Breaking change: keyid is optional, now in SignConfig/VerifyConfig

yaronf · Jun 9, 2024 · 542e0a2 · 542e0a2
1 parent 5e2c5d8
commit 542e0a2
Show file tree

Hide file tree

Showing 13 changed files with 216 additions and 297 deletions.
diff --git a/client_test.go b/client_test.go
@@ -36,7 +36,7 @@ func TestClient_Get(t *testing.T) {
 			fields: fields{
 				sigName: "sig1",
 				signer: func() *Signer {
-					signer, _ := NewHMACSHA256Signer("key1", bytes.Repeat([]byte{1}, 64), NewSignConfig(), Headers("@method"))
+					signer, _ := NewHMACSHA256Signer(bytes.Repeat([]byte{1}, 64), NewSignConfig().SetKeyID("key1"), Headers("@method"))
 					return signer
 				}(),
 				verifier:      nil,
@@ -54,7 +54,7 @@ func TestClient_Get(t *testing.T) {
 			fields: fields{
 				sigName: "sig1",
 				signer: func() *Signer {
-					signer, _ := NewHMACSHA256Signer("key1", bytes.Repeat([]byte{1}, 64), NewSignConfig(), Headers("@method"))
+					signer, _ := NewHMACSHA256Signer(bytes.Repeat([]byte{1}, 64), NewSignConfig().SetKeyID("key1"), Headers("@method"))
 					return signer
 				}(),
 				verifier:      nil,
@@ -72,7 +72,7 @@ func TestClient_Get(t *testing.T) {
 			fields: fields{
 				sigName: "",
 				signer: func() *Signer {
-					signer, _ := NewHMACSHA256Signer("key1", bytes.Repeat([]byte{1}, 64), NewSignConfig(), Headers("@method"))
+					signer, _ := NewHMACSHA256Signer(bytes.Repeat([]byte{1}, 64), NewSignConfig().SetKeyID("key1"), Headers("@method"))
 					return signer
 				}(),
 				verifier:      nil,
@@ -90,7 +90,7 @@ func TestClient_Get(t *testing.T) {
 			fields: fields{
 				sigName: "sig1",
 				signer: func() *Signer {
-					signer, _ := NewHMACSHA256Signer("key1", bytes.Repeat([]byte{1}, 64), NewSignConfig(), Headers("@method"))
+					signer, _ := NewHMACSHA256Signer(bytes.Repeat([]byte{1}, 64), NewSignConfig().SetKeyID("key1"), Headers("@method"))
 					return signer
 				}(),
 				verifier: nil,
@@ -110,12 +110,12 @@ func TestClient_Get(t *testing.T) {
 			fields: fields{
 				sigName: "sig1",
 				signer: func() *Signer {
-					signer, _ := NewHMACSHA256Signer("key1", bytes.Repeat([]byte{1}, 64), NewSignConfig(), Headers("@method"))
+					signer, _ := NewHMACSHA256Signer(bytes.Repeat([]byte{1}, 64), NewSignConfig().SetKeyID("key1"), Headers("@method"))
 					return signer
 				}(),
 				verifier: nil,
 				fetchVerifier: func(res *http.Response, req *http.Request) (sigName string, verifier *Verifier) {
-					verifier, _ = NewHMACSHA256Verifier("key1", bytes.Repeat([]byte{2}, 64), NewVerifyConfig(), Headers("@method"))
+					verifier, _ = NewHMACSHA256Verifier(bytes.Repeat([]byte{2}, 64), NewVerifyConfig(), Headers("@method"))
 					return "name", verifier
 				},
 				Client: *http.DefaultClient,
@@ -196,7 +196,7 @@ func TestClient_Head(t *testing.T) {
 			fields: fields{
 				sigName: "sig1",
 				signer: func() *Signer {
-					signer, _ := NewHMACSHA256Signer("key1", bytes.Repeat([]byte{1}, 64), NewSignConfig(),
+					signer, _ := NewHMACSHA256Signer(bytes.Repeat([]byte{1}, 64), NewSignConfig().SetKeyID("key1"),
 						Headers("@method"))
 					return signer
 				}(),

diff --git a/clientex_test.go b/clientex_test.go
@@ -30,8 +30,8 @@ func ExampleClient_Get() {
 	// Client code starts here
 	// Create a signer and a wrapped HTTP client (we set SignCreated to false to make the response deterministic,
 	// don't do that in production.)
-	signer, _ := httpsign.NewHMACSHA256Signer("key1", bytes.Repeat([]byte{1}, 64),
-		httpsign.NewSignConfig().SignCreated(false), httpsign.Headers("@method"))
+	signer, _ := httpsign.NewHMACSHA256Signer(bytes.Repeat([]byte{1}, 64),
+		httpsign.NewSignConfig().SignCreated(false).SetKeyID("key1"), httpsign.Headers("@method"))
 	client := httpsign.NewDefaultClient(httpsign.NewClientConfig().SetSignatureName("sig22").SetSigner(signer)) // sign, don't verify
 
 	// Send an HTTP GET, get response -- signing and verification happen behind the scenes
@@ -107,8 +107,8 @@ func TestClientUsage(t *testing.T) {
 
 	// Client code starts here
 	// Create a signer and a wrapped HTTP client
-	signer, _ := httpsign.NewRSAPSSSigner("key1", *prvKey,
-		httpsign.NewSignConfig(),
+	signer, _ := httpsign.NewRSAPSSSigner(*prvKey,
+		httpsign.NewSignConfig().SetKeyID("key1"),
 		httpsign.Headers("@request-target", "content-digest")) // The Content-Digest header will be auto-generated
 	client := httpsign.NewDefaultClient(httpsign.NewClientConfig().SetSignatureName("sig1").SetSigner(signer)) // sign requests, don't verify responses
 

diff --git a/config.go b/config.go
@@ -16,6 +16,7 @@ type SignConfig struct {
 	expires     int64
 	nonce       string
 	tag         string
+	keyID       *string
 }
 
 // NewSignConfig generates a default configuration.
@@ -27,6 +28,7 @@ func NewSignConfig() *SignConfig {
 		expires:     0,
 		nonce:       "",
 		tag:         "", // we disallow an empty tag
+		keyID:       nil,
 	}
 }
 
@@ -70,14 +72,20 @@ func (c *SignConfig) SetTag(tag string) *SignConfig {
 	return c
 }
 
+// SetKeyID configures a keyid value that will be included as a signature parameter.
+func (c *SignConfig) SetKeyID(keyID string) *SignConfig {
+	c.keyID = &keyID
+	return c
+}
+
 // VerifyConfig contains additional configuration for the verifier.
 type VerifyConfig struct {
 	verifyCreated bool
 	notNewerThan  time.Duration
 	notOlderThan  time.Duration
 	allowedAlgs   []string
 	rejectExpired bool
-	verifyKeyID   bool
+	keyID         *string
 	dateWithin    time.Duration
 	allowedTags   []string
 }
@@ -118,11 +126,11 @@ func (v *VerifyConfig) SetAllowedAlgs(allowedAlgs []string) *VerifyConfig {
 	return v
 }
 
-// SetVerifyKeyID defines how to verify the keyid parameter, if one exists. If this value is set,
-// the signature verifies only if the value is the same as was specified in the Verifier structure.
-// Default: true.
-func (v *VerifyConfig) SetVerifyKeyID(verify bool) *VerifyConfig {
-	v.verifyKeyID = verify
+// SetKeyID defines how to verify the keyid parameter, if one exists. If this value is a non-nil string,
+// the signature verifies only if the value is the same as was specified here.
+// Default: nil.
+func (v *VerifyConfig) SetKeyID(keyID string) *VerifyConfig {
+	v.keyID = &keyID
 	return v
 }
 
@@ -150,7 +158,7 @@ func NewVerifyConfig() *VerifyConfig {
 		notOlderThan:  10 * time.Second,
 		rejectExpired: true,
 		allowedAlgs:   []string{},
-		verifyKeyID:   true,
+		keyID:         nil,
 		dateWithin:    0,   // meaning no constraint
 		allowedTags:   nil, // no constraint
 	}