fleet/third_party/httpsig-go/keyman/keyman.go

// keyman provides key management functionality
package keyman

import (
	"context"
	"fmt"
	"net/http"

	"github.com/remitly-oss/httpsig-go"
)

// KeyFetchInMemory implements KeyFetcher for public keys stored in memory.
type KeyFetchInMemory struct {
	pubkeys map[string]httpsig.KeySpec
}

func NewKeyFetchInMemory(pubkeys map[string]httpsig.KeySpec) *KeyFetchInMemory {
	if pubkeys == nil {
		pubkeys = map[string]httpsig.KeySpec{}
	}
	return &KeyFetchInMemory{pubkeys}
}

func (kf *KeyFetchInMemory) FetchByKeyID(ctx context.Context, rh http.Header, keyID string) (httpsig.KeySpecer, error) {
	ks, found := kf.pubkeys[keyID]
	if !found {
		return nil, fmt.Errorf("Key for keyid '%s' not found", keyID)
	}
	return ks, nil
}

func (kf *KeyFetchInMemory) Fetch(context.Context, http.Header, httpsig.MetadataProvider) (httpsig.KeySpecer, error) {
	return nil, fmt.Errorf("Fetch without keyid not supported")
}
Added a vendored version of httpsig-go. (#30820) For #30473 This change adds a vendored `httpsig-go` library to our repo. We cannot use the upstream library because it has not merged the change we need: https://github.com/remitly-oss/httpsig-go/pull/25 Thus, we need our own copy at this point. The instructions for keeping this library up to date (if needed) are in `UPDATE_INSTRUCTIONS`. None of the coderabbitai review comments are relevant to the code/features we are going to use for HTTP message signatures. We will use this library in subsequent PRs for the TPM-backed HTTP message signature feature. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Introduced a Go library for HTTP message signing and verification, supporting multiple cryptographic algorithms (RSA, ECDSA, Ed25519, HMAC). * Added utilities for key management, including JWK and PEM key handling. * Provided HTTP client and server helpers for automatic request signing and signature verification. * Implemented structured error handling and metadata extraction for signatures. * Documentation * Added comprehensive README, usage examples, and update instructions. * Included license and configuration files for third-party and testing tools. * Tests * Added extensive unit, integration, and fuzz tests covering signing, verification, and key handling. * Included official RFC test vectors and various test data files for robust validation. * Chores * Integrated continuous integration workflows and ignore files for code quality and security analysis. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-14 18:26:50 +00:00			`// keyman provides key management functionality`
			`package keyman`

			`import (`
			`"context"`
			`"fmt"`
			`"net/http"`

			`"github.com/remitly-oss/httpsig-go"`
			`)`

			`// KeyFetchInMemory implements KeyFetcher for public keys stored in memory.`
			`type KeyFetchInMemory struct {`
			`pubkeys map[string]httpsig.KeySpec`
			`}`

			`func NewKeyFetchInMemory(pubkeys map[string]httpsig.KeySpec) *KeyFetchInMemory {`
			`if pubkeys == nil {`
			`pubkeys = map[string]httpsig.KeySpec{}`
			`}`
			`return &KeyFetchInMemory{pubkeys}`
			`}`

			`func (kf *KeyFetchInMemory) FetchByKeyID(ctx context.Context, rh http.Header, keyID string) (httpsig.KeySpecer, error) {`
			`ks, found := kf.pubkeys[keyID]`
			`if !found {`
			`return nil, fmt.Errorf("Key for keyid '%s' not found", keyID)`
			`}`
			`return ks, nil`
			`}`

			`func (kf *KeyFetchInMemory) Fetch(context.Context, http.Header, httpsig.MetadataProvider) (httpsig.KeySpecer, error) {`
			`return nil, fmt.Errorf("Fetch without keyid not supported")`
			`}`