Blame

Date:
Message:
apub: handle HTTP request signing for those without body
Actions:
History | Blob | Raw File
 1 71191436 2024-02-28 o package apub

 2 71191436 2024-02-28 o 

 3 71191436 2024-02-28 o import (

 4 71191436 2024-02-28 o 	"bytes"

 5 71191436 2024-02-28 o 	"crypto"

 6 71191436 2024-02-28 o 	"crypto/rand"

 7 71191436 2024-02-28 o 	"crypto/rsa"

 8 71191436 2024-02-28 o 	"crypto/sha256"

 9 71191436 2024-02-28 o 	"encoding/base64"

10 71191436 2024-02-28 o 	"fmt"

11 71191436 2024-02-28 o 	"io"

12 71191436 2024-02-28 o 	"net/http"

13 71191436 2024-02-28 o 	"strings"

14 71191436 2024-02-28 o 	"time"

15 71191436 2024-02-28 o )

16 71191436 2024-02-28 o 

17 71191436 2024-02-28 o const requiredSigHeaders = "(request-target) host date digest"

18 71191436 2024-02-28 o 

19 71191436 2024-02-28 o // Sign signs the given HTTP request with the matching private key of the

20 71191436 2024-02-28 o // public key available at pubkeyURL.

21 71191436 2024-02-28 o func Sign(req *http.Request, key *rsa.PrivateKey, pubkeyURL string) error {

22 b526632b 2024-03-16 o 	if pubkeyURL == "" {

23 b526632b 2024-03-16 o 		return fmt.Errorf("no pubkey url")

24 b526632b 2024-03-16 o 	}

25 71191436 2024-02-28 o 	date := time.Now().UTC().Format(http.TimeFormat)

26 71191436 2024-02-28 o 	req.Header.Set("Date", date)

27 71191436 2024-02-28 o 	hash := sha256.New()

28 ed0db64a 2024-03-18 o 	toSign := []string{"(request-target)", "host", "date"}

29 71191436 2024-02-28 o 	fmt.Fprintln(hash, "(request-target):", strings.ToLower(req.Method), req.URL.Path)

30 71191436 2024-02-28 o 	fmt.Fprintln(hash, "host:", req.URL.Hostname())

31 ed0db64a 2024-03-18 o 	fmt.Fprintf(hash, "date: %s", date)

32 71191436 2024-02-28 o 

33 ed0db64a 2024-03-18 o 	if req.Body != nil {

34 ed0db64a 2024-03-18 o 		// we're adding one more entry to our signature, so one more line.

35 ed0db64a 2024-03-18 o 		fmt.Fprint(hash, "\n")

36 ed0db64a 2024-03-18 o 		buf := &bytes.Buffer{}

37 ed0db64a 2024-03-18 o 		io.Copy(buf, req.Body)

38 ed0db64a 2024-03-18 o 		req.Body.Close()

39 ed0db64a 2024-03-18 o 		req.Body = io.NopCloser(buf)

40 ed0db64a 2024-03-18 o 		digest := sha256.Sum256(buf.Bytes())

41 ed0db64a 2024-03-18 o 		d := "SHA-256=" + base64.StdEncoding.EncodeToString(digest[:])

42 ed0db64a 2024-03-18 o 		toSign = append(toSign, "digest")

43 ed0db64a 2024-03-18 o 		fmt.Fprintf(hash, "digest: %s", d)

44 ed0db64a 2024-03-18 o 		req.Header.Set("Digest", d)

45 ed0db64a 2024-03-18 o 	}

46 71191436 2024-02-28 o 	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hash.Sum(nil))

47 71191436 2024-02-28 o 	if err != nil {

48 71191436 2024-02-28 o 		return err

49 71191436 2024-02-28 o 	}

50 71191436 2024-02-28 o 	bsig := base64.StdEncoding.EncodeToString(sig)

51 71191436 2024-02-28 o 

52 ed0db64a 2024-03-18 o 	val := fmt.Sprintf("keyId=%q,algorithm=%q,headers=%q,signature=%q", pubkeyURL, "rsa-sha256", strings.Join(toSign, " "), bsig)

53 71191436 2024-02-28 o 	req.Header.Set("Signature", val)

54 71191436 2024-02-28 o 	return nil

55 71191436 2024-02-28 o }

56 71191436 2024-02-28 o 

57 71191436 2024-02-28 o type signature struct {

58 71191436 2024-02-28 o 	keyID     string

59 71191436 2024-02-28 o 	algorithm string

60 71191436 2024-02-28 o 	headers   string

61 71191436 2024-02-28 o 	signature string

62 71191436 2024-02-28 o }

63 71191436 2024-02-28 o 

64 71191436 2024-02-28 o func parseSignatureHeader(line string) (signature, error) {

65 71191436 2024-02-28 o 	var sig signature

66 71191436 2024-02-28 o 	for _, v := range strings.Split(line, ",") {

67 71191436 2024-02-28 o 		name, val, ok := strings.Cut(v, "=")

68 71191436 2024-02-28 o 		if !ok {

69 71191436 2024-02-28 o 			return sig, fmt.Errorf("bad field: %s from %s", v, line)

70 71191436 2024-02-28 o 		}

71 71191436 2024-02-28 o 		val = strings.Trim(val, `"`)

72 71191436 2024-02-28 o 		switch name {

73 71191436 2024-02-28 o 		case "keyId":

74 71191436 2024-02-28 o 			sig.keyID = val

75 71191436 2024-02-28 o 		case "algorithm":

76 71191436 2024-02-28 o 			sig.algorithm = val

77 71191436 2024-02-28 o 		case "headers":

78 71191436 2024-02-28 o 			sig.headers = val

79 71191436 2024-02-28 o 		case "signature":

80 71191436 2024-02-28 o 			sig.signature = val

81 71191436 2024-02-28 o 		default:

82 71191436 2024-02-28 o 			return signature{}, fmt.Errorf("bad field name %s", name)

83 71191436 2024-02-28 o 		}

84 71191436 2024-02-28 o 	}

85 71191436 2024-02-28 o 

86 71191436 2024-02-28 o 	if sig.keyID == "" {

87 71191436 2024-02-28 o 		return sig, fmt.Errorf("missing signature field keyId")

88 71191436 2024-02-28 o 	} else if sig.algorithm == "" {

89 71191436 2024-02-28 o 		return sig, fmt.Errorf("missing signature field algorithm")

90 71191436 2024-02-28 o 	} else if sig.headers == "" {

91 71191436 2024-02-28 o 		return sig, fmt.Errorf("missing signature field headers")

92 71191436 2024-02-28 o 	} else if sig.signature == "" {

93 71191436 2024-02-28 o 		return sig, fmt.Errorf("missing signature field signature")

94 71191436 2024-02-28 o 	}

95 71191436 2024-02-28 o 	return sig, nil

96 71191436 2024-02-28 o }