fleet/third_party/httpsig-go/sigerrors.go

package httpsig

import (
	"errors"
	"fmt"
)

// ErrCode enumerates the reasons a signing or verification can fail
type ErrCode string

const (
	// Error Codes

	// Errors related to not being able to extract a valid signature.
	ErrNoSigInvalidHeader     ErrCode = "nosig_invalid_header"
	ErrNoSigUnsupportedDigest ErrCode = "nosig_unsupported_digest"
	ErrNoSigWrongDigest       ErrCode = "nosig_wrong_digest"
	ErrNoSigMissingSignature  ErrCode = "nosig_missing_signature"
	ErrNoSigInvalidSignature  ErrCode = "nosig_invalid_signature"
	ErrNoSigMessageBody       ErrCode = "nosig_message_body" // Could not read message body

	// Errors related to an individual signature.
	ErrSigInvalidSignature     ErrCode = "sig_invalid_signature"        // The signature is unparseable or in the wrong format.
	ErrSigKeyFetch             ErrCode = "sig_key_fetch"                // Failed to the key for a signature
	ErrSigVerification         ErrCode = "sig_failed_algo_verification" // The signature did not verify according to the algorithm.
	ErrSigPublicKey            ErrCode = "sig_public_key"               // The public key for the signature is invalid or missing.
	ErrSigSecretKey            ErrCode = "sig_secret_key"               // The secret key for the signature is invalid or missing.
	ErrSigUnsupportedAlgorithm ErrCode = "sig_unsupported_algorithm"    // unsupported or invalid algorithm.
	ErrSigProfile              ErrCode = "sig_failed_profile"           // The signature was valid but failed the verify profile check

	// Signing
	ErrInvalidSignatureOptions ErrCode = "invalid_signature_options"
	ErrInvalidComponent        ErrCode = "invalid_component"
	ErrInvalidMetadata         ErrCode = "invalid_metadata"

	// Accept Signature
	ErrInvalidAcceptSignature ErrCode = "invalid_accept_signature"
	ErrMissingAcceptSignature ErrCode = "missing_accept_signature" // The Accept-Signature field was present but had an empty value.

	// General
	ErrInternal    ErrCode = "internal_error"
	ErrUnsupported ErrCode = "unsupported" // A particular feature of the spec is not supported
)

type SignatureError struct {
	Cause   error // may be nil
	Code    ErrCode
	Message string
}

func (se *SignatureError) Error() string {
	return se.Message
}

func (se *SignatureError) Unwrap() error {
	return se.Cause
}

func (se *SignatureError) GoString() string {
	cause := ""
	if se.Cause != nil {
		cause = fmt.Sprintf("Cause: %s\n", se.Cause)
	}
	return fmt.Sprintf("Code: %s\nMessage: %s\n%s", se.Code, se.Message, cause)
}

func newError(code ErrCode, msg string, cause ...error) *SignatureError {
	var rootErr error
	if len(cause) > 0 {
		rootErr = cause[0]
	}
	return &SignatureError{
		Cause:   rootErr,
		Code:    code,
		Message: msg,
	}
}

func errCode(err error) (ec ErrCode) {
	if err == nil {
		return ""
	}
	var se *SignatureError
	if errors.As(err, &se) {
		return se.Code
	}

	return ""
}
Added a vendored version of httpsig-go. (#30820) For #30473 This change adds a vendored `httpsig-go` library to our repo. We cannot use the upstream library because it has not merged the change we need: https://github.com/remitly-oss/httpsig-go/pull/25 Thus, we need our own copy at this point. The instructions for keeping this library up to date (if needed) are in `UPDATE_INSTRUCTIONS`. None of the coderabbitai review comments are relevant to the code/features we are going to use for HTTP message signatures. We will use this library in subsequent PRs for the TPM-backed HTTP message signature feature. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Introduced a Go library for HTTP message signing and verification, supporting multiple cryptographic algorithms (RSA, ECDSA, Ed25519, HMAC). * Added utilities for key management, including JWK and PEM key handling. * Provided HTTP client and server helpers for automatic request signing and signature verification. * Implemented structured error handling and metadata extraction for signatures. * Documentation * Added comprehensive README, usage examples, and update instructions. * Included license and configuration files for third-party and testing tools. * Tests * Added extensive unit, integration, and fuzz tests covering signing, verification, and key handling. * Included official RFC test vectors and various test data files for robust validation. * Chores * Integrated continuous integration workflows and ignore files for code quality and security analysis. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-14 18:26:50 +00:00			`package httpsig`

			`import (`
			`"errors"`
			`"fmt"`
			`)`

			`// ErrCode enumerates the reasons a signing or verification can fail`
			`type ErrCode string`

			`const (`
			`// Error Codes`

			`// Errors related to not being able to extract a valid signature.`
			`ErrNoSigInvalidHeader ErrCode = "nosig_invalid_header"`
			`ErrNoSigUnsupportedDigest ErrCode = "nosig_unsupported_digest"`
			`ErrNoSigWrongDigest ErrCode = "nosig_wrong_digest"`
			`ErrNoSigMissingSignature ErrCode = "nosig_missing_signature"`
			`ErrNoSigInvalidSignature ErrCode = "nosig_invalid_signature"`
			`ErrNoSigMessageBody ErrCode = "nosig_message_body" // Could not read message body`

			`// Errors related to an individual signature.`
			`ErrSigInvalidSignature ErrCode = "sig_invalid_signature" // The signature is unparseable or in the wrong format.`
			`ErrSigKeyFetch ErrCode = "sig_key_fetch" // Failed to the key for a signature`
			`ErrSigVerification ErrCode = "sig_failed_algo_verification" // The signature did not verify according to the algorithm.`
			`ErrSigPublicKey ErrCode = "sig_public_key" // The public key for the signature is invalid or missing.`
			`ErrSigSecretKey ErrCode = "sig_secret_key" // The secret key for the signature is invalid or missing.`
			`ErrSigUnsupportedAlgorithm ErrCode = "sig_unsupported_algorithm" // unsupported or invalid algorithm.`
			`ErrSigProfile ErrCode = "sig_failed_profile" // The signature was valid but failed the verify profile check`

			`// Signing`
			`ErrInvalidSignatureOptions ErrCode = "invalid_signature_options"`
			`ErrInvalidComponent ErrCode = "invalid_component"`
			`ErrInvalidMetadata ErrCode = "invalid_metadata"`

			`// Accept Signature`
			`ErrInvalidAcceptSignature ErrCode = "invalid_accept_signature"`
			`ErrMissingAcceptSignature ErrCode = "missing_accept_signature" // The Accept-Signature field was present but had an empty value.`

			`// General`
			`ErrInternal ErrCode = "internal_error"`
			`ErrUnsupported ErrCode = "unsupported" // A particular feature of the spec is not supported`
			`)`

			`type SignatureError struct {`
			`Cause error // may be nil`
			`Code ErrCode`
			`Message string`
			`}`

			`func (se *SignatureError) Error() string {`
			`return se.Message`
			`}`

			`func (se *SignatureError) Unwrap() error {`
			`return se.Cause`
			`}`

			`func (se *SignatureError) GoString() string {`
			`cause := ""`
			`if se.Cause != nil {`
			`cause = fmt.Sprintf("Cause: %s\n", se.Cause)`
			`}`
			`return fmt.Sprintf("Code: %s\nMessage: %s\n%s", se.Code, se.Message, cause)`
			`}`

			`func newError(code ErrCode, msg string, cause ...error) *SignatureError {`
			`var rootErr error`
			`if len(cause) > 0 {`
			`rootErr = cause[0]`
			`}`
			`return &SignatureError{`
			`Cause: rootErr,`
			`Code: code,`
			`Message: msg,`
			`}`
			`}`

			`func errCode(err error) (ec ErrCode) {`
			`if err == nil {`
			`return ""`
			`}`
			`var se *SignatureError`
			`if errors.As(err, &se) {`
			`return se.Code`
			`}`

			`return ""`
			`}`