Add blob service and support for signing and verifying HTTP requests #178

Merged
prologic merged 19 commits from blob2 into master 3 days ago
Owner

Alternative to #177

The way this works is:

Client:

  • Client creates a normal net/http.Request{} object using the Request() function in utils.go. The http.Request{} object is then signed using the Client's Ed25519 private key.
  • The HTTP Method and Path (note this is important) are hashed, as well as the request body (if any) using the FNV128a hashing algorithm.
  • This hash is then signed by the Client's Ed25519 private key.
  • The resulting signature is then encoded to Base64 (standard encoding) and added to the HTTP headers as a Signature: header.
  • In addition the Client's Ed25519 public key is added to the HTTP headers as Signer:

Server:

  • The server calculates the same FNV128a hash of the HTTP Request Method and Path and the body (if any)
  • The server decodes the HTTP header Signature:
  • The server then uses the Client's Ed25519 public key in the HTTP header Signer: to verify the signature of the Signature: HTTP header which gives us back the original FNV128a hash the Client calculated for the request.
  • The server then compares the Client's hash with the expected hash to see if they compare equally.
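The sign-and-verify flow described above, as an added Go example; it is not code from this pull request. The function names, the plain concatenation of method, path and body, the Base64 encoding of the `Signer:` value, and passing the body as a separate argument are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"hash/fnv"
	"net/http"
)

// digest hashes method, path and body with FNV-128a, as the description lists
// them. Plain concatenation in this order is an assumption of this example.
func digest(r *http.Request, body []byte) []byte {
	h := fnv.New128a()
	h.Write([]byte(r.Method))
	h.Write([]byte(r.URL.Path))
	h.Write(body)
	return h.Sum(nil)
}

// Sign sets Signature: and Signer:. Base64 for Signer: is an assumption.
func Sign(r *http.Request, body []byte, priv ed25519.PrivateKey) {
	b64 := base64.StdEncoding
	r.Header.Set("Signature", b64.EncodeToString(ed25519.Sign(priv, digest(r, body))))
	r.Header.Set("Signer", b64.EncodeToString(priv.Public().(ed25519.PublicKey)))
}

// Verify recomputes the digest on the server and checks Signature: against it.
// Signer: is client-supplied: the server must still decide if it trusts the key.
func Verify(r *http.Request, body []byte) bool {
	b64 := base64.StdEncoding
	sig, err1 := b64.DecodeString(r.Header.Get("Signature"))
	pub, err2 := b64.DecodeString(r.Header.Get("Signer"))
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
		return false // missing or malformed headers
	}
	return ed25519.Verify(pub, digest(r, body), sig)
}

func main() {
	_, priv, _ := ed25519.GenerateKey(nil) // throwaway key, constructed for the example
	body := []byte("hello")
	req, _ := http.NewRequest("PUT", "http://example.test/api/v1/blob/a", bytes.NewReader(body))
	Sign(req, body, priv)
	fmt.Println("as signed:", Verify(req, body))
	req.URL.Path = "/api/v1/blob/b" // the path is part of the signed digest
	fmt.Println("path changed:", Verify(req, body))
}
```

FNV-128a is a non-cryptographic hash, so a design that needs collision resistance would sign the request bytes directly with Ed25519 or use a cryptographic hash such as SHA-256 instead.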
prologic added 4 commits 7 days ago
prologic added 1 commit 6 days ago
5d58a5dc05
Fix tests
prologic added 1 commit 6 days ago
b224fa76b8
Cleanup
prologic added 1 commit 6 days ago
87bf0abdb1
Add support for GET and HEAD
prologic added 1 commit 6 days ago
5647f930c7
Add DELETE
prologic changed title from Add support for signing and verifying HTTP requests to Add blob service and support for signing and verifying HTTP requests 6 days ago
prologic added 1 commit 6 days ago
7044b5c352
Add JWT version
prologic added 1 commit 6 days ago
d8888e54a3
Fix stuff
prologic added 1 commit 6 days ago
166a2660d1
Cleanup
prologic added 1 commit 6 days ago
prologic added 1 commit 6 days ago
596900fbd9
Add cos
xuu added 1 commit 5 days ago
880273a7d9
tests: add unittest for authreq
xuu added 1 commit 5 days ago
f05038c902
feat: add ID cache for jwt repeat verification
xuu force-pushed blob2 from f05038c902 to 32bf024215 5 days ago
xuu added 1 commit 5 days ago
273e4f3e89
tests: add e2e test for api
prologic added 1 commit 5 days ago
525ab2d5c0
Use require to stop tests early
prologic added 1 commit 5 days ago
e56d5b854e
Fix memory store and use for API e2e tests
prologic added 1 commit 3 days ago
6581dc6779
Add tests for PUT and GET for /api/v1/blob service
xuu approved these changes 3 days ago
prologic merged commit ddd16c202f into master 3 days ago
prologic deleted branch blob2 3 days ago

Reviewers

xuu approved these changes 3 days ago
continuous-integration/drone/pr Build is passing
The pull request has been merged as ddd16c202f.