orchestracities / boost

BOOST4.0 EIDS FIWARE CIM Connector
MIT License

Realize Signature process with all relevant headers #8

Closed gboege closed 4 years ago

gboege commented 4 years ago

Text from IDS Communication Guide

b) The second, more secure option is to not only add the IDS header part from the multipart messages as an additional header to the original HTTP request, but also a signature following the W3C specification for signing HTTP messages (https://tools.ietf.org/html/draft-cavage-http-signatures-11 - section 2) (the content of the header-Header matches the example from 4.4.2 2. QueryMessage):

A digital signature helps to ensure that the message was not tampered with during transit. It calculates a signature from a constructed string following a defined schema.

It covers the HTTP message headers, in sequence, named in the (exemplary) additional headers-HTTP-Header, and also the message payload if available. The procedure for constructing the concatenated signature string is described here (https://tools.ietf.org/html/draft-cavage-http-signatures-11 - section 2.3). The creation of a signature is described here (https://tools.ietf.org/html/draft-cavage-http-signatures-11 - section 2.4) and the verification of a signature is described here (https://tools.ietf.org/html/draft-cavage-http-signatures-11 - section 2.5).

The created-HTTP-Header expresses when the signature was created. The value of the keyId-HTTP-Header provides an opaque string that the server can use to look up the component it needs to validate the signature; what that component is depends on the content of the algorithm-HTTP-Header, which describes the algorithm used to create the signature.

[Figure: DemoCall plus header signature]

The final signature string is then added as the value to the signature-HTTP-Header.
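A worked illustration of the section 2.3 to 2.5 steps quoted above, added here as an example; it is not code from the boost connector or from the guide. It assumes an HMAC-SHA256 shared key (the draft's `hs2019` leaves the algorithm to the key that `keyId` resolves) and covers the `(request-target)` and `(created)` pseudo-headers plus the `header` and `digest` HTTP headers:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"net/http"
	"strconv"
	"strings"
)

// Section 2.3: one "<lowercase name>: <value>" line per entry, joined by "\n"; the pseudo-headers are derived.
func signingString(r *http.Request, headers []string, created int64) string {
	var lines []string
	for _, h := range headers {
		name, v := strings.ToLower(h), strings.TrimSpace(r.Header.Get(h))
		switch name {
		case "(request-target)":
			v = strings.ToLower(r.Method) + " " + r.URL.RequestURI()
		case "(created)":
			v = strconv.FormatInt(created, 10)
		}
		lines = append(lines, name+": "+v)
	}
	return strings.Join(lines, "\n")
}

// Section 2.4: returns the Signature header value. HMAC-SHA256 is an assumption made for this example.
func Sign(r *http.Request, keyID string, key []byte, headers []string, created int64) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingString(r, headers, created)))
	sig := base64.StdEncoding.EncodeToString(mac.Sum(nil))
	return `keyId="` + keyID + `",algorithm="hs2019",created=` + strconv.FormatInt(created, 10) +
		`,headers="` + strings.Join(headers, " ") + `",signature="` + sig + `"`
}

// Section 2.5: parse the parameters, rebuild the string from the request as received, compare in constant time.
func Verify(r *http.Request, key []byte, sigHeader string) bool {
	p := map[string]string{}
	for _, kv := range strings.Split(sigHeader, ",") {
		if i := strings.Index(kv, "="); i > 0 {
			p[strings.TrimSpace(kv[:i])] = strings.Trim(kv[i+1:], `"`)
		}
	}
	created, _ := strconv.ParseInt(p["created"], 10, 64)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingString(r, strings.Fields(p["headers"]), created)))
	want := base64.StdEncoding.EncodeToString(mac.Sum(nil))
	return hmac.Equal([]byte(want), []byte(p["signature"]))
}
```

Because the `header` value is part of the signed string, any change to the IDS header part after signing makes `Verify` return false; a real deployment would resolve `keyId` to the connector's public key and check `created` against a freshness window.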

gboege commented 4 years ago

I have just stumbled upon the Go libs for HTTP Signatures:

- https://github.com/99designs/httpsignatures-go
- https://github.com/spacemonkeygo/httpsig
- https://github.com/go-fed/httpsig
- https://github.com/manifoldco/go-signature
- https://github.com/KyberNetwork/httpsign-utils

Maybe it helps for inspiration

c0c0n3 commented 4 years ago

@gboege how much of this is still current?

gboege commented 4 years ago

The question of HTTP Signatures is currently off the table.