Documentation
Overview
Package httpsig signs and verifies HTTP requests (with body digests) according to the "HTTP Message Signatures" draft standard https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/
Example (Round_trip)

package main

import (
	"fmt"
	"io"
	"net/http"
	"time"

	"github.com/ynodir/httpsig"
)

const secret = "support-your-local-cat-bonnet-store"

func main() {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain")
		_, _ = io.WriteString(w, "Your request has a valid signature!")
	})

	middleware := httpsig.NewVerifyMiddleware(httpsig.WithHmacSha256("key1", []byte(secret)))
	http.Handle("/", middleware(h))

	go func() {
		_ = http.ListenAndServe("127.0.0.1:1234", http.DefaultServeMux)
	}()

	// Give the server time to sleep. Terrible, I know.
	time.Sleep(100 * time.Millisecond)

	client := http.Client{
		// Wrap the transport:
		Transport: httpsig.NewSignTransport(http.DefaultTransport, httpsig.WithHmacSha256("key1", []byte(secret))),
	}

	resp, err := client.Get("http://127.0.0.1:1234/")
	if err != nil {
		fmt.Println("got err: ", err)
		return
	}
	defer resp.Body.Close()

	fmt.Println(resp.Status)
}

Output:
200 OK
Constants
This section is empty.
Variables
var DefaultPorts = map[string]struct{}{
	"80":  {},
	"443": {},
	"21":  {},
}
Functions
func NewSignTransport
func NewSignTransport(transport http.RoundTripper, opts ...SignOption) http.RoundTripper
NewSignTransport returns a new client transport that wraps the provided transport with http message signing and body digest creation.
Use the various `WithSign*` option funcs to configure signature algorithms with their provided key ids. You must provide at least one signing option. A signature for every provided key id is included on each request. Multiple included signatures allow you to gracefully introduce stronger algorithms, rotate keys, etc.
func NewVerifyMiddleware
func NewVerifyMiddleware(opts ...VerifyOption) func(http.Handler) http.Handler
NewVerifyMiddleware returns a configured http server middleware that can be used to wrap multiple handlers for http message signature and digest verification.
Use the `WithVerify*` option funcs to configure signature verification algorithms that map to their provided key ids.
Requests with missing signatures, malformed signature headers, expired signatures, or invalid signatures are rejected with a `400` response. Only one valid signature is required from the known key ids. However, only the first known key id is checked.
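To make concrete what the sign transport produces and what the verify middleware checks, here is an added, stand-alone example (not this package's code): it signs a header set with `hmac-sha256` under key id `key1` over the package's default headers plus `Digest`, then verifies it, rejecting a tampered body (digest mismatch), a tampered covered header, and a missing or unknown key id. The "name: value" signature base layout is assumed for illustration only; it is not the draft's exact wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// bodyDigest returns the Digest header value for body: "SHA-256=<base64>".
func bodyDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "SHA-256=" + base64.StdEncoding.EncodeToString(sum[:])
}

// tag computes HMAC-SHA256 over the covered components (the package's default
// header list plus Digest) in a fixed order. This plain "name: value" layout is
// assumed for illustration only; it is not the draft's exact signature base.
func tag(h http.Header, secret []byte) []byte {
	m := hmac.New(sha256.New, secret)
	for _, name := range []string{"content-type", "content-length", "host", "digest"} {
		fmt.Fprintf(m, "%s: %s\n", name, h.Get(name))
	}
	return m.Sum(nil)
}

// sign adds Digest and a "keyID:base64(tag)" Signature header to h.
func sign(h http.Header, body []byte, keyID string, secret []byte) {
	h.Set("Digest", bodyDigest(body))
	h.Set("Signature", keyID+":"+base64.StdEncoding.EncodeToString(tag(h, secret)))
}

// verify recomputes the digest from the received body and the tag from the
// received headers; a missing signature, unknown key id or mismatch rejects it.
func verify(h http.Header, body []byte, keys map[string][]byte) error {
	keyID, sig, _ := strings.Cut(h.Get("Signature"), ":")
	secret, known := keys[keyID]
	want, err := base64.StdEncoding.DecodeString(sig)
	switch {
	case !known:
		return fmt.Errorf("missing signature or unknown key id %q", keyID)
	case h.Get("Digest") != bodyDigest(body):
		return fmt.Errorf("body digest mismatch")
	case err != nil || !hmac.Equal(tag(h, secret), want):
		return fmt.Errorf("invalid signature for key id %q", keyID)
	}
	return nil
}
```

The digest check runs before the MAC check, so a body swapped after signing is reported as a digest mismatch even though the headers still carry a valid signature.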
Types
type Message
Message is a minimal representation of an HTTP request or response, containing the values needed to construct a signature.
func MessageFromRequest
type SigHolder
type SigHolder struct {
	// contains filtered or unexported fields
}
func SignEccP256
func SignEccP256(pk *ecdsa.PrivateKey) SigHolder
func SignHmacSha256
func SignRsaPssSha512
func SignRsaPssSha512(pk *rsa.PrivateKey) SigHolder
type SignOption
type SignOption interface {
	// contains filtered or unexported methods
}
func WithHeaders
func WithHeaders(hdr ...string) SignOption
WithHeaders sets the list of headers that will be included in the signature. The Digest header is always included (and the digest calculated).
If not provided, the default headers `content-type, content-length, host` are used.
func WithSignEcdsaP256Sha256
func WithSignEcdsaP256Sha256(keyID string, pk *ecdsa.PrivateKey) SignOption
WithSignEcdsaP256Sha256 adds signing using `ecdsa-p256-sha256` with the given private key using the given key id.
func WithSignRsaPssSha512
func WithSignRsaPssSha512(keyID string, pk *rsa.PrivateKey) SignOption
WithSignRsaPssSha512 adds signing using `rsa-pss-sha512` with the given private key using the given key id.
type SignOrVerifyOption
type SignOrVerifyOption interface {
	SignOption
	VerifyOption
}
func WithHmacSha256
func WithHmacSha256(keyID string, secret []byte) SignOrVerifyOption
WithHmacSha256 adds signing or signature verification using `hmac-sha256` with the given shared secret using the given key id.
type VerifyOption
type VerifyOption interface {
	// contains filtered or unexported methods
}
func WithVerifyEcdsaP256Sha256
func WithVerifyEcdsaP256Sha256(keyID string, pk *ecdsa.PublicKey) VerifyOption
WithVerifyEcdsaP256Sha256 adds signature verification using `ecdsa-p256-sha256` with the given public key using the given key id.
func WithVerifyRsaPssSha512
func WithVerifyRsaPssSha512(keyID string, pk *rsa.PublicKey) VerifyOption
WithVerifyRsaPssSha512 adds signature verification using `rsa-pss-sha512` with the given public key using the given key id.