Skip to content
/ httpsign Public
forked from yaronf/httpsign

HTTP Message Signatures (RFC 9421) in Go

License

Apache-2.0 license
0 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cmmoran/httpsign

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

184 Commits
.github/workflows
.github/workflows
 
 
.idea
.idea
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
client.go
client.go
 
 
client_test.go
client_test.go
 
 
clientex_test.go
clientex_test.go
 
 
config.go
config.go
 
 
config_test.go
config_test.go
 
 
crypto.go
crypto.go
 
 
crypto_test.go
crypto_test.go
 
 
digest.go
digest.go
 
 
digest_test.go
digest_test.go
 
 
doc.go
doc.go
 
 
ecdsa.go
ecdsa.go
 
 
ecdsa_test.go
ecdsa_test.go
 
 
fields.go
fields.go
 
 
fields_test.go
fields_test.go
 
 
fuzz_test.go
fuzz_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
handler.go
handler.go
 
 
handler_test.go
handler_test.go
 
 
handlerex_test.go
handlerex_test.go
 
 
http2_test.go
http2_test.go
 
 
httpparse.go
httpparse.go
 
 
httpsign.iml
httpsign.iml
 
 
signatures.go
signatures.go
 
 
signatures_test.go
signatures_test.go
 
 
signaturesex_test.go
signaturesex_test.go
 
 
staticcheck.conf
staticcheck.conf
 
 
trailer_test.go
trailer_test.go
 
 
urlencode.go
urlencode.go
 
 

Repository files navigation

A Golang implementation of HTTP Message Signatures, as defined by RFC 9421 (the former draft-ietf-httpbis-message-signatures).

This is a nearly feature-complete implementation of the RFC, including all test vectors.

Usage

The library provides natural integration points with Go HTTP clients and servers, as well as direct usage of the sign and verify functions.

Below is what a basic client-side integration looks like. Additional examples are available in the API reference.

	// Create a signer and a wrapped HTTP client
	signer, _ := httpsign.NewRSAPSSSigner(*prvKey, httpsign.NewSignConfig(),
		httpsign.Headers("@request-target", "content-digest")) // The Content-Digest header will be auto-generated
	client := httpsign.NewDefaultClient(httpsign.NewClientConfig().SetSignatureName("sig1").SetSigner(signer)) // sign requests, don't verify responses

	// Send an HTTP POST, get response -- signing happens behind the scenes
	body := `{"hello": "world"}`
	res, _ := client.Post(ts.URL, "application/json", bufio.NewReader(strings.NewReader(body)))
	
	// Read the response
	serverText, _ := io.ReadAll(res.Body)
	_ = res.Body.Close()

Notes and Missing Features

  • The Accept-Signature header is unimplemented.
  • In responses, when using the "wrapped handler" feature, the Content-Type header is only signed if set explicitly by the server. This is different, but arguably more secure, than the normal net.http behavior.

Go Reference Test GoReportCard example

About

HTTP Message Signatures (RFC 9421) in Go

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 100.0%