commit b526632b614889f059e5aa5d29e84a9f416572da from: Oliver Lowe date: Sat Mar 16 07:41:03 2024 UTC apub: guard against empty pubkey url A nil key gets handled by rsa.Sign* but we won't catch an empty pubkey url until some server finds an incorrect HTTP signature.
commit - 3d0a086d672bdd0567d3e9127a231334923e3463
commit + b526632b614889f059e5aa5d29e84a9f416572da
blob - a6afe2d49dbeeb9ae3eed08968c193250a9ceadb
blob + c9e2528796cbeeb92dc9a7a05d9305cb47efb260
--- sign.go
+++ sign.go
@@ -19,6 +19,9 @@ const requiredSigHeaders = "(request-target) host date
 // Sign signs the given HTTP request with the matching private key of the
 // public key available at pubkeyURL.
 func Sign(req *http.Request, key *rsa.PrivateKey, pubkeyURL string) error {
+ if pubkeyURL == "" {
+ return fmt.Errorf("no pubkey url")
+ }
 date := time.Now().UTC().Format(http.TimeFormat)
 req.Header.Set("Date", date)
 hash := sha256.New()
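Review bot: The new guard at the top of Sign rejects only the empty string, so a whitespace-only or relative pubkeyURL still passes and, like the empty case the commit message describes, would presumably surface only when a remote server fails to verify the signature. Consider requiring an absolute URL, e.g. `if u, err := url.Parse(pubkeyURL); err != nil || !u.IsAbs() { return fmt.Errorf("invalid pubkey url %q", pubkeyURL) }`; this needs `net/url`, and the file's imports are not visible in this hunk. Because the message has no format verbs, `errors.New("no pubkey url")` or a package-level sentinel would be the idiomatic form, and a sentinel lets callers test for it with `errors.Is`. A nil `key` is still left to the rsa signing call; an explicit `key == nil` check beside this one would fail before the `Date` header is written to the request, but Sign's body continues past the hunk, so confirm that against the full function.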