1 // Generate and verify permission signatures for Keep locators.
3 // See https://dev.arvados.org/projects/arvados/wiki/Keep_locator_format
19 ErrSignatureExpired = errors.New("Signature expired")
20 ErrSignatureInvalid = errors.New("Invalid signature")
21 ErrSignatureMalformed = errors.New("Malformed signature")
22 ErrSignatureMissing = errors.New("Missing signature")
25 // makePermSignature generates a SHA-1 HMAC digest for the given blob,
26 // token, expiry, and site secret.
27 func makePermSignature(blobHash, apiToken, expiry string, permissionSecret []byte) string {
28 hmac := hmac.New(sha1.New, permissionSecret)
29 hmac.Write([]byte(blobHash))
30 hmac.Write([]byte("@"))
31 hmac.Write([]byte(apiToken))
32 hmac.Write([]byte("@"))
33 hmac.Write([]byte(expiry))
34 digest := hmac.Sum(nil)
35 return fmt.Sprintf("%x", digest)
38 // SignLocator returns blobLocator with a permission signature
39 // added. If either permissionSecret or apiToken is empty, blobLocator
40 // is returned untouched.
42 // This function is intended to be used by system components and admin
43 // utilities: userland programs do not know the permissionSecret.
44 func SignLocator(blobLocator, apiToken string, expiry time.Time, permissionSecret []byte) string {
45 if len(permissionSecret) == 0 || apiToken == "" {
48 // Strip off all hints: only the hash is used to sign.
49 blobHash := strings.Split(blobLocator, "+")[0]
50 timestampHex := fmt.Sprintf("%08x", expiry.Unix())
52 "+A" + makePermSignature(blobHash, apiToken, timestampHex, permissionSecret) +
56 var signedLocatorRe = regexp.MustCompile(`^([[:xdigit:]]{32}).*\+A([[:xdigit:]]{40})@([[:xdigit:]]{8})`)
58 // VerifySignature returns nil if the signature on the signedLocator
59 // can be verified using the given apiToken. Otherwise it returns
60 // either ExpiredError (if the timestamp has expired, which is
61 // something the client could have figured out independently) or
64 // This function is intended to be used by system components and admin
65 // utilities: userland programs do not know the permissionSecret.
66 func VerifySignature(signedLocator, apiToken string, permissionSecret []byte) error {
67 matches := signedLocatorRe.FindStringSubmatch(signedLocator)
69 return ErrSignatureMissing
71 blobHash := matches[1]
74 if expTime, err := parseHexTimestamp(expHex); err != nil {
75 return ErrSignatureMalformed
76 } else if expTime.Before(time.Now()) {
77 return ErrSignatureExpired
79 if sigHex != makePermSignature(blobHash, apiToken, expHex, permissionSecret) {
80 return ErrSignatureInvalid
85 func parseHexTimestamp(timestampHex string) (ts time.Time, err error) {
86 if tsInt, e := strconv.ParseInt(timestampHex, 16, 0); e == nil {
87 ts = time.Unix(tsInt, 0)