feat: Tidy up key logic

Author: AlexanderTar

canonicalize.go

@@ -96,7 +96,7 @@ func canonicalizeSignatureParams(out io.Writer, sp *signatureParams) error {
 type signatureParams struct {
 	items   []string
 	keyID   string
-	alg     string
+	alg     Algorithm
 	created time.Time
 	expires *time.Time
 	nonce   *string
@@ -168,7 +168,7 @@ func parseSignatureInput(in string) (*signatureParams, error) {
 		// TODO: error when not wrapped in quotes
 		switch paramParts[0] {
 		case "alg":
-			sp.alg = strings.Trim(paramParts[1], `"`)
+			sp.alg = Algorithm(strings.Trim(paramParts[1], `"`))
 		case "keyid":
 			sp.keyID = strings.Trim(paramParts[1], `"`)
 		case "nonce":

example_test.go

@@ -46,3 +46,41 @@ func Example_round_trip() {
 	// Output:
 	// 200 OK
 }
+
+type testKeyResolver struct{}
+
+func (r *testKeyResolver) Resolve(keyID string, alg httpsig.Algorithm) (httpsig.VerifyingKey, error) {
+	return &httpsig.HmacSha256VerifyingKey{Secret: []byte(secret)}, nil
+}
+
+func Example_round_trip_resolver() {
+	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/plain")
+		_, _ = io.WriteString(w, "Your request has a valid signature!")
+	})
+
+	middleware := httpsig.NewVerifyMiddleware(httpsig.WithVerifyingKeyResolver(&testKeyResolver{}))
+	http.Handle("/resolver", middleware(h))
+	go func() { _ = http.ListenAndServe("127.0.0.1:1234", http.DefaultServeMux) }()
+
+	// Give the server time to sleep. Terrible, I know.
+	time.Sleep(100 * time.Millisecond)
+
+	client := http.Client{
+		// Wrap the transport:
+		Transport: httpsig.NewSignTransport(http.DefaultTransport,
+			httpsig.WithHmacSha256("key1", []byte(secret))),
+	}
+
+	resp, err := client.Get("http://127.0.0.1:1234/")
+	if err != nil {
+		fmt.Println("got err: ", err)
+		return
+	}
+	defer resp.Body.Close()
+
+	fmt.Println(resp.Status)
+
+	// Output:
+	// 200 OK
+}

httpsig.go

@@ -27,6 +27,23 @@ func sliceHas(haystack []string, needle string) bool {
 	return false
 }
 
+type Algorithm string
+
+const (
+	AlgorithmRsaPkcs1v15Sha256 Algorithm = "rsa-v1_5-sha256"
+	AlgorithmRsaPssSha512      Algorithm = "rsa-pss-sha512"
+	AlgorithmEcdsaP256Sha256   Algorithm = "ecdsa-p256-sha256"
+	AlgorithmEcdsaP384Sha384   Algorithm = "ecdsa-p384-sha384"
+	AlgorithmEd25519           Algorithm = "ed25519"
+	AlgorithmHmacSha256        Algorithm = "hmac-sha256"
+)
+
+type SigningKey interface {
+	Sign(data []byte) ([]byte, error)
+	Algorithm() Algorithm
+	Nonce() *string
+}
+
 type Signer struct {
 	*signer
 }
@@ -87,10 +104,11 @@ func (s *Signer) Sign(r *http.Request) error {
 
 type VerifyingKey interface {
 	Verify(data []byte, signature []byte) error
+	Algorithm() Algorithm
 }
 
 type VerifyingKeyResolver interface {
-	Resolve(keyID string) VerifyingKey
+	Resolve(keyID string, alg Algorithm) (VerifyingKey, error)
 }
 
 type Verifier struct {
@@ -235,87 +253,87 @@ func WithVerifyingKeyResolver(resolver VerifyingKeyResolver) verifyOption {
 // using the given key id.
 func WithSignRsaPkcs1v15Sha256(keyID string, pk *rsa.PrivateKey) signOption {
 	return &optImpl{
-		s: func(s *signer) { s.keys.Store(keyID, signRsaPkcs1v15Sha256(pk)) },
+		s: func(s *signer) { s.keys.Store(keyID, &RsaPkcs1v15Sha256SigningKey{pk}) },
 	}
 }
 
 // WithVerifyRsaPkcs1v15Sha256 adds signature verification using `rsa-v1_5-sha256` with the
 // given public key using the given key id.
 func WithVerifyRsaPkcs1v15Sha256(keyID string, pk *rsa.PublicKey) verifyOption {
 	return &optImpl{
-		v: func(v *verifier) { v.keys.Store(keyID, verifyRsaPkcs1v15Sha256(pk)) },
+		v: func(v *verifier) { v.keys.Store(keyID, &RsaPkcs1v15Sha256VerifyingKey{pk}) },
 	}
 }
 
 // WithSignRsaPssSha512 adds signing using `rsa-pss-sha512` with the given private key
 // using the given key id.
 func WithSignRsaPssSha512(keyID string, pk *rsa.PrivateKey) signOption {
 	return &optImpl{
-		s: func(s *signer) { s.keys.Store(keyID, signRsaPssSha512(pk)) },
+		s: func(s *signer) { s.keys.Store(keyID, &RsaPssSha512SigningKey{pk}) },
 	}
 }
 
 // WithVerifyRsaPssSha512 adds signature verification using `rsa-pss-sha512` with the
 // given public key using the given key id.
 func WithVerifyRsaPssSha512(keyID string, pk *rsa.PublicKey) verifyOption {
 	return &optImpl{
-		v: func(v *verifier) { v.keys.Store(keyID, verifyRsaPssSha512(pk)) },
+		v: func(v *verifier) { v.keys.Store(keyID, &RsaPssSha512VerifyingKey{pk}) },
 	}
 }
 
 // WithSignEcdsaP256Sha256 adds signing using `ecdsa-p256-sha256` with the given private key
 // using the given key id.
 func WithSignEcdsaP256Sha256(keyID string, pk *ecdsa.PrivateKey) signOption {
 	return &optImpl{
-		s: func(s *signer) { s.keys.Store(keyID, signEccP256(pk)) },
+		s: func(s *signer) { s.keys.Store(keyID, &EcdsaP256SigningKey{pk}) },
 	}
 }
 
 // WithVerifyEcdsaP256Sha256 adds signature verification using `ecdsa-p256-sha256` with the
 // given public key using the given key id.
 func WithVerifyEcdsaP256Sha256(keyID string, pk *ecdsa.PublicKey) verifyOption {
 	return &optImpl{
-		v: func(v *verifier) { v.keys.Store(keyID, verifyEccP256(pk)) },
+		v: func(v *verifier) { v.keys.Store(keyID, &EcdsaP256VerifyingKey{pk}) },
 	}
 }
 
 // WithSignEcdsaP384Sha384 adds signing using `ecdsa-p384-sha384` with the given private key
 // using the given key id.
 func WithSignEcdsaP384Sha384(keyID string, pk *ecdsa.PrivateKey) signOption {
 	return &optImpl{
-		s: func(s *signer) { s.keys.Store(keyID, signEccP384(pk)) },
+		s: func(s *signer) { s.keys.Store(keyID, &EcdsaP384SigningKey{pk}) },
 	}
 }
 
 // WithVerifyEcdsaP384Sha384 adds signature verification using `ecdsa-p384-sha384` with the
 // given public key using the given key id.
 func WithVerifyEcdsaP384Sha384(keyID string, pk *ecdsa.PublicKey) verifyOption {
 	return &optImpl{
-		v: func(v *verifier) { v.keys.Store(keyID, verifyEccP384(pk)) },
+		v: func(v *verifier) { v.keys.Store(keyID, &EcdsaP384VerifyingKey{pk}) },
 	}
 }
 
 // WithSignEd25519 adds signing using `ed25519` with the given private key
 // using the given key id.
-func WithSignEd25519(keyID string, pk *ed25519.PrivateKey) signOption {
+func WithSignEd25519(keyID string, pk ed25519.PrivateKey) signOption {
 	return &optImpl{
-		s: func(s *signer) { s.keys.Store(keyID, signEd25519(pk)) },
+		s: func(s *signer) { s.keys.Store(keyID, &Ed25519SigningKey{pk}) },
 	}
 }
 
 // WithVerifyEd25519 adds signature verification using `ed25519` with the
 // given public key using the given key id.
-func WithVerifyEd25519(keyID string, pk *ed25519.PublicKey) verifyOption {
+func WithVerifyEd25519(keyID string, pk ed25519.PublicKey) verifyOption {
 	return &optImpl{
-		v: func(v *verifier) { v.keys.Store(keyID, verifyEd25519(pk)) },
+		v: func(v *verifier) { v.keys.Store(keyID, &Ed25519VerifyingKey{pk}) },
 	}
 }
 
 // WithHmacSha256 adds signing or signature verification using `hmac-sha256` with the
 // given shared secret using the given key id.
 func WithHmacSha256(keyID string, secret []byte) signOrVerifyOption {
 	return &optImpl{
-		s: func(s *signer) { s.keys.Store(keyID, signHmacSha256(secret)) },
-		v: func(v *verifier) { v.keys.Store(keyID, verifyHmacSha256(secret)) },
+		s: func(s *signer) { s.keys.Store(keyID, &HmacSha256SigningKey{Secret: secret}) },
+		v: func(v *verifier) { v.keys.Store(keyID, &HmacSha256VerifyingKey{Secret: secret}) },
 	}
 }