Add Support for Signature Validation via HTTP Header #25
Labels: enhancement (New feature or request)
tsconn23 changed the title from "Add Support for Signature via HTTP Header" to "Add Support for Signature Validation via HTTP Header" on Nov 18, 2021
husseinfakharany added a commit to husseinfakharany/alvarium-sdk-go that referenced this issue on Feb 7, 2022:

* Implement HTTP PKI annotator
* Implement HTTP request parser
* Implement related unit tests
* Made VerifySignature and DeriveHash public and updated their uses

Fix project-alvarium#25

Signed-off-by: husseinfakharany <fakharany.hussein@gmail.com>
husseinfakharany added further commits with the same message to husseinfakharany/alvarium-sdk-go that referenced this issue on Feb 9, Feb 10, Feb 13, Feb 16 and Feb 17, 2022.
tsconn23 pushed a commit that referenced this issue on Feb 18, 2022:

* Implement HTTP PKI annotator
* Implement HTTP request parser
* Implement related unit tests
* Made VerifySignature and DeriveHash public and updated their uses

Fix #25

Signed-off-by: husseinfakharany <fakharany.hussein@gmail.com>
This was referenced Mar 15, 2022
For context, see comment here: `alvarium-sdk-go/internal/annotators/pki.go`, line 67 in 884bf5e.

Essentially, our current PKI annotator has some constraints in that incoming data must support unmarshaling via JSON to a type that has a `Signature` property. This eliminates our ability to annotate data that is not in JSON format or otherwise does not provide the necessary property. We need to leverage a means independent of the data payload for this capability and so I propose looking for some way to leverage the means of transport.

The following IETF draft proposes using HTTP headers to support signature validation.
https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html

Assuming the relevant `Signature` and `Signature-Input` headers are present, in an HTTP context the Request can be passed into the annotator which would obtain the values and run the verification. Using headers would also possibly provide insight toward a relevant abstraction for a similar means of verification in pub-sub scenarios where message headers are available.
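A sketch of the header-based verification proposed above, added here as an illustration (it is not part of the issue or of alvarium-sdk-go): it rebuilds the signature base named by `Signature-Input` and checks the `Signature` value with Ed25519, so the payload never has to be JSON. The function names, the `sig1` label, the `demo` key id and the all-zero-seed key are assumptions, and only the `@method` component and plain header fields are handled.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// member returns label's value from a dictionary-style header (naive comma split).
func member(h, label string) string {
	for _, m := range strings.Split(h, ",") {
		if m = strings.TrimSpace(m); strings.HasPrefix(m, label+"=") {
			return m[len(label)+1:]
		}
	}
	return ""
}

// signatureBase rebuilds the signed string for params such as ("@method" "content-type");keyid="k".
func signatureBase(r *http.Request, params string) string {
	var b strings.Builder
	list, _, _ := strings.Cut(strings.TrimPrefix(params, "("), ")")
	for _, c := range strings.Fields(list) {
		name, val := strings.Trim(c, `"`), r.Method
		if name != "@method" {
			val = r.Header.Get(name)
		}
		fmt.Fprintf(&b, "\"%s\": %s\n", name, val)
	}
	return b.String() + `"@signature-params": ` + params
}

// VerifyHeaderSignature (hypothetical name) checks label's signature from headers alone.
func VerifyHeaderSignature(r *http.Request, label string, pub ed25519.PublicKey) bool {
	params := member(r.Header.Get("Signature-Input"), label)
	sig, err := base64.StdEncoding.DecodeString(strings.Trim(member(r.Header.Get("Signature"), label), ":"))
	return params != "" && err == nil && ed25519.Verify(pub, []byte(signatureBase(r, params)), sig)
}

func sample() (*http.Request, string, ed25519.PublicKey) { // constructed request and test key
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	r := &http.Request{Method: "POST", Header: http.Header{"Content-Type": {"text/csv"}}}
	r.Header.Set("Signature-Input", `sig1=("@method" "content-type");keyid="demo"`)
	sig := ed25519.Sign(priv, []byte(signatureBase(r, member(r.Header.Get("Signature-Input"), "sig1"))))
	r.Header.Set("Signature", "sig1=:"+base64.StdEncoding.EncodeToString(sig)+":")
	return r, "sig1", priv.Public().(ed25519.PublicKey)
}
func main() { fmt.Println(VerifyHeaderSignature(sample())) }
```

A production verifier also has to enforce which components must be covered and check parameters such as `created`; this sketch accepts whatever component list the sender declares.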