httpsig is a go package with for HTTP Signature. It also implements extensions to the standard.
import "githhub.com/changqings/httpsig"This example signs a request and includes the date, and (request-target) header components in the signature.
// set key as a string from file read, memory, etc.
req, _ := http.NewRequest("GET", "http://example.com/path/to/resource", nil)
signer, _ := httpsig.NewRequestSigner("my-key-id", key, "rsa-sha256")
err := signer.SignRequest(req, []string{"date", "(request-target)"}, jwt)This example verifies that a request contains a signature and returns a 401 Unauthorized response if a signature is not present or not verifiable.
func HandleReq(w http.ResponseWriter, r *http.Request) {
parsed, err := ParseRequest(req)
if err != nil {
w.WriteHeader(http.StatusUnauthorized)
return
}
publicKey := lookupPubKey(parsed.KeyId())
verified, err := VerifySignature(parsed, publicKey)
if err != nil || !verified {
w.WriteHeader(http.StatusUnauthorized)
return
}
w.WriteHeader(http.StatusOK)
w.Write("Authoirzation Passed")
}
func main() {
http.HandleFunc("/", HandleReq)
http.ListenAndServe(":8080", nil)
}go get github.com/changqings/httpsig
MIT.