httpsig

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 11, 2026 License: MIT Imports: 15 Imported by: 0

Documentation

Overview

Package httpsig implements HTTP Message Signatures per RFC 9421.

Overview

HTTP Message Signatures provide a mechanism for digitally signing HTTP messages, enabling authentication, integrity protection, and non-repudiation. This package implements the signature creation and verification mechanisms required by the AAuth protocol.

Covered Components

The signature covers specific components of the HTTP message:

  • @method: The HTTP method (GET, POST, etc.)
  • @target-uri: The full request target URI
  • @authority: The host from the request
  • @path: The path portion of the request target
  • @query: The query string
  • Standard headers: Any HTTP headers included in the signature base

Usage Example

// Create a signer
signer, err := httpsig.NewSigner(httpsig.SignerOptions{
    PrivateKey: privateKey,
    KeyID:      "my-key-1",
    Algorithm:  "ecdsa-p256-sha256",
})
if err != nil {
    log.Fatal(err)
}

// Sign a request
req, _ := http.NewRequest("GET", "https://api.example.com/data", nil)
if err := signer.Sign(req); err != nil {
    log.Fatal(err)
}

// Verify a request
verifier := httpsig.NewVerifier(httpsig.VerifierOptions{
    PublicKey: publicKey,
    KeyID:     "my-key-1",
})
result, err := verifier.Verify(req)

References

Index

Constants

View Source
const (
	// ComponentMethod is the HTTP request method.
	ComponentMethod = "@method"

	// ComponentTargetURI is the full target URI of the request.
	ComponentTargetURI = "@target-uri"

	// ComponentAuthority is the host/authority of the request.
	ComponentAuthority = "@authority"

	// ComponentScheme is the scheme of the request URI.
	ComponentScheme = "@scheme"

	// ComponentPath is the absolute path of the request URI.
	ComponentPath = "@path"

	// ComponentQuery is the query string (including the leading ?).
	ComponentQuery = "@query"

	// ComponentQueryParam is a specific query parameter (requires name parameter).
	ComponentQueryParam = "@query-param"

	// ComponentRequestTarget is the HTTP/1.1 request target.
	ComponentRequestTarget = "@request-target"

	// ComponentSignatureParams is the signature parameters (always included last).
	ComponentSignatureParams = "@signature-params"
)

Derived component identifiers per RFC 9421.

Variables

View Source
var AAuthCoveredComponents = []string{
	ComponentMethod,
	ComponentTargetURI,
	"content-digest",
	"signature-key",
}

AAuthCoveredComponents are the components recommended for AAuth signatures.

View Source
var DefaultCoveredComponents = []string{
	ComponentMethod,
	ComponentTargetURI,
	"content-digest",
	"authorization",
}

DefaultCoveredComponents are the default components to include in a signature.

Functions

func DeriveComponent

func DeriveComponent(req *http.Request, component string) (string, error)

DeriveComponent derives the value of a component from an HTTP request. For derived components (starting with @), it computes the value per RFC 9421. For regular headers, it returns the header value.

func FormatSignatureInput

func FormatSignatureInput(label string, params *SignatureParams) string

FormatSignatureInput formats a signature label and params for the Signature-Input header. Example: sig1=(@method @target-uri);created=123;keyid="key"

func IsValidComponent

func IsValidComponent(component string) bool

IsValidComponent checks if a component identifier is valid.

func NormalizeHeaderName

func NormalizeHeaderName(name string) string

NormalizeHeaderName normalizes a header name for signature purposes. Header names are lowercased per RFC 9421.

func ParseSignatureInput

func ParseSignatureInput(header string) (map[string]*SignatureParams, error)

ParseSignatureInput parses a Signature-Input header value. Returns a map of label -> SignatureParams.

Types

type KeyResolver

type KeyResolver interface {
	// ResolveKey returns the public key for a given key ID.
	ResolveKey(keyID string) (crypto.PublicKey, error)
}

KeyResolver resolves public keys by key ID.

type KeyResolverVerifier

type KeyResolverVerifier struct {
	Resolver           KeyResolver
	AllowedAlgorithms  []string
	RequiredComponents []string
	MaxAge             time.Duration
}

KeyResolverVerifier is a verifier that uses a KeyResolver to find keys.

func (*KeyResolverVerifier) Verify

Verify verifies a request using the key resolver to find the appropriate key.

type SignatureParams

type SignatureParams struct {
	// Components is the ordered list of covered components.
	Components []string

	// Created is the signature creation time.
	Created time.Time

	// Expires is the optional expiration time.
	Expires *time.Time

	// Nonce is an optional nonce value for replay protection.
	Nonce string

	// Algorithm is the signature algorithm identifier.
	Algorithm string

	// KeyID is the identifier for the signing key.
	KeyID string

	// Tag is an optional application-specific tag.
	Tag string
}

SignatureParams represents the parameters of a signature.

func DefaultSignatureParams

func DefaultSignatureParams(keyID, algorithm string, components []string) *SignatureParams

DefaultSignatureParams creates default signature parameters.

func ParseSignatureParams

func ParseSignatureParams(input string) (*SignatureParams, error)

ParseSignatureParams parses a Signature-Input header value into SignatureParams. Format: (component1 component2 ...);created=123;keyid="key";alg="alg"

func (*SignatureParams) Serialize

func (p *SignatureParams) Serialize() string

Serialize serializes the signature parameters to the Signature-Input format. Format: (component1 component2 ...);created=123;keyid="key";alg="alg"

type Signer

type Signer interface {
	// Sign adds Signature and Signature-Input headers to the request.
	Sign(req *http.Request) error
}

Signer signs HTTP requests per RFC 9421.

func NewSigner

func NewSigner(opts SignerOptions) (Signer, error)

NewSigner creates a new HTTP message signer.

type SignerOptions

type SignerOptions struct {
	// PrivateKey is the key used for signing.
	PrivateKey crypto.PrivateKey

	// KeyID is the identifier for the signing key.
	KeyID string

	// Algorithm is the HTTP signature algorithm identifier.
	// Supported: ecdsa-p256-sha256, ecdsa-p384-sha384, rsa-pss-sha256, ed25519
	Algorithm string

	// CoveredComponents is the list of components to include in the signature.
	// Defaults to DefaultCoveredComponents if not specified.
	CoveredComponents []string

	// Label is the signature label (defaults to "sig1").
	Label string

	// IncludeNonce adds a nonce to signatures for replay protection.
	IncludeNonce bool
}

SignerOptions configures a Signer.

type VerificationResult

type VerificationResult struct {
	// Valid is true if the signature verified successfully.
	Valid bool

	// Label is the signature label that was verified.
	Label string

	// Params contains the signature parameters.
	Params *SignatureParams

	// KeyID is the key ID from the signature.
	KeyID string
}

VerificationResult contains the result of signature verification.

type Verifier

type Verifier interface {
	// Verify checks the signature on a request.
	Verify(req *http.Request) (*VerificationResult, error)
}

Verifier verifies HTTP message signatures per RFC 9421.

func NewVerifier

func NewVerifier(opts VerifierOptions) (Verifier, error)

NewVerifier creates a new HTTP message signature verifier.

type VerifierOptions

type VerifierOptions struct {
	// PublicKey is the key used for verification.
	PublicKey crypto.PublicKey

	// KeyID is the expected key ID (optional, used for matching).
	KeyID string

	// AllowedAlgorithms restricts which algorithms are accepted.
	// If empty, all supported algorithms are allowed.
	AllowedAlgorithms []string

	// RequiredComponents specifies components that must be in the signature.
	// If empty, no specific components are required.
	RequiredComponents []string

	// MaxAge is the maximum age of a signature (based on created time).
	// If zero, no age check is performed.
	MaxAge time.Duration

	// Label specifies which signature to verify (defaults to first signature).
	Label string
}

VerifierOptions configures a Verifier.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL