
httpsig's Issues

Option to use newer Content-Digest field with sha-512

The changelog for draft-ietf-httpbis-digest-headers states:

Since draft-ietf-httpbis-digest-headers-07

   *  Introduced Repr-Digest and Want-Repr-Digest, and deprecated Digest
      and Want-Digest.  Use of Structured Fields. #1993, #1919

...

Since draft-ietf-httpbis-digest-headers-05

   ...

   *  Add Content-Digest #1542

Libraries for other languages are using the newer Content-Digest header field:

Content-Digest: sha256=:abc:,sha512=:def:

Would be nice if there was a way to do this here as well, and to select sha512 as the algorithm.

feature proposal

Hello @jbowes,

For my own uses, I have experimented with a change which I'd like to know if you're interested in before I spend more time on it for a proper PR.

Long story short, whenever you want to add support for a specific elliptic curve and a specific hasher function, you are forced to implement a specific private signer and verifier, as well as specific public signer and verifier functions (i.e. signEcdsaP256Sha256, verifyEcdsaP256Sha256, WithSignEcdsaP256Sha256, WithVerifyEcdsaP256Sha256).

I implemented WithSignEcdsa(), WithVerifyEcdsa, signEcdsa & verifyEcdsa which take an additional crypto.Hash parameter and use key.Curve.Params().Name and crypto.Hash.String() to infer the algorithm. With this, I could easily switch between curves and hash functions to support combinations that are currently unsupported in your package.

Is this something you'd be interested in?

Body length 0 error with basic example

Hello,

Trying out the library I looked at the example in the README and came up with this as a basic example for using a POST request:

package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"

	"github.com/jbowes/httpsig"
)

func main() {
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Printf("%#v\n", r.Header)
		body, _ := io.ReadAll(r.Body)
		fmt.Fprintf(w, "Hello, client: %s", body)
	}))
	defer ts.Close()

	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}

	//client := http.Client{}
	client := http.Client{
		// Wrap the transport:
		Transport: httpsig.NewSignTransport(http.DefaultTransport,
			httpsig.WithSignEcdsaP256Sha256("key1", privKey)),
	}

	data := map[string]string{
		"hello": "world",
	}

	b, err := json.Marshal(data)
	if err != nil {
		log.Fatal(err)
	}

	buf := bytes.NewReader(b)

	resp, err := client.Post(ts.URL, "application/json", buf)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(string(body))
}

Trying to run this results in the following output:

go run .
2023/10/23 23:21:20 Post "http://127.0.0.1:55020": http: ContentLength=17 with Body length 0
exit status 1

I think the problem is that

r.Body = io.NopCloser(bytes.NewReader(b.Bytes()))
... should be setting nr.Body, not r.Body. I think the reason for this is the function returns transport.RoundTrip(nr) which at that point holds a reference to the original (and at that point consumed) r.Body.
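
The fix suggested in the issue above, as an added Go example that is not httpsig's own code: a wrapping RoundTripper that reads the body (here to compute a sha-512 Content-Digest) has to put the restored body on the cloned request it forwards. The names digestTransport and postThrough are hypothetical, and the JSON body is constructed sample input.

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// digestTransport is a hypothetical wrapper, not httpsig's code.
type digestTransport struct{ base http.RoundTripper }

func (t digestTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	nr := r.Clone(r.Context()) // nr.Body is the same reader as r.Body
	if r.Body != nil && r.Body != http.NoBody {
		b, err := io.ReadAll(r.Body) // drains that shared reader
		r.Body.Close()
		if err != nil {
			return nil, err
		}
		sum := sha512.Sum512(b) // "sha-512" is the key registered in RFC 9530
		nr.Header.Set("Content-Digest", "sha-512=:"+base64.StdEncoding.EncodeToString(sum[:])+":")
		nr.Body = io.NopCloser(bytes.NewReader(b)) // restore on nr, the request actually sent
	}
	return t.base.RoundTrip(nr)
}

// postThrough posts body via the wrapper; returns "<Content-Digest>|<body>" as the server saw it.
func postThrough(body string) (string, error) {
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		fmt.Fprintf(w, "%s|%s", r.Header.Get("Content-Digest"), b)
	}))
	defer ts.Close()
	c := http.Client{Transport: digestTransport{http.DefaultTransport}}
	resp, err := c.Post(ts.URL, "application/json", strings.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	out, err := io.ReadAll(resp.Body)
	return string(out), err
}

func main() { fmt.Println(postThrough(`{"hello":"world"}`)) } // constructed body
```

Assigning the restored reader to r.Body instead of nr.Body in this wrapper reproduces the "ContentLength=17 with Body length 0" error from the report, because the transport is handed nr.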
