created) timestamp lies within Gap of the server time.
type CreatedValidator struct {
	// Gap is the maximum difference between the client-submitted timestamp
	// and the server time that is considered valid. The time precision is seconds.
	Gap time.Duration
}
CreatedValidator checks that the (created) timestamp is within the accepted range.
func NewCreatedValidator ¶
func NewCreatedValidator() *CreatedValidator
NewCreatedValidator returns a CreatedValidator with the default Gap (30 seconds).
type DateValidator ¶
// DateValidator checks that the date header lies within Gap of the server time.
type DateValidator struct {
	// Gap is the maximum difference between the client-submitted timestamp
	// and the server time that is considered valid. The time precision is milliseconds.
	Gap time.Duration
}
DateValidator checks that the date header is within the accepted time range.
func NewDateValidator ¶
func NewDateValidator() *DateValidator
NewDateValidator returns a DateValidator with the default Gap (30 seconds).
type DigestUsingShared ¶
// DigestUsingShared computes a body digest with a shared-key SigningMethod
// (see NewDigestUsingShared); its fields are unexported.
type DigestUsingShared struct {
	// contains filtered or unexported fields
}
func NewDigestUsingShared ¶
func NewDigestUsingShared(signingMethod SigningMethod) *DigestUsingShared
type DigestUsingSharedValidator ¶
// DigestUsingSharedValidator validates a digest produced by DigestUsingShared.
// It carries no state.
type DigestUsingSharedValidator struct{}
func NewDigestUsingSharedValidator ¶
func NewDigestUsingSharedValidator() *DigestUsingSharedValidator
NewDigestUsingSharedValidator returns a pointer to a new DigestUsingSharedValidator.
type DigestValidator ¶
// DigestValidator checks that the digest in the header matches the request body;
// its fields are unexported and set by NewDigestValidator.
type DigestValidator struct {
	// contains filtered or unexported fields
}
DigestValidator checks that the digest in the header matches the request body.
func NewDigestValidator ¶
func NewDigestValidator(digest digest.Digest) *DigestValidator
NewDigestValidator returns a pointer to a new DigestValidator.
type ExpiresValidator ¶
// ExpiresValidator checks that the (expires) timestamp has not passed, allowing Gap of skew.
type ExpiresValidator struct {
	// Gap is the maximum difference between the client-submitted timestamp
	// and the server time that is considered valid. The time precision is seconds.
	Gap time.Duration
}
ExpiresValidator checks that the (expires) timestamp has not passed.
func NewExpiresValidator ¶
func NewExpiresValidator() *ExpiresValidator
NewExpiresValidator returns an ExpiresValidator with the default Gap (30 seconds).
type Extractor ¶
Extractor is an interface for extracting a signature from an HTTP request. The Extract method should return a signature string and Scheme, or an error. If no signature is present, it must return ErrNoSignatureInRequest.
type Keystone ¶
// Keystone manages the mapping from KeyId to Metadata.
// Implementations must be safe for concurrent use.
type Keystone interface {
	// AddMetadata stores md under the given KeyId.
	AddMetadata(KeyId, Metadata) error
	// DeleteMetadata removes the metadata for the given KeyId.
	DeleteMetadata(KeyId) error
	// GetMetadata returns the metadata for the given KeyId.
	GetMetadata(KeyId) (Metadata, error)
}
Keystone manages the mapping from keyId to Metadata. Implementations must be safe for concurrent use.
type KeystoneMemory ¶
// KeystoneMemory is an in-memory Keystone implementation; its fields are unexported.
type KeystoneMemory struct {
	// contains filtered or unexported fields
}
KeystoneMemory is an in-memory Keystone implementation.
func NewKeystoneMemory ¶
func NewKeystoneMemory() *KeystoneMemory
NewKeystoneMemory returns a new in-memory keystone.
func (*KeystoneMemory) AddMetadata ¶
func (k *KeystoneMemory) AddMetadata(keyId KeyId, md Metadata) error
AddMetadata implements Keystone.
func (*KeystoneMemory) DeleteMetadata ¶
func (k *KeystoneMemory) DeleteMetadata(keyId KeyId) error
DeleteMetadata implements Keystone.
func (*KeystoneMemory) GetMetadata ¶
func (k *KeystoneMemory) GetMetadata(keyId KeyId) (Metadata, error)
GetMetadata implements Keystone.
type MultiExtractor ¶
// MultiExtractor tries its Extractors in order until one returns a signature
// string or an error occurs.
type MultiExtractor []Extractor
MultiExtractor tries Extractors in order until one returns a signature string or an error occurs.
func NewMultiExtractor ¶
func NewMultiExtractor(es ...Extractor) MultiExtractor
NewMultiExtractor returns a MultiExtractor over the given extractors.
type Parameter ¶
// Parameter holds the parsed signature parameters of a request together with
// the signing method and key resolved for its keyId.
type Parameter struct {
	// REQUIRED. The `keyId` field is an opaque string that the server can
	// use to look up the component they need to validate the signature.
	KeyId KeyId
	// REQUIRED. The `signature` parameter is a base 64 encoded digital signature.
	Signature string
	// RECOMMENDED. The `algorithm` parameter is used to specify the
	// signature string construction mechanism. It is client-supplied and
	// must be checked against the keyId's registered algorithm (see
	// ErrAlgorithmMismatch) rather than trusted on its own.
	Algorithm string
	// RECOMMENDED. The `created` field expresses when the signature was created.
	// The value MUST be a Unix timestamp integer value.
	Created int64
	// OPTIONAL. The `expires` field expresses when the signature ceases to
	// be valid. The value MUST be a Unix timestamp integer value.
	Expires int64
	// OPTIONAL. The `headers` parameter is used to specify the list of
	// HTTP headers included when generating the signature for the message.
	Headers []string
	// Scheme is the scheme the signature was found under.
	Scheme Scheme
	// Method is the signing method resolved for this signature.
	Method SigningMethod
	// Key is the key for Method (type depends on the method, e.g. []byte for HMAC).
	Key any
	// contains filtered or unexported fields
}
Parameter contains the parsed signature parameters.
func (*Parameter) ContainsHeader ¶
ContainsHeader reports whether Headers contains header. NOTE: the internal headerMap is built from Headers the first time this function is called.
type Parser ¶
// Parser defines how a signature is parsed from an HTTP request and verified;
// its fields are unexported and configured through ParserOption.
type Parser struct {
	// contains filtered or unexported fields
}
Parser defines how a signature is parsed from an HTTP request.
func NewParser ¶
func NewParser(opts ...ParserOption) *Parser
NewParser returns a new Parser; default values are given in the Parser struct definition.
func (*Parser) AddMetadata ¶
AddMetadata adds the metadata for keyId.
func (*Parser) DeleteMetadata ¶
DeleteMetadata deletes the metadata for keyId.
func (*Parser) GetMetadata ¶
GetMetadata returns the keyId metadata.
func (*Parser) GetSigningMethod ¶
func (p *Parser) GetSigningMethod(alg string) (method SigningMethod)
GetSigningMethod retrieves a signing method from an "alg" string. Returns nil if alg not found.
func (*Parser) GetSigningMethodAlgorithms ¶
GetSigningMethodAlgorithms returns the list of registered "alg" names.
func (*Parser) ParseFromRequest ¶
func (*Parser) ParseVerify ¶
ParseVerify parses the signature from the HTTP request and then validates all parameters.
func (*Parser) RegisterSigningMethod ¶
func (p *Parser) RegisterSigningMethod(alg string, f func() SigningMethod) *Parser
RegisterSigningMethod registers the "alg" name and a factory function for signing method.
type ParserOption ¶
// ParserOption configures a Parser; it is applied by NewParser in the order given.
type ParserOption func(*Parser)
func WithExtractor ¶
func WithExtractor(e Extractor) ParserOption
func WithKeystone ¶
func WithKeystone(ks Keystone) ParserOption
func WithMinimumRequiredHeaders ¶
func WithMinimumRequiredHeaders(headers []string) ParserOption
func WithSigningMethods ¶
func WithSigningMethods(alg string, f func() SigningMethod) ParserOption
func WithValidators ¶
func WithValidators(vs ...Validator) ParserOption
type SignatureExtractor ¶
// SignatureExtractor holds the name of the header whose value is taken as the signature.
type SignatureExtractor string
SignatureExtractor is an extractor for finding a signature in a header.
func NewSignatureExtractor ¶
func NewSignatureExtractor(h string) SignatureExtractor
NewSignatureExtractor returns a new SignatureExtractor for header h.
type SigningMethod ¶
// SigningMethod is implemented by each signing/verification algorithm.
type SigningMethod interface {
	// Alg returns the "alg" identifier for this method.
	Alg() string
	// Verify returns nil if sig is a valid signature over signingBytes under key.
	// Any non-nil error must be treated as an invalid signature by callers.
	Verify(signingBytes []byte, sig []byte, key any) error
	// Sign returns the raw (not yet base64-encoded) signature over signingBytes, or an error.
	Sign(signingBytes []byte, key any) ([]byte, error)
}
SigningMethod can be used to add new methods for signing or verifying signatures. It takes a decoded signature as input in the Verify function and produces a signature in Sign. The signature is then usually base64 encoded as part of a Signature.
type SigningMethodECDSA ¶
SigningMethodECDSA implements the ECDSA family of signing methods. Expects *ecdsa.PrivateKey for signing and *ecdsa.PublicKey for verification
func (*SigningMethodECDSA) Alg ¶
func (m *SigningMethodECDSA) Alg() string
type SigningMethodEd25519 ¶
// SigningMethodEd25519 implements the EdDSA family; it carries no state.
// Expects ed25519.PrivateKey for signing and ed25519.PublicKey for verification.
type SigningMethodEd25519 struct{}
SigningMethodEd25519 implements the EdDSA family. Expects ed25519.PrivateKey for signing and ed25519.PublicKey for verification
func (*SigningMethodEd25519) Alg ¶
func (m *SigningMethodEd25519) Alg() string
type SigningMethodHMAC ¶
SigningMethodHMAC implements the HMAC-SHA family of signing methods. Expects key type of []byte for both signing and validation
func (*SigningMethodHMAC) Alg ¶
func (m *SigningMethodHMAC) Alg() string
type SigningMethodRSA ¶
SigningMethodRSA implements the RSA family of signing methods. Expects *rsa.PrivateKey for signing and *rsa.PublicKey for validation
func (*SigningMethodRSA) Alg ¶
func (m *SigningMethodRSA) Alg() string
type SigningMethodRSAPSS ¶
// SigningMethodRSAPSS implements the rsa-pss-shaXXX family of signing methods,
// reusing the name and hash of the embedded SigningMethodRSA.
type SigningMethodRSAPSS struct {
	*SigningMethodRSA
	// Options are the PSS options used when signing.
	Options *rsa.PSSOptions
	// VerifyOptions is optional. If set, it overrides Options for rsa.VerifyPSS.
	// Used to accept tokens signed with rsa.PSSSaltLengthAuto.
	VerifyOptions *rsa.PSSOptions
}
SigningMethodRSAPSS implements the rsa-pss-shaXXX family of signing methods.
Source Files ¶
- digest_using_shared.go
- errors.go
- extractor.go
- keystone.go
- keystone_memory.go
- signature.go
- signature_parser.go
- signature_parser_option.go
- signature_value_parser.go
- signing_ecdsa.go
- signing_ecdsa_utils.go
- signing_ed15519.go
- signing_ed25519_utils.go
- signing_hmac.go
- signing_method.go
- signing_rsa.go
- signing_rsa_pass.go
- signing_rsa_utils.go
- validator.go
- validator_created.go
- validator_date.go
- validator_digest.go
- validator_digest_using_shared.go
- validator_expires.go