1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: Apache-2.0
5 // Generate and verify permission signatures for Keep locators.
7 // See https://dev.arvados.org/projects/arvados/wiki/Keep_locator_format
23 // ErrSignatureExpired - a signature was rejected because the
24 // expiry time has passed.
25 ErrSignatureExpired = errors.New("Signature expired")
26 // ErrSignatureInvalid - a signature was rejected because it
27 // was badly formatted or did not match the given secret key.
28 ErrSignatureInvalid = errors.New("Invalid signature")
29 // ErrSignatureMissing - the given locator does not have a
31 ErrSignatureMissing = errors.New("Missing signature")
34 // makePermSignature generates a SHA-1 HMAC digest for the given blob,
35 // token, expiry, and site secret.
36 func makePermSignature(blobHash, apiToken, expiry, blobSignatureTTL string, permissionSecret []byte) string {
37 hmac := hmac.New(sha1.New, permissionSecret)
38 hmac.Write([]byte(blobHash))
39 hmac.Write([]byte("@"))
40 hmac.Write([]byte(apiToken))
41 hmac.Write([]byte("@"))
42 hmac.Write([]byte(expiry))
43 hmac.Write([]byte("@"))
44 hmac.Write([]byte(blobSignatureTTL))
45 digest := hmac.Sum(nil)
46 return fmt.Sprintf("%x", digest)
49 // SignLocator returns blobLocator with a permission signature
50 // added. If either permissionSecret or apiToken is empty, blobLocator
51 // is returned untouched.
53 // This function is intended to be used by system components and admin
54 // utilities: userland programs do not know the permissionSecret.
55 func SignLocator(blobLocator, apiToken string, expiry time.Time, blobSignatureTTL time.Duration, permissionSecret []byte) string {
56 if len(permissionSecret) == 0 || apiToken == "" {
59 // Strip off all hints: only the hash is used to sign.
60 blobHash := strings.Split(blobLocator, "+")[0]
61 timestampHex := fmt.Sprintf("%08x", expiry.Unix())
62 blobSignatureTTLHex := strconv.FormatInt(int64(blobSignatureTTL.Seconds()), 16)
64 "+A" + makePermSignature(blobHash, apiToken, timestampHex, blobSignatureTTLHex, permissionSecret) +
68 var signedLocatorRe = regexp.MustCompile(`^([[:xdigit:]]{32}).*\+A([[:xdigit:]]{40})@([[:xdigit:]]{8})`)
70 // VerifySignature returns nil if the signature on the signedLocator
71 // can be verified using the given apiToken. Otherwise it returns
72 // ErrSignatureExpired (if the signature's expiry time has passed,
73 // which is something the client could have figured out
74 // independently), ErrSignatureMissing (if there is no signature hint
75 // at all), or ErrSignatureInvalid (if the signature is present but
76 // badly formatted or incorrect).
78 // This function is intended to be used by system components and admin
79 // utilities: userland programs do not know the permissionSecret.
80 func VerifySignature(signedLocator, apiToken string, blobSignatureTTL time.Duration, permissionSecret []byte) error {
81 matches := signedLocatorRe.FindStringSubmatch(signedLocator)
83 return ErrSignatureMissing
85 blobHash := matches[1]
86 signatureHex := matches[2]
87 expiryHex := matches[3]
88 if expiryTime, err := parseHexTimestamp(expiryHex); err != nil {
89 return ErrSignatureInvalid
90 } else if expiryTime.Before(time.Now()) {
91 return ErrSignatureExpired
93 blobSignatureTTLHex := strconv.FormatInt(int64(blobSignatureTTL.Seconds()), 16)
94 if signatureHex != makePermSignature(blobHash, apiToken, expiryHex, blobSignatureTTLHex, permissionSecret) {
95 return ErrSignatureInvalid
100 func parseHexTimestamp(timestampHex string) (ts time.Time, err error) {
101 if tsInt, e := strconv.ParseInt(timestampHex, 16, 0); e == nil {
102 ts = time.Unix(tsInt, 0)
projects / arvados.git / blob