path: root/vendor/github.com/go-fed/httpsig/verifying.go
authorLibravatar Terin Stock <terinjokes@gmail.com>2025-03-09 17:47:56 +0100
committerLibravatar Terin Stock <terinjokes@gmail.com>2025-03-10 01:59:49 +0100
commit3ac1ee16f377d31a0fb80c8dae28b6239ac4229e (patch)
treef61faa581feaaeaba2542b9f2b8234a590684413 /vendor/github.com/go-fed/httpsig/verifying.go
parent[chore] update URLs to forked source (diff)
[chore] remove vendor
Diffstat (limited to 'vendor/github.com/go-fed/httpsig/verifying.go')
-rw-r--r--vendor/github.com/go-fed/httpsig/verifying.go184
1 files changed, 0 insertions, 184 deletions
diff --git a/vendor/github.com/go-fed/httpsig/verifying.go b/vendor/github.com/go-fed/httpsig/verifying.go
deleted file mode 100644
index 6d8df02ce..000000000
--- a/vendor/github.com/go-fed/httpsig/verifying.go
+++ /dev/null
@@ -1,184 +0,0 @@
-package httpsig
-
-import (
- "crypto"
- "encoding/base64"
- "errors"
- "fmt"
- "net/http"
- "strconv"
- "strings"
- "time"
-)
-
-var _ Verifier = &verifier{}
-
-type verifier struct {
- header http.Header
- kId string
- signature string
- created int64
- expires int64
- headers []string
- sigStringFn func(http.Header, []string, int64, int64) (string, error)
-}
-
-func newVerifier(h http.Header, sigStringFn func(http.Header, []string, int64, int64) (string, error)) (*verifier, error) {
- scheme, s, err := getSignatureScheme(h)
- if err != nil {
- return nil, err
- }
- kId, sig, headers, created, expires, err := getSignatureComponents(scheme, s)
- if created != 0 {
- //check if created is not in the future, we assume a maximum clock offset of 10 seconds
- now := time.Now().Unix()
- if created-now > 10 {
- return nil, errors.New("created is in the future")
- }
- }
- if expires != 0 {
- //check if expires is in the past, we assume a maximum clock offset of 10 seconds
- now := time.Now().Unix()
- if now-expires > 10 {
- return nil, errors.New("signature expired")
- }
- }
- if err != nil {
- return nil, err
- }
- return &verifier{
- header: h,
- kId: kId,
- signature: sig,
- created: created,
- expires: expires,
- headers: headers,
- sigStringFn: sigStringFn,
- }, nil
-}
-
-func (v *verifier) KeyId() string {
- return v.kId
-}
-
-func (v *verifier) Verify(pKey crypto.PublicKey, algo Algorithm) error {
- s, err := signerFromString(string(algo))
- if err == nil {
- return v.asymmVerify(s, pKey)
- }
- m, err := macerFromString(string(algo))
- if err == nil {
- return v.macVerify(m, pKey)
- }
- return fmt.Errorf("no crypto implementation available for %q", algo)
-}
-
-func (v *verifier) macVerify(m macer, pKey crypto.PublicKey) error {
- key, ok := pKey.([]byte)
- if !ok {
- return fmt.Errorf("public key for MAC verifying must be of type []byte")
- }
- signature, err := v.sigStringFn(v.header, v.headers, v.created, v.expires)
- if err != nil {
- return err
- }
- actualMAC, err := base64.StdEncoding.DecodeString(v.signature)
- if err != nil {
- return err
- }
- ok, err = m.Equal([]byte(signature), actualMAC, key)
- if err != nil {
- return err
- } else if !ok {
- return fmt.Errorf("invalid http signature")
- }
- return nil
-}
-
-func (v *verifier) asymmVerify(s signer, pKey crypto.PublicKey) error {
- toHash, err := v.sigStringFn(v.header, v.headers, v.created, v.expires)
- if err != nil {
- return err
- }
- signature, err := base64.StdEncoding.DecodeString(v.signature)
- if err != nil {
- return err
- }
- err = s.Verify(pKey, []byte(toHash), signature)
- if err != nil {
- return err
- }
- return nil
-}
-
-func getSignatureScheme(h http.Header) (scheme SignatureScheme, val string, err error) {
- s := h.Get(string(Signature))
- sigHasAll := strings.Contains(s, keyIdParameter) ||
- strings.Contains(s, headersParameter) ||
- strings.Contains(s, signatureParameter)
- a := h.Get(string(Authorization))
- authHasAll := strings.Contains(a, keyIdParameter) ||
- strings.Contains(a, headersParameter) ||
- strings.Contains(a, signatureParameter)
- if sigHasAll && authHasAll {
- err = fmt.Errorf("both %q and %q have signature parameters", Signature, Authorization)
- return
- } else if !sigHasAll && !authHasAll {
- err = fmt.Errorf("neither %q nor %q have signature parameters", Signature, Authorization)
- return
- } else if sigHasAll {
- val = s
- scheme = Signature
- return
- } else { // authHasAll
- val = a
- scheme = Authorization
- return
- }
-}
-
-func getSignatureComponents(scheme SignatureScheme, s string) (kId, sig string, headers []string, created int64, expires int64, err error) {
- if as := scheme.authScheme(); len(as) > 0 {
- s = strings.TrimPrefix(s, as+prefixSeparater)
- }
- params := strings.Split(s, parameterSeparater)
- for _, p := range params {
- kv := strings.SplitN(p, parameterKVSeparater, 2)
- if len(kv) != 2 {
- err = fmt.Errorf("malformed http signature parameter: %v", kv)
- return
- }
- k := kv[0]
- v := strings.Trim(kv[1], parameterValueDelimiter)
- switch k {
- case keyIdParameter:
- kId = v
- case createdKey:
- created, err = strconv.ParseInt(v, 10, 64)
- if err != nil {
- return
- }
- case expiresKey:
- expires, err = strconv.ParseInt(v, 10, 64)
- if err != nil {
- return
- }
- case algorithmParameter:
- // Deprecated, ignore
- case headersParameter:
- headers = strings.Split(v, headerParameterValueDelim)
- case signatureParameter:
- sig = v
- default:
- // Ignore unrecognized parameters
- }
- }
- if len(kId) == 0 {
- err = fmt.Errorf("missing %q parameter in http signature", keyIdParameter)
- } else if len(sig) == 0 {
- err = fmt.Errorf("missing %q parameter in http signature", signatureParameter)
- } else if len(headers) == 0 { // Optional
- headers = defaultHeaders
- }
- return
-}