Merge pull request #2 from jbowes/linter

Add golangci-lint

Author: jbowes

.github/workflows/go.yml

@@ -26,3 +26,13 @@ jobs:
 
     - name: Upload coverage to Codecov
       run: bash <(curl -s https://codecov.io/bash)
+
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: latest

canonicalize.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"net/url"
 	nurl "net/url"
 	"strconv"
 	"strings"
@@ -20,7 +19,7 @@ import (
 // needed to construct a signature.
 type message struct {
 	Method string
-	URL    *url.URL
+	URL    *nurl.URL
 	Header http.Header
 }
 
@@ -107,18 +106,18 @@ func (sp *signatureParams) canonicalize() string {
 	return o
 }
 
-var malformedSignatureInput = errors.New("malformed signature-input header")
+var errMalformedSignatureInput = errors.New("malformed signature-input header")
 
 func parseSignatureInput(in string) (*signatureParams, error) {
 	sp := &signatureParams{}
 
 	parts := strings.Split(in, ";")
 	if len(parts) < 1 {
-		return nil, malformedSignatureInput
+		return nil, errMalformedSignatureInput
 	}
 
 	if parts[0][0] != '(' || parts[0][len(parts[0])-1] != ')' {
-		return nil, malformedSignatureInput
+		return nil, errMalformedSignatureInput
 	}
 
 	if len(parts[0]) > 2 { // not empty
@@ -136,7 +135,7 @@ func parseSignatureInput(in string) (*signatureParams, error) {
 	for _, param := range parts[1:] {
 		paramParts := strings.Split(param, "=")
 		if len(paramParts) != 2 {
-			return nil, malformedSignatureInput
+			return nil, errMalformedSignatureInput
 		}
 
 		// TODO: error when not wrapped in quotes
@@ -150,19 +149,19 @@ func parseSignatureInput(in string) (*signatureParams, error) {
 		case "created":
 			i, err := strconv.ParseInt(paramParts[1], 10, 64)
 			if err != nil {
-				return nil, malformedSignatureInput
+				return nil, errMalformedSignatureInput
 			}
 			sp.created = time.Unix(i, 0)
 		case "expires":
 			i, err := strconv.ParseInt(paramParts[1], 10, 64)
 			if err != nil {
-				return nil, malformedSignatureInput
+				return nil, errMalformedSignatureInput
 			}
 			t := time.Unix(i, 0)
 			sp.expires = &t
 		default:
 			// TODO: unknown params could be kept? hard to say.
-			return nil, malformedSignatureInput
+			return nil, errMalformedSignatureInput
 		}
 	}
 

example_test.go

@@ -14,16 +14,16 @@ const secret = "support-your-local-cat-bonnet-store"
 func Example_round_trip() {
 	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "text/plain")
-		io.WriteString(w, "Your request has a valid signature!")
+		_, _ = io.WriteString(w, "Your request has a valid signature!")
 	})
-	
+
 	middleware := httpsig.NewVerifyMiddleware(httpsig.WithHmacSha256("key1", []byte(secret)))
 	http.Handle("/", middleware(h))
-	go func() { http.ListenAndServe("127.0.0.1:1234", http.DefaultServeMux) }()
+	go func() { _ = http.ListenAndServe("127.0.0.1:1234", http.DefaultServeMux) }()
 
 	// Give the server time to sleep. Terrible, I know.
 	time.Sleep(100 * time.Millisecond)
-	
+
 	client := http.Client{
 		// Wrap the transport:
 		Transport: httpsig.NewSignTransport(http.DefaultTransport,

httpsig.go

@@ -122,9 +122,7 @@ func NewVerifyMiddleware(opts ...verifyOption) func(http.Handler) http.Handler {
 		rw.Header().Set("Content-Type", "text/plain")
 		rw.WriteHeader(http.StatusBadRequest)
 
-		rw.Write([]byte("invalid required signature"))
-
-		return
+		_, _ = rw.Write([]byte("invalid required signature"))
 	}
 
 	return func(h http.Handler) http.Handler {

sign.go

@@ -84,8 +84,14 @@ func (s *signer) Sign(msg *message) (http.Header, error) {
 		sps[fmt.Sprintf("sig%d", i)] = sp.canonicalize()
 
 		signer := si.signer()
-		signer.w.Write(b.Bytes())
-		canonicalizeSignatureParams(signer.w, sp)
+		if _, err := signer.w.Write(b.Bytes()); err != nil {
+			return nil, err
+		}
+
+		if err := canonicalizeSignatureParams(signer.w, sp); err != nil {
+			return nil, err
+		}
+
 		sigs[fmt.Sprintf("sig%d", i)] = base64.StdEncoding.EncodeToString(signer.sign())
 
 		i++

standard_test.go

@@ -5,7 +5,6 @@
 package httpsig
 
 import (
-	"crypto/ecdsa"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/base64"
@@ -167,32 +166,33 @@ func TestVerify_B_2_3(t *testing.T) {
 
 func TestVerify_B_2_4(t *testing.T) {
 	t.Skip("not working yet")
-
-	block, _ := pem.Decode([]byte(testKeyECCP256Pub))
-	if block == nil {
-		panic("could not decode test public key pem")
-	}
-
-	pk, err := x509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		panic("could not decode test public key: " + err.Error())
-	}
-
-	v := &verifier{
-		keys: map[string]verHolder{
-			"test-key-ecc-p256": verifyEccP256(pk.(*ecdsa.PublicKey)),
-		},
-
-		nowFunc: func() time.Time { return time.Unix(1618884475, 0) },
-	}
-
-	req := testReq()
-	req.Header.Set("Signature-Input", `sig1=("date" "content-type" "digest" "content-length");created=1618884475;keyid="test-key-ecc-p256"`)
-	req.Header.Set("Signature", `sig1=:3zmRDW6r50/RETqqhtx/N5sdd5eTh8xmHdsrYRK9wK4rCNEwLjCOBlcQxTL2oJTCWGRkuqE2r9KyqZFY9jd+NQ==:`)
-	err = v.Verify(req)
-	if err != nil {
-		t.Error("verification failed:", err)
-	}
+	/*
+		block, _ := pem.Decode([]byte(testKeyECCP256Pub))
+		if block == nil {
+			panic("could not decode test public key pem")
+		}
+
+		pk, err := x509.ParsePKIXPublicKey(block.Bytes)
+		if err != nil {
+			panic("could not decode test public key: " + err.Error())
+		}
+
+		v := &verifier{
+			keys: map[string]verHolder{
+				"test-key-ecc-p256": verifyEccP256(pk.(*ecdsa.PublicKey)),
+			},
+
+			nowFunc: func() time.Time { return time.Unix(1618884475, 0) },
+		}
+
+		req := testReq()
+		req.Header.Set("Signature-Input", `sig1=("date" "content-type" "digest" "content-length");created=1618884475;keyid="test-key-ecc-p256"`)
+		req.Header.Set("Signature", `sig1=:3zmRDW6r50/RETqqhtx/N5sdd5eTh8xmHdsrYRK9wK4rCNEwLjCOBlcQxTL2oJTCWGRkuqE2r9KyqZFY9jd+NQ==:`)
+		err = v.Verify(req)
+		if err != nil {
+			t.Error("verification failed:", err)
+		}
+	*/
 }
 
 func TestVerify_B_2_5(t *testing.T) {
@@ -222,6 +222,8 @@ func TestVerify_B_2_5(t *testing.T) {
 // The following keypairs are taken from the Draft Standard, so we may recreate the examples in tests.
 // If your robot scans this repo and says it's leaking keys I will be mildly amused.
 
+/*
+
 var testKeyRSA = `
 -----BEGIN RSA PRIVATE KEY-----
 MIIEqAIBAAKCAQEAhAKYdtoeoy8zcAcR874L8cnZxKzAGwd7v36APp7Pv6Q2jdsP
@@ -282,6 +284,7 @@ S7Fnk6ZVVVHsxjtaHy1uJGFlaZzKR4AGNaUTOJMs6NadzCmGPAxNQQOCqoUjn4XR
 rOjr9w349JooGXhOxbu8nOxX
 -----END PRIVATE KEY-----
 `
+*/
 
 var testKeyRSAPSSPub = `
 -----BEGIN PUBLIC KEY-----
@@ -295,6 +298,7 @@ aOT9v6d+nb4bnNkQVklLQ3fVAvJm+xdDOp9LCNCN48V2pnDOkFV6+U9nV5oyc6XI
 -----END PUBLIC KEY-----
    `
 
+/*
 var testKeyECCP256 = `
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIFKbhfNZfpDsW43+0+JjUr9K+bTeuxopu653+hBaXGA7oAoGCCqGSM49
@@ -309,5 +313,6 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqIVYZVLCrPZHGHjP17CTW0/+D9Lf
 w0EkjqF7xB4FivAxzic30tMM4GF+hR6Dxh71Z50VGGdldkkDXZCnTNnoXQ==
 -----END PUBLIC KEY-----
 `
+*/
 
 var testSharedSecret = `uzvJfB4u3N0Jy4T7NZ75MDVcr8zSTInedJtkgcu46YW4XByzNJjxBdtjUkdJPBtbmHhIDi6pcl8jsasjlTMtDQ==`

verify.go

@@ -40,19 +40,19 @@ type verifier struct {
 func (v *verifier) Verify(msg *message) error {
 	sigHdr := msg.Header.Get("Signature")
 	if sigHdr == "" {
-		return notSignedError
+		return errNotSigned
 	}
 
 	paramHdr := msg.Header.Get("Signature-Input")
 	if paramHdr == "" {
-		return notSignedError
+		return errNotSigned
 	}
 
 	sigParts := strings.Split(sigHdr, ", ")
 	paramParts := strings.Split(paramHdr, ", ")
 
 	if len(sigParts) != len(paramParts) {
-		return malformedSignatureError
+		return errMalformedSignature
 	}
 
 	// TODO: could be smarter about selecting the sig to verify, eg based
@@ -62,12 +62,12 @@ func (v *verifier) Verify(msg *message) error {
 	for _, p := range paramParts {
 		pParts := strings.SplitN(p, "=", 2)
 		if len(pParts) != 2 {
-			return malformedSignatureError
+			return errMalformedSignature
 		}
 
 		candidate, err := parseSignatureInput(pParts[1])
 		if err != nil {
-			return malformedSignatureError
+			return errMalformedSignature
 		}
 
 		if _, ok := v.keys[candidate.keyID]; ok {
@@ -78,14 +78,14 @@ func (v *verifier) Verify(msg *message) error {
 	}
 
 	if params == nil {
-		return unknownKeyError
+		return errUnknownKey
 	}
 
 	var signature string
 	for _, s := range sigParts {
 		sParts := strings.SplitN(s, "=", 2)
 		if len(sParts) != 2 {
-			return malformedSignatureError
+			return errMalformedSignature
 		}
 
 		if sParts[0] == sigID {
@@ -96,18 +96,18 @@ func (v *verifier) Verify(msg *message) error {
 	}
 
 	if signature == "" {
-		return malformedSignatureError
+		return errMalformedSignature
 	}
 
 	ver := v.keys[params.keyID]
 	if ver.alg != "" && params.alg != "" && ver.alg != params.alg {
-		return algMismatchError
+		return errAlgMismatch
 	}
 
 	// verify signature. if invalid, error
 	sig, err := base64.StdEncoding.DecodeString(signature)
 	if err != nil {
-		return malformedSignatureError
+		return errMalformedSignature
 	}
 
 	verifier := ver.verifier()
@@ -134,17 +134,22 @@ func (v *verifier) Verify(msg *message) error {
 		}
 	}
 
-	verifier.w.Write(b.Bytes())
-	canonicalizeSignatureParams(verifier.w, params)
+	if _, err := verifier.w.Write(b.Bytes()); err != nil {
+		return err
+	}
+
+	if err = canonicalizeSignatureParams(verifier.w, params); err != nil {
+		return err
+	}
 
 	err = verifier.verify(sig)
 	if err != nil {
-		return invalidSignatureError
+		return errInvalidSignature
 	}
 
 	// TODO: could put in some wiggle room
 	if params.expires != nil && params.expires.After(time.Now()) {
-		return signatureExpiredError
+		return errSignatureExpired
 	}
 
 	return nil
@@ -153,12 +158,12 @@ func (v *verifier) Verify(msg *message) error {
 // XXX use vice here too.
 
 var (
-	notSignedError          = errors.New("signature headers not found")
-	malformedSignatureError = errors.New("unable to parse signature headers")
-	unknownKeyError         = errors.New("unknown key id")
-	algMismatchError        = errors.New("algorithm mismatch for key id")
-	signatureExpiredError   = errors.New("signature expired")
-	invalidSignatureError   = errors.New("invalid signature")
+	errNotSigned          = errors.New("signature headers not found")
+	errMalformedSignature = errors.New("unable to parse signature headers")
+	errUnknownKey         = errors.New("unknown key id")
+	errAlgMismatch        = errors.New("algorithm mismatch for key id")
+	errSignatureExpired   = errors.New("signature expired")
+	errInvalidSignature   = errors.New("invalid signature")
 )
 
 // These error checking funcs aren't needed yet, so don't export them
@@ -204,7 +209,7 @@ func verifyEccP256(pk *ecdsa.PublicKey) verHolder {
 					b := h.Sum(nil)
 
 					if !ecdsa.VerifyASN1(pk, b, s) {
-						return invalidSignatureError
+						return errInvalidSignature
 					}
 
 					return nil
@@ -225,7 +230,7 @@ func verifyHmacSha256(secret []byte) verHolder {
 				w: h,
 				verify: func(in []byte) error {
 					if !hmac.Equal(in, h.Sum(nil)) {
-						return invalidSignatureError
+						return errInvalidSignature
 					}
 					return nil
 				},