verisig

package module
v0.0.0-...-60d1435 Latest
Warning

This package is not in the latest version of its module.

Published: Aug 31, 2025 License: AGPL-3.0 Imports: 16 Imported by: 0

README

verisig

verisig is a Go library that makes it easy to add a Mastodon/ActivityPub-compatible HTTP signature to any HTTP request, and to verify the signature of a request originating from an ActivityPub server.

Usage


Signing requests

package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
	// ...

	"github.com/MatejLach/verisig"
)

func main() {
	// ...
	// req is the outgoing request you want to sign
	// server is, e.g., an example ActivityPub server you're making the request to
	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/user/me", server.URL), nil)
	if err != nil {
		// error handling
	}

	// public key ID of the Actor authoring the outgoing request
	keyID, err := url.Parse("http://127.0.0.1:45243/user/me#main-key")
	if err != nil {
		// error handling
	}
	
	// private key of the Actor authoring the outgoing request, in PEM format
	privKeyPEM := "-----BEGIN RSA PRIVATE KEY----- ...  -----END RSA PRIVATE KEY-----"

	// sign req
	err = verisig.SignRequest(context.Background(), req, keyID, privKeyPEM)
	if err != nil {
		// error handling
	}
}

Verifying requests

package main

import (
	"context"
	// ...

	"github.com/MatejLach/verisig"
)

func main() {
	// ...
	// req is the incoming request whose signature you want to verify
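	// "" means the author's public key is fetched over HTTP; 12 is the maximum request age in hours
	reqSignatureIsValid, err := verisig.ReqHasValidSignature(context.Background(), req, "", 12)
	if err != nil {
		// error handling
	}
	if !reqSignatureIsValid {
		// reject the request
	}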
}

See the test suite for a more complete example.

Contributing

Pull requests and bug reports are welcome.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ReqHasValidSignature

func ReqHasValidSignature(ctx context.Context, req *http.Request, reqAuthorPubKeyPem string, maxReqHoursOld int) (bool, error)

ReqHasValidSignature validates the signature of POST requests by default. reqAuthorPubKeyPem can optionally be set to the public key (RSA-SHA256, PEM format) of the actor sending the request; if it is empty, the key is fetched using http.Get. maxReqHoursOld is the maximum number of hours that can pass since a request was first made for it to still be considered valid.

func SignRequest

func SignRequest(ctx context.Context, req *http.Request, keyId *url.URL, privateKeyPem string) error

Types

This section is empty.
