httpsig package - github.com/go-fed/httpsig - Go Packages
Implements HTTP request and response signing and verification. Supports the major MAC and asymmetric key signature algorithms. It has several safety restrictions: One, none of the widely known non-cryptographically safe algorithms are permitted; Two, the RSA SHA256 algorithms must be available in the binary (and it should, barring export restrictions); Finally, the library assumes either the 'Authorizationn' or 'Signature' headers are to be set (but not both).
- Constants
- func IsSupportedDigestAlgorithm(algo string) bool
- func IsSupportedHttpSigAlgorithm(algo string) bool
- func NewSSHSigner(s ssh.Signer, dAlgo DigestAlgorithm, headers []string, scheme SignatureScheme, ...) (SSHSigner, Algorithm, error)
- func NewSigner(prefs []Algorithm, dAlgo DigestAlgorithm, headers []string, ...) (Signer, Algorithm, error)
- type Algorithm
- type DigestAlgorithm
- type ECDSASignature
- type SSHSigner
- type SignatureScheme
- type Signer
- type Verifier
const (
RequestTarget = "(request-target)"
)
This section is empty.
IsSupportedDigestAlgorithm returns true if hte string is supported by this library, is not a hash known to be weak, and is supported by the hardware.
IsSupportedHttpSigAlgorithm returns true if the string is supported by this library, is not a hash known to be weak, and is supported by the hardware.
NewwSSHSigner creates a new Signer using the specified ssh.Signer At the moment only ed25519 ssh keys are supported. The headers specified will be included into the HTTP signatures.
The Digest will also be calculated on a request's body using the provided digest algorithm, if "Digest" is one of the headers listed.
The provided scheme determines which header is populated with the HTTP Signature.
NewSigner creates a new Signer with the provided algorithm preferences to make HTTP signatures. Only the first available algorithm will be used, which is returned by this function along with the Signer. If none of the preferred algorithms were available, then the default algorithm is used. The headers specified will be included into the HTTP signatures.
The Digest will also be calculated on a request's body using the provided digest algorithm, if "Digest" is one of the headers listed.
The provided scheme determines which header is populated with the HTTP Signature.
An error is returned if an unknown or a known cryptographically insecure Algorithm is provided.
Algorithm specifies a cryptography secure algorithm for signing HTTP requests and responses.
const ( HMAC_SHA224 Algorithm = hmacPrefix + "-" + sha224String HMAC_SHA256 Algorithm = hmacPrefix + "-" + sha256String HMAC_SHA384 Algorithm = hmacPrefix + "-" + sha384String HMAC_SHA512 Algorithm = hmacPrefix + "-" + sha512String HMAC_RIPEMD160 Algorithm = hmacPrefix + "-" + ripemd160String HMAC_SHA3_224 Algorithm = hmacPrefix + "-" + sha3_224String HMAC_SHA3_256 Algorithm = hmacPrefix + "-" + sha3_256String HMAC_SHA3_384 Algorithm = hmacPrefix + "-" + sha3_384String HMAC_SHA3_512 Algorithm = hmacPrefix + "-" + sha3_512String HMAC_SHA512_224 Algorithm = hmacPrefix + "-" + sha512_224String HMAC_SHA512_256 Algorithm = hmacPrefix + "-" + sha512_256String HMAC_BLAKE2S_256 Algorithm = hmacPrefix + "-" + blake2s_256String HMAC_BLAKE2B_256 Algorithm = hmacPrefix + "-" + blake2b_256String HMAC_BLAKE2B_384 Algorithm = hmacPrefix + "-" + blake2b_384String HMAC_BLAKE2B_512 Algorithm = hmacPrefix + "-" + blake2b_512String BLAKE2S_256 Algorithm = blake2s_256String BLAKE2B_256 Algorithm = blake2b_256String BLAKE2B_384 Algorithm = blake2b_384String BLAKE2B_512 Algorithm = blake2b_512String RSA_SHA1 Algorithm = rsaPrefix + "-" + sha1String RSA_SHA224 Algorithm = rsaPrefix + "-" + sha224String RSA_SHA256 Algorithm = rsaPrefix + "-" + sha256String RSA_SHA384 Algorithm = rsaPrefix + "-" + sha384String RSA_SHA512 Algorithm = rsaPrefix + "-" + sha512String RSA_RIPEMD160 Algorithm = rsaPrefix + "-" + ripemd160String ECDSA_SHA224 Algorithm = ecdsaPrefix + "-" + sha224String ECDSA_SHA256 Algorithm = ecdsaPrefix + "-" + sha256String ECDSA_SHA384 Algorithm = ecdsaPrefix + "-" + sha384String ECDSA_SHA512 Algorithm = ecdsaPrefix + "-" + sha512String ECDSA_RIPEMD160 Algorithm = ecdsaPrefix + "-" + ripemd160String ED25519 Algorithm = ed25519Prefix )
const ( DigestSha256 DigestAlgorithm = "SHA-256" DigestSha512 = "SHA-512" )
Signers will sign HTTP requests or responses based on the algorithms and headers selected at creation time.
Signers are not safe to use between multiple goroutines.
Note that signatures do set the deprecated 'algorithm' parameter for backwards compatibility.
HTTP Signatures can be applied to different HTTP headers, depending on the expected application behavior.
const ( Signature SignatureScheme = "Signature" Authorization SignatureScheme = "Authorization" )
Signers will sign HTTP requests or responses based on the algorithms and headers selected at creation time.
Signers are not safe to use between multiple goroutines.
Note that signatures do set the deprecated 'algorithm' parameter for backwards compatibility.
Verifier verifies HTTP Signatures.
It will determine which of the supported headers has the parameters that define the signature.
Verifiers are not safe to use between multiple goroutines.
Note that verification ignores the deprecated 'algorithm' parameter.
NewResponseVerifier verifies the given response. It returns errors under the same conditions as NewVerifier.
NewVerifier verifies the given request. It returns an error if the HTTP Signature parameters are not present in any headers, are present in more than one header, are malformed, or are missing required parameters. It ignores unknown HTTP Signature parameters.