Draft -10

Author: yaronf

README.md

@@ -1,6 +1,6 @@
 HTTP Message Signatures, implementing [draft-ietf-httpbis-message-signatures](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures).
 
-This is a nearly feature-complete implementation of draft -09, including all test vectors.
+This is a nearly feature-complete implementation of draft -10, including all test vectors.
 
 The code follows the latest version of the draft, which may be the [Editor's Copy](https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html) rather than the published draft.
 
@@ -32,7 +32,6 @@ Below is what a basic client-side integration looks like:
 ### Notes and Missing Features
 * The `Accept-Signature` header is unimplemented.
 * Inclusion of `Signature` and `Signature-Input` as trailers is optional and is not yet implemented.
-* Extracting derived components from the "related request". See [related issue](https://github.com/httpwg/http-extensions/issues/1905).
 * In responses, when using the "wrapped handler" feature, the `Content-Type` header is only signed if set explicitly by the server. This is different, but arguably more secure, than the normal `net.http` behavior.
 
 [![Go Reference](https://pkg.go.dev/badge/github.com/yaronf/httpsign.svg)](https://pkg.go.dev/github.com/yaronf/httpsign)

digest.go

@@ -87,7 +87,8 @@ func validateSchemes(schemes []string) error {
 
 // ValidateContentDigestHeader validates that the Content-Digest header complies to policy: at least
 // one of the "accepted" schemes is used, and all known schemes are associated with a correct
-// digest of the message body. Note that "received" is a string array, typically retrieved through the
+// digest of the message body. Schemes are constants defined in this file, e.g. DigestSha256.
+// Note that "received" is a string array, typically retrieved through the
 // "Values" method of the header. Returns nil if validation is successful.
 func ValidateContentDigestHeader(received []string, body *io.ReadCloser, accepted []string) error {
 	if len(accepted) == 0 {

signatures_test.go

@@ -1556,7 +1556,7 @@ Signature: reqres=:vR1E+sDgh0J3dZyVdPc7mK0ZbEMW3N47eDpFjXLE9g95Gx1KQLpdOmDQfedgd
 {"busy": true, "message": "Your call is very important to us"}
 `
 
-// ";req" use case from draft
+// ";req" use case from draft, Sec. 2.3 of draft -10
 func TestRequestBinding(t *testing.T) {
 	req := readRequest(httpreq6)
 	pubKey, err := parseRsaPublicKeyFromPemStr(rsaPSSPubKey)
@@ -1569,9 +1569,10 @@ func TestRequestBinding(t *testing.T) {
 	fields := *NewFields()
 	verifier, err := NewRSAPSSVerifier("test-key-rsa-pss", *pubKey, NewVerifyConfig().SetVerifyCreated(false), fields)
 	assert.NoError(t, err, "create verifier")
-	_, err = verifyRequestDebug("sig1", *verifier, req)
+	sigBase, err := verifyRequestDebug("sig1", *verifier, req)
+	_ = sigBase
 	// fmt.Println(sigBase)
-	// assert.NoError(t, err, "verify request") // TODO: does not verify
+	// assert.NoError(t, err, "verify request") // Note: does not verify
 
 	res := readResponse(httpres6)
 	pubKey2, err := parseECPublicKeyFromPemStr(p256PubKey2)