1 // Generate and verify permission signatures for Keep locators.
3 // See https://dev.arvados.org/projects/arvados/wiki/Keep_locator_format
19 // ErrSignatureExpired - a signature was rejected because the
20 // expiry time has passed.
21 ErrSignatureExpired = errors.New("Signature expired")
22 // ErrSignatureInvalid - a signature was rejected because it
23 // was badly formatted or did not match the given secret key.
24 ErrSignatureInvalid = errors.New("Invalid signature")
25 // ErrSignatureMissing - the given locator does not have a
27 ErrSignatureMissing = errors.New("Missing signature")
30 // makePermSignature generates a SHA-1 HMAC digest for the given blob,
31 // token, expiry, and site secret.
32 func makePermSignature(blobHash, apiToken, expiry, blobSignatureTTL string, permissionSecret []byte) string {
33 hmac := hmac.New(sha1.New, permissionSecret)
34 hmac.Write([]byte(blobHash))
35 hmac.Write([]byte("@"))
36 hmac.Write([]byte(apiToken))
37 hmac.Write([]byte("@"))
38 hmac.Write([]byte(expiry))
39 hmac.Write([]byte("@"))
40 hmac.Write([]byte(blobSignatureTTL))
41 digest := hmac.Sum(nil)
42 return fmt.Sprintf("%x", digest)
45 // SignLocator returns blobLocator with a permission signature
46 // added. If either permissionSecret or apiToken is empty, blobLocator
47 // is returned untouched.
49 // This function is intended to be used by system components and admin
50 // utilities: userland programs do not know the permissionSecret.
51 func SignLocator(blobLocator, apiToken string, expiry time.Time, blobSignatureTTL time.Duration, permissionSecret []byte) string {
52 if len(permissionSecret) == 0 || apiToken == "" {
55 // Strip off all hints: only the hash is used to sign.
56 blobHash := strings.Split(blobLocator, "+")[0]
57 timestampHex := fmt.Sprintf("%08x", expiry.Unix())
58 blobSignatureTTLHex := strconv.FormatInt(int64(blobSignatureTTL.Seconds()), 16)
60 "+A" + makePermSignature(blobHash, apiToken, timestampHex, blobSignatureTTLHex, permissionSecret) +
64 var signedLocatorRe = regexp.MustCompile(`^([[:xdigit:]]{32}).*\+A([[:xdigit:]]{40})@([[:xdigit:]]{8})`)
66 // VerifySignature returns nil if the signature on the signedLocator
67 // can be verified using the given apiToken. Otherwise it returns
68 // ErrSignatureExpired (if the signature's expiry time has passed,
69 // which is something the client could have figured out
70 // independently), ErrSignatureMissing (if there is no signature hint
71 // at all), or ErrSignatureInvalid (if the signature is present but
72 // badly formatted or incorrect).
74 // This function is intended to be used by system components and admin
75 // utilities: userland programs do not know the permissionSecret.
76 func VerifySignature(signedLocator, apiToken string, blobSignatureTTL time.Duration, permissionSecret []byte) error {
77 matches := signedLocatorRe.FindStringSubmatch(signedLocator)
79 return ErrSignatureMissing
81 blobHash := matches[1]
82 signatureHex := matches[2]
83 expiryHex := matches[3]
84 if expiryTime, err := parseHexTimestamp(expiryHex); err != nil {
85 return ErrSignatureInvalid
86 } else if expiryTime.Before(time.Now()) {
87 return ErrSignatureExpired
89 blobSignatureTTLHex := strconv.FormatInt(int64(blobSignatureTTL.Seconds()), 16)
90 if signatureHex != makePermSignature(blobHash, apiToken, expiryHex, blobSignatureTTLHex, permissionSecret) {
91 return ErrSignatureInvalid
96 func parseHexTimestamp(timestampHex string) (ts time.Time, err error) {
97 if tsInt, e := strconv.ParseInt(timestampHex, 16, 0); e == nil {
98 ts = time.Unix(tsInt, 0)
projects / arvados.git / blob