Structured fields

Author: yaronf

README.md

@@ -1,13 +1,13 @@
-HTTP Message Signatures, implementing [draft-ietf-httpbis-message-signatures-07](https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-07.html).
+HTTP Message Signatures, implementing [draft-ietf-httpbis-message-signatures-08](https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-08.html).
 
-This is a nearly feature-complete implementation of draft -07, including all test vectors.
+This is a nearly feature-complete implementation of draft -08, including all test vectors.
 
 ### Notes and Missing Features
 * The `Accept-Signature` header.
 * Inclusion of `Signature` and `Signature-Input` as trailers is optional and is not yet implemented.
-* Extracting specialty components from the "related request". See [related issue](https://github.com/httpwg/http-extensions/issues/1905).
+* Extracting derived components from the "related request". See [related issue](https://github.com/httpwg/http-extensions/issues/1905).
 * In responses, when using the "wrapped handler" feature, the `Content-Type` header is only signed if set explicitly by the server. This is different, but arguably more secure, than the normal `net.http` behavior.
-* The `sf` parameter, and in particular behavior when it is *not* given.
+* Test vectors are still verified to -07, update to -08 is pending.
 
 [![Go Reference](https://pkg.go.dev/badge/github.com/yaronf/httpsign.svg)](https://pkg.go.dev/github.com/yaronf/httpsign)
 [![Test](https://github.com/yaronf/httpsign/actions/workflows/test.yml/badge.svg)](https://github.com/yaronf/httpsign/actions/workflows/test.yml)

fields.go

@@ -11,6 +11,8 @@ import (
 type Fields []field
 
 // The SFV representation of a field is name;flagName="flagValue"
+// Note that this is a subset of SFV, we only support string-valued params, and only one param
+// per field for now.
 type field struct {
 	name                string
 	flagName, flagValue string
@@ -83,16 +85,35 @@ func (fs *Fields) AddDictHeader(hdr, key string) *Fields {
 	return fs
 }
 
-func (f field) asSignatureInput() (string, error) {
+func fromStructuredField(hdr string) *field {
+	h := strings.ToLower(hdr)
+	f := field{h, "sf", ""}
+	return &f
+}
+
+// AddStructuredField indicates that a header should be interpreted as a structured field, per RFC 8941
+func (fs *Fields) AddStructuredField(hdr string) *Fields {
+	f := fromStructuredField(hdr)
+	*fs = append(*fs, *f)
+	return fs
+}
+
+func (f field) toItem() httpsfv.Item {
 	p := httpsfv.NewParams()
-	if f.flagName != "" {
+	if f.flagName == "sf" { //special case
+		p.Add(f.flagName, true)
+	} else if f.flagName != "" {
 		p.Add(f.flagName, f.flagValue)
 	}
 	i := httpsfv.Item{
 		Value:  f.name,
 		Params: p,
 	}
-	s, err := httpsfv.Marshal(i)
+	return i
+}
+
+func (f field) asSignatureInput() (string, error) {
+	s, err := httpsfv.Marshal(f.toItem())
 	return s, err
 }
 
@@ -102,19 +123,7 @@ func (fs *Fields) asSignatureInput(p *httpsfv.Params) (string, error) {
 		Params: httpsfv.NewParams(),
 	}
 	for _, f := range *fs {
-		if f.flagName == "" {
-			il.Items = append(il.Items, httpsfv.Item{
-				Value:  f.name,
-				Params: httpsfv.NewParams(),
-			})
-		} else {
-			p := httpsfv.NewParams()
-			p.Add(f.flagName, f.flagValue)
-			il.Items = append(il.Items, httpsfv.Item{
-				Value:  f.name,
-				Params: p,
-			})
-		}
+		il.Items = append(il.Items, f.toItem())
 	}
 	il.Params = p
 	s, err := httpsfv.Marshal(il)

signatures.go

@@ -67,19 +67,15 @@ func generateSignatureInput(message parsedMessage, fields Fields, params string)
 }
 
 func generateFieldValues(f field, message parsedMessage) ([]string, error) {
-	if f.flagName == "" {
+	if f.flagName == "" || f.flagName == "sf" {
 		if strings.HasPrefix(f.name, "@") { // derived component
 			vv, found := message.derived[f.name]
 			if !found {
 				return nil, fmt.Errorf("derived header %s not found", f.name)
 			}
 			return []string{vv}, nil
 		}
-		vv, found := message.headers[f.name] // normal header, cannot use "Values" on lowercased header name
-		if !found {
-			return nil, fmt.Errorf("header %s not found", f.name)
-		}
-		return []string{foldFields(vv)}, nil
+		return message.getHeader(f.name, f.flagName == "sf")
 	}
 	if f.name == "@query-params" && f.flagName == "name" {
 		vals, found := message.qParams[f.flagValue]
@@ -94,6 +90,25 @@ func generateFieldValues(f field, message parsedMessage) ([]string, error) {
 	return nil, fmt.Errorf("unrecognized field %s", f)
 }
 
+func (message *parsedMessage) getHeader(hdr string, structured bool) ([]string, error) {
+	vv, found := message.headers[hdr] // normal header, cannot use "Values" on lowercased header name
+	if !found {
+		return nil, fmt.Errorf("header %s not found", hdr)
+	}
+	if !structured {
+		return []string{foldFields(vv)}, nil
+	}
+	sfv, err := httpsfv.UnmarshalDictionary(vv)
+	if err != nil {
+		return nil, fmt.Errorf("could not unmarshal %s, possibly not a structured field: %w", hdr, err)
+	}
+	s, err := httpsfv.Marshal(sfv)
+	if err != nil {
+		return nil, fmt.Errorf("could not re-marshal %s", hdr)
+	}
+	return []string{s}, nil
+}
+
 func (message *parsedMessage) getDictHeader(hdr, member string) ([]string, error) {
 	vals, found := message.headers[hdr]
 	if !found {

signatures_test.go

@@ -1257,6 +1257,18 @@ func Test_signRequestDebug(t *testing.T) {
 			wantSignatureInput:       "\"example-dictionary\": a=1,    b=2;x=1;y=2,   c=(a   b   c)\n\"@signature-params\": (\"example-dictionary\");alg=\"hmac-sha256\";keyid=\"test-key-hmac\"",
 			wantErr:                  false,
 		},
+		{
+			name: "normal header as SFV, sec. 2.1.1",
+			args: args{
+				signatureName: "sig1",
+				signer:        makeHMACSigner(*NewSignConfig().SignCreated(false), *NewFields().AddStructuredField("example-dictionary")),
+				req:           readRequest(dict1),
+			},
+			wantSignatureInputHeader: "sig1=(\"example-dictionary\";sf);alg=\"hmac-sha256\";keyid=\"test-key-hmac\"",
+			wantSignature:            "sig1=:Ts9x90TxYoMYiGHgSysuJdOI26mL7Tzg310l9FdYt7I=:",
+			wantSignatureInput:       "\"example-dictionary\";sf: a=1, b=2;x=1;y=2, c=(a b c)\n\"@signature-params\": (\"example-dictionary\";sf);alg=\"hmac-sha256\";keyid=\"test-key-hmac\"",
+			wantErr:                  false,
+		},
 		{
 			name: "cross-line header, trim",
 			args: args{
@@ -1282,6 +1294,19 @@ func Test_signRequestDebug(t *testing.T) {
 			wantSignatureInput:       "\"x-ows-header\": Leading and trailing whitespace.\n\"x-obs-fold-header\": Obsolete line folding.\n\"cache-control\": max-age=60, must-revalidate\n\"example-dictionary\": a=1,    b=2;x=1;y=2,   c=(a   b   c)\n\"@signature-params\": (\"x-ows-header\" \"x-obs-fold-header\" \"cache-control\" \"example-dictionary\");alg=\"hmac-sha256\";keyid=\"test-key-hmac\"",
 			wantErr:                  false,
 		},
+		{
+			name: "reserialized dictionary headers, Sec. 2.1.2",
+			args: args{
+				signatureName: "sig1",
+				signer: makeHMACSigner(*NewSignConfig().SignCreated(false),
+					*NewFields().AddHeaders("Cache-Control").AddDictHeader("Example-Dictionary", "a").AddDictHeader("Example-Dictionary", "b").AddDictHeader("Example-Dictionary", "c")),
+				req: readRequest(httpreq4),
+			},
+			wantSignatureInputHeader: "sig1=(\"cache-control\" \"example-dictionary\";key=\"a\" \"example-dictionary\";key=\"b\" \"example-dictionary\";key=\"c\");alg=\"hmac-sha256\";keyid=\"test-key-hmac\"",
+			wantSignature:            "sig1=:8ahOKeLf89H5O4bjk1PU6Hl/X48KUO7fxyG8l/sxOJE=:",
+			wantSignatureInput:       "\"cache-control\": max-age=60, must-revalidate\n\"example-dictionary\";key=\"a\": 1\n\"example-dictionary\";key=\"b\": 2;x=1;y=2\n\"example-dictionary\";key=\"c\": (a b c)\n\"@signature-params\": (\"cache-control\" \"example-dictionary\";key=\"a\" \"example-dictionary\";key=\"b\" \"example-dictionary\";key=\"c\");alg=\"hmac-sha256\";keyid=\"test-key-hmac\"",
+			wantErr:                  false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {