Documentation
¶
Overview ¶
Package signature is the chassis-owned wrapper around RFC 9421 HTTP message signatures. It exposes a small Signer / Verifier interface so the rest of the chassis (and CLI) never imports the underlying library directly — that keeps the surface area we own small and gives us a swap point if we ever inline-replace the implementation.
Index ¶
Constants ¶
const ( ErrMissingSignatureHeaders = "missing_signature_headers" ErrUnknownKey = "unknown_key" ErrRevokedKey = "revoked_key" ErrInvalidContentDigest = "invalid_content_digest" ErrInvalidSignature = "invalid_signature" ErrTimestampOutOfRange = "timestamp_out_of_range" ErrNonceReplay = "nonce_replay" ErrActorRevoked = "actor_revoked" ErrCapabilityDenied = "capability_denied" )
Standard error codes — keep in sync with the design doc and middleware.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ActorPrivateKey ¶
type ActorPrivateKey struct {
KeyID string
PrivateKey ed25519.PrivateKey
}
ActorPrivateKey is what a CLI caller uses to sign outgoing requests.
type AuthError ¶
AuthError maps verification failures to the well-known error codes defined in internal docs/todo-chassis-auth-signed-actor-requests.md. Middleware converts these into the response JSON.
type PublicKeyResolver ¶
PublicKeyResolver looks up a public key by its keyID and returns its Ed25519 public key. The caller (typically the auth middleware) is responsible for handling unknown / revoked keys; returning a non-nil error short-circuits Verify.
type Signer ¶
type Signer interface {
Sign(req *http.Request, key ActorPrivateKey) error
}
Signer signs an outgoing *http.Request in place. After Sign returns, the request carries `Content-Digest`, `Signature-Input`, and `Signature` headers.
Note: this is the SERVER-SIDE signer surface (used in chassis-side tests that need to mint a signed request, e.g. integration suites that exercise the verifier). The CLI's signing path lives in chassis/cli/signer/ — it owns its own RFC 9421 canonicalizer so it can plug in non-key backends like ssh-agent. Both paths produce byte-identical wire output verified by the same chassis verifier.
type VerifiedSignature ¶
VerifiedSignature is what the verifier returns on success.
type Verifier ¶
type Verifier interface {
Verify(req *http.Request, resolve PublicKeyResolver, opts VerifyOptions) (*VerifiedSignature, error)
}
Verifier validates an incoming *http.Request's RFC 9421 signature. On success it returns the resolved keyID + signing metadata so the caller can attach them to the request's auth context. Errors are classified by the well-known auth-error codes from the design doc.
func NewVerifier ¶
func NewVerifier() Verifier
NewVerifier returns the default RFC 9421 verifier with the chassis's fixed covered components.
type VerifyOptions ¶
type VerifyOptions struct {
// NotOlderThan rejects signatures whose `created` parameter is older
// than this. We use it for clock-skew enforcement (5min in v1).
NotOlderThan time.Duration
// NonceCheck is called once per request to enforce replay defense.
// It receives the (keyID, nonce) pair. Returning a non-nil error
// rejects the request as a replay.
NonceCheck func(keyID, nonce string) error
}
VerifyOptions tunes the verifier's policy. None of these are part of RFC 9421 itself — they're chassis policy enforced via library hooks.