Alternative to #177
The way this works is:
Client:
- Client creates a normal `net/http.Request{}` object using the `Request()` function in `utils.go`. The `http.Request{}` object is then signed using the Client's Ed25519 private key.
- The HTTP Method and Path (_note this is important_) are hashed, as well as the request body (if any) using the FNV128a hashing algorithm.
- This hash is then signed by the Client's Ed25519 private key.
- The resulting signature is then encoded to Base64 (_standard encoding_) and added to the HTTP headers as a `Signature:` header.
- In addition the Client's Ed25519 public key is added to the HTTP headers as `Signer:`
Server:
- The server calculates the same FNV128a hash of the HTTP Request Method and Path and the body (if any)
- The server decodes the HTTP header `Signature:`
- The server then uses the Client's Ed25519 public key in the HTTP header `Signer:` to verify the signature of the `Signature:` HTTP header which gives us back the original FNV128a hash the Client calculated for the request.
- The server then compares the Client's hash with the expected hash to see if they compare equally.
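
The client and server steps described above, as an added Go example (not code from this pull request). The function names, the order in which method, path and body are fed to the hash, and the Base64 encoding of the `Signer:` value are assumptions; the description does not specify them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"hash/fnv"
	"io"
	"net/http"
)

// digest: FNV128a over method, path, body (assumed order, no separators).
func digest(method, path string, body []byte) []byte {
	h := fnv.New128a()
	h.Write([]byte(method + path))
	h.Write(body)
	return h.Sum(nil)
}

// signRequest (client side, hypothetical name) sets Signature: and Signer:.
func signRequest(r *http.Request, body []byte, priv ed25519.PrivateKey) {
	sig := ed25519.Sign(priv, digest(r.Method, r.URL.Path, body))
	r.Header.Set("Signature", base64.StdEncoding.EncodeToString(sig))
	r.Header.Set("Signer", base64.StdEncoding.EncodeToString(priv.Public().(ed25519.PublicKey)))
}

// verifyRequest (server side, hypothetical name). The key length is checked
// first because ed25519.Verify panics on a public key of the wrong size.
func verifyRequest(r *http.Request) bool {
	sig, err1 := base64.StdEncoding.DecodeString(r.Header.Get("Signature"))
	pub, err2 := base64.StdEncoding.DecodeString(r.Header.Get("Signer"))
	body, err3 := io.ReadAll(r.Body)
	if err1 != nil || err2 != nil || err3 != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	r.Body = io.NopCloser(bytes.NewReader(body)) // keep the body readable for the handler
	return ed25519.Verify(pub, digest(r.Method, r.URL.Path, body), sig)
}

// demo signs a constructed request, verifies it, then changes the path and re-verifies.
func demo() (valid, tampered bool) {
	_, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	body := []byte(`{"k":"v"}`)
	r, _ := http.NewRequest("PUT", "http://example.invalid/blob/abc", bytes.NewReader(body))
	signRequest(r, body, priv)
	valid = verifyRequest(r)
	r.URL.Path = "/blob/other"
	return valid, verifyRequest(r)
}

func main() { v, t := demo(); println(v, t) }
```

Because the public key travels in the same request it verifies, a `true` result shows only that method, path and body were not altered after signing; tying the request to an identity requires comparing `Signer:` against keys the server already trusts. FNV128a is a non-cryptographic hash, so the signature is only as collision-resistant as that hash.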
prologic
changed title from "Add support for signing and verifying HTTP requests" to "Add blob service and support for signing and verifying HTTP requests" 6 days ago