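// PBVerifyRequest reports whether the HMAC carried in req's signature header
// matches one recomputed from the request, the salt header and password, to
// ensure the request was not altered after it was signed.
//
// It returns false when the salt or signature header is missing or is not
// valid hex, or when the recomputed HMAC differs from the transmitted one.
// The signature header is removed while the request is marshalled and is
// restored before the function returns.
func (p *pbe) PBVerifyRequest(req *http.Request, password string, pattern *util.SignaturePattern) bool {
	keylen := p.hmac_key_length

	salt_hex := req.Header.Get(REQ_HEADER_SALT)
	if salt_hex == "" {
		return false
	}
	// NOTE(review): the salt is taken from the request being verified and no
	// minimum length is enforced here; confirm whether a lower bound matching
	// the signer's salt length should be checked before deriving the key.
	salt, err := hex.DecodeString(salt_hex)
	if err != nil {
		return false
	}

	signature_hex := req.Header.Get(REQ_HEADER_HMAC)
	if signature_hex == "" {
		return false
	}

	// Temporarily remove the signature header so the marshalled message has
	// the same shape it had when the signature was computed.
	req.Header.Del(REQ_HEADER_HMAC)
	defer req.Header.Set(REQ_HEADER_HMAC, signature_hex)

	signature, err := hex.DecodeString(signature_hex)
	if err != nil {
		return false
	}

	key := PBKDF2Key(password, salt, keylen)
	message := util.MarshalRequest(req, pattern)
	expected := hmac_sha(message, key)

	// Compare without an early exit on the first differing byte: a
	// short-circuiting comparison such as bytes.Compare takes time that
	// depends on how many leading bytes match, which can help a remote caller
	// guess a valid MAC byte by byte. The MAC length is not secret, so
	// rejecting on a length mismatch up front is fine.
	// Where the file's imports can be extended, hmac.Equal (crypto/hmac) or
	// subtle.ConstantTimeCompare (crypto/subtle) is the preferred form.
	if len(signature) != len(expected) {
		return false
	}
	var diff byte
	for i := range signature {
		diff |= signature[i] ^ expected[i]
	}
	return diff == 0
}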
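// PBSignRequest signs a http request using the password specified.
//
// A fresh random salt is generated, hex-encoded and stored in the salt
// header; a key is derived from password and that salt; the request is
// marshalled according to pattern and its HMAC is stored hex-encoded in the
// signature header. The error from salt generation is returned unchanged, in
// which case the request headers are left untouched.
//
// Signature changes if:
//   - remote address changes
//   - request URI changes
//   - request header is deleted
//   - request header is added
//   - request header is modified
//
// Signature doesn't change if:
//   - request header ordering is changed
func (p *pbe) PBSignRequest(req *http.Request, password string, pattern *util.SignaturePattern) error {
	saltlen := p.pbkdf2_salt_length
	keylen := p.hmac_key_length

	salt, err := rnd.Salt(saltlen)
	if err != nil {
		return err
	}

	// PBVerifyRequest removes the signature header before marshalling the
	// request. Do the same here so that a stale signature from an earlier
	// signing pass cannot become part of the signed message, which would make
	// a re-signed request fail verification.
	req.Header.Del(REQ_HEADER_HMAC)

	// The salt header must be in place before marshalling, because the
	// verifier marshals the request with the salt header present.
	req.Header.Set(REQ_HEADER_SALT, hex.EncodeToString(salt))

	key := PBKDF2Key(password, salt, keylen)
	message := util.MarshalRequest(req, pattern)
	mac := hmac_sha(message, key)

	req.Header.Set(REQ_HEADER_HMAC, hex.EncodeToString(mac))
	return nil
}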