signed

Documentation

Overview

Package signed provides verification of requests signed with AWS Signature Version 4 machinery. Signed requests enable the usage of non-public access grants while requesting an object.

The parsing part of the package (parseSigningInfo and child types/functions) used MinIO's parsing code [0] as an edge-case reference.

The verification/re-signing part of the package (VerifySigningInfo and child types/functions) strictly follows Signature Version 4 signing process [1].

Some parts of the signing process are tuned specifically for linksharing. For example, we always assume an empty request body as we only allow HEAD and GET requests.

[0]:

• https://github.com/minio/minio/blob/e0d3a8c1f4e52bb4a7d82f7f369b6796103740b3/cmd/signature-v4-parser.go

[1]:

• https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
• https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html

Index

• Variables
• func VerifySigningInfo(r *http.Request, secretAccessKey string, currentTime time.Time, ...) error

Variables

var ErrMissingAuthorizationHeader = errs.New("missing Authorization header")

ErrMissingAuthorizationHeader indicates that the Authorization header for a particular request was not found. It's used to differentiate between signed requests that have invalid signing info and unsigned requests trying to use non-public access grant.

Functions

func VerifySigningInfo

func VerifySigningInfo(r *http.Request, secretAccessKey string, currentTime time.Time, validityTolerance time.Duration) error

VerifySigningInfo reports whether r's signature is valid and constructed with secretAccessKey. The function additionally performs signature time validity check using currentTime as the current time. Signature time skewed backward or onwards up to validityTolerance will be tolerated.

TODO(artur): add fuzz test for VerifySigningInfo vide https://pkg.go.dev/testing@master#hdr-Fuzzing.