-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathhttpsig.go
124 lines (106 loc) · 4.29 KB
/
httpsig.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
package httpsig
import (
"context"
"crypto"
"errors"
"net/http"
)
var (
ErrUnsupportedKeyType = errors.New("unsupported key type/format")
ErrUnsupportedAlgorithm = errors.New("unknown/unsupported algorithm")
ErrInvalidKeySize = errors.New("invalid key size")
ErrNoKeyProvided = errors.New("no key provided")
ErrInvalidSignature = errors.New("invalid signature")
ErrVerificationFailed = errors.New("verification failed")
ErrContentDigestMismatch = errors.New("content digest mismatch")
ErrMalformedData = errors.New("malformed data")
ErrUnsupportedComponentIdentifier = errors.New("unsupported component identifier")
ErrInvalidComponentIdentifier = errors.New("invalid component identifier")
ErrCanonicalization = errors.New("failed to canonicalize component")
ErrMalformedSignatureParameter = errors.New("malformed signature parameter")
ErrNoApplicableDigestFound = errors.New("no applicable digest found")
ErrVerifierCreation = errors.New("verifier creation failed")
ErrParameter = errors.New("parameter error")
ErrValidity = errors.New("validity error")
ErrMissingParameter = errors.New("missing parameter error")
ErrSignatureNegotiationError = errors.New("signature negotiation error")
)
type NoApplicableSignatureError struct {
headerToAdd http.Header
}
func (e *NoApplicableSignatureError) Error() string { return "no applicable signature found" }
func (e *NoApplicableSignatureError) Is(err error) bool {
_, ok := err.(*NoApplicableSignatureError)
return ok
}
func (e *NoApplicableSignatureError) Negotiate(header http.Header) {
for name, values := range e.headerToAdd {
for _, value := range values {
header.Add(name, value)
}
}
}
const (
headerAcceptSignature = "Accept-Signature"
headerSignature = "Signature"
headerSignatureInput = "Signature-Input"
headerContentDigest = "Content-Digest"
headerWantContentDigest = "Want-Content-Digest"
componentIdentifierContentDigest = "content-digest"
)
// SignatureAlgorithm is the signature algorithm to use.
// Available algorithms are:
// - RSASSA-PKCS1-v1_5 using SHA-256 (rsa-v1_5-sha256).
// - RSASSA-PSS using SHA-512 (rsa-pss-sha512).
// - ECDSA using curve P-256 DSS and SHA-256 (ecdsa-p256-sha256).
// - ECDSA using curve P-384 DSS and SHA-384 (ecdsa-p384-sha384).
// - EdDSA using curve edwards25519 (ed25519).
// - HMAC using SHA-256 (hmac-sha256).
type SignatureAlgorithm string
const (
RsaPkcs1v15Sha256 SignatureAlgorithm = "rsa-v1_5-sha256"
RsaPkcs1v15Sha384 SignatureAlgorithm = "rsa-v1_5-sha384"
RsaPkcs1v15Sha512 SignatureAlgorithm = "rsa-v1_5-sha512"
RsaPssSha256 SignatureAlgorithm = "rsa-pss-sha256"
RsaPssSha384 SignatureAlgorithm = "rsa-pss-sha384"
RsaPssSha512 SignatureAlgorithm = "rsa-pss-sha512"
EcdsaP256Sha256 SignatureAlgorithm = "ecdsa-p256-sha256"
EcdsaP384Sha384 SignatureAlgorithm = "ecdsa-p384-sha384"
EcdsaP521Sha512 SignatureAlgorithm = "ecdsa-p521-sha512"
Ed25519 SignatureAlgorithm = "ed25519"
HmacSha256 SignatureAlgorithm = "hmac-sha256"
HmacSha384 SignatureAlgorithm = "hmac-sha384"
HmacSha512 SignatureAlgorithm = "hmac-sha512"
)
// DigestAlgorithm is the digest algorithm to use. Available algorithms are:
// - SHA-256 (sha-256).
// - SHA-512 (sha-512).
type DigestAlgorithm string
const (
Sha256 DigestAlgorithm = "sha-256"
Sha512 DigestAlgorithm = "sha-512"
)
type SignatureParameter string
const (
KeyID SignatureParameter = "keyid"
Alg SignatureParameter = "alg"
Created SignatureParameter = "created"
Expires SignatureParameter = "expires"
Nonce SignatureParameter = "nonce"
Tag SignatureParameter = "tag"
)
// Key is the key to use for signing or verifying.
type Key struct {
// KeyID is the identifier of the key.
KeyID string
// Algorithm is the cryptographic algorithm to use with the key.
Algorithm SignatureAlgorithm
// Key is the actual key material, like public, private or a secret key.
Key any
}
func (k Key) ResolveKey(_ context.Context, _ string) (Key, error) { return k, nil }
// nolint: gochecknoglobals
var supportedAlgs = map[DigestAlgorithm]crypto.Hash{
Sha256: crypto.SHA256,
Sha512: crypto.SHA512,
}