feat(): improve HTTP signature support

- fix nil pointer bugs - upgrade dependency - improve error handling
2025-04-12 12:01:50 +00:00 · 2020-08-20 09:48:46 +00:00 · 2020-08-20 09:48:46 +00:00 · 296ab6aaa3
commit 296ab6aaa3
parent 379ed57948
8 changed files with 31 additions and 20 deletions
--- a/go.mod
+++ b/go.mod
@ -1,9 +1,9 @@
 module github.com/ncarlier/webhookd

 require (
-	github.com/go-fed/httpsig v0.1.0
+	github.com/go-fed/httpsig v1.0.0
 	github.com/mattn/go-isatty v0.0.12
-	golang.org/x/crypto v0.0.0-20200204104054-c9f3fb736b72
+	golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
 	golang.org/x/net v0.0.0-20200202094626-16171245cfb2 // indirect
 	golang.org/x/text v0.3.2 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,11 +1,11 @@
-github.com/go-fed/httpsig v0.1.0 h1:6F2OxRVnNTN4OPN+Mc2jxs2WEay9/qiHT/jphlvAwIY=
-github.com/go-fed/httpsig v0.1.0/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
+github.com/go-fed/httpsig v1.0.0 h1:/JKxvztv3Hq0fTYQd1o6sjbDBYa0fPRmTnEM5CVvIEw=
+github.com/go-fed/httpsig v1.0.0/go.mod h1:XS5xuzQuPZkqAIK73sE4qCYnRJUK9rTQJGFHZCg2g1Y=
 github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200204104054-c9f3fb736b72 h1:+ELyKg6m8UBf0nPFSqD0mi7zUfwPyXo23HNjMnXPz7w=
-golang.org/x/crypto v0.0.0-20200204104054-c9f3fb736b72/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de h1:ikNHVSjEfnvz6sxdSPCaPt572qowuyMDMJLLm3Db3ig=
+golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
--- a/pkg/api/router.go
+++ b/pkg/api/router.go
@ -25,13 +25,13 @@ func NewRouter(conf *config.Config) *http.ServeMux {
 		middlewares = append(middlewares, middleware.HSTS)
 	}

-	// Load key store...
-	keystore, err := pubkey.NewTrustStore(conf.TrustStoreFile)
+	// Load trust store...
+	trustStore, err := pubkey.NewTrustStore(conf.TrustStoreFile)
 	if err != nil {
 		logger.Warning.Printf("unable to load trust store (\"%s\"): %s\n", conf.TrustStoreFile, err)
 	}
-	if keystore != nil {
-		middlewares = append(middlewares, middleware.HTTPSignature(keystore))
+	if trustStore != nil {
+		middlewares = append(middlewares, middleware.HTTPSignature(trustStore))
 	}

 	// Load authenticator...
--- a/pkg/middleware/signature.go
+++ b/pkg/middleware/signature.go
@ -21,7 +21,7 @@ func HTTPSignature(trustStore pubkey.TrustStore) Middleware {
 			entry := trustStore.Get(pubKeyID)
 			if entry == nil {
 				w.WriteHeader(400)
-				w.Write([]byte("invalid HTTP signature: " + err.Error()))
+				w.Write([]byte("invalid HTTP signature: public key not found: " + pubKeyID))
 				return
 			}
 			err = verifier.Verify(entry.Pubkey, entry.Algorithm)
--- a/pkg/pubkey/pem_truststore.go
+++ b/pkg/pubkey/pem_truststore.go
@ -22,7 +22,7 @@ func (ts *pemTrustStore) Get(keyID string) *TrustStoreEntry {
 	return nil
 }

-func newPEMTrustStore(filename string) (*pemTrustStore, error) {
+func newPEMTrustStore(filename string) (TrustStore, error) {
 	raw, err := ioutil.ReadFile(filename)
 	if err != nil {
 		return nil, err
--- a/tooling/httpsig/go.mod
+++ b/tooling/httpsig/go.mod
@ -1,8 +1,8 @@
 module github.com/ncarlier/webhookd/tooling/httpsig

-go 1.13
+go 1.14

 require (
-	github.com/go-fed/httpsig v0.1.0
-	github.com/ncarlier/webhookd v1.7.0
+	github.com/go-fed/httpsig v1.0.0
+	github.com/ncarlier/webhookd v1.9.0
 )
--- a/tooling/httpsig/go.sum
+++ b/tooling/httpsig/go.sum
@ -1,19 +1,27 @@
 github.com/go-fed/httpsig v0.1.0 h1:6F2OxRVnNTN4OPN+Mc2jxs2WEay9/qiHT/jphlvAwIY=
 github.com/go-fed/httpsig v0.1.0/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
-github.com/ncarlier/webhookd v1.7.0 h1:9oJs7Ihe8T2jG04OTyNJv9pbaKRi1nk0k8qRdaoFYZY=
-github.com/ncarlier/webhookd v1.7.0/go.mod h1:Y+KgOmrNoNpjWc3VazWaWQMvJGEm9dY+waVdhP/rxbg=
+github.com/go-fed/httpsig v1.0.0 h1:/JKxvztv3Hq0fTYQd1o6sjbDBYa0fPRmTnEM5CVvIEw=
+github.com/go-fed/httpsig v1.0.0/go.mod h1:XS5xuzQuPZkqAIK73sE4qCYnRJUK9rTQJGFHZCg2g1Y=
+github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/ncarlier/webhookd v1.9.0 h1:vBX5kANxIV29wYPUM2ZmqMf5PHKfo97MeOfmWUd3Q+g=
+github.com/ncarlier/webhookd v1.9.0/go.mod h1:8KOSUj/tM7rns0/eRoCnlsdyP3FaebeEPBPJRbvX9HE=
 golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59 h1:hk3yo72LXLapY9EXVttc3Z1rLOxT9IuAPPX3GpY2+jo=
 golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200204104054-c9f3fb736b72 h1:+ELyKg6m8UBf0nPFSqD0mi7zUfwPyXo23HNjMnXPz7w=
 golang.org/x/crypto v0.0.0-20200204104054-c9f3fb736b72/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sys v0.0.0-20180525142821-c11f84a56e43 h1:PvnWIWTbA7gsEBkKjt0HV9hckYfcqYv8s/ju7ArZ0do=
 golang.org/x/sys v0.0.0-20180525142821-c11f84a56e43/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtDblrpj/w7B9nxGNELpg=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/tooling/httpsig/main.go
+++ b/tooling/httpsig/main.go
@ -61,8 +61,10 @@ func main() {
 	}

 	var payload io.Reader
+	var jsonBytes []byte
 	if conf.JSON != "" {
-		jsonBytes, err := ioutil.ReadFile(conf.JSON)
+		var err error
+		jsonBytes, err = ioutil.ReadFile(conf.JSON)
 		if err != nil {
 			log.Fatal(err.Error())
 		}
@ -70,8 +72,9 @@ func main() {
 	}

 	prefs := []httpsig.Algorithm{httpsig.RSA_SHA256}
+	digestAlgorithm := httpsig.DigestSha256
 	headers := []string{httpsig.RequestTarget, "date"}
-	signer, _, err := httpsig.NewSigner(prefs, headers, httpsig.Signature)
+	signer, _, err := httpsig.NewSigner(prefs, digestAlgorithm, headers, httpsig.Signature, 0)
 	if err != nil {
 		log.Fatal(err.Error())
 	}
@ -85,7 +88,7 @@ func main() {
 	}
 	req.Header.Add("date", time.Now().UTC().Format(http.TimeFormat))

-	if err = signer.SignRequest(privateKey, conf.KeyID, req); err != nil {
+	if err = signer.SignRequest(privateKey, conf.KeyID, req, jsonBytes); err != nil {
 		log.Fatal(err.Error())
 	}