mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
For #30473

This change adds a vendored `httpsig-go` library to our repo. We cannot use the upstream library because it has not merged the change we need (https://github.com/remitly-oss/httpsig-go/pull/25). Thus, we need our own copy at this point. The instructions for keeping this library up to date (if needed) are in `UPDATE_INSTRUCTIONS`.

None of the coderabbitai review comments are relevant to the code/features we are going to use for HTTP message signatures.

We will use this library in subsequent PRs for the TPM-backed HTTP message signature feature.

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **New Features**
  * Introduced a Go library for HTTP message signing and verification, supporting multiple cryptographic algorithms (RSA, ECDSA, Ed25519, HMAC).
  * Added utilities for key management, including JWK and PEM key handling.
  * Provided HTTP client and server helpers for automatic request signing and signature verification.
  * Implemented structured error handling and metadata extraction for signatures.
* **Documentation**
  * Added comprehensive README, usage examples, and update instructions.
  * Included license and configuration files for third-party and testing tools.
* **Tests**
  * Added extensive unit, integration, and fuzz tests covering signing, verification, and key handling.
  * Included official RFC test vectors and various test data files for robust validation.
* **Chores**
  * Integrated continuous integration workflows and ignore files for code quality and security analysis.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

| Path |
|---|
| .. |
| .github/workflows |
| keyman |
| keyutil |
| sigtest |
| testdata |
| .semgrepignore |
| .sideignore |
| accept.go |
| accept_test.go |
| base.go |
| digest.go |
| digest_test.go |
| examples_test.go |
| fz_test.go |
| go.mod |
| go.sum |
| http.go |
| LICENSE |
| README.md |
| roundtrip_test.go |
| side.toml |
| sigerrors.go |
| sign.go |
| sign_test.go |
| signatures.go |
| spec_test.go |
| UPDATE_INSTRUCTIONS |
| UPSTREAM_COMMIT |
| verify.go |
| verify_test.go |
# HTTP Message Signatures

An implementation of HTTP Message Signatures from RFC 9421.

HTTP signatures are a mechanism for signing and verifying HTTP requests and responses.

HTTP signatures can be used (or will be able to be used) for demonstrating proof-of-possession (DPoP) for OAuth bearer tokens.

## Supported Features

The full specification is supported with the exception of the following. File a ticket or PR and support will be added.

Planned but not currently supported features:

- JWS algorithms
- Header parameters including trailers

## net/http integration

Create net/http clients that sign requests and/or verify responses.
```go
params := httpsig.SigningOptions{
	PrivateKey: nil, // Fill in your private key
	Algorithm:  httpsig.Algo_ECDSA_P256_SHA256,
	Fields:     httpsig.DefaultRequiredFields,
	Metadata:   []httpsig.Metadata{httpsig.MetaKeyID},
	MetaKeyID:  "key123",
}
// Create the signature signer (handle the error in real code)
signer, _ := httpsig.NewSigner(params)
// Create a net/http Client that signs all requests
signingClient := httpsig.NewHTTPClient(nil, signer, nil)
```
Create net/http Handlers that verify incoming requests to the server.

```go
myhandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	// Look up the results of verification
	if verifyResult, ok := httpsig.GetVerifyResult(r.Context()); ok {
		keyid, _ := verifyResult.KeyID()
		fmt.Fprintf(w, "Hello, %s", keyid)
	} else {
		fmt.Fprintf(w, "Hello, %q", html.EscapeString(r.URL.Path))
	}
})
// Create a verifier (handle the error in real code)
verifier, _ := httpsig.NewVerifier(nil, httpsig.DefaultVerifyProfile)
mux := http.NewServeMux()
// Wrap the handler with a signature verification handler.
mux.Handle("/", httpsig.NewHandler(myhandler, verifier))
```
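The two snippets above delegate the RFC 9421 mechanics to the library. The stand-alone program below is an added example, not code from this repository or from httpsig-go, showing what happens underneath: the signature base is built from the covered components, Content-Digest, Signature-Input and Signature headers are emitted, and a server-side verifier checks the body digest, the covered component set and the created window before it checks the Ed25519 signature. It uses only the Go standard library; the key ID, URL, request body and covered component list are constructed placeholders, it handles a single signature label (sig1), and it omits the Structured Field parsing, nonce/expires handling and key lookup that the library provides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Components covered by the signature, in signature-base order. Anything not
// covered (other headers, the query string) can change without detection.
var covered = []string{"@method", "@authority", "@path", "content-digest"}

// contentDigest renders an RFC 9530 Content-Digest value (sha-256) for body.
func contentDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha-256=:" + base64.StdEncoding.EncodeToString(sum[:]) + ":"
}

// signatureParams renders the Signature-Input value: covered list, created, keyid.
func signatureParams(created int64, keyID string) string {
	return fmt.Sprintf(`("%s");created=%d;keyid=%q`, strings.Join(covered, `" "`), created, keyID)
}

// signatureBase builds the exact bytes that are signed (RFC 9421 section 2.5):
// one `"name": value` line per covered component, then the @signature-params
// line with no trailing newline. The lines mirror the covered list above.
func signatureBase(req *http.Request, params string) []byte {
	return []byte(fmt.Sprintf("\"@method\": %s\n\"@authority\": %s\n\"@path\": %s\n\"content-digest\": %s\n\"@signature-params\": %s",
		req.Method, req.Host, req.URL.Path, req.Header.Get("Content-Digest"), params))
}

// signRequest is the client side: it adds Content-Digest, Signature-Input and
// Signature headers under the label sig1.
func signRequest(req *http.Request, body []byte, priv ed25519.PrivateKey, keyID string, created int64) {
	req.Header.Set("Content-Digest", contentDigest(body))
	params := signatureParams(created, keyID)
	sig := ed25519.Sign(priv, signatureBase(req, params))
	req.Header.Set("Signature-Input", "sig1="+params)
	req.Header.Set("Signature", "sig1=:"+base64.StdEncoding.EncodeToString(sig)+":")
}

// verifyRequest is the server side. It checks the body against the covered
// digest, requires the expected covered set and a fresh created time, and only
// then verifies the Ed25519 signature over the reconstructed base.
func verifyRequest(req *http.Request, body []byte, pub ed25519.PublicKey, now, maxAge int64) error {
	if req.Header.Get("Content-Digest") != contentDigest(body) {
		return errors.New("body does not match Content-Digest")
	}
	params, ok := strings.CutPrefix(req.Header.Get("Signature-Input"), "sig1=")
	if !ok || !strings.HasPrefix(params, `("`+strings.Join(covered, `" "`)+`")`) {
		return errors.New("signature missing or does not cover the required components")
	}
	_, rest, ok := strings.Cut(params, ";created=")
	created, err := strconv.ParseInt(strings.SplitN(rest, ";", 2)[0], 10, 64)
	if !ok || err != nil || created > now+60 || now-created > maxAge {
		return errors.New("created parameter missing or outside the accepted window")
	}
	enc := strings.TrimSuffix(strings.TrimPrefix(req.Header.Get("Signature"), "sig1=:"), ":")
	sig, err := base64.StdEncoding.DecodeString(enc)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed Signature header")
	}
	if !ed25519.Verify(pub, signatureBase(req, params), sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// roundTrip signs a constructed request, verifies it, then changes a covered
// component and verifies again. Returns (validBefore, validAfterChange, err).
func roundTrip() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	body := []byte(`{"host":"laptop-42"}`) // constructed sample body
	req, err := http.NewRequest(http.MethodPost, "https://fleet.example.test/api/enroll", strings.NewReader(string(body)))
	if err != nil {
		return false, false, err
	}
	const created int64 = 1700000000 // constructed timestamp; "now" is created+5 below
	signRequest(req, body, priv, "key123", created)
	valid := verifyRequest(req, body, pub, created+5, 300) == nil
	req.URL.Path = "/api/admin" // a covered component changed after signing
	altered := verifyRequest(req, body, pub, created+5, 300) == nil
	return valid, altered, nil
}

func main() { fmt.Println(roundTrip()) }
```

Run it with `go run`: `roundTrip` reports that the original request verifies and that the same request with its path altered does not, because `@path` is covered. Two design points carry over to any deployment of the library: the verifier enforces the covered component set itself rather than trusting whatever Signature-Input lists, since a signature covering nothing useful would otherwise verify, and the body is checked against Content-Digest before the signature is considered, because the signature covers the digest header, not the body bytes.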
## Stability

The v1.1+ release is stable and production ready.

Please file issues and bugs in the GitHub project's issue tracker.