-
Notifications
You must be signed in to change notification settings - Fork 0
/
tsv1.go
70 lines (65 loc) · 2.48 KB
/
tsv1.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
package e3dbClients
import (
"encoding/base64"
"errors"
"fmt"
"net/http"
"github.com/google/uuid"
"golang.org/x/crypto/blake2b"
sodium "golang.org/x/crypto/nacl/sign"
)
const (
HashingAlgorithm = "BLAKE2B"
SignatureType = "ED25519"
AuthenticationMethod = "TSV1-" + SignatureType + "-" + HashingAlgorithm // TSV1-ED25519-BLAKE2B
PublicKeyBytes = 32
PrivateKeyBytes = 64
Blake2BBytes = 32
AuthorizationHeader = "Authorization"
)
var (
ErrorPrivateSigningKeyRequired = errors.New("private signing key is required but was not provided")
ErrorPublicSigningKeyRequired = errors.New("public signing key is required but was not provided")
)
// SignRequest signs (using Tozny Signature Version 1) the request
// with the provided public and private sodium signing keys, returning error (if any).
// If successful, SignRequest will overwrite any existing `AuthorizationHeader`.
func SignRequest(r *http.Request, signingKeys SigningKeys, timestamp int64, clientID string) error {
publicKey := &[PublicKeyBytes]byte{}
rawKeyBytes, err := base64.RawURLEncoding.DecodeString(signingKeys.Public.Material)
if err != nil {
return err
}
copied := copy(publicKey[:], rawKeyBytes)
if copied != PublicKeyBytes {
return fmt.Errorf("invalid number %d of public signing key byte, required %d", copied, PublicKeyBytes)
}
privateKey := &[PrivateKeyBytes]byte{}
rawKeyBytes, err = base64.RawURLEncoding.DecodeString(signingKeys.Private.Material)
if err != nil {
return err
}
copied = copy(privateKey[:], rawKeyBytes)
if copied != PrivateKeyBytes {
return fmt.Errorf("invalid number %d of private signing key byte, required %d", copied, PrivateKeyBytes)
}
callMethod := r.Method
callPath := r.URL.EscapedPath()
queryString := r.URL.Query().Encode()
nonce := uuid.New()
publicB64 := base64.RawURLEncoding.EncodeToString(publicKey[:])
headerString := fmt.Sprintf("%s; %s; %d; %s; %s", AuthenticationMethod, publicB64, timestamp, nonce, "uid:"+clientID)
strToSign := fmt.Sprintf("%s; %s; %s; %s", callPath, queryString, callMethod, headerString)
h, err := blake2b.New(Blake2BBytes, nil)
if err != nil {
return err
}
h.Write([]byte(strToSign))
hashToSign := h.Sum(nil)
fullSignature := sodium.Sign(nil, hashToSign, privateKey)
detachedSignature := fullSignature[:sodium.Overhead]
signatureB64 := base64.RawURLEncoding.EncodeToString(detachedSignature)
authHeader := fmt.Sprintf("%s; %s", headerString, signatureB64)
r.Header.Set(AuthorizationHeader, authHeader)
return err
}