signature

package
v0.2.13 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 22, 2026 License: MPL-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package signature is the chassis-owned wrapper around RFC 9421 HTTP message signatures. It exposes a small Signer / Verifier interface so the rest of the chassis (and CLI) never imports the underlying library directly — that keeps the surface area we own small and gives us a swap point if we ever inline-replace the implementation.

Index

Constants

View Source
const (
	ErrMissingSignatureHeaders = "missing_signature_headers"
	ErrUnknownKey              = "unknown_key"
	ErrRevokedKey              = "revoked_key"
	ErrInvalidContentDigest    = "invalid_content_digest"
	ErrInvalidSignature        = "invalid_signature"
	ErrTimestampOutOfRange     = "timestamp_out_of_range"
	ErrNonceReplay             = "nonce_replay"
	ErrActorRevoked            = "actor_revoked"
	ErrCapabilityDenied        = "capability_denied"
)

Standard error codes — keep in sync with the design doc and middleware.

Variables

This section is empty.

Functions

This section is empty.

Types

type ActorPrivateKey

type ActorPrivateKey struct {
	KeyID      string
	PrivateKey ed25519.PrivateKey
}

ActorPrivateKey is what a CLI caller uses to sign outgoing requests.

type AuthError

type AuthError struct {
	Code  string
	Cause error
}

AuthError maps verification failures to the well-known error codes defined in internal docs/todo-chassis-auth-signed-actor-requests.md. Middleware converts these into the response JSON.

func (*AuthError) Error

func (e *AuthError) Error() string

func (*AuthError) Unwrap

func (e *AuthError) Unwrap() error

type PublicKeyResolver

type PublicKeyResolver func(keyID string) (ed25519.PublicKey, error)

PublicKeyResolver looks up a public key by its keyID and returns its Ed25519 public key. The caller (typically the auth middleware) is responsible for handling unknown / revoked keys; returning a non-nil error short-circuits Verify.

type Signer

type Signer interface {
	Sign(req *http.Request, key ActorPrivateKey) error
}

Signer signs an outgoing *http.Request in place. After Sign returns, the request carries `Content-Digest`, `Signature-Input`, and `Signature` headers.

Note: this is the SERVER-SIDE signer surface (used in chassis-side tests that need to mint a signed request, e.g. integration suites that exercise the verifier). The CLI's signing path lives in chassis/cli/signer/ — it owns its own RFC 9421 canonicalizer so it can plug in non-key backends like ssh-agent. Both paths produce byte-identical wire output verified by the same chassis verifier.

func NewSigner

func NewSigner() Signer

NewSigner returns the default RFC 9421 signer. It always covers the component set declared in signedComponents (@method, @path, @query, @authority, content-digest), uses ed25519, and embeds a fresh nonce + the current `created` timestamp on every signature.

type VerifiedSignature

type VerifiedSignature struct {
	KeyID     string
	Created   time.Time
	Nonce     string
	Algorithm string
}

VerifiedSignature is what the verifier returns on success.

type Verifier

type Verifier interface {
	Verify(req *http.Request, resolve PublicKeyResolver, opts VerifyOptions) (*VerifiedSignature, error)
}

Verifier validates an incoming *http.Request's RFC 9421 signature. On success it returns the resolved keyID + signing metadata so the caller can attach them to the request's auth context. Errors are classified by the well-known auth-error codes from the design doc.

func NewVerifier

func NewVerifier() Verifier

NewVerifier returns the default RFC 9421 verifier with the chassis's fixed covered components.

type VerifyOptions

type VerifyOptions struct {
	// NotOlderThan rejects signatures whose `created` parameter is older
	// than this. We use it for clock-skew enforcement (5min in v1).
	NotOlderThan time.Duration

	// NonceCheck is called once per request to enforce replay defense.
	// It receives the (keyID, nonce) pair. Returning a non-nil error
	// rejects the request as a replay.
	NonceCheck func(keyID, nonce string) error
}

VerifyOptions tunes the verifier's policy. None of these are part of RFC 9421 itself — they're chassis policy enforced via library hooks.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL