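// PBVerifyRequest reports whether req carries a valid password-based HMAC
// signature, i.e. whether the request still matches what was signed.
//
// It reads the hex-encoded salt and signature from the REQ_HEADER_SALT and
// REQ_HEADER_HMAC headers, derives the HMAC key from password and that salt
// with PBKDF2Key, recomputes the HMAC over util.MarshalRequest(req, pattern)
// with the signature header removed, and compares the result with the
// signature sent in the request.
//
// It returns false when either header is missing or is not valid hex, or when
// the two values differ. The signature header is back in place on return.
//
// NOTE(review): the salt comes from the request, so the sender chooses it, and
// its length is not checked against p.pbkdf2_salt_length here; confirm whether
// short salts should be rejected. Nothing in this function rejects a replayed
// request either, so freshness has to come from what pattern covers or from
// the caller.
func (p *pbe) PBVerifyRequest(req *http.Request, password string, pattern *util.SignaturePattern) bool {
	saltHex := req.Header.Get(REQ_HEADER_SALT)
	sigHex := req.Header.Get(REQ_HEADER_HMAC)
	if saltHex == "" || sigHex == "" {
		return false
	}

	// Decode both headers before touching the request, so malformed input is
	// rejected without mutating it and before any key derivation is done.
	salt, err := hex.DecodeString(saltHex)
	if err != nil {
		return false
	}
	signature, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}

	// The signer adds the signature header only after marshalling the request,
	// so it must be absent while the message is rebuilt. It is restored on
	// return because callers may still need it.
	req.Header.Del(REQ_HEADER_HMAC)
	defer req.Header.Set(REQ_HEADER_HMAC, sigHex)

	key := PBKDF2Key(password, salt, p.hmac_key_length)
	expected := hmac_sha(util.MarshalRequest(req, pattern), key)

	// Compare without an early exit: a comparison that stops at the first
	// differing byte (bytes.Compare) leaks, through timing, how much of a
	// guessed signature is correct. The length is not secret, so checking it
	// first is fine. Written by hand only because this block cannot add an
	// import; crypto/hmac.Equal or crypto/subtle.ConstantTimeCompare is the
	// preferred form once the file imports one of them.
	if len(signature) != len(expected) {
		return false
	}
	var diff byte
	for i := range expected {
		diff |= signature[i] ^ expected[i]
	}
	return diff == 0
}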
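// PBSignRequest signs an HTTP request using the password specified.
//
// It generates a fresh random salt of p.pbkdf2_salt_length, stores it
// hex-encoded in the REQ_HEADER_SALT header, derives the HMAC key from
// password and the salt with PBKDF2Key, computes the HMAC over
// util.MarshalRequest(req, pattern), and stores it hex-encoded in the
// REQ_HEADER_HMAC header. The salt header is set before marshalling and the
// signature header after it.
//
// Which parts of the request are covered is decided by util.MarshalRequest
// and pattern. As documented by the author, the signature changes if:
// 	remote address changes
// 	request URI changes
// 	request header is deleted
// 	request header is added
// 	request header is modified
//
// Signature doesn't change if:
// 	request header ordering is changed
//
// It returns the error from rnd.Salt if no salt could be generated; in that
// case the request is left unmodified.
func (p *pbe) PBSignRequest(req *http.Request, password string, pattern *util.SignaturePattern) error {
	salt, err := rnd.Salt(p.pbkdf2_salt_length)
	if err != nil {
		return err
	}

	// A request that is signed again may still carry its previous signature
	// header. PBVerifyRequest removes that header before rebuilding the
	// message, so drop it here too; otherwise the stale value could become
	// part of the signed message and the new signature would never verify.
	req.Header.Del(REQ_HEADER_HMAC)

	// The salt header goes in before marshalling so that the verifier, which
	// reads the salt from the request, rebuilds the same message.
	req.Header.Set(REQ_HEADER_SALT, hex.EncodeToString(salt))

	key := PBKDF2Key(password, salt, p.hmac_key_length)
	mac := hmac_sha(util.MarshalRequest(req, pattern), key)

	req.Header.Set(REQ_HEADER_HMAC, hex.EncodeToString(mac))
	return nil
}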