0.0.14

junkurihara · Mar 14, 2024 · ef08298 · ef08298
1 parent 9271d82
commit ef08298
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 2 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -4,7 +4,7 @@ resolver = "2"
 
 [workspace.package]
 edition = "2021"
-version = "0.0.13"
+version = "0.0.14"
 authors = ["Jun Kurihara"]
 homepage = "https://github.com/junkurihara/httpsig-rs"
 repository = "https://github.com/junkurihara/httpsig-rs"

diff --git a/httpsig-hyper/Cargo.toml b/httpsig-hyper/Cargo.toml
@@ -13,7 +13,7 @@ rust-version.workspace = true
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-httpsig = { path = "../httpsig", version = "0.0.13" }
+httpsig = { path = "../httpsig", version = "0.0.14" }
 
 thiserror = { version = "1.0.58" }
 tracing = { version = "0.1.40" }

diff --git a/httpsig-hyper/src/hyper_http.rs b/httpsig-hyper/src/hyper_http.rs
@@ -512,6 +512,23 @@ MCowBQYDK2VwAyEA1ixMQcxO46PLlgQfYS46ivFd+n0CcDHSKUnuhm3i1O0=
     assert!(verification_res.is_ok());
   }
 
+  #[tokio::test]
+  async fn test_expired_signature() {
+    let mut req = build_request().await;
+    let secret_key = SecretKey::from_pem(EDDSA_SECRET_KEY).unwrap();
+    let mut signature_params = HttpSignatureParams::try_new(&build_covered_components()).unwrap();
+    signature_params.set_key_info(&secret_key);
+    let created = signature_params.created.unwrap();
+    signature_params.set_expires(created - 1);
+    assert!(signature_params.is_expired());
+
+    req.set_message_signature(&signature_params, &secret_key, None).await.unwrap();
+
+    let public_key = PublicKey::from_pem(EDDSA_PUBLIC_KEY).unwrap();
+    let verification_res = req.verify_message_signature(&public_key, None).await;
+    assert!(verification_res.is_err());
+  }
+
   #[tokio::test]
   async fn test_set_verify_with_signature_name() {
     let mut req = build_request().await;

diff --git a/httpsig/src/error.rs b/httpsig/src/error.rs
@@ -53,6 +53,10 @@ pub enum HttpSigError {
   #[error("Failed to build signature base: {0}")]
   BuildSignatureBaseError(String),
 
+  /// Expired signature params
+  #[error("Expired signature params: {0}")]
+  ExpiredSignatureParams(String),
+
   /* ----- Other errors ----- */
   /// NotYetImplemented
   #[error("Not yet implemented: {0}")]

diff --git a/httpsig/src/signature_base.rs b/httpsig/src/signature_base.rs
@@ -197,6 +197,11 @@ impl HttpSignatureBase {
     verifying_key: &impl VerifyingKey,
     signature_headers: &HttpSignatureHeaders,
   ) -> HttpSigResult<()> {
+    if signature_headers.signature_params().is_expired() {
+      return Err(HttpSigError::ExpiredSignatureParams(
+        "Signature params is expired".to_string(),
+      ));
+    }
     let signature_bytes = signature_headers.signature.0.as_slice();
     verifying_key.verify(&self.as_bytes(), signature_bytes)
   }

diff --git a/httpsig/src/signature_params.rs b/httpsig/src/signature_params.rs
@@ -108,6 +108,16 @@ impl HttpSignatureParams {
     self.expires = Some(self.created.unwrap() + duration_secs);
     self
   }
+
+  /// Check if the signature params is expired if `exp` field is present.
+  /// If `exp` field is not present, it always returns false.
+  pub fn is_expired(&self) -> bool {
+    if let Some(exp) = self.expires {
+      exp < SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs()
+    } else {
+      false
+    }
+  }
 }
 
 impl std::fmt::Display for HttpSignatureParams {
@@ -263,6 +273,11 @@ MCowBQYDK2VwAyEA1ixMQcxO46PLlgQfYS46ivFd+n0CcDHSKUnuhm3i1O0=
     params.set_expires_with_duration(Some(100));
     assert!(params.expires.is_some());
     assert_eq!(params.expires.unwrap(), params.created.unwrap() + 100);
+    assert!(!params.is_expired());
+
+    let created = params.created.unwrap();
+    params.set_expires(created - 1);
+    assert!(params.is_expired());
   }
 
   #[test]