Merge pull request #6 from lestrrat-go/validate-expires

Refactor, add validation for expires

Author: lestrrat

htmsig.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/lestrrat-go/dsig"
 	"github.com/lestrrat-go/htmsig/component"
@@ -35,6 +36,7 @@ type KeyResolver interface {
 	ResolveKey(keyID string) (any, error)
 }
 
+
 // SignRequest signs an HTTP request using the provided headers.
 // Request information must be provided in context using component.WithRequestInfo.
 func SignRequest(ctx context.Context, headers http.Header, inputValue *input.Value, key any) error {
@@ -311,20 +313,31 @@ func determineAlgorithmFromKey(key any) (string, error) {
 
 // VerifyRequest verifies HTTP request signatures using the provided headers.
 // Request information must be provided in context using component.WithRequestInfo.
-func VerifyRequest(ctx context.Context, headers http.Header, keyOrResolver any) error {
+func VerifyRequest(ctx context.Context, headers http.Header, keyOrResolver any, options ...VerifyOption) error {
 	ctx = component.WithMode(ctx, component.ModeRequest)
-	return verifyWithContext(ctx, headers, keyOrResolver)
+	return verifyWithContext(ctx, headers, keyOrResolver, options...)
 }
 
 // VerifyResponse verifies HTTP response signatures using the provided headers.
 // Response information must be provided in context using component.WithResponseInfo.
-func VerifyResponse(ctx context.Context, headers http.Header, keyOrResolver any) error {
+func VerifyResponse(ctx context.Context, headers http.Header, keyOrResolver any, options ...VerifyOption) error {
 	ctx = component.WithMode(ctx, component.ModeResponse)
-	return verifyWithContext(ctx, headers, keyOrResolver)
+	return verifyWithContext(ctx, headers, keyOrResolver, options...)
 }
 
 // verifyWithContext performs the actual verification using the prepared context and headers.
-func verifyWithContext(ctx context.Context, hdr http.Header, keyOrResolver any) error {
+func verifyWithContext(ctx context.Context, hdr http.Header, keyOrResolver any, options ...VerifyOption) error {
+	// Process options
+	var validateExpires bool
+	var clock Clock = SystemClock{}
+	for _, opt := range options {
+		switch opt.Ident() {
+		case identValidateExpires{}:
+			validateExpires = opt.Value().(bool)
+		case identClock{}:
+			clock = opt.Value().(Clock)
+		}
+	}
 	// Step 1: Parse Signature and Signature-Input fields (RFC 9421 Section 3.2, step 1)
 	signatureInputHeader := hdr.Get(SignatureInputHeader)
 	if signatureInputHeader == "" {
@@ -365,6 +378,13 @@ func verifyWithContext(ctx context.Context, hdr http.Header, keyOrResolver any)
 			return fmt.Errorf("htmsig.Verify: failed to resolve key for label %q: %w", label, err)
 		}
 
+		// Validate signature expiration if configured
+		if validateExpires {
+			if err := validateSignatureExpiration(clock, def); err != nil {
+				return fmt.Errorf("htmsig.Verify: signature expired for label %q: %w", label, err)
+			}
+		}
+
 		// Step 3: Extract the signature value (RFC 9421 Section 3.2, step 3)
 		// The signature must be a byte sequence (RFC 9421 Section 3.2)
 		var signatureBytes []byte
@@ -400,6 +420,24 @@ func verifyWithContext(ctx context.Context, hdr http.Header, keyOrResolver any)
 	return nil
 }
 
+// validateSignatureExpiration validates if a signature has expired based on its expires parameter
+func validateSignatureExpiration(clock Clock, def *input.Definition) error {
+	// Check if the signature has an expires parameter
+	expiresTimestamp, hasExpires := def.Expires()
+	if !hasExpires {
+		return nil // No expiration time set, signature doesn't expire
+	}
+
+	// Check if the signature has expired
+	now := clock.Now()
+	expiresTime := time.Unix(expiresTimestamp, 0)
+	if now.After(expiresTime) {
+		return fmt.Errorf("signature expired at %v (current time: %v)", expiresTime, now)
+	}
+
+	return nil
+}
+
 // resolveKey resolves the cryptographic key for a signature definition
 // keyOrResolver can be either a raw key or a KeyResolver
 func resolveKey(keyOrResolver any, def *input.Definition) (any, error) {

htmsig_test.go

@@ -2,13 +2,19 @@ package htmsig_test
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
+	"time"
 
+	"github.com/lestrrat-go/htmsig"
 	"github.com/lestrrat-go/htmsig/component"
+	"github.com/lestrrat-go/htmsig/input"
+	htmsighttp "github.com/lestrrat-go/htmsig/http"
 	"github.com/stretchr/testify/require"
 )
 
@@ -476,3 +482,104 @@ func TestServerSideTargetURIVsClientSide(t *testing.T) {
 	require.Equal(t, expectedTargetURI, serverSideValue, "Server-side should match RFC")
 	require.Equal(t, clientSideValue, serverSideValue, "Server-side and client-side should match")
 }
+
+func TestSignatureExpirationChecking(t *testing.T) {
+	// Generate RSA key for testing
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	// Create an HTTP request
+	req, err := http.NewRequest("POST", "https://example.com/test", nil)
+	require.NoError(t, err)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Date", "Tue, 20 Apr 2021 02:07:55 GMT")
+
+	// Use a fixed time for deterministic testing
+	fixedTime := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
+	staticClock := htmsighttp.FixedClock(fixedTime)
+
+	// Test cases
+	tests := []struct {
+		name            string
+		expiresOffset   time.Duration // offset from now to set expiration
+		validateExpires bool          // whether to enable expiration validation
+		expectError     bool          // whether verification should fail
+	}{
+		{
+			name:            "Valid signature without expiration",
+			expiresOffset:   0, // no expiration set
+			validateExpires: true,
+			expectError:     false,
+		},
+		{
+			name:            "Valid signature with future expiration",
+			expiresOffset:   time.Hour, // expires in 1 hour from fixed time
+			validateExpires: true,
+			expectError:     false,
+		},
+		{
+			name:            "Expired signature with validation enabled",
+			expiresOffset:   -time.Hour, // expired 1 hour before fixed time
+			validateExpires: true,
+			expectError:     true,
+		},
+		{
+			name:            "Expired signature with validation disabled",
+			expiresOffset:   -time.Hour, // expired 1 hour before fixed time
+			validateExpires: false,
+			expectError:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create signature definition
+			builder := input.NewDefinitionBuilder().
+				Label("test-sig").
+				Components(
+					component.Method(),
+					component.TargetURI(),
+					component.New("content-type"),
+					component.New("date"),
+				).
+				KeyID("test-key-id")
+
+			// Set expiration if specified
+			if tt.expiresOffset != 0 {
+				expiresTime := fixedTime.Add(tt.expiresOffset)
+				builder = builder.ExpiresTime(expiresTime)
+			}
+
+			def, err := builder.Build()
+			require.NoError(t, err)
+
+			// Create input value and sign the request
+			inputValue := input.NewValueBuilder().AddDefinition(def).MustBuild()
+			ctx := component.WithRequestInfoFromHTTP(context.Background(), req)
+			err = htmsig.SignRequest(ctx, req.Header, inputValue, privateKey)
+			require.NoError(t, err)
+
+			// Create key resolver - use StaticKeyResolver since we only have one key
+			keyResolver := htmsighttp.StaticKeyResolver(&privateKey.PublicKey)
+
+			// Create verification options
+			var options []htmsig.VerifyOption
+			if tt.validateExpires {
+				options = append(options, htmsig.WithValidateExpires(true))
+			}
+			options = append(options, htmsig.WithClock(staticClock))
+
+			// Verify the signature
+			ctx = component.WithRequestInfoFromHTTP(context.Background(), req)
+			err = htmsig.VerifyRequest(ctx, req.Header, keyResolver, options...)
+
+			if tt.expectError {
+				require.Error(t, err, "Expected verification to fail for expired signature")
+				require.Contains(t, err.Error(), "signature expired", "Error should mention expiration")
+			} else {
+				require.NoError(t, err, "Expected verification to succeed")
+			}
+		})
+	}
+}
+

http/context.go

@@ -2,15 +2,11 @@ package http
 
 import (
 	"context"
-	"net/http"
 )
 
 // Context key types for storing values in request context
 type verificationErrorKey struct{}
 type signingErrorKey struct{}
-type contextKey string
-
-const errorContextKey contextKey = "htmsig_error"
 
 // WithVerificationError adds a verification error to the context.
 func WithVerificationError(ctx context.Context, err error) context.Context {
@@ -37,12 +33,3 @@ func SigningErrorFromContext(ctx context.Context) error {
 	}
 	return nil
 }
-
-// GetError retrieves the verification error from the request context.
-// This can be used by custom error handlers to access the specific error.
-func GetError(r *http.Request) error {
-	if err, ok := r.Context().Value(errorContextKey).(error); ok {
-		return err
-	}
-	return nil
-}

http/http_test.go

@@ -1,6 +1,9 @@
 package http_test
 
 import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -9,6 +12,7 @@ import (
 
 	"github.com/lestrrat-go/htmsig"
 	"github.com/lestrrat-go/htmsig/component"
+	"github.com/lestrrat-go/htmsig/input"
 	htmsighttp "github.com/lestrrat-go/htmsig/http"
 	"github.com/stretchr/testify/require"
 )
@@ -147,3 +151,52 @@ func TestRoundTrip(t *testing.T) {
 	sig := res.Header.Get(htmsig.SignatureHeader)
 	require.NotEmpty(t, sig, `response should have a signature header`)
 }
+
+func TestHTTPVerifierExpiration(t *testing.T) {
+	// Generate RSA key for testing
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	// Create expired signature
+	req, err := http.NewRequest("GET", "https://example.com/test", nil)
+	require.NoError(t, err)
+	req.Header.Set("Date", "Tue, 20 Apr 2021 02:07:55 GMT")
+
+	// Use a fixed time for deterministic testing
+	fixedTime := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
+	staticClock := htmsighttp.FixedClock(fixedTime)
+
+	// Sign with expiration 1 hour in the past (relative to fixed time)
+	def, err := input.NewDefinitionBuilder().
+		Label("test-sig").
+		Components(component.Method(), component.TargetURI()).
+		KeyID("test-key").
+		ExpiresTime(fixedTime.Add(-time.Hour)).
+		Build()
+	require.NoError(t, err)
+
+	inputValue := input.NewValueBuilder().AddDefinition(def).MustBuild()
+	ctx := component.WithRequestInfoFromHTTP(context.Background(), req)
+	err = htmsig.SignRequest(ctx, req.Header, inputValue, privateKey)
+	require.NoError(t, err)
+
+	keyResolver := htmsighttp.StaticKeyResolver(&privateKey.PublicKey)
+
+	t.Run("HTTP verifier with expiration validation disabled", func(t *testing.T) {
+		verifier := htmsighttp.NewVerifier(keyResolver,
+			htmsighttp.WithValidateExpires(false),
+			htmsighttp.WithClock(staticClock))
+		err := verifier.VerifyRequest(context.Background(), req)
+		require.NoError(t, err, "Should succeed when expiration validation is disabled")
+	})
+
+	t.Run("HTTP verifier with expiration validation enabled", func(t *testing.T) {
+		verifier := htmsighttp.NewVerifier(keyResolver,
+			htmsighttp.WithValidateExpires(true),
+			htmsighttp.WithClock(staticClock))
+		err := verifier.VerifyRequest(context.Background(), req)
+		require.Error(t, err, "Should fail when expiration validation is enabled")
+		require.Contains(t, err.Error(), "signature expired")
+	})
+}
+

http/options.go

@@ -27,6 +27,10 @@ type identVerifierErrorHandler struct{}
 
 func (identVerifierErrorHandler) String() string { return "WithVerifierErrorHandler" }
 
+type identValidateExpires struct{}
+
+func (identValidateExpires) String() string { return "WithValidateExpires" }
+
 type identTransport struct{}
 
 func (identTransport) String() string { return "WithTransport" }
@@ -106,6 +110,12 @@ func WithVerifierErrorHandler(handler http.Handler) VerifierOption {
 	return option.New(identVerifierErrorHandler{}, handler)
 }
 
+// WithValidateExpires configures whether to validate signature expiration times.
+// When enabled, signatures with expired 'expires' parameters will be rejected.
+func WithValidateExpires(validate bool) VerifierOption {
+	return option.New(identValidateExpires{}, validate)
+}
+
 // TransportOption configures a SigningTransport.
 type TransportOption = option.Interface