header

package

v0.2.1 Latest Latest Go to latest Published: Mar 22, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/agentic-research/signet

Links

Open Source Insights

README ¶

pkg/http/header

Parser for Signet-Proof HTTP headers.

Status: 🚧 Development (Parser Works!)

Wire format parser is implemented. Integration with verification is pending.

What It Does

Parses Signet-Proof headers from HTTP requests:

Signet-Proof: v1;m=compact;t=<token>;jti=<jti>;cap=<cap>;s=<sig>;n=<nonce>;ts=<timestamp>

Files

parser.go - Header parsing with security hardening

Parser Features

✅ Implemented:

Parses all header fields
Base64URL decoding
Field validation (sizes, required fields)
Duplicate field detection
Size limits (8KB header, 4KB token)
Security hardened based on review

❌ Not Yet Implemented:

Signature verification
Token validation
Request canonicalization
Integration with EPR verification

Security Hardening

Based on security review, the parser:

Rejects duplicate fields (prevents confusion attacks)
Limits header size to 8KB (prevents DoS)
Limits token size to 4KB
Validates field sizes (JTI/nonce must be 16 bytes)
Returns generic errors to clients

Usage Example

header := "v1;m=compact;t=...;jti=...;ts=1234567890;..."
proof, err := ParseSignetProof(header)
if err != nil {
    // Invalid header format
}

// Access parsed fields
jti := proof.JTI           // []byte (16 bytes)
timestamp := proof.Timestamp // int64
signature := proof.Signature // []byte (64+ bytes)

Demo Usage

See demo/http-auth/ for a working example that shows replay protection using this parser.

Next Steps for v1.0

Wire up signature verification
Implement request canonicalization
Integrate with pkg/crypto/epr for two-step verification
Add middleware adapters for popular frameworks

Documentation ¶

Index ¶

func ResetMonotonicCache()
func ValidateTimestamp(timestamp int64, maxSkew, minSkew time.Duration) error
type SignetProof
- func ParseSignetProof(header string) (*SignetProof, error)
- func ParseSignetProofWithValidation(header string, enforceMonotonic bool) (*SignetProof, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ResetMonotonicCache ¶

func ResetMonotonicCache()

ResetMonotonicCache clears the monotonicity cache - for testing only

func ValidateTimestamp ¶

func ValidateTimestamp(timestamp int64, maxSkew, minSkew time.Duration) error

ValidateTimestamp validates that a timestamp falls within acceptable clock skew

Types ¶

type SignetProof ¶

type SignetProof struct {
	Version   string
	Mode      string
	Token     []byte
	JTI       []byte
	Cap       []byte
	Signature []byte
	Nonce     []byte
	Timestamp int64
}

SignetProof represents a parsed Signet-Proof header

func ParseSignetProof ¶

func ParseSignetProof(header string) (*SignetProof, error)

ParseSignetProof parses a Signet-Proof header value Format: v1;m=compact;t=<token>;jti=<jti>;cap=<cap>;s=<sig>;n=<nonce>;ts=<timestamp>

func ParseSignetProofWithValidation ¶

func ParseSignetProofWithValidation(header string, enforceMonotonic bool) (*SignetProof, error)

ParseSignetProofWithValidation parses and validates a Signet-Proof header with security checks

Source Files ¶

View all Source files

parser.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL