// Returns true if the provided message is unsigned or has a valid signature // from one of the provided signers. func authenticateMessage(signers map[string]Signer, header *message.Header, msg []byte) bool { digest := header.GetHmac() if digest != nil { var key string signer := fmt.Sprintf("%s_%d", header.GetHmacSigner(), header.GetHmacKeyVersion()) if s, ok := signers[signer]; ok { key = s.HmacKey } else { return false } var hm hash.Hash switch header.GetHmacHashFunction() { case message.Header_MD5: hm = hmac.New(md5.New, []byte(key)) case message.Header_SHA1: hm = hmac.New(sha1.New, []byte(key)) } hm.Write(msg) expectedDigest := hm.Sum(nil) if subtle.ConstantTimeCompare(digest, expectedDigest) != 1 { return false } } return true }