@ejholmes

This implements the rsa-sha1 and rsa-sha256 algorithms according to the most recent spec.

There's another PR for this (#3) but that PR is implemented incorrectly. In #3, verification of the signature requires access to the private key. The benefit of RSA public/private keys is that you only need access to the public key to verify that the request was signed by a private key.
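
The point made in the description above, that verification needs only the public key, as an added example (not code from this PR or the library): a client signs the signing string with rsa-sha256 and the server checks it while holding only an `*rsa.PublicKey`. The function names, the `example.test` URL and the header values are constructed for illustration, and PKCS#1 v1.5 padding is an assumption.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// signingString joins one "name: value" line per listed header (the string that gets signed).
func signingString(r *http.Request, headers ...string) string {
	lines := make([]string, len(headers))
	for i, h := range headers {
		lines[i] = strings.ToLower(h) + ": " + r.Header.Get(h)
		if h == "(request-target)" { // pseudo-header: lowercased method, then path and query
			lines[i] = h + ": " + strings.ToLower(r.Method) + " " + r.URL.RequestURI()
		}
	}
	return strings.Join(lines, "\n")
}

// signRSASHA256 is the client side and the only place the private key is used.
func signRSASHA256(key *rsa.PrivateKey, r *http.Request, headers ...string) (string, error) {
	digest := sha256.Sum256([]byte(signingString(r, headers...)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// verifyRSASHA256 is the server side; it is handed the public key only.
func verifyRSASHA256(pub *rsa.PublicKey, r *http.Request, sigB64 string, headers ...string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256([]byte(signingString(r, headers...)))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func demo() (intact, tampered bool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the demo
	r, _ := http.NewRequest("GET", "https://example.test/items?id=1", nil) // constructed request
	r.Header.Set("Date", "Mon, 02 Jan 2006 15:04:05 GMT")
	sig, _ := signRSASHA256(key, r, "(request-target)", "date")
	intact = verifyRSASHA256(&key.PublicKey, r, sig, "(request-target)", "date")
	r.Header.Set("Date", "Tue, 03 Jan 2006 15:04:05 GMT") // change a signed header
	return intact, verifyRSASHA256(&key.PublicKey, r, sig, "(request-target)", "date")
}

func main() { fmt.Println(demo()) }
```
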

}

// IsValidRSA validates that the signature was signed by an RSA private key.
func (s Signature) IsValidRSA(key *rsa.PublicKey, r *http.Request) bool {
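
Review bot: `IsValidRSA(key *rsa.PublicKey, r *http.Request) bool` reports only true or false, so a caller cannot tell a signature that failed verification from a request that could not be checked at all. Consider returning an error alongside the result. The parameters also give the caller no way to say which hash it will accept, so the doc comment should state which algorithms the method handles and where the choice of algorithm comes from.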

One thing to take note of here. I didn't want to break the existing api for IsValid, but I also don't want this code to be dealing with RSA keys as strings, and would rather just have consumers parse the public/private keys.

So, I just added the IsValidRSA/SignRequestRSA versions of the IsValid/SignRequest methods. The downside is that this leaks details about the underlying algorithm. Alternatively, I could add a more generic IsValid<xxx>(key interface{}, r *http.Request) method as well so that you can pass a string for HMAC, or an *rsa.PublicKey for RSA.

Note to self. Also need an AuthRequestRSA method.

@ejholmes ejholmes mentioned this pull request Oct 25, 2017
@ejholmes

See #12, which adds everything here as well as ecdsa-sha256.

@ejholmes ejholmes closed this Apr 26, 2018