902 行
32 KiB
Go
902 行
32 KiB
Go
package httpsig
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/sha256"
|
|
"crypto/x509"
|
|
"encoding/asn1"
|
|
"encoding/base64"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strconv"
|
|
"strings"
|
|
"testing"
|
|
|
|
"golang.org/x/crypto/ed25519"
|
|
)
|
|
|
|
const (
|
|
testUrl = "foo.net/bar/baz?q=test&r=ok"
|
|
testUrlPath = "bar/baz"
|
|
testDate = "Tue, 07 Jun 2014 20:51:35 GMT"
|
|
testDigest = "SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE="
|
|
testMethod = "GET"
|
|
)
|
|
|
|
type httpsigTest struct {
|
|
name string
|
|
prefs []Algorithm
|
|
digestAlg DigestAlgorithm
|
|
headers []string
|
|
body []byte
|
|
scheme SignatureScheme
|
|
privKey crypto.PrivateKey
|
|
pubKey crypto.PublicKey
|
|
pubKeyId string
|
|
expectedSignatureAlgorithm string
|
|
expectedAlgorithm Algorithm
|
|
expectErrorSigningResponse bool
|
|
expectRequestPath bool
|
|
expectedDigest string
|
|
}
|
|
|
|
type ed25519PrivKey struct {
|
|
Version int
|
|
ObjectIdentifier struct {
|
|
ObjectIdentifier asn1.ObjectIdentifier
|
|
}
|
|
PrivateKey []byte
|
|
}
|
|
|
|
type ed25519PubKey struct {
|
|
OBjectIdentifier struct {
|
|
ObjectIdentifier asn1.ObjectIdentifier
|
|
}
|
|
PublicKey asn1.BitString
|
|
}
|
|
|
|
var (
|
|
privKey *rsa.PrivateKey
|
|
macKey []byte
|
|
tests []httpsigTest
|
|
testSpecRSAPrivateKey *rsa.PrivateKey
|
|
testSpecRSAPublicKey *rsa.PublicKey
|
|
testEd25519PrivateKey ed25519.PrivateKey
|
|
testEd25519PublicKey ed25519.PublicKey
|
|
)
|
|
|
|
func init() {
|
|
var err error
|
|
privKey, err = rsa.GenerateKey(rand.Reader, 2048)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
pubEd25519Key, privEd25519Key, err := ed25519.GenerateKey(rand.Reader)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
macKey = make([]byte, 128)
|
|
err = readFullFromCrypto(macKey)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
tests = []httpsigTest{
|
|
{
|
|
name: "rsa signature",
|
|
prefs: []Algorithm{RSA_SHA512},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Signature,
|
|
privKey: privKey,
|
|
pubKey: privKey.Public(),
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: RSA_SHA512,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
},
|
|
{
|
|
name: "ed25519 signature",
|
|
prefs: []Algorithm{ED25519},
|
|
digestAlg: DigestSha512,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Signature,
|
|
privKey: privEd25519Key,
|
|
pubKey: pubEd25519Key,
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: ED25519,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
},
|
|
{
|
|
name: "digest on rsa signature",
|
|
prefs: []Algorithm{RSA_SHA512},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
body: []byte("Last night as I lay dreaming This strangest kind of feeling Revealed its secret meaning And now I know..."),
|
|
scheme: Signature,
|
|
privKey: privKey,
|
|
pubKey: privKey.Public(),
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: RSA_SHA512,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
expectedDigest: "SHA-256=07PJQngqg8+BlomdI6zM7ieOxhINWI+iivJxBDSm3Dg=",
|
|
},
|
|
{
|
|
name: "digest on ed25519 signature",
|
|
prefs: []Algorithm{ED25519},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
body: []byte("Last night as I lay dreaming This strangest kind of feeling Revealed its secret meaning And now I know..."),
|
|
scheme: Signature,
|
|
privKey: privEd25519Key,
|
|
pubKey: pubEd25519Key,
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: ED25519,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
expectedDigest: "SHA-256=07PJQngqg8+BlomdI6zM7ieOxhINWI+iivJxBDSm3Dg=",
|
|
},
|
|
{
|
|
name: "hmac signature",
|
|
prefs: []Algorithm{HMAC_SHA256},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Signature,
|
|
privKey: macKey,
|
|
pubKey: macKey,
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: HMAC_SHA256,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
},
|
|
{
|
|
name: "digest on hmac signature",
|
|
prefs: []Algorithm{HMAC_SHA256},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
body: []byte("I've never ever been to paradise I've never ever seen no angel's eyes You'll never ever let this magic die No matter where you are, you are my lucky star."),
|
|
scheme: Signature,
|
|
privKey: macKey,
|
|
pubKey: macKey,
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: HMAC_SHA256,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
expectedDigest: "SHA-256=d0JoDjbDZRZF7/gUdgrazZCdKCJ9z9uUcMd6n1YKWRU=",
|
|
},
|
|
{
|
|
name: "rsa authorization",
|
|
prefs: []Algorithm{RSA_SHA512},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Authorization,
|
|
privKey: privKey,
|
|
pubKey: privKey.Public(),
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: RSA_SHA512,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
},
|
|
{
|
|
name: "ed25519 authorization",
|
|
prefs: []Algorithm{ED25519},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Authorization,
|
|
privKey: privEd25519Key,
|
|
pubKey: pubEd25519Key,
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: ED25519,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
},
|
|
{
|
|
name: "hmac authorization",
|
|
prefs: []Algorithm{HMAC_SHA256},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Authorization,
|
|
privKey: macKey,
|
|
pubKey: macKey,
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: HMAC_SHA256,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
},
|
|
{
|
|
name: "default algo",
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Signature,
|
|
privKey: privKey,
|
|
pubKey: privKey.Public(),
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: RSA_SHA256,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
},
|
|
{
|
|
name: "default headers",
|
|
prefs: []Algorithm{RSA_SHA512},
|
|
digestAlg: DigestSha256,
|
|
scheme: Signature,
|
|
privKey: privKey,
|
|
pubKey: privKey.Public(),
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: RSA_SHA512,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
},
|
|
{
|
|
name: "different pub key id",
|
|
prefs: []Algorithm{RSA_SHA512},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Signature,
|
|
privKey: privKey,
|
|
pubKey: privKey.Public(),
|
|
pubKeyId: "i write code that sucks",
|
|
expectedAlgorithm: RSA_SHA512,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
},
|
|
{
|
|
name: "with request target",
|
|
prefs: []Algorithm{RSA_SHA512},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest", RequestTarget},
|
|
scheme: Signature,
|
|
privKey: privKey,
|
|
pubKey: privKey.Public(),
|
|
pubKeyId: "pubKeyId",
|
|
expectedAlgorithm: RSA_SHA512,
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
expectErrorSigningResponse: true,
|
|
expectRequestPath: true,
|
|
},
|
|
}
|
|
|
|
testSpecRSAPrivateKey, err = loadPrivateKey([]byte(testSpecPrivateKeyPEM))
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
testSpecRSAPublicKey, err = loadPublicKey([]byte(testSpecPublicKeyPEM))
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
testEd25519PrivateKey, err = loadEd25519PrivateKey([]byte(testEd25519PrivateKeyPEM))
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
testEd25519PublicKey, err = loadEd25519PublicKey([]byte(testEd25519PublicKeyPEM))
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
}
|
|
|
|
func toSignatureParameter(k, v string) string {
|
|
return fmt.Sprintf("%s%s%s%s%s", k, parameterKVSeparater, parameterValueDelimiter, v, parameterValueDelimiter)
|
|
}
|
|
|
|
func toHeaderSignatureParameters(k string, vals []string) string {
|
|
if len(vals) == 0 {
|
|
vals = defaultHeaders
|
|
}
|
|
v := strings.Join(vals, headerParameterValueDelim)
|
|
k = strings.ToLower(k)
|
|
v = strings.ToLower(v)
|
|
return fmt.Sprintf("%s%s%s%s%s", k, parameterKVSeparater, parameterValueDelimiter, v, parameterValueDelimiter)
|
|
}
|
|
|
|
func TestSignerRequest(t *testing.T) {
|
|
testFn := func(t *testing.T, test httpsigTest) {
|
|
s, a, err := NewSigner(test.prefs, test.digestAlg, test.headers, test.scheme, 0)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
if a != test.expectedAlgorithm {
|
|
t.Fatalf("got %s, want %s", a, test.expectedAlgorithm)
|
|
}
|
|
// Test request signing
|
|
req, err := http.NewRequest(testMethod, testUrl, nil)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
req.Header.Set("Date", testDate)
|
|
if test.body == nil {
|
|
req.Header.Set("Digest", testDigest)
|
|
}
|
|
err = s.SignRequest(test.privKey, test.pubKeyId, req, test.body)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
vals, ok := req.Header[string(test.scheme)]
|
|
if !ok {
|
|
t.Fatalf("not in header %s", test.scheme)
|
|
}
|
|
if len(vals) != 1 {
|
|
t.Fatalf("too many in header %s: %d", test.scheme, len(vals))
|
|
}
|
|
if p := toSignatureParameter(keyIdParameter, test.pubKeyId); !strings.Contains(vals[0], p) {
|
|
t.Fatalf("%s\ndoes not contain\n%s", vals[0], p)
|
|
} else if p := toSignatureParameter(algorithmParameter, string(test.expectedSignatureAlgorithm)); !strings.Contains(vals[0], p) {
|
|
t.Fatalf("%s\ndoes not contain\n%s", vals[0], p)
|
|
} else if p := toHeaderSignatureParameters(headersParameter, test.headers); !strings.Contains(vals[0], p) {
|
|
t.Fatalf("%s\ndoes not contain\n%s", vals[0], p)
|
|
} else if !strings.Contains(vals[0], signatureParameter) {
|
|
t.Fatalf("%s\ndoes not contain\n%s", vals[0], signatureParameter)
|
|
} else if test.body != nil && req.Header.Get("Digest") != test.expectedDigest {
|
|
t.Fatalf("%s\ndoes not match\n%s", req.Header.Get("Digest"), test.expectedDigest)
|
|
}
|
|
// For schemes with an authScheme, enforce its is present and at the beginning
|
|
if len(test.scheme.authScheme()) > 0 {
|
|
if !strings.HasPrefix(vals[0], test.scheme.authScheme()) {
|
|
t.Fatalf("%s\ndoes not start with\n%s", vals[0], test.scheme.authScheme())
|
|
}
|
|
}
|
|
}
|
|
for _, test := range tests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
testFn(t, test)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSignerResponse(t *testing.T) {
|
|
testFn := func(t *testing.T, test httpsigTest) {
|
|
s, _, err := NewSigner(test.prefs, test.digestAlg, test.headers, test.scheme, 0)
|
|
// Test response signing
|
|
resp := httptest.NewRecorder()
|
|
resp.HeaderMap.Set("Date", testDate)
|
|
if test.body == nil {
|
|
resp.HeaderMap.Set("Digest", testDigest)
|
|
}
|
|
err = s.SignResponse(test.privKey, test.pubKeyId, resp, test.body)
|
|
if test.expectErrorSigningResponse {
|
|
if err != nil {
|
|
// Skip rest of testing
|
|
return
|
|
} else {
|
|
t.Fatalf("expected error, got nil")
|
|
}
|
|
}
|
|
vals, ok := resp.HeaderMap[string(test.scheme)]
|
|
if !ok {
|
|
t.Fatalf("not in header %s", test.scheme)
|
|
}
|
|
if len(vals) != 1 {
|
|
t.Fatalf("too many in header %s: %d", test.scheme, len(vals))
|
|
}
|
|
if p := toSignatureParameter(keyIdParameter, test.pubKeyId); !strings.Contains(vals[0], p) {
|
|
t.Fatalf("%s\ndoes not contain\n%s", vals[0], p)
|
|
} else if p := toSignatureParameter(algorithmParameter, string(test.expectedSignatureAlgorithm)); !strings.Contains(vals[0], p) {
|
|
t.Fatalf("%s\ndoes not contain\n%s", vals[0], p)
|
|
} else if p := toHeaderSignatureParameters(headersParameter, test.headers); !strings.Contains(vals[0], p) {
|
|
t.Fatalf("%s\ndoes not contain\n%s", vals[0], p)
|
|
} else if !strings.Contains(vals[0], signatureParameter) {
|
|
t.Fatalf("%s\ndoes not contain\n%s", vals[0], signatureParameter)
|
|
} else if test.body != nil && resp.Header().Get("Digest") != test.expectedDigest {
|
|
t.Fatalf("%s\ndoes not match\n%s", resp.Header().Get("Digest"), test.expectedDigest)
|
|
}
|
|
// For schemes with an authScheme, enforce its is present and at the beginning
|
|
if len(test.scheme.authScheme()) > 0 {
|
|
if !strings.HasPrefix(vals[0], test.scheme.authScheme()) {
|
|
t.Fatalf("%s\ndoes not start with\n%s", vals[0], test.scheme.authScheme())
|
|
}
|
|
}
|
|
}
|
|
for _, test := range tests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
testFn(t, test)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestNewSignerRequestMissingHeaders(t *testing.T) {
|
|
failingTests := []struct {
|
|
name string
|
|
prefs []Algorithm
|
|
digestAlg DigestAlgorithm
|
|
headers []string
|
|
scheme SignatureScheme
|
|
privKey crypto.PrivateKey
|
|
pubKeyId string
|
|
expectedAlgorithm Algorithm
|
|
expectedSignatureAlgorithm string
|
|
}{
|
|
{
|
|
name: "wants digest",
|
|
prefs: []Algorithm{RSA_SHA512},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Signature,
|
|
privKey: privKey,
|
|
pubKeyId: "pubKeyId",
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
expectedAlgorithm: RSA_SHA512,
|
|
},
|
|
}
|
|
for _, test := range failingTests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
test := test
|
|
s, a, err := NewSigner(test.prefs, test.digestAlg, test.headers, test.scheme, 0)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
if a != test.expectedAlgorithm {
|
|
t.Fatalf("got %s, want %s", a, test.expectedAlgorithm)
|
|
}
|
|
req, err := http.NewRequest(testMethod, testUrl, nil)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
req.Header.Set("Date", testDate)
|
|
err = s.SignRequest(test.privKey, test.pubKeyId, req, nil)
|
|
if err == nil {
|
|
t.Fatalf("expect error but got nil")
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestNewSignerResponseMissingHeaders(t *testing.T) {
|
|
failingTests := []struct {
|
|
name string
|
|
prefs []Algorithm
|
|
digestAlg DigestAlgorithm
|
|
headers []string
|
|
scheme SignatureScheme
|
|
privKey crypto.PrivateKey
|
|
pubKeyId string
|
|
expectedAlgorithm Algorithm
|
|
expectErrorSigningResponse bool
|
|
expectedSignatureAlgorithm string
|
|
}{
|
|
{
|
|
name: "want digest",
|
|
prefs: []Algorithm{RSA_SHA512},
|
|
digestAlg: DigestSha256,
|
|
headers: []string{"Date", "Digest"},
|
|
scheme: Signature,
|
|
privKey: privKey,
|
|
pubKeyId: "pubKeyId",
|
|
expectedSignatureAlgorithm: "hs2019",
|
|
expectedAlgorithm: RSA_SHA512,
|
|
},
|
|
}
|
|
for _, test := range failingTests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
test := test
|
|
s, a, err := NewSigner(test.prefs, test.digestAlg, test.headers, test.scheme, 0)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
if a != test.expectedAlgorithm {
|
|
t.Fatalf("got %s, want %s", a, test.expectedAlgorithm)
|
|
}
|
|
resp := httptest.NewRecorder()
|
|
resp.HeaderMap.Set("Date", testDate)
|
|
resp.HeaderMap.Set("Digest", testDigest)
|
|
err = s.SignResponse(test.privKey, test.pubKeyId, resp, nil)
|
|
if err != nil {
|
|
t.Fatalf("expected error, got nil")
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestNewVerifier(t *testing.T) {
|
|
for _, test := range tests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
test := test
|
|
// Prepare
|
|
req, err := http.NewRequest(testMethod, testUrl, nil)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
req.Header.Set("Date", testDate)
|
|
if test.body == nil {
|
|
req.Header.Set("Digest", testDigest)
|
|
}
|
|
s, _, err := NewSigner(test.prefs, test.digestAlg, test.headers, test.scheme, 0)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
err = s.SignRequest(test.privKey, test.pubKeyId, req, test.body)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
// Test verification
|
|
v, err := NewVerifier(req)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
if v.KeyId() != test.pubKeyId {
|
|
t.Fatalf("got %s, want %s", v.KeyId(), test.pubKeyId)
|
|
}
|
|
err = v.Verify(test.pubKey, test.expectedAlgorithm)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestNewResponseVerifier(t *testing.T) {
|
|
for _, test := range tests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
test := test
|
|
if test.expectErrorSigningResponse {
|
|
return
|
|
}
|
|
// Prepare
|
|
resp := httptest.NewRecorder()
|
|
resp.HeaderMap.Set("Date", testDate)
|
|
if test.body == nil {
|
|
resp.HeaderMap.Set("Digest", testDigest)
|
|
}
|
|
s, _, err := NewSigner(test.prefs, test.digestAlg, test.headers, test.scheme, 0)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
err = s.SignResponse(test.privKey, test.pubKeyId, resp, test.body)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
// Test verification
|
|
v, err := NewResponseVerifier(resp.Result())
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
if v.KeyId() != test.pubKeyId {
|
|
t.Fatalf("got %s, want %s", v.KeyId(), test.pubKeyId)
|
|
}
|
|
err = v.Verify(test.pubKey, test.expectedAlgorithm)
|
|
if err != nil {
|
|
t.Fatalf("%s", err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// Test_Signing_HTTP_Messages_AppendixC implement tests from Appendix C
|
|
// in the http signatures specification:
|
|
// https://tools.ietf.org/html/draft-cavage-http-signatures-10#appendix-C
|
|
func Test_Signing_HTTP_Messages_AppendixC(t *testing.T) {
|
|
specTests := []struct {
|
|
name string
|
|
headers []string
|
|
expectedSignature string
|
|
}{
|
|
{
|
|
name: "C.1. Default Test",
|
|
headers: []string{},
|
|
// NOTE: In the Appendix C tests, the following is NOT included:
|
|
// `headers="date"`
|
|
// But httpsig will ALWAYS explicitly list the headers used in its
|
|
// signature. Hence, I have introduced it here.
|
|
//
|
|
// NOTE: In verification, if there are no headers listed, the
|
|
// default headers (date) are indeed used as required by the
|
|
// specification.
|
|
expectedSignature: `Authorization: Signature keyId="Test",algorithm="hs2019",headers="date",signature="SjWJWbWN7i0wzBvtPl8rbASWz5xQW6mcJmn+ibttBqtifLN7Sazz6m79cNfwwb8DMJ5cou1s7uEGKKCs+FLEEaDV5lp7q25WqS+lavg7T8hc0GppauB6hbgEKTwblDHYGEtbGmtdHgVCk9SuS13F0hZ8FD0k/5OxEPXe5WozsbM="`,
|
|
},
|
|
{
|
|
name: "C.2. Basic Test",
|
|
headers: []string{"(request-target)", "host", "date"},
|
|
expectedSignature: `Authorization: Signature keyId="Test",algorithm="hs2019",headers="(request-target) host date",signature="qdx+H7PHHDZgy4y/Ahn9Tny9V3GP6YgBPyUXMmoxWtLbHpUnXS2mg2+SbrQDMCJypxBLSPQR2aAjn7ndmw2iicw3HMbe8VfEdKFYRqzic+efkb3nndiv/x1xSHDJWeSWkx3ButlYSuBskLu6kd9Fswtemr3lgdDEmn04swr2Os0="`,
|
|
},
|
|
{
|
|
name: "C.3. All Headers Test",
|
|
headers: []string{"(request-target)", "host", "date", "content-type", "digest", "content-length"},
|
|
expectedSignature: `Authorization: Signature keyId="Test",algorithm="hs2019",headers="(request-target) host date content-type digest content-length",signature="vSdrb+dS3EceC9bcwHSo4MlyKS59iFIrhgYkz8+oVLEEzmYZZvRs8rgOp+63LEM3v+MFHB32NfpB2bEKBIvB1q52LaEUHFv120V01IL+TAD48XaERZFukWgHoBTLMhYS2Gb51gWxpeIq8knRmPnYePbF5MOkR0Zkly4zKH7s1dE="`,
|
|
},
|
|
}
|
|
|
|
for _, test := range specTests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
test := test
|
|
r, err := http.NewRequest("POST", "http://example.com/foo?param=value&pet=dog", bytes.NewBuffer([]byte(testSpecBody)))
|
|
if err != nil {
|
|
t.Fatalf("error creating request: %s", err)
|
|
}
|
|
|
|
r.Header["Date"] = []string{testSpecDate}
|
|
r.Header["Host"] = []string{r.URL.Host}
|
|
r.Header["Content-Length"] = []string{strconv.Itoa(len(testSpecBody))}
|
|
r.Header["Content-Type"] = []string{"application/json"}
|
|
setDigest(r)
|
|
|
|
s, _, err := NewSigner([]Algorithm{RSA_SHA256}, DigestSha256, test.headers, Authorization, 0)
|
|
if err != nil {
|
|
t.Fatalf("error creating signer: %s", err)
|
|
}
|
|
|
|
if err := s.SignRequest(testSpecRSAPrivateKey, "Test", r, nil); err != nil {
|
|
t.Fatalf("error signing request: %s", err)
|
|
}
|
|
|
|
expectedAuth := test.expectedSignature
|
|
gotAuth := fmt.Sprintf("Authorization: %s", r.Header["Authorization"][0])
|
|
if gotAuth != expectedAuth {
|
|
t.Errorf("Signature string mismatch\nGot: %s\nWant: %s", gotAuth, expectedAuth)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSigningEd25519(t *testing.T) {
|
|
specTests := []struct {
|
|
name string
|
|
headers []string
|
|
expectedSignature string
|
|
}{
|
|
{
|
|
name: "Default Test",
|
|
headers: []string{},
|
|
// NOTE: In the Appendix C tests, the following is NOT included:
|
|
// `headers="date"`
|
|
// But httpsig will ALWAYS explicitly list the headers used in its
|
|
// signature. Hence, I have introduced it here.
|
|
//
|
|
// NOTE: In verification, if there are no headers listed, the
|
|
// default headers (date) are indeed used as required by the
|
|
// specification.
|
|
expectedSignature: `Authorization: Signature keyId="Test",algorithm="hs2019",headers="date",signature="6G9bNnUfph4pnl3j8l4UTcSPJVg6r4tM73eWFAn+w4IdIi8yzzZs65QlgM31lAuVCRKlqMzME9VGgMt16nU1AQ=="`,
|
|
},
|
|
{
|
|
name: "Basic Test",
|
|
headers: []string{"(request-target)", "host", "date"},
|
|
expectedSignature: `Authorization: Signature keyId="Test",algorithm="hs2019",headers="(request-target) host date",signature="upsoNpw5oJTD3lTIQHEnDGWTaKmlT7o2c9Lz3kqy2UTwOEpEop3Sd7F/K2bYD2lQ4AH1HRyvC4/9AcKgNBg1AA=="`,
|
|
},
|
|
{
|
|
name: "All Headers Test",
|
|
headers: []string{"(request-target)", "host", "date", "content-type", "digest", "content-length"},
|
|
expectedSignature: `Authorization: Signature keyId="Test",algorithm="hs2019",headers="(request-target) host date content-type digest content-length",signature="UkxhZl0W5/xcuCIP5xOPv4V6rX0TmaV2lmrYYGWauKhdFHihpW80tCqTNFDhyD+nYeGNCRSFRHmDS0bGm0PVAg=="`,
|
|
},
|
|
}
|
|
|
|
for _, test := range specTests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
test := test
|
|
r, err := http.NewRequest("POST", "http://example.com/foo?param=value&pet=dog", bytes.NewBuffer([]byte(testSpecBody)))
|
|
if err != nil {
|
|
t.Fatalf("error creating request: %s", err)
|
|
}
|
|
|
|
r.Header["Date"] = []string{testSpecDate}
|
|
r.Header["Host"] = []string{r.URL.Host}
|
|
r.Header["Content-Length"] = []string{strconv.Itoa(len(testSpecBody))}
|
|
r.Header["Content-Type"] = []string{"application/json"}
|
|
setDigest(r)
|
|
|
|
s, _, err := NewSigner([]Algorithm{ED25519}, DigestSha256, test.headers, Authorization, 0)
|
|
if err != nil {
|
|
t.Fatalf("error creating signer: %s", err)
|
|
}
|
|
|
|
if err := s.SignRequest(testEd25519PrivateKey, "Test", r, nil); err != nil {
|
|
t.Fatalf("error signing request: %s", err)
|
|
}
|
|
|
|
expectedAuth := test.expectedSignature
|
|
gotAuth := fmt.Sprintf("Authorization: %s", r.Header["Authorization"][0])
|
|
if gotAuth != expectedAuth {
|
|
t.Errorf("Signature string mismatch\nGot: %s\nWant: %s", gotAuth, expectedAuth)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// Test_Verifying_HTTP_Messages_AppendixC implement tests from Appendix C
|
|
// in the http signatures specification:
|
|
// https://tools.ietf.org/html/draft-cavage-http-signatures-10#appendix-C
|
|
func Test_Verifying_HTTP_Messages_AppendixC(t *testing.T) {
|
|
specTests := []struct {
|
|
name string
|
|
headers []string
|
|
signature string
|
|
}{
|
|
{
|
|
name: "C.1. Default Test",
|
|
headers: []string{},
|
|
signature: `Signature keyId="Test",algorithm="rsa-sha256",signature="SjWJWbWN7i0wzBvtPl8rbASWz5xQW6mcJmn+ibttBqtifLN7Sazz6m79cNfwwb8DMJ5cou1s7uEGKKCs+FLEEaDV5lp7q25WqS+lavg7T8hc0GppauB6hbgEKTwblDHYGEtbGmtdHgVCk9SuS13F0hZ8FD0k/5OxEPXe5WozsbM="`,
|
|
},
|
|
{
|
|
name: "C.2. Basic Test",
|
|
headers: []string{"(request-target)", "host", "date"},
|
|
signature: `Signature keyId="Test",algorithm="rsa-sha256",headers="(request-target) host date",signature="qdx+H7PHHDZgy4y/Ahn9Tny9V3GP6YgBPyUXMmoxWtLbHpUnXS2mg2+SbrQDMCJypxBLSPQR2aAjn7ndmw2iicw3HMbe8VfEdKFYRqzic+efkb3nndiv/x1xSHDJWeSWkx3ButlYSuBskLu6kd9Fswtemr3lgdDEmn04swr2Os0="`,
|
|
},
|
|
{
|
|
name: "C.3. All Headers Test",
|
|
headers: []string{"(request-target)", "host", "date", "content-type", "digest", "content-length"},
|
|
signature: `Signature keyId="Test",algorithm="rsa-sha256",headers="(request-target) host date content-type digest content-length",signature="vSdrb+dS3EceC9bcwHSo4MlyKS59iFIrhgYkz8+oVLEEzmYZZvRs8rgOp+63LEM3v+MFHB32NfpB2bEKBIvB1q52LaEUHFv120V01IL+TAD48XaERZFukWgHoBTLMhYS2Gb51gWxpeIq8knRmPnYePbF5MOkR0Zkly4zKH7s1dE="`,
|
|
},
|
|
}
|
|
|
|
for _, test := range specTests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
test := test
|
|
r, err := http.NewRequest("POST", "http://example.com/foo?param=value&pet=dog", bytes.NewBuffer([]byte(testSpecBody)))
|
|
if err != nil {
|
|
t.Fatalf("error creating request: %s", err)
|
|
}
|
|
|
|
r.Header["Date"] = []string{testSpecDate}
|
|
r.Header["Host"] = []string{r.URL.Host}
|
|
r.Header["Content-Length"] = []string{strconv.Itoa(len(testSpecBody))}
|
|
r.Header["Content-Type"] = []string{"application/json"}
|
|
setDigest(r)
|
|
r.Header["Authorization"] = []string{test.signature}
|
|
|
|
v, err := NewVerifier(r)
|
|
if err != nil {
|
|
t.Fatalf("error creating verifier: %s", err)
|
|
}
|
|
|
|
if "Test" != v.KeyId() {
|
|
t.Errorf("KeyId mismatch\nGot: %s\nWant: Test", v.KeyId())
|
|
}
|
|
if err := v.Verify(testSpecRSAPublicKey, RSA_SHA256); err != nil {
|
|
t.Errorf("Verification failure: %s", err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestVerifyingEd25519(t *testing.T) {
|
|
specTests := []struct {
|
|
name string
|
|
headers []string
|
|
signature string
|
|
}{
|
|
{
|
|
name: "Default Test",
|
|
headers: []string{},
|
|
signature: `Signature keyId="Test",algorithm="hs2019",headers="date",signature="6G9bNnUfph4pnl3j8l4UTcSPJVg6r4tM73eWFAn+w4IdIi8yzzZs65QlgM31lAuVCRKlqMzME9VGgMt16nU1AQ=="`,
|
|
},
|
|
{
|
|
name: "Basic Test",
|
|
headers: []string{"(request-target)", "host", "date"},
|
|
signature: `Signature keyId="Test",algorithm="hs2019",headers="(request-target) host date",signature="upsoNpw5oJTD3lTIQHEnDGWTaKmlT7o2c9Lz3kqy2UTwOEpEop3Sd7F/K2bYD2lQ4AH1HRyvC4/9AcKgNBg1AA=="`,
|
|
},
|
|
{
|
|
name: "All Headers Test",
|
|
headers: []string{"(request-target)", "host", "date", "content-type", "digest", "content-length"},
|
|
signature: `Signature keyId="Test",algorithm="hs2019",headers="(request-target) host date content-type digest content-length",signature="UkxhZl0W5/xcuCIP5xOPv4V6rX0TmaV2lmrYYGWauKhdFHihpW80tCqTNFDhyD+nYeGNCRSFRHmDS0bGm0PVAg=="`,
|
|
},
|
|
}
|
|
|
|
for _, test := range specTests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
test := test
|
|
r, err := http.NewRequest("POST", "http://example.com/foo?param=value&pet=dog", bytes.NewBuffer([]byte(testSpecBody)))
|
|
if err != nil {
|
|
t.Fatalf("error creating request: %s", err)
|
|
}
|
|
|
|
r.Header["Date"] = []string{testSpecDate}
|
|
r.Header["Host"] = []string{r.URL.Host}
|
|
r.Header["Content-Length"] = []string{strconv.Itoa(len(testSpecBody))}
|
|
r.Header["Content-Type"] = []string{"application/json"}
|
|
setDigest(r)
|
|
r.Header["Authorization"] = []string{test.signature}
|
|
|
|
v, err := NewVerifier(r)
|
|
if err != nil {
|
|
t.Fatalf("error creating verifier: %s", err)
|
|
}
|
|
|
|
if "Test" != v.KeyId() {
|
|
t.Errorf("KeyId mismatch\nGot: %s\nWant: Test", v.KeyId())
|
|
}
|
|
if err := v.Verify(testEd25519PublicKey, ED25519); err != nil {
|
|
t.Errorf("Verification failure: %s", err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func loadPrivateKey(keyData []byte) (*rsa.PrivateKey, error) {
|
|
pem, _ := pem.Decode(keyData)
|
|
if pem.Type != "RSA PRIVATE KEY" {
|
|
return nil, fmt.Errorf("RSA private key is of the wrong type: %s", pem.Type)
|
|
}
|
|
|
|
return x509.ParsePKCS1PrivateKey(pem.Bytes)
|
|
}
|
|
|
|
// taken from https://blainsmith.com/articles/signing-jwts-with-gos-crypto-ed25519/
|
|
func loadEd25519PrivateKey(keyData []byte) (ed25519.PrivateKey, error) {
|
|
var block *pem.Block
|
|
block, _ = pem.Decode(keyData)
|
|
|
|
var asn1PrivKey ed25519PrivKey
|
|
asn1.Unmarshal(block.Bytes, &asn1PrivKey)
|
|
|
|
// [2:] is skipping the byte for TAG and the byte for LEN
|
|
// see also https://tools.ietf.org/html/draft-ietf-curdle-pkix-10#section-10.3
|
|
return ed25519.NewKeyFromSeed(asn1PrivKey.PrivateKey[2:]), nil
|
|
}
|
|
|
|
func loadPublicKey(keyData []byte) (*rsa.PublicKey, error) {
|
|
pem, _ := pem.Decode(keyData)
|
|
if pem.Type != "PUBLIC KEY" {
|
|
return nil, fmt.Errorf("public key is of the wrong type: %s", pem.Type)
|
|
}
|
|
|
|
key, err := x509.ParsePKIXPublicKey(pem.Bytes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return key.(*rsa.PublicKey), nil
|
|
}
|
|
|
|
// taken from https://blainsmith.com/articles/signing-jwts-with-gos-crypto-ed25519/
|
|
func loadEd25519PublicKey(keyData []byte) (ed25519.PublicKey, error) {
|
|
var block *pem.Block
|
|
block, _ = pem.Decode(keyData)
|
|
|
|
var asn1PubKey ed25519PubKey
|
|
asn1.Unmarshal(block.Bytes, &asn1PubKey)
|
|
|
|
return ed25519.PublicKey(asn1PubKey.PublicKey.Bytes), nil
|
|
}
|
|
|
|
func setDigest(r *http.Request) ([]byte, error) {
|
|
var bodyBytes []byte
|
|
if _, ok := r.Header["Digest"]; !ok {
|
|
body := ""
|
|
if r.Body != nil {
|
|
var err error
|
|
bodyBytes, err = ioutil.ReadAll(r.Body)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error reading body. %v", err)
|
|
}
|
|
|
|
// And now set a new body, which will simulate the same data we read:
|
|
r.Body = ioutil.NopCloser(bytes.NewBuffer(bodyBytes))
|
|
body = string(bodyBytes)
|
|
}
|
|
|
|
d := sha256.Sum256([]byte(body))
|
|
r.Header["Digest"] = []string{fmt.Sprintf("SHA-256=%s", base64.StdEncoding.EncodeToString(d[:]))}
|
|
}
|
|
|
|
return bodyBytes, nil
|
|
}
|
|
|
|
const testSpecBody = `{"hello": "world"}`
|
|
|
|
const testSpecDate = `Sun, 05 Jan 2014 21:31:40 GMT`
|
|
|
|
const testSpecPrivateKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
|
|
MIICXgIBAAKBgQDCFENGw33yGihy92pDjZQhl0C36rPJj+CvfSC8+q28hxA161QF
|
|
NUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6Z4UMR7EOcpfdUE9Hf3m/hs+F
|
|
UR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJwoYi+1hqp1fIekaxsyQIDAQAB
|
|
AoGBAJR8ZkCUvx5kzv+utdl7T5MnordT1TvoXXJGXK7ZZ+UuvMNUCdN2QPc4sBiA
|
|
QWvLw1cSKt5DsKZ8UETpYPy8pPYnnDEz2dDYiaew9+xEpubyeW2oH4Zx71wqBtOK
|
|
kqwrXa/pzdpiucRRjk6vE6YY7EBBs/g7uanVpGibOVAEsqH1AkEA7DkjVH28WDUg
|
|
f1nqvfn2Kj6CT7nIcE3jGJsZZ7zlZmBmHFDONMLUrXR/Zm3pR5m0tCmBqa5RK95u
|
|
412jt1dPIwJBANJT3v8pnkth48bQo/fKel6uEYyboRtA5/uHuHkZ6FQF7OUkGogc
|
|
mSJluOdc5t6hI1VsLn0QZEjQZMEOWr+wKSMCQQCC4kXJEsHAve77oP6HtG/IiEn7
|
|
kpyUXRNvFsDE0czpJJBvL/aRFUJxuRK91jhjC68sA7NsKMGg5OXb5I5Jj36xAkEA
|
|
gIT7aFOYBFwGgQAQkWNKLvySgKbAZRTeLBacpHMuQdl1DfdntvAyqpAZ0lY0RKmW
|
|
G6aFKaqQfOXKCyWoUiVknQJAXrlgySFci/2ueKlIE1QqIiLSZ8V8OlpFLRnb1pzI
|
|
7U1yQXnTAEFYM560yJlzUpOb1V4cScGd365tiSMvxLOvTA==
|
|
-----END RSA PRIVATE KEY-----`
|
|
|
|
const testSpecPublicKeyPEM = `-----BEGIN PUBLIC KEY-----
|
|
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCFENGw33yGihy92pDjZQhl0C3
|
|
6rPJj+CvfSC8+q28hxA161QFNUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6
|
|
Z4UMR7EOcpfdUE9Hf3m/hs+FUR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJw
|
|
oYi+1hqp1fIekaxsyQIDAQAB
|
|
-----END PUBLIC KEY-----`
|
|
|
|
const testEd25519PrivateKeyPEM = `-----BEGIN PRIVATE KEY-----
|
|
MC4CAQAwBQYDK2VwBCIEIAP+PK4NtdzCe04sbtwBvf9IShlky298SMMBqkCCToHn
|
|
-----END PRIVATE KEY-----`
|
|
|
|
const testEd25519PublicKeyPEM = `-----BEGIN PUBLIC KEY-----
|
|
MCowBQYDK2VwAyEAhyP+7zpNCsr7/ipGJjK0zVszTEQ5tooyX3VLAnBSc1c=
|
|
-----END PUBLIC KEY-----`
|