yaronf / httpsign

HTTP Message Signatures (RFC 9421) in Go

HTTP Message Signatures, implementing RFC 9421 (the former draft-ietf-httpbis-message-signatures).

This is a nearly feature-complete implementation of the RFC, including all test vectors.

Usage

The library provides natural integration points with Go HTTP clients and servers, as well as direct usage of the sign and verify functions.

Below is what a basic client-side integration looks like. Additional examples are available in the API reference.

	// Create a signer and a wrapped HTTP client
	signer, _ := httpsign.NewRSAPSSSigner("key1", *prvKey,
		httpsign.NewSignConfig(),
		httpsign.Headers("@request-target", "content-digest")) // The Content-Digest header will be auto-generated
	client := httpsign.NewDefaultClient(httpsign.NewClientConfig().SetSignatureName("sig1").SetSigner(signer)) // sign requests, don't verify responses

	// Send an HTTP POST, get response -- signing happens behind the scenes
	body := `{"hello": "world"}`
	res, err := client.Post(ts.URL, "application/json", bufio.NewReader(strings.NewReader(body)))
	if err != nil {
		// handle error
	}

	// Read the response
	serverText, _ := io.ReadAll(res.Body)
	_ = res.Body.Close()
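
What "signing happens behind the scenes" amounts to for the two covered components above, shown as an added standard-library sketch of the RFC 9421 signature base and an RSA-PSS check; it is not httpsign's own code. The `/orders` target, the `created` and `keyid` values, the throwaway key and the choice of sha-256 for Content-Digest are constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
)

// RSASSA-PSS with SHA-512 and a 64-byte salt (the rsa-pss-sha512 algorithm).
var pss = &rsa.PSSOptions{SaltLength: 64, Hash: crypto.SHA512}

// contentDigest returns an RFC 9530 Content-Digest value (sha-256) for body.
func contentDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha-256=:" + base64.StdEncoding.EncodeToString(sum[:]) + ":"
}

// signatureBase covers the two components; the last line has no trailing newline.
func signatureBase(target string, body []byte, params string) string {
	return fmt.Sprintf("\"@request-target\": %s\n\"content-digest\": %s\n\"@signature-params\": %s",
		target, contentDigest(body), params)
}

// verify rebuilds the base from the request as received; a real verifier
// would also compare the received Content-Digest header against the body.
func verify(pub *rsa.PublicKey, target string, body []byte, params string, sig []byte) bool {
	h := sha512.Sum512([]byte(signatureBase(target, body, params)))
	return rsa.VerifyPSS(pub, crypto.SHA512, h[:], sig, pss) == nil
}

// demo signs a constructed request and verifies it against what was received.
func demo(gotTarget string, gotBody []byte) bool {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key
	if err != nil {
		panic(err)
	}
	params := `("@request-target" "content-digest");created=1700000000;keyid="key1"` // constructed
	h := sha512.Sum512([]byte(signatureBase("/orders", []byte(`{"hello": "world"}`), params)))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA512, h[:], pss)
	if err != nil {
		panic(err)
	}
	return verify(&key.PublicKey, gotTarget, gotBody, params, sig)
}

func main() { fmt.Println(demo("/orders", []byte(`{"hello": "world"}`))) }
```

Because the body enters the signature only through `content-digest`, a changed body or request target produces a different base and the check fails.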

Notes and Missing Features

  • The Accept-Signature header is unimplemented.
  • In responses, when using the "wrapped handler" feature, the Content-Type header is only signed if set explicitly by the server. This differs from the normal net/http behavior, but is arguably more secure.

License: Apache License 2.0

