Request-response feature

Author: yaronf

config.go

@@ -7,14 +7,16 @@ import (
 	"time"
 )
 
-// SignConfig contains additional configuration for the Signer.
+type requestResponse struct{ name, signature string }
+
+// SignConfig contains additional configuration for the signer.
 type SignConfig struct {
 	signAlg         bool
 	signCreated     bool
 	fakeCreated     int64
 	expires         int64
 	nonce           string
-	requestResponse struct{ name, signature string }
+	requestResponse *requestResponse
 }
 
 // NewSignConfig generates a default configuration.
@@ -64,18 +66,18 @@ func (c *SignConfig) SetNonce(nonce string) *SignConfig {
 // SetRequestResponse allows the server to indicate signature name and signature that
 // it had received from a client and include it in the signature input.
 func (c *SignConfig) SetRequestResponse(name, signature string) *SignConfig {
-	// TODO RequestResponse
-	c.requestResponse = struct{ name, signature string }{name, signature}
+	c.requestResponse = &requestResponse{name, signature}
 	return c
 }
 
-// VerifyConfig contains additional configuration for the Verifier.
+// VerifyConfig contains additional configuration for the verifier.
 type VerifyConfig struct {
-	verifyCreated bool
-	notNewerThan  time.Duration
-	notOlderThan  time.Duration
-	allowedAlgs   []string
-	rejectExpired bool
+	verifyCreated   bool
+	notNewerThan    time.Duration
+	notOlderThan    time.Duration
+	allowedAlgs     []string
+	rejectExpired   bool
+	requestResponse *requestResponse
 }
 
 // SetNotNewerThan sets the window for messages that appear to be newer than the current time,
@@ -114,6 +116,17 @@ func (v *VerifyConfig) SetAllowedAlgs(allowedAlgs []string) *VerifyConfig {
 	return v
 }
 
+// SetRequestResponse allows the server to indicate signature name and signature that
+// it had received from a client and include it in the signature input. Here this is configured
+// on the client side when verifying the response.
+func (v *VerifyConfig) SetRequestResponse(name, signature string) *VerifyConfig {
+	v.requestResponse = &requestResponse{
+		name:      name,
+		signature: signature,
+	}
+	return v
+}
+
 // NewVerifyConfig generates a default configuration.
 func NewVerifyConfig() *VerifyConfig {
 	return &VerifyConfig{

crypto.go

@@ -33,6 +33,9 @@ func NewHMACSHA256Signer(keyID string, key []byte, config *SignConfig, fields Fi
 	if config == nil {
 		config = NewSignConfig()
 	}
+	if fields == nil {
+		return nil, fmt.Errorf("fields must not be nil")
+	}
 	return &Signer{
 		keyID:  keyID,
 		key:    key,
@@ -54,6 +57,9 @@ func NewRSASigner(keyID string, key *rsa.PrivateKey, config *SignConfig, fields
 	if config == nil {
 		config = NewSignConfig()
 	}
+	if fields == nil {
+		return nil, fmt.Errorf("fields must not be nil")
+	}
 	return &Signer{
 		keyID:  keyID,
 		key:    key,
@@ -75,6 +81,9 @@ func NewRSAPSSSigner(keyID string, key *rsa.PrivateKey, config *SignConfig, fiel
 	if config == nil {
 		config = NewSignConfig()
 	}
+	if fields == nil {
+		return nil, fmt.Errorf("fields must not be nil")
+	}
 	return &Signer{
 		keyID:  keyID,
 		key:    key,
@@ -96,6 +105,9 @@ func NewP256Signer(keyID string, key *ecdsa.PrivateKey, config *SignConfig, fiel
 	if config == nil {
 		config = NewSignConfig()
 	}
+	if fields == nil {
+		return nil, fmt.Errorf("fields must not be nil")
+	}
 	return &Signer{
 		keyID:  keyID,
 		key:    key,
@@ -135,11 +147,11 @@ func (s Signer) sign(buff []byte) ([]byte, error) {
 
 // Verifier includes a cryptographic key (typically a public key) and configuration of what needs to be verified.
 type Verifier struct {
-	keyID string
-	key   interface{}
-	alg   string
-	c     *VerifyConfig
-	f     Fields
+	keyID  string
+	key    interface{}
+	alg    string
+	config *VerifyConfig
+	fields Fields
 }
 
 // NewHMACSHA256Verifier generates a new Verifier for HMAC-SHA256 signatures. Set config to nil for a default configuration.
@@ -155,11 +167,11 @@ func NewHMACSHA256Verifier(keyID string, key []byte, config *VerifyConfig, field
 		config = NewVerifyConfig()
 	}
 	return &Verifier{
-		keyID: keyID,
-		key:   key,
-		alg:   "hmac-sha256",
-		c:     config,
-		f:     fields,
+		keyID:  keyID,
+		key:    key,
+		alg:    "hmac-sha256",
+		config: config,
+		fields: fields,
 	}, nil
 }
 
@@ -172,12 +184,15 @@ func NewRSAVerifier(keyID string, key *rsa.PublicKey, config *VerifyConfig, fiel
 	if config == nil {
 		config = NewVerifyConfig()
 	}
+	if fields == nil {
+		return nil, fmt.Errorf("fields must not be nil")
+	}
 	return &Verifier{
-		keyID: keyID,
-		key:   key,
-		alg:   "rsa-v1_5-sha256",
-		c:     config,
-		f:     fields,
+		keyID:  keyID,
+		key:    key,
+		alg:    "rsa-v1_5-sha256",
+		config: config,
+		fields: fields,
 	}, nil
 }
 
@@ -190,12 +205,15 @@ func NewRSAPSSVerifier(keyID string, key *rsa.PublicKey, config *VerifyConfig, f
 	if config == nil {
 		config = NewVerifyConfig()
 	}
+	if fields == nil {
+		return nil, fmt.Errorf("fields must not be nil")
+	}
 	return &Verifier{
-		keyID: keyID,
-		key:   key,
-		alg:   "rsa-pss-sha512",
-		c:     config,
-		f:     fields,
+		keyID:  keyID,
+		key:    key,
+		alg:    "rsa-pss-sha512",
+		config: config,
+		fields: fields,
 	}, nil
 }
 
@@ -208,12 +226,15 @@ func NewP256Verifier(keyID string, key *ecdsa.PublicKey, config *VerifyConfig, f
 	if config == nil {
 		config = NewVerifyConfig()
 	}
+	if fields == nil {
+		return nil, fmt.Errorf("fields must not be nil")
+	}
 	return &Verifier{
-		keyID: keyID,
-		key:   key,
-		alg:   "ecdsa-p256-sha256",
-		c:     config,
-		f:     fields,
+		keyID:  keyID,
+		key:    key,
+		alg:    "ecdsa-p256-sha256",
+		config: config,
+		fields: fields,
 	}, nil
 }
 

fields.go

@@ -1,6 +1,7 @@
 package httpsign
 
 import (
+	"fmt"
 	"github.com/dunglas/httpsfv"
 	"strings"
 )
@@ -14,6 +15,10 @@ type field struct {
 	flagName, flagValue string
 }
 
+func (f *field) String() string {
+	return fmt.Sprintf("%s;%s=\"%s\"", f.name, f.flagName, f.flagValue)
+}
+
 // HeaderList is a simple way to generate a Fields list, where only simple header names and specialty headers
 // are needed.
 func HeaderList(hs []string) Fields {

signatures.go

@@ -53,7 +53,11 @@ func generateSignature(name string, signer Signer, input string) (string, error)
 	if err != nil {
 		return "", err
 	}
-	return fmt.Sprintf("%s=:%s:", name, base64.StdEncoding.EncodeToString(raw)), nil
+	return fmt.Sprintf("%s=%s", name, encodeBytes(raw)), nil
+}
+
+func encodeBytes(raw []byte) string {
+	return ":" + base64.StdEncoding.EncodeToString(raw) + ":"
 }
 
 func generateSignatureInput(message parsedMessage, fields Fields, params string) (string, error) {
@@ -110,6 +114,9 @@ func SignRequest(signatureName string, signer Signer, req *http.Request) (signat
 	if signatureName == "" {
 		return "", "", fmt.Errorf("empty signature name")
 	}
+	if signer.config.requestResponse != nil {
+		return "", "", fmt.Errorf("use request-response only to sign responses")
+	}
 	parsedMessage, err := parseRequest(req)
 	if err != nil {
 		return "", "", err
@@ -131,15 +138,22 @@ func SignResponse(signatureName string, signer Signer, res *http.Response) (sign
 	if err != nil {
 		return "", "", err
 	}
-	addPseudoHeaders(parsedMessage, *signer.config)
-	return signMessage(*signer.config, signatureName, signer, *parsedMessage, signer.fields)
+	extendedFields := addPseudoHeaders(parsedMessage, signer.config.requestResponse, signer.fields)
+	return signMessage(*signer.config, signatureName, signer, *parsedMessage, extendedFields)
 }
 
-func addPseudoHeaders(message *parsedMessage, config SignConfig) {
-	if config.requestResponse.name != "" {
-		message.components[*fromHeaderName("@request-response")] = []string{config.requestResponse.signature}
-		// TODO and what about the name? (request-response)
+// Handle the special header-like @request-response
+func addPseudoHeaders(message *parsedMessage, rr *requestResponse, fields Fields) Fields {
+	if rr != nil {
+		rrfield := field{
+			name:      "@request-response",
+			flagName:  "key",
+			flagValue: rr.name,
+		}
+		message.components[rrfield] = []string{rr.signature}
+		return append(fields, rrfield)
 	}
+	return fields
 }
 
 //
@@ -152,11 +166,14 @@ func VerifyRequest(signatureName string, verifier Verifier, req *http.Request) (
 	if signatureName == "" {
 		return fmt.Errorf("empty signature name")
 	}
+	if verifier.config.requestResponse != nil {
+		return fmt.Errorf("use request-response only to verify responses")
+	}
 	parsedMessage, err := parseRequest(req)
 	if err != nil {
 		return err
 	}
-	return verifyMessage(*verifier.c, signatureName, verifier, *parsedMessage, verifier.f)
+	return verifyMessage(*verifier.config, signatureName, verifier, *parsedMessage, verifier.fields)
 }
 
 // RequestDetails parses a signed request and returns the key ID and optionally the algorithm used in the given signature.
@@ -189,6 +206,31 @@ func ResponseDetails(signatureName string, res *http.Response) (keyID, alg strin
 	return messageKeyID(signatureName, *parsedMessage)
 }
 
+// GetRequestSignature returns the base64-encoded signature, parsed from a signed request.
+// This is useful for the request-response feature.
+func GetRequestSignature(req *http.Request, signatureName string) (string, error) {
+	if req == nil {
+		return "", fmt.Errorf("nil request")
+	}
+	if signatureName == "" {
+		return "", fmt.Errorf("empty signature name")
+	}
+	parsedMessage, err := parseRequest(req)
+	if err != nil {
+		return "", err
+	}
+	ws, found := parsedMessage.components[*fromHeaderName("signature")]
+	if !found {
+		return "", fmt.Errorf("missing \"signature\" header")
+	}
+	sigHeader := ws[0]
+	sigRaw, err := parseWantSignature(sigHeader, signatureName)
+	if err != nil {
+		return "", err
+	}
+	return encodeBytes(sigRaw), nil
+}
+
 func messageKeyID(signatureName string, parsedMessage parsedMessage) (keyID, alg string, err error) {
 	si, found := parsedMessage.components[*fromHeaderName("signature-input")]
 	if !found {
@@ -231,7 +273,8 @@ func VerifyResponse(signatureName string, verifier Verifier, res *http.Response)
 	if err != nil {
 		return err
 	}
-	return verifyMessage(*verifier.c, signatureName, verifier, *parsedMessage, verifier.f)
+	extendedFields := addPseudoHeaders(parsedMessage, verifier.config.requestResponse, verifier.fields)
+	return verifyMessage(*verifier.config, signatureName, verifier, *parsedMessage, extendedFields)
 }
 
 func verifyMessage(config VerifyConfig, name string, verifier Verifier, message parsedMessage, fields Fields) error {