httpsig/
signature_params.rs

1use crate::{
2  crypto::{AlgorithmName, SigningKey},
3  error::{HttpSigError, HttpSigResult},
4  message_component::HttpMessageComponentId,
5  trace::*,
6  util::has_unique_elements,
7};
8use base64::{engine::general_purpose, Engine as _};
9use rand::Rng;
10use sfv::{FieldType, ListEntry, Parser};
11use std::time::{SystemTime, UNIX_EPOCH};
12
13const DEFAULT_DURATION: u64 = 300;
14
15/* ---------------------------------------- */
16#[derive(Debug, Clone, Default)]
17/// Struct defining Http message signature parameters
18/// https://datatracker.ietf.org/doc/html/rfc9421#name-signature-parameters
19pub struct HttpSignatureParams {
20  /// created unix timestamp.
21  pub created: Option<u64>,
22  /// signature expires unix timestamp.
23  pub expires: Option<u64>,
24  /// nonce
25  pub nonce: Option<String>,
26  /// algorithm name
27  pub alg: Option<String>,
28  /// key id.
29  pub keyid: Option<String>,
30  /// tag
31  pub tag: Option<String>,
32  /// covered component vector string: ordered message components, i.e., string of http_fields and derived_components
33  pub covered_components: Vec<HttpMessageComponentId>,
34}
35
36impl HttpSignatureParams {
37  /// Create new HttpSignatureParams object for the given covered components only with `created`` current timestamp.
38  pub fn try_new(covered_components: &[HttpMessageComponentId]) -> HttpSigResult<Self> {
39    let created = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs();
40    if !has_unique_elements(covered_components.iter()) {
41      return Err(HttpSigError::InvalidSignatureParams(
42        "duplicate covered component ids".to_string(),
43      ));
44    }
45
46    Ok(Self {
47      created: Some(created),
48      covered_components: covered_components.to_vec(),
49      ..Default::default()
50    })
51  }
52
53  /// Set artificial `created` timestamp
54  pub fn set_created(&mut self, created: u64) -> &mut Self {
55    self.created = Some(created);
56    self
57  }
58
59  /// Set `expires` timestamp
60  pub fn set_expires(&mut self, expires: u64) -> &mut Self {
61    self.expires = Some(expires);
62    self
63  }
64
65  /// Set `nonce`
66  pub fn set_nonce(&mut self, nonce: &str) -> &mut Self {
67    self.nonce = Some(nonce.to_string());
68    self
69  }
70
71  /// Set `alg`
72  pub fn set_alg(&mut self, alg: &AlgorithmName) -> &mut Self {
73    self.alg = Some(alg.to_string());
74    self
75  }
76
77  /// Set `keyid`
78  pub fn set_keyid(&mut self, keyid: &str) -> &mut Self {
79    self.keyid = Some(keyid.to_string());
80    self
81  }
82
83  /// Set `tag`
84  pub fn set_tag(&mut self, tag: &str) -> &mut Self {
85    self.tag = Some(tag.to_string());
86    self
87  }
88
89  /// Set `keyid` and `alg` from the signing key
90  pub fn set_key_info(&mut self, key: &impl SigningKey) -> &mut Self {
91    self.keyid = Some(key.key_id().to_string());
92    self.alg = Some(key.alg().to_string());
93    self
94  }
95
96  /// Set random nonce
97  pub fn set_random_nonce(&mut self) -> &mut Self {
98    let mut rng = rand::rng();
99    let nonce = rng.random::<[u8; 32]>();
100    self.nonce = Some(general_purpose::STANDARD.encode(nonce));
101    self
102  }
103
104  /// Set `expires` timestamp from the current timestamp
105  pub fn set_expires_with_duration(&mut self, duration_secs: Option<u64>) -> &mut Self {
106    assert!(self.created.is_some(), "created timestamp is not set");
107    let duration_secs = duration_secs.unwrap_or(DEFAULT_DURATION);
108    self.expires = Some(self.created.unwrap() + duration_secs);
109    self
110  }
111
112  /// Check if the signature params is expired if `exp` field is present.
113  /// If `exp` field is not present, it always returns false.
114  pub fn is_expired(&self) -> bool {
115    if let Some(exp) = self.expires {
116      exp < SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs()
117    } else {
118      false
119    }
120  }
121}
122
123impl std::fmt::Display for HttpSignatureParams {
124  fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
125    let joined = self.covered_components.iter().fold("".to_string(), |acc, v| {
126      if acc.is_empty() {
127        v.to_string()
128      } else {
129        format!("{acc} {v}")
130      }
131    });
132    let mut s: String = format!("({})", joined);
133    if self.created.is_some() {
134      s.push_str(&format!(";created={}", self.created.unwrap()));
135    }
136    if self.expires.is_some() {
137      s.push_str(&format!(";expires={}", self.expires.unwrap()));
138    }
139    if self.nonce.is_some() {
140      s.push_str(&format!(";nonce=\"{}\"", self.nonce.as_ref().unwrap()));
141    }
142    if self.alg.is_some() {
143      s.push_str(&format!(";alg=\"{}\"", self.alg.as_ref().unwrap()));
144    }
145    if self.keyid.is_some() {
146      s.push_str(&format!(";keyid=\"{}\"", self.keyid.as_ref().unwrap()));
147    }
148    if self.tag.is_some() {
149      s.push_str(&format!(";tag=\"{}\"", self.tag.as_ref().unwrap()));
150    }
151    write!(f, "{}", s)
152  }
153}
154
155impl TryFrom<&ListEntry> for HttpSignatureParams {
156  type Error = HttpSigError;
157  /// Convert from ListEntry to HttpSignatureParams
158  fn try_from(value: &ListEntry) -> HttpSigResult<Self> {
159    if !matches!(value, ListEntry::InnerList(_)) {
160      return Err(HttpSigError::InvalidSignatureParams("Invalid signature params".to_string()));
161    }
162    let inner_list_with_params = match value {
163      ListEntry::InnerList(v) => v,
164      _ => unreachable!(),
165    };
166    let covered_components = inner_list_with_params
167      .items
168      .iter()
169      .map(|v| {
170        HttpMessageComponentId::try_from(v.serialize().as_str())
171        // v.serialize_value()
172        //   .map_err(|e| HttpSigError::ParseSFVError(e.to_string()))
173        //   .and_then(|v| HttpMessageComponentId::try_from(v.as_str()))
174      })
175      .collect::<Result<Vec<_>, _>>()?;
176
177    if !has_unique_elements(covered_components.iter()) {
178      return Err(HttpSigError::InvalidSignatureParams(
179        "duplicate covered component ids".to_string(),
180      ));
181    }
182
183    let mut params = Self {
184      created: None,
185      expires: None,
186      nonce: None,
187      alg: None,
188      keyid: None,
189      tag: None,
190      covered_components,
191    };
192
193    inner_list_with_params
194      .params
195      .iter()
196      .for_each(|(key, bare_item)| match key.as_str() {
197        "created" => params.created = bare_item.as_integer().map(|v| v.try_into().unwrap()),
198        "expires" => params.expires = bare_item.as_integer().map(|v| v.try_into().unwrap()),
199        "nonce" => params.nonce = bare_item.as_string().map(|v| v.to_string()),
200        "alg" => params.alg = bare_item.as_string().map(|v| v.to_string()),
201        "keyid" => params.keyid = bare_item.as_string().map(|v| v.to_string()),
202        "tag" => params.tag = bare_item.as_string().map(|v| v.to_string()),
203        _ => {
204          error!("Ignore invalid signature parameter: {}", key)
205        }
206      });
207    Ok(params)
208  }
209}
210
211impl TryFrom<&str> for HttpSignatureParams {
212  type Error = HttpSigError;
213  /// Convert from string to HttpSignatureParams
214  fn try_from(value: &str) -> HttpSigResult<Self> {
215    let sfv_parsed: sfv::List = Parser::new(value)
216      .parse()
217      .map_err(|e| HttpSigError::ParseSFVError(e.to_string()))?;
218    // let sfv_parsed = Parser::parse_list(value.as_bytes()).map_err(|e| HttpSigError::ParseSFVError(e.to_string()))?;
219    if sfv_parsed.len() != 1 || !matches!(sfv_parsed[0], ListEntry::InnerList(_)) {
220      return Err(HttpSigError::InvalidSignatureParams("Invalid signature params".to_string()));
221    }
222    HttpSignatureParams::try_from(&sfv_parsed[0])
223  }
224}
225
226#[cfg(test)]
227mod tests {
228  use super::*;
229  use crate::crypto::SecretKey;
230  const EDDSA_SECRET_KEY: &str = r##"-----BEGIN PRIVATE KEY-----
231MC4CAQAwBQYDK2VwBCIEIDSHAE++q1BP7T8tk+mJtS+hLf81B0o6CFyWgucDFN/C
232-----END PRIVATE KEY-----
233"##;
234  const _EDDSA_PUBLIC_KEY: &str = r##"-----BEGIN PUBLIC KEY-----
235MCowBQYDK2VwAyEA1ixMQcxO46PLlgQfYS46ivFd+n0CcDHSKUnuhm3i1O0=
236-----END PUBLIC KEY-----
237"##;
238  const EDDSA_KEY_ID: &str = "gjrE7ACMxgzYfFHgabgf4kLTg1eKIdsJ94AiFTFj1is=";
239
240  fn build_covered_components() -> Vec<HttpMessageComponentId> {
241    vec![
242      HttpMessageComponentId::try_from("@method").unwrap(),
243      HttpMessageComponentId::try_from("@path").unwrap(),
244      HttpMessageComponentId::try_from("@scheme").unwrap(),
245      HttpMessageComponentId::try_from("@authority").unwrap(),
246      HttpMessageComponentId::try_from("content-type").unwrap(),
247      HttpMessageComponentId::try_from("date").unwrap(),
248      HttpMessageComponentId::try_from("content-length").unwrap(),
249    ]
250  }
251
252  #[test]
253  fn test_try_new() {
254    let params = HttpSignatureParams::try_new(&build_covered_components());
255    assert!(params.is_ok());
256    let params = params.unwrap();
257    assert!(params.created.is_some());
258    assert!(params.expires.is_none());
259    assert!(params.nonce.is_none());
260    assert!(params.alg.is_none());
261    assert!(params.keyid.is_none());
262    assert!(params.tag.is_none());
263    assert_eq!(params.covered_components.len(), 7);
264  }
265
266  #[test]
267  fn test_set_key_info() {
268    let mut params = HttpSignatureParams::try_new(&build_covered_components()).unwrap();
269    params.set_key_info(&SecretKey::from_pem(EDDSA_SECRET_KEY).unwrap());
270    assert_eq!(params.keyid, Some(EDDSA_KEY_ID.to_string()));
271    assert_eq!(params.alg, Some("ed25519".to_string()));
272  }
273
274  #[test]
275  fn test_set_duration() {
276    let mut params = HttpSignatureParams::try_new(&build_covered_components()).unwrap();
277    params.set_expires_with_duration(Some(100));
278    assert!(params.expires.is_some());
279    assert_eq!(params.expires.unwrap(), params.created.unwrap() + 100);
280    assert!(!params.is_expired());
281
282    let created = params.created.unwrap();
283    params.set_expires(created - 1);
284    assert!(params.is_expired());
285  }
286
287  #[test]
288  fn test_from_string_signature_params_without_param() {
289    let value = r##"("@method" "@path" "@scheme" "@authority" "content-type" "date" "content-length")"##;
290    let params = HttpSignatureParams::try_from(value);
291    assert!(params.is_ok());
292    let params = params.unwrap();
293    assert!(params.created.is_none());
294    assert!(params.expires.is_none());
295    assert!(params.nonce.is_none());
296    assert!(params.alg.is_none());
297    assert!(params.keyid.is_none());
298    assert!(params.tag.is_none());
299    assert_eq!(params.covered_components.len(), 7);
300  }
301
302  #[test]
303  fn test_from_string_signature_params() {
304    const SIGPARA: &str = r##";created=1704972031;alg="ed25519";keyid="gjrE7ACMxgzYfFHgabgf4kLTg1eKIdsJ94AiFTFj1is=""##;
305    let values = vec![
306      (
307        r##""@method" "@path" "@scheme";req "@authority" "content-type";bs "date" "content-length""##,
308        SIGPARA,
309      ),
310      (r##""##, SIGPARA),
311    ];
312    for (covered, sigpara) in values {
313      let value = format!("({}){}", covered, sigpara);
314      let params = HttpSignatureParams::try_from(value.as_str());
315      assert!(params.is_ok());
316      let params = params.unwrap();
317
318      assert_eq!(params.created, Some(1704972031));
319      assert_eq!(params.expires, None);
320      assert_eq!(params.nonce, None);
321      assert_eq!(params.alg, Some("ed25519".to_string()));
322      assert_eq!(params.keyid, Some(EDDSA_KEY_ID.to_string()));
323      assert_eq!(params.tag, None);
324      let covered_components = covered
325        .split(' ')
326        .filter(|v| !v.is_empty())
327        .map(|v| HttpMessageComponentId::try_from(v).unwrap())
328        .collect::<Vec<_>>();
329      assert_eq!(params.covered_components, covered_components);
330      assert_eq!(params.to_string(), value);
331    }
332  }
333}
httpsig/signature_params.rs

httpsig/
signature_params.rs
