Trailer fields (partial), bump SFV

yaronf · yaronf · commit 5cc16eaa3e32 · 2022-11-27T19:32:08.000+02:00
diff --git a/fields.go b/fields.go
@@ -103,14 +103,14 @@ func (f field) headerName() (bool, string) {
 
 // AddHeader appends a bare header name, e.g. "cache-control".
 func (fs *Fields) AddHeader(hdr string) *Fields {
-	return fs.AddHeaderExt(hdr, false, false, false)
+	return fs.AddHeaderExt(hdr, false, false, false, false)
 }
 
 // AddHeaderExt appends a bare header name, e.g. "cache-control". See type documentation
 // for details on optional parameters. The component can be marked as coming from an associated request.
-func (fs *Fields) AddHeaderExt(hdr string, optional, binarySequence, associatedRequest bool) *Fields {
+func (fs *Fields) AddHeaderExt(hdr string, optional bool, binarySequence bool, associatedRequest bool, trailer bool) *Fields {
 	f := fromHeaderName(hdr)
-	f.markField(optional, associatedRequest)
+	f.markField(optional, associatedRequest, trailer)
 	if binarySequence {
 		f.markBinarySequence()
 	}
@@ -139,14 +139,14 @@ func (f field) queryParam() (bool, string) {
 
 // AddQueryParam indicates a request for a specific query parameter to be signed.
 func (fs *Fields) AddQueryParam(qp string) *Fields {
-	return fs.AddQueryParamExt(qp, false, false)
+	return fs.AddQueryParamExt(qp, false, false, false)
 }
 
 // AddQueryParamExt indicates a request for a specific query parameter to be signed. See type documentation
 // for details on optional parameters. The component can be marked as coming from an associated request.
-func (fs *Fields) AddQueryParamExt(qp string, optional, associatedRequest bool) *Fields {
+func (fs *Fields) AddQueryParamExt(qp string, optional, associatedRequest, trailer bool) *Fields {
 	f := fromQueryParam(qp)
-	f.markField(optional, associatedRequest)
+	f.markField(optional, associatedRequest, trailer)
 	fs.f = append(fs.f, *f)
 	return fs
 }
@@ -169,15 +169,15 @@ func (f field) dictHeader() (ok bool, hdr, key string) {
 
 // AddDictHeader indicates that out of a header structured as a dictionary, a specific key value is signed/verified.
 func (fs *Fields) AddDictHeader(hdr, key string) *Fields {
-	return fs.AddDictHeaderExt(hdr, key, false, false)
+	return fs.AddDictHeaderExt(hdr, key, false, false, false)
 }
 
 // AddDictHeaderExt indicates that out of a header structured as a dictionary, a specific key value is signed/verified.
 // See type documentation
 // for details on optional parameters. The component can be marked as coming from an associated request.
-func (fs *Fields) AddDictHeaderExt(hdr, key string, optional, associatedRequest bool) *Fields {
+func (fs *Fields) AddDictHeaderExt(hdr, key string, optional, associatedRequest, trailer bool) *Fields {
 	f := fromDictHeader(hdr, key)
-	f.markField(optional, associatedRequest)
+	f.markField(optional, associatedRequest, trailer)
 	fs.f = append(fs.f, *f)
 	return fs
 }
@@ -200,17 +200,32 @@ func (f field) binarySequence() bool {
 	return ok && v.(bool)
 }
 
+func (f field) trailer() bool {
+	v, ok := f.Params.Get("tr")
+	return ok && v.(bool)
+}
+
+func (f field) optional() bool {
+	v, ok := f.Params.Get("optional")
+	return ok && v.(bool)
+}
+
+func (f field) associatedRequest() bool {
+	v, ok := f.Params.Get("req")
+	return ok && v.(bool)
+}
+
 // AddStructuredField indicates that a header should be interpreted as a structured field, per RFC 8941.
 func (fs *Fields) AddStructuredField(hdr string) *Fields {
-	return fs.AddStructuredFieldExt(hdr, false, false)
+	return fs.AddStructuredFieldExt(hdr, false, false, false)
 }
 
 // AddStructuredFieldExt indicates that a header should be interpreted as a structured field, per RFC 8941.
 // See type documentation
 // for details on optional parameters. The component can be marked as coming from an associated request.
-func (fs *Fields) AddStructuredFieldExt(hdr string, optional, associatedRequest bool) *Fields {
+func (fs *Fields) AddStructuredFieldExt(hdr string, optional, associatedRequest, trailer bool) *Fields {
 	f := fromStructuredField(hdr)
-	f.markField(optional, associatedRequest)
+	f.markField(optional, associatedRequest, trailer)
 	fs.f = append(fs.f, *f)
 	return fs
 }
@@ -224,34 +239,39 @@ func (f field) asSignatureBase() (string, error) {
 	return s, err
 }
 
-func (f field) markField(optional bool, associatedRequest bool) {
+func (f field) markField(optional bool, associatedRequest bool, trailer bool) {
 	if optional {
 		f.markOptional()
 	}
 	if associatedRequest {
 		f.markAssociatedRequest()
 	}
+	if trailer {
+		f.markTrailer()
+	}
 }
 
-func (f field) markOptional() {
+func (f field) markFlag(name string) {
 	if f.Params == nil {
 		f.Params = httpsfv.NewParams()
 	}
-	f.Params.Add("optional", true)
+	f.Params.Add(name, true)
+}
+
+func (f field) markOptional() {
+	f.markFlag("optional")
 }
 
 func (f field) markBinarySequence() {
-	if f.Params == nil {
-		f.Params = httpsfv.NewParams()
-	}
-	f.Params.Add("bs", true)
+	f.markFlag("bs")
 }
 
 func (f field) markAssociatedRequest() {
-	if f.Params == nil {
-		f.Params = httpsfv.NewParams()
-	}
-	f.Params.Add("req", true)
+	f.markFlag("req")
+}
+
+func (f field) markTrailer() {
+	f.markFlag("tr")
 }
 
 func (f field) unmarkOptional() {
@@ -261,45 +281,6 @@ func (f field) unmarkOptional() {
 	f.Params.Del("optional")
 }
 
-func (f field) isOptional() bool {
-	if f.Params != nil {
-		v, ok := f.Params.Get("optional")
-		if ok {
-			vv, ok2 := v.(bool)
-			if ok2 {
-				return vv
-			}
-		}
-	}
-	return false
-}
-
-func (f field) isBinarySequence() bool {
-	if f.Params != nil {
-		v, ok := f.Params.Get("bs")
-		if ok {
-			vv, ok2 := v.(bool)
-			if ok2 {
-				return vv
-			}
-		}
-	}
-	return false
-}
-
-func (f field) forAssociatedRequest() bool {
-	if f.Params != nil {
-		v, ok := f.Params.Get("req")
-		if ok {
-			vv, ok2 := v.(bool)
-			if ok2 {
-				return vv
-			}
-		}
-	}
-	return false
-}
-
 // Not a full deep copy, but good enough for mutating params
 func (f field) copy() field {
 	ff := field{
@@ -330,7 +311,7 @@ func (fs *Fields) asSignatureInput(p *httpsfv.Params) (string, error) {
 	return s, err
 }
 
-//  contains verifies that all required fields are in the given list of fields (yes, this is O(n^2)).
+// contains verifies that all required fields are in the given list of fields (yes, this is O(n^2)).
 func (fs *Fields) contains(requiredFields *Fields) bool {
 outer:
 	for _, f1 := range requiredFields.f {
diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.19
 
 require (
 	github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883
-	github.com/dunglas/httpsfv v1.0.0
+	github.com/dunglas/httpsfv v1.0.1
 	github.com/lestrrat-go/jwx/v2 v2.0.6
 	github.com/stretchr/testify v1.8.0
 )
diff --git a/go.sum b/go.sum
@@ -6,8 +6,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 h1:HbphB4TFFXpv7MNrT52FGrrgVXF1owhMVTHFZIlnvd4=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0/go.mod h1:DZGJHZMqrU4JJqFAWUS2UO1+lbSKsdiOoYi9Zzey7Fc=
-github.com/dunglas/httpsfv v1.0.0 h1:ckJImqjT9j782rxCxRXC/4YyFe2FJtCINs6Qs/xtIdU=
-github.com/dunglas/httpsfv v1.0.0/go.mod h1:zID2mqw9mFsnt7YC3vYQ9/cjq30q41W+1AnDwH8TiMg=
+github.com/dunglas/httpsfv v1.0.1 h1:OjTvfzHJuwjuoyUPkDL1lJzcUP//AUd7cWvn1Nvo03w=
+github.com/dunglas/httpsfv v1.0.1/go.mod h1:zID2mqw9mFsnt7YC3vYQ9/cjq30q41W+1AnDwH8TiMg=
 github.com/goccy/go-json v0.9.11 h1:/pAaQDLHEoCq/5FFmSKBswWmK6H0e8g4159Kc/X/nqk=
 github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
diff --git a/signatures_test.go b/signatures_test.go
@@ -1474,7 +1474,7 @@ func TestVerifyResponse(t *testing.T) {
 
 func TestOptionalSign(t *testing.T) {
 	req := readRequest(httpreq2)
-	f1 := NewFields().AddHeader("date").AddHeaderExt("x-optional", true, false, false)
+	f1 := NewFields().AddHeader("date").AddHeaderExt("x-optional", true, false, false, false)
 	key1 := bytes.Repeat([]byte{0x55}, 64)
 	signer1, err := NewHMACSHA256Signer("key1", key1, NewSignConfig().setFakeCreated(9999), *f1)
 	assert.NoError(t, err, "Could not create signer")
@@ -1489,7 +1489,7 @@ func TestOptionalSign(t *testing.T) {
 	assert.Equal(t, "sig1=(\"date\" \"x-optional\");created=9999;alg=\"hmac-sha256\";keyid=\"key1\"", signatureInput)
 	assert.Equal(t, "\"date\": Tue, 20 Apr 2021 02:07:55 GMT\n\"x-optional\": value\n\"@signature-params\": (\"date\" \"x-optional\");created=9999;alg=\"hmac-sha256\";keyid=\"key1\"", signatureBase)
 
-	f2 := f1.AddQueryParamExt("bla", true, false).AddQueryParamExt("bar", true, false)
+	f2 := f1.AddQueryParamExt("bla", true, false, false).AddQueryParamExt("bar", true, false, false)
 	signer2, err := NewHMACSHA256Signer("key1", key1, NewSignConfig().setFakeCreated(9999), *f2)
 	assert.NoError(t, err, "Could not create signer")
 	signatureInput, _, signatureBase, err = signRequestDebug("sig1", *signer2, req)
@@ -1499,7 +1499,7 @@ func TestOptionalSign(t *testing.T) {
 
 	res1 := readResponse(httpres2)
 	res1.Header.Set("X-Dictionary", "a=1,    b=2;x=1;y=2,    c=(a b c)")
-	f3 := NewFields().AddDictHeaderExt("x-dictionary", "a", true, false).AddDictHeaderExt("x-dictionary", "zz", true, false)
+	f3 := NewFields().AddDictHeaderExt("x-dictionary", "a", true, false, false).AddDictHeaderExt("x-dictionary", "zz", true, false, false)
 	signer3, err := NewHMACSHA256Signer("key1", key1, NewSignConfig().setFakeCreated(9999), *f3)
 	assert.NoError(t, err, "Could not create signer")
 	signatureInput, _, signatureBase, err = signResponseDebug("sig1", *signer3, res1, nil)
@@ -1509,7 +1509,7 @@ func TestOptionalSign(t *testing.T) {
 
 	res2 := readResponse(httpres2)
 	res2.Header.Set("X-Dictionary", "a=1,    b=2;x=1;y=2,    c=(a  b  c)")
-	f4 := NewFields().AddStructuredFieldExt("x-dictionary", true, false).AddStructuredFieldExt("x-not-a-dictionary", true, false)
+	f4 := NewFields().AddStructuredFieldExt("x-dictionary", true, false, false).AddStructuredFieldExt("x-not-a-dictionary", true, false, false)
 	signer4, err := NewHMACSHA256Signer("key1", key1, NewSignConfig().setFakeCreated(9999), *f4)
 	assert.NoError(t, err, "Could not create signer")
 	signatureInput, _, signatureBase, err = signResponseDebug("sig1", *signer4, res2, nil)
@@ -1523,8 +1523,8 @@ func TestAssocMessage(t *testing.T) {
 	assocReq := readRequest(httpreq2)
 	res1 := readResponse(httpres2)
 	res1.Header.Set("X-Dictionary", "a=1,    b=2;x=1;y=2,    c=(a b c)")
-	f3 := NewFields().AddDictHeaderExt("x-dictionary", "a", true, false).AddDictHeaderExt("x-dictionary", "zz", true, false).
-		AddQueryParamExt("pet", false, true)
+	f3 := NewFields().AddDictHeaderExt("x-dictionary", "a", true, false, false).AddDictHeaderExt("x-dictionary", "zz", true, false, false).
+		AddQueryParamExt("pet", false, true, false)
 	signer3, err := NewHMACSHA256Signer("key1", key1, NewSignConfig().setFakeCreated(9999), *f3)
 	assert.NoError(t, err, "Could not create signer")
 	signatureInput, signature, signatureBase, err := signResponseDebug("sig1", *signer3, res1, assocReq)
@@ -1590,7 +1590,7 @@ func TestRequestBinding(t *testing.T) {
 func TestOptionalVerify(t *testing.T) {
 	req := readRequest(httpreq2)
 	req.Header.Add("X-Opt1", "val1")
-	f1 := NewFields().AddHeader("date").AddHeaderExt("x-opt1", true, false, false)
+	f1 := NewFields().AddHeader("date").AddHeaderExt("x-opt1", true, false, false, false)
 	key1 := bytes.Repeat([]byte{0x66}, 64)
 	signer, err := NewHMACSHA256Signer("key1", key1, NewSignConfig().setFakeCreated(8888), *f1)
 	assert.NoError(t, err, "Could not create signer")
@@ -1635,13 +1635,13 @@ func TestBinarySequence(t *testing.T) {
 
 	// First signature try fails
 	signer1, err := NewP256Signer("key20", *priv, NewSignConfig(),
-		*NewFields().AddHeader("@status").AddHeaderExt("set-cookie", false, false, false))
+		*NewFields().AddHeader("@status").AddHeaderExt("set-cookie", false, false, false, false))
 	assert.NoError(t, err, "could not create signer")
 	_, _, err = SignResponse("sig2", *signer1, res, nil)
 	assert.Error(t, err, "signature should have failed")
 
 	signer2, err := NewP256Signer("key20", *priv, NewSignConfig().setFakeCreated(1659563420),
-		*NewFields().AddHeader("@status").AddHeaderExt("set-cookie", false, true, false))
+		*NewFields().AddHeader("@status").AddHeaderExt("set-cookie", false, true, false, false))
 	assert.NoError(t, err, "could not create signer")
 	sigInput, sig, sigBase, err := signResponseDebug("sig2", *signer2, res, nil)
 	assert.NoError(t, err, "could not sign response")
@@ -1651,14 +1651,14 @@ func TestBinarySequence(t *testing.T) {
 
 	// Client verifies response - should fail
 	verifier1, err := NewP256Verifier("key20", *pub, NewVerifyConfig().SetVerifyCreated(false),
-		*NewFields().AddHeader("@status").AddHeaderExt("set-cookie", false, false, false))
+		*NewFields().AddHeader("@status").AddHeaderExt("set-cookie", false, false, false, false))
 	assert.NoError(t, err, "could not create verifier")
 	err = VerifyResponse("sig2", *verifier1, res, nil)
 	assert.Error(t, err, "binary sequence verified as non-bs")
 
 	// Client verifies response - should succeed
 	verifier2, err := NewP256Verifier("key20", *pub, NewVerifyConfig().SetVerifyCreated(false),
-		*NewFields().AddHeader("@status").AddHeaderExt("set-cookie", false, true, false))
+		*NewFields().AddHeader("@status").AddHeaderExt("set-cookie", false, true, false, false))
 	assert.NoError(t, err, "could not create verifier")
 	err = VerifyResponse("sig2", *verifier2, res, nil)
 	assert.NoError(t, err, "could not verify response")
diff --git a/trailer_test.go b/trailer_test.go
@@ -0,0 +1,69 @@
+package httpsign
+
+import (
+	"bytes"
+	"net/http"
+	"net/url"
+	"reflect"
+	"testing"
+)
+
+var rawPost1 = "POST /foo HTTP/1.1\nContent-Type: text/plain\nTransfer-Encoding: chunked\nTrailer: Expires\n\n4\nHTTP\r\n7\r\nMessage\r\na\r\nSignatures\r\n0\r\nExpires: Wed, 9 Nov 2022 07:28:00 GMT\r\n\r\n"
+
+// This identical representation fails, see https://github.com/golang/go/issues/56835
+var rawPost2 = `POST /foo HTTP/1.1
+Content-Type: text/plain
+Transfer-Encoding: chunked
+Trailer: Expires
+
+4
+HTTP
+7
+Message
+a
+Signatures
+0
+Expires: Wed, 9 Nov 2022 07:28:00 GMT
+
+`
+
+func TestTrailer_Get(t *testing.T) {
+	ts := makeTestServer()
+	defer ts.Close()
+
+	c := &Client{config: ClientConfig{
+		signatureName: "sig1",
+		signer: func() *Signer {
+			signer, _ := NewHMACSHA256Signer("key1", bytes.Repeat([]byte{1}, 64), NewSignConfig(),
+				Headers("@method", "hdr"))
+			return signer
+		}(),
+		verifier:      nil,
+		fetchVerifier: nil,
+	},
+		client: *http.DefaultClient,
+	}
+	req := readRequest(rawPost1)
+
+	req.RequestURI = "" // otherwise Do will complain
+	u, err := url.Parse(ts.URL + "/foo")
+	if err != nil {
+		panic(err)
+	}
+	req.URL = u
+
+	res, err := c.Do(req)
+	var gotRes string
+	if res != nil {
+		gotRes = res.Status
+	}
+	if err != nil {
+		t.Errorf("Get() error = %v", err)
+		return
+	}
+	if !reflect.DeepEqual(gotRes, "200 OK") {
+		t.Errorf("Get() gotRes = %v", gotRes)
+	}
+
+	t.Errorf("No trailer support")
+}

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ go 1.19`
`4`	`4`
`5`	`5`	`require (`
`6`	`6`	`github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883`
`7`		`- github.com/dunglas/httpsfv v1.0.0`
	`7`	`+ github.com/dunglas/httpsfv v1.0.1`
`8`	`8`	`github.com/lestrrat-go/jwx/v2 v2.0.6`
`9`	`9`	`github.com/stretchr/testify v1.8.0`
`10`	`10`	`)`