Merge pull request #265 from Moopli/update-httpsig

fix: http signature should sign @method and @target-uri instead of @request-target
trustbloc · Jul 19, 2022 · 12fd8f7 · 12fd8f7
2 parents 46d5e2c + 0a9950b
commit 12fd8f7
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/spi/gnap/proof/httpsig/signer.go b/spi/gnap/proof/httpsig/signer.go
@@ -39,7 +39,7 @@ func (s *Signer) Sign(request *http.Request, requestBody []byte) (*http.Request,
 func Sign(req *http.Request, bodyBytes []byte, signingKey *jwk.JWK, digestName string) (*http.Request, error) {
 	conf := httpsign.NewSignConfig().SignAlg(false)
 
-	fields := httpsign.Headers("@request-target")
+	fields := httpsign.Headers("@method", "@target-uri")
 
 	if len(bodyBytes) > 0 {
 		body := ioutil.NopCloser(bytes.NewBuffer(bodyBytes))

diff --git a/spi/gnap/proof/httpsig/verifier.go b/spi/gnap/proof/httpsig/verifier.go
@@ -31,7 +31,7 @@ func NewVerifier(req *http.Request) *Verifier {
 func (v *Verifier) Verify(key *gnap.ClientKey) error {
 	verKey := key.JWK
 
-	fields := httpsign.Headers("@request-target")
+	fields := httpsign.Headers("@method", "@target-uri")
 
 	if v.req.Header.Get("Authorization") != "" {
 		fields.AddHeader("Authorization")