Initial commit

.gitignore

@@ -0,0 +1,2 @@
+userdb
+data

config.ini

@@ -0,0 +1,5 @@
+[general]
+
+baseURL = https://anticristo.ddns.net
+storage = data ; can be relative or absolute path
+userAgent = "Chtorr Fediverse Server"

doc.go

@@ -0,0 +1,6 @@
+// chtorr project doc.go
+
+/*
+chtorr document
+*/
+package main

go.mod

@@ -0,0 +1,24 @@
+module chtorr
+
+go 1.18
+
+require (
+	github.com/gologme/log v1.3.0
+	github.com/peterbourgon/diskv/v3 v3.0.1
+	github.com/writeas/activityserve v0.0.0-20200409150223-d7ab3eaa4481
+)
+
+require (
+	github.com/captncraig/cors v0.0.0-20190703115713-e80254a89df1 // indirect
+	github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5 // indirect
+	github.com/go-fed/httpsig v0.1.1-0.20200204213531-0ef28562fabe // indirect
+	github.com/google/btree v1.0.0 // indirect
+	github.com/gorilla/mux v1.7.4 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/smartystreets/goconvey v1.7.2 // indirect
+	github.com/writeas/go-webfinger v1.1.0 // indirect
+	github.com/writefreely/go-nodeinfo v1.2.0 // indirect
+	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 // indirect
+	golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a // indirect
+	gopkg.in/ini.v1 v1.55.0 // indirect
+)

go.sum

@@ -0,0 +1,42 @@
+github.com/captncraig/cors v0.0.0-20190703115713-e80254a89df1 h1:AFSJaASPGYNbkUa5c8ZybrcW9pP3Cy7+z5dnpcc/qG8=
+github.com/captncraig/cors v0.0.0-20190703115713-e80254a89df1/go.mod h1:EIlIeMufZ8nqdUhnesledB15xLRl4wIJUppwDLPrdrQ=
+github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5 h1:RAV05c0xOkJ3dZGS0JFybxFKZ2WMLabgx3uXnd7rpGs=
+github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
+github.com/go-fed/httpsig v0.1.1-0.20200204213531-0ef28562fabe h1:U71giCx5NjRn4Lb71UuprPHqhjxGv3Jqonb9fgcaJH8=
+github.com/go-fed/httpsig v0.1.1-0.20200204213531-0ef28562fabe/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
+github.com/gologme/log v1.2.0/go.mod h1:gq31gQ8wEHkR+WekdWsqDuf8pXTUZA9BnnzTuPz1Y9U=
+github.com/gologme/log v1.3.0 h1:l781G4dE+pbigClDSDzSaaYKtiueHCILUa/qSDsmHAo=
+github.com/gologme/log v1.3.0/go.mod h1:yKT+DvIPdDdDoPtqFrFxheooyVmoqi0BAsw+erN3wA4=
+github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gorilla/mux v1.7.4 h1:VuZ8uybHlWmqV03+zRzdwKL4tUnIp1MAQtp1mIFE1bc=
+github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/peterbourgon/diskv/v3 v3.0.1 h1:x06SQA46+PKIUftmEujdwSEpIx8kR+M9eLYsUxeYveU=
+github.com/peterbourgon/diskv/v3 v3.0.1/go.mod h1:kJ5Ny7vLdARGU3WUuy6uzO6T0nb/2gWcT1JiBvRmb5o=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/smartystreets/assertions v1.2.0 h1:42S6lae5dvLc7BrLu/0ugRtcFVjoJNMC/N3yZFZkDFs=
+github.com/smartystreets/assertions v1.2.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
+github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hgR6gDIPg=
+github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3Pg9vgXWeJpQFMM=
+github.com/writeas/activityserve v0.0.0-20200409150223-d7ab3eaa4481 h1:BiSivIxLQFcKoUorpNN3rNwwFG5bITPnqUSyIccfdh0=
+github.com/writeas/activityserve v0.0.0-20200409150223-d7ab3eaa4481/go.mod h1:4akDJSl+sSp+QhrQKMqzAqdV1gJ1pPx6XPI77zgMM8o=
+github.com/writeas/go-webfinger v1.1.0 h1:MzNyt0ry/GMsRmJGftn2o9mPwqK1Q5MLdh4VuJCfb1Q=
+github.com/writeas/go-webfinger v1.1.0/go.mod h1:w2VxyRO/J5vfNjJHYVubsjUGHd3RLDoVciz0DE3ApOc=
+github.com/writefreely/go-nodeinfo v1.2.0 h1:La+YbTCvmpTwFhBSlebWDDL81N88Qf/SCAvRLR7F8ss=
+github.com/writefreely/go-nodeinfo v1.2.0/go.mod h1:UTvE78KpcjYOlRHupZIiSEFcXHioTXuacCbHU+CAcPg=
+golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20180525142821-c11f84a56e43/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+gopkg.in/ini.v1 v1.55.0 h1:E8yzL5unfpW3M6fz/eB7Cb5MQAYSZ7GKo4Qth+N2sgQ=
+gopkg.in/ini.v1 v1.55.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=

main.go

@@ -0,0 +1,62 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+
+	"github.com/gologme/log"
+	"github.com/writeas/activityserve"
+)
+
+func init() {
+
+	debugFlag := flag.Bool("debug", true, "set to true to get debugging information in the console")
+	flag.Parse()
+
+	if *debugFlag {
+		log.EnableLevel("info")
+		log.EnableLevel("error")
+	} else {
+		log.DisableLevel("info")
+	}
+
+	activityserve.Setup("config.ini", *debugFlag)
+
+	UserDbInit()
+}
+
+func startActor(a activityserve.Actor) {
+
+	a.OnReceiveContent = func(activity map[string]interface{}) {
+		object := activity["object"].(map[string]interface{})
+		fmt.Println(object["content"].(string))
+	}
+}
+
+func main() {
+
+	var actors []activityserve.Actor
+
+	for acct := range Userdb.Keys(nil) {
+
+		acTemp, _ := activityserve.GetActor(acct, "This is an activityserver test actor", "Service")
+		log.Info("Created actor for user: ", acTemp.Name)
+		actors = append(actors, acTemp)
+		startActor(acTemp)
+
+	}
+
+	for _, ac := range actors {
+
+		ac.Follow("https://bbs.keinpfusch.net/uriel")
+		ac.CreateNote("Hello from: "+ac.Name, "")
+
+	}
+
+	// creating a default listener
+
+	instance, _ := activityserve.GetActor("inbox", "This is an activityserver test actor", "Service")
+	startActor(instance)
+	activityserve.ServeSingleActor(instance)
+
+}

userdb.go

@@ -0,0 +1,47 @@
+package main
+
+import (
+	"crypto/md5"
+	"fmt"
+
+	"github.com/gologme/log"
+	"github.com/peterbourgon/diskv/v3"
+)
+
+var Userdb *diskv.Diskv
+
+func flatTransform(s string) []string {
+
+	t := fmt.Sprintf("%x", md5.Sum([]byte(s)))
+	return []string{t}
+
+}
+
+func UserDbInit() {
+	// Simplest transform function: put all the data files into the base dir.
+	// flatTransform := func(s string) []string { return []string{} }
+
+	// Initialize a new diskv store, rooted at "my-data-dir", with a 1MB cache.
+	Userdb = diskv.New(diskv.Options{
+		BasePath:     "userdb",
+		Transform:    flatTransform,
+		CacheSizeMax: 1024 * 1024,
+	})
+
+	log.Info("Users Database Created")
+
+	if err := Userdb.WriteString("Uriel", "futura password criptata"); err == nil {
+		log.Info("User UserTest Created")
+	} else {
+		log.Info("Error while creating user", err.Error())
+	}
+
+	if err := Userdb.WriteString("Loweel", "futura password criptata"); err == nil {
+		log.Info("User LoweelTest Created")
+	} else {
+		log.Info("Error while creating user", err.Error())
+	}
+
+	log.Info("Users Created")
+
+}

vendor/github.com/captncraig/cors/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Craig Peterson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/github.com/captncraig/cors/README.md

@@ -0,0 +1,53 @@
+
+cors gives you easy control over Cross Origin Resource Sharing for your site.
+
+It allows you to whitelist particular domains per route, or to simply allow all domains `*` If desired you may customize nearly every aspect of the specification.
+
+### Syntax
+
+```
+cors [path] [domains...] {
+	origin            [origin]
+	origin_regexp     [regexp]
+	methods           [methods]
+	allow_credentials [allowCredentials]
+	max_age           [maxAge]
+	allowed_headers   [allowedHeaders]
+	exposed_headers   [exposedHeaders]
+}
+```
+
+*   **path** is the file or directory this applies to (default is /).
+*   **domains** is a space-seperated list of domains to allow. If ommitted, all domains will be granted access.
+*   **origin** is a domain to grant access to. May be specified multiple times or ommitted.
+*   **origin_regexp** is a regexp that will be matched to the `Origin` header. Access will be granted accordingly. It can be used in conjonction with the `origin` config (executed as a fallback to `origin`). May be specified multiple times or ommitted.
+*   **methods** is set of http methods to allow. Default is these: POST,GET,OPTIONS,PUT,DELETE.
+*   **allow_credentials** sets the value of the Access-Control-Allow-Credentials header. Can be true or false. By default, header will not be included.
+*   **max_age** is the length of time in seconds to cache preflight info. Not set by default.
+*   **allowed_headers** is a comma-seperated list of request headers a client may send.
+*   **exposed_headers** is a comma-seperated list of response headers a client may access.
+
+### Examples
+
+Simply allow all domains to request any path:
+
+<code class="block"><span class="hl-directive">cors</span></code>
+
+Protect specific paths only, and only allow a few domains:
+
+<code class="block"><span class="hl-directive">cors</span> <span class="hl-arg">/foo http://mysite.com http://anothertrustedsite.com</span></code>
+
+Full configuration:
+
+```
+cors / {
+  origin            http://allowedSite.com
+  origin            http://anotherSite.org https://anotherSite.org
+  origin_regexp     .+\.example\.com$
+  methods           POST,PUT
+  allow_credentials false
+  max_age           3600
+  allowed_headers   X-Custom-Header,X-Foobar
+  exposed_headers   X-Something-Special,SomethingElse
+}
+```

vendor/github.com/captncraig/cors/cors.go

@@ -0,0 +1,117 @@
+package cors
+
+import (
+	"fmt"
+	"net/http"
+	"regexp"
+)
+
+const (
+	allowOriginKey      string = "Access-Control-Allow-Origin"
+	allowCredentialsKey        = "Access-Control-Allow-Credentials"
+	allowHeadersKey            = "Access-Control-Allow-Headers"
+	allowMethodsKey            = "Access-Control-Allow-Methods"
+	maxAgeKey                  = "Access-Control-Max-Age"
+
+	originKey         = "Origin"
+	varyKey           = "Vary"
+	requestMethodKey  = "Access-Control-Request-Method"
+	requestHeadersKey = "Access-Control-Request-Headers"
+	exposeHeadersKey  = "Access-Control-Expose-Headers"
+	options           = "OPTIONS"
+)
+
+type Config struct {
+	AllowedOrigins   []string
+	OriginRegexps    []*regexp.Regexp
+	AllowedMethods   string
+	AllowedHeaders   string
+	ExposedHeaders   string
+	AllowCredentials *bool
+	MaxAge           int
+}
+
+func Default() *Config {
+	return &Config{
+		AllowedOrigins:   []string{"*"},
+		OriginRegexps:    []*regexp.Regexp{},
+		AllowedMethods:   "POST, GET, OPTIONS, PUT, DELETE",
+		AllowedHeaders:   "",
+		ExposedHeaders:   "",
+		MaxAge:           0,
+		AllowCredentials: nil,
+	}
+}
+
+// Read the request, setting response headers as appropriate.
+// Will NOT write anything to response in any circumstances.
+func (c *Config) HandleRequest(w http.ResponseWriter, r *http.Request) {
+	requestOrigin := r.Header.Get(originKey)
+	if requestOrigin == "" {
+		return
+	}
+
+	//check origin against allowed origins
+	for _, ao := range c.AllowedOrigins {
+		if ao == "*" || ao == requestOrigin {
+			responseOrigin := "*"
+			if ao != "*" {
+				responseOrigin = requestOrigin
+			}
+			addAllowOriginHeader(w, responseOrigin)
+			break
+		}
+	}
+
+	if w.Header().Get(allowOriginKey) == "" {
+		if c.anyOriginRegexpMatch(requestOrigin) {
+			addAllowOriginHeader(w, requestOrigin)
+		} else {
+			return //if we didn't set a valid allow-origin, none of the other headers matter
+		}
+	}
+
+	if IsPreflight(r) {
+		w.Header().Set(allowMethodsKey, c.AllowedMethods)
+		if c.AllowedHeaders != "" {
+			if c.AllowedHeaders != "*" {
+				w.Header().Set(allowHeadersKey, c.AllowedHeaders)
+			} else {
+				w.Header().Set(allowHeadersKey, r.Header.Get(requestHeadersKey))
+			}
+
+		}
+		if c.MaxAge > 0 {
+			w.Header().Set(maxAgeKey, fmt.Sprint(c.MaxAge))
+		}
+	} else {
+		//regular request
+		if c.ExposedHeaders != "" {
+			w.Header().Set(exposeHeadersKey, c.ExposedHeaders)
+		}
+	}
+
+	if c.AllowCredentials != nil {
+		w.Header().Set(allowCredentialsKey, fmt.Sprint(*c.AllowCredentials))
+	}
+
+}
+
+func IsPreflight(r *http.Request) bool {
+	return r.Method == options && r.Header.Get(requestMethodKey) != ""
+}
+
+func addAllowOriginHeader(w http.ResponseWriter, allowedOrigin string) {
+	w.Header().Set(allowOriginKey, allowedOrigin)
+	w.Header().Add(varyKey, originKey)
+}
+
+func (c *Config) anyOriginRegexpMatch(origin string) bool {
+	for _, r := range c.OriginRegexps {
+		if r.MatchString(origin) {
+			return true
+		}
+	}
+
+	return false
+}

vendor/github.com/dchest/uniuri/.travis.yml

@@ -0,0 +1,6 @@
+language: go
+
+go:
+  - 1.3
+  - 1.4
+  - tip

vendor/github.com/dchest/uniuri/COPYING

@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.

vendor/github.com/dchest/uniuri/README.md

@@ -0,0 +1,97 @@
+Package uniuri
+=====================
+
+[![Build Status](https://travis-ci.org/dchest/uniuri.svg)](https://travis-ci.org/dchest/uniuri)
+
+```go
+import "github.com/dchest/uniuri"
+```
+
+Package uniuri generates random strings good for use in URIs to identify
+unique objects.
+
+Example usage:
+
+```go
+s := uniuri.New() // s is now "apHCJBl7L1OmC57n"
+```
+
+A standard string created by New() is 16 bytes in length and consists of
+Latin upper and lowercase letters, and numbers (from the set of 62 allowed
+characters), which means that it has ~95 bits of entropy. To get more
+entropy, you can use NewLen(UUIDLen), which returns 20-byte string, giving
+~119 bits of entropy, or any other desired length.
+
+Functions read from crypto/rand random source, and panic if they fail to
+read from it.
+
+
+Constants
+---------
+
+```go
+const (
+	// StdLen is a standard length of uniuri string to achive ~95 bits of entropy.
+	StdLen = 16
+	// UUIDLen is a length of uniuri string to achive ~119 bits of entropy, closest
+	// to what can be losslessly converted to UUIDv4 (122 bits).
+	UUIDLen = 20
+)
+
+```
+
+
+
+Variables
+---------
+
+```go
+var StdChars = []byte("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
+```
+
+
+StdChars is a set of standard characters allowed in uniuri string.
+
+
+Functions
+---------
+
+### func New
+
+```go
+func New() string
+```
+
+New returns a new random string of the standard length, consisting of
+standard characters.
+
+### func NewLen
+
+```go
+func NewLen(length int) string
+```
+
+NewLen returns a new random string of the provided length, consisting of
+standard characters.
+
+### func NewLenChars
+
+```go
+func NewLenChars(length int, chars []byte) string
+```
+
+NewLenChars returns a new random string of the provided length, consisting
+of the provided byte slice of allowed characters (maximum 256).
+
+
+
+Public domain dedication
+------------------------
+
+Written in 2011-2014 by Dmitry Chestnykh
+
+The author(s) have dedicated all copyright and related and
+neighboring rights to this software to the public domain
+worldwide. Distributed without any warranty.
+http://creativecommons.org/publicdomain/zero/1.0/
+

vendor/github.com/dchest/uniuri/uniuri.go

@@ -0,0 +1,81 @@
+// Written in 2011-2014 by Dmitry Chestnykh
+//
+// The author(s) have dedicated all copyright and related and
+// neighboring rights to this software to the public domain
+// worldwide. Distributed without any warranty.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+// Package uniuri generates random strings good for use in URIs to identify
+// unique objects.
+//
+// Example usage:
+//
+//	s := uniuri.New() // s is now "apHCJBl7L1OmC57n"
+//
+// A standard string created by New() is 16 bytes in length and consists of
+// Latin upper and lowercase letters, and numbers (from the set of 62 allowed
+// characters), which means that it has ~95 bits of entropy. To get more
+// entropy, you can use NewLen(UUIDLen), which returns 20-byte string, giving
+// ~119 bits of entropy, or any other desired length.
+//
+// Functions read from crypto/rand random source, and panic if they fail to
+// read from it.
+package uniuri
+
+import "crypto/rand"
+
+const (
+	// StdLen is a standard length of uniuri string to achive ~95 bits of entropy.
+	StdLen = 16
+	// UUIDLen is a length of uniuri string to achive ~119 bits of entropy, closest
+	// to what can be losslessly converted to UUIDv4 (122 bits).
+	UUIDLen = 20
+)
+
+// StdChars is a set of standard characters allowed in uniuri string.
+var StdChars = []byte("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
+
+// New returns a new random string of the standard length, consisting of
+// standard characters.
+func New() string {
+	return NewLenChars(StdLen, StdChars)
+}
+
+// NewLen returns a new random string of the provided length, consisting of
+// standard characters.
+func NewLen(length int) string {
+	return NewLenChars(length, StdChars)
+}
+
+// NewLenChars returns a new random string of the provided length, consisting
+// of the provided byte slice of allowed characters (maximum 256).
+func NewLenChars(length int, chars []byte) string {
+	if length == 0 {
+		return ""
+	}
+	clen := len(chars)
+	if clen < 2 || clen > 256 {
+		panic("uniuri: wrong charset length for NewLenChars")
+	}
+	maxrb := 255 - (256 % clen)
+	b := make([]byte, length)
+	r := make([]byte, length+(length/4)) // storage for random bytes.
+	i := 0
+	for {
+		if _, err := rand.Read(r); err != nil {
+			panic("uniuri: error reading random bytes: " + err.Error())
+		}
+		for _, rb := range r {
+			c := int(rb)
+			if c > maxrb {
+				// Skip this number to avoid modulo bias.
+				continue
+			}
+			b[i] = chars[c%clen]
+			i++
+			if i == length {
+				return string(b)
+			}
+		}
+	}
+}

vendor/github.com/go-fed/httpsig/LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2018, go-fed
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/go-fed/httpsig/README.md

@@ -0,0 +1,94 @@
+# httpsig
+
+`go get github.com/go-fed/httpsig`
+
+Implementation of [HTTP Signatures](https://tools.ietf.org/html/draft-cavage-http-signatures).
+
+Supports many different combinations of MAC, HMAC signing of hash, or RSA
+signing of hash schemes. Its goals are:
+
+* Have a very simple interface for signing and validating
+* Support a variety of signing algorithms and combinations
+* Support setting either headers (`Authorization` or `Signature`)
+* Remaining flexible with headers included in the signing string
+* Support both HTTP requests and responses
+* Explicitly not support known-cryptographically weak algorithms
+* Support automatic signing and validating Digest headers
+
+## How to use
+
+`import "github.com/go-fed/httpsig"`
+
+### Signing
+
+Signing a request or response requires creating a new `Signer` and using it:
+
+```
+func sign(privateKey crypto.PrivateKey, pubKeyId string, r *http.Request) error {
+	prefs := []httpsig.Algorithm{httpsig.RSA_SHA512, httpsig.RSA_SHA256}
+	digestAlgorithm := DigestSha256
+	// The "Date" and "Digest" headers must already be set on r, as well as r.URL.
+	headersToSign := []string{httpsig.RequestTarget, "date", "digest"}
+	signer, chosenAlgo, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature)
+	if err != nil {
+		return err
+	}
+	// To sign the digest, we need to give the signer a copy of the body...
+	// ...but it is optional, no digest will be signed if given "nil"
+	body := ...
+	// If r were a http.ResponseWriter, call SignResponse instead.
+	return signer.SignRequest(privateKey, pubKeyId, r, body)
+}
+```
+
+`Signer`s are not safe for concurrent use by goroutines, so be sure to guard
+access:
+
+```
+type server struct {
+	signer httpsig.Signer
+	mu *sync.Mutex
+}
+
+func (s *server) handlerFunc(w http.ResponseWriter, r *http.Request) {
+	privateKey := ...
+	pubKeyId := ...
+	// Set headers and such on w
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	// To sign the digest, we need to give the signer a copy of the response body...
+	// ...but it is optional, no digest will be signed if given "nil"
+	body := ...
+	err := s.signer.SignResponse(privateKey, pubKeyId, w, body)
+	if err != nil {
+		...
+	}
+	...
+}
+```
+
+The `pubKeyId` will be used at verification time.
+
+### Verifying
+
+Verifying requires an application to use the `pubKeyId` to both retrieve the key
+needed for verification as well as determine the algorithm to use. Use a
+`Verifier`:
+
+```
+func verify(r *http.Request) error {
+	verifier, err := httpsig.NewVerifier(r)
+	if err != nil {
+		return err
+	}
+	pubKeyId := verifier.KeyId()
+	var algo httpsig.Algorithm = ...
+	var pubKey crypto.PublicKey = ...
+	// The verifier will verify the Digest in addition to the HTTP signature
+	return verifier.Verify(pubKey, algo)
+}
+```
+
+`Verifier`s are not safe for concurrent use by goroutines, but since they are
+constructed on a per-request or per-response basis it should not be a common
+restriction.

vendor/github.com/go-fed/httpsig/algorithms.go

@@ -0,0 +1,370 @@
+package httpsig
+
+import (
+	"crypto"
+	"crypto/hmac"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/subtle" // Use should trigger great care
+	"errors"
+	"fmt"
+	"golang.org/x/crypto/blake2b"
+	"golang.org/x/crypto/blake2s"
+	"golang.org/x/crypto/ripemd160"
+	"golang.org/x/crypto/sha3"
+	"hash"
+	"io"
+	"strings"
+)
+
+const (
+	hmacPrefix        = "hmac"
+	rsaPrefix         = "rsa"
+	md4String         = "md4"
+	md5String         = "md5"
+	sha1String        = "sha1"
+	sha224String      = "sha224"
+	sha256String      = "sha256"
+	sha384String      = "sha384"
+	sha512String      = "sha512"
+	md5sha1String     = "md5sha1"
+	ripemd160String   = "ripemd160"
+	sha3_224String    = "sha3-224"
+	sha3_256String    = "sha3-256"
+	sha3_384String    = "sha3-384"
+	sha3_512String    = "sha3-512"
+	sha512_224String  = "sha512-224"
+	sha512_256String  = "sha512-256"
+	blake2s_256String = "blake2s-256"
+	blake2b_256String = "blake2b-256"
+	blake2b_384String = "blake2b-384"
+	blake2b_512String = "blake2b-512"
+)
+
+var blake2Algorithms = map[crypto.Hash]bool{
+	crypto.BLAKE2s_256: true,
+	crypto.BLAKE2b_256: true,
+	crypto.BLAKE2b_384: true,
+	crypto.BLAKE2b_512: true,
+}
+
+var hashToDef = map[crypto.Hash]struct {
+	name string
+	new  func(key []byte) (hash.Hash, error) // Only MACers will accept a key
+}{
+	// Which standard names these?
+	// The spec lists the following as a canonical reference, which is dead:
+	// http://www.iana.org/assignments/signature-algorithms
+	//
+	// Note that the forbidden hashes have an invalid 'new' function.
+	crypto.MD4:         {md4String, func(key []byte) (hash.Hash, error) { return nil, nil }},
+	crypto.MD5:         {md5String, func(key []byte) (hash.Hash, error) { return nil, nil }},
+	crypto.SHA1:        {sha1String, func(key []byte) (hash.Hash, error) { return nil, nil }},
+	crypto.SHA224:      {sha224String, func(key []byte) (hash.Hash, error) { return sha256.New224(), nil }},
+	crypto.SHA256:      {sha256String, func(key []byte) (hash.Hash, error) { return sha256.New(), nil }},
+	crypto.SHA384:      {sha384String, func(key []byte) (hash.Hash, error) { return sha512.New384(), nil }},
+	crypto.SHA512:      {sha512String, func(key []byte) (hash.Hash, error) { return sha512.New(), nil }},
+	crypto.MD5SHA1:     {md5sha1String, func(key []byte) (hash.Hash, error) { return nil, nil }},
+	crypto.RIPEMD160:   {ripemd160String, func(key []byte) (hash.Hash, error) { return ripemd160.New(), nil }},
+	crypto.SHA3_224:    {sha3_224String, func(key []byte) (hash.Hash, error) { return sha3.New224(), nil }},
+	crypto.SHA3_256:    {sha3_256String, func(key []byte) (hash.Hash, error) { return sha3.New256(), nil }},
+	crypto.SHA3_384:    {sha3_384String, func(key []byte) (hash.Hash, error) { return sha3.New384(), nil }},
+	crypto.SHA3_512:    {sha3_512String, func(key []byte) (hash.Hash, error) { return sha3.New512(), nil }},
+	crypto.SHA512_224:  {sha512_224String, func(key []byte) (hash.Hash, error) { return sha512.New512_224(), nil }},
+	crypto.SHA512_256:  {sha512_256String, func(key []byte) (hash.Hash, error) { return sha512.New512_256(), nil }},
+	crypto.BLAKE2s_256: {blake2s_256String, func(key []byte) (hash.Hash, error) { return blake2s.New256(key) }},
+	crypto.BLAKE2b_256: {blake2b_256String, func(key []byte) (hash.Hash, error) { return blake2b.New256(key) }},
+	crypto.BLAKE2b_384: {blake2b_384String, func(key []byte) (hash.Hash, error) { return blake2b.New384(key) }},
+	crypto.BLAKE2b_512: {blake2b_512String, func(key []byte) (hash.Hash, error) { return blake2b.New512(key) }},
+}
+
+var stringToHash map[string]crypto.Hash
+
+const (
+	defaultAlgorithm        = RSA_SHA256
+	defaultAlgorithmHashing = sha256String
+)
+
+func init() {
+	stringToHash = make(map[string]crypto.Hash, len(hashToDef))
+	for k, v := range hashToDef {
+		stringToHash[v.name] = k
+	}
+	// This should guarantee that at runtime the defaultAlgorithm will not
+	// result in errors when fetching a macer or signer (see algorithms.go)
+	if ok, err := isAvailable(string(defaultAlgorithmHashing)); err != nil {
+		panic(err)
+	} else if !ok {
+		panic(fmt.Sprintf("the default httpsig algorithm is unavailable: %q", defaultAlgorithm))
+	}
+}
+
+func isForbiddenHash(h crypto.Hash) bool {
+	switch h {
+	// Not actually cryptographically secure
+	case crypto.MD4:
+		fallthrough
+	case crypto.MD5:
+		fallthrough
+	case crypto.SHA1:
+		fallthrough
+	case crypto.MD5SHA1: // shorthand for crypto/tls, not actually implemented
+		return true
+	}
+	// Still cryptographically secure
+	return false
+}
+
+// signer is an internally public type.
+type signer interface {
+	Sign(rand io.Reader, p crypto.PrivateKey, sig []byte) ([]byte, error)
+	Verify(pub crypto.PublicKey, toHash, signature []byte) error
+	String() string
+}
+
+// macer is an internally public type.
+type macer interface {
+	Sign(sig, key []byte) ([]byte, error)
+	Equal(sig, actualMAC, key []byte) (bool, error)
+	String() string
+}
+
+var _ macer = &hmacAlgorithm{}
+
+type hmacAlgorithm struct {
+	fn   func(key []byte) (hash.Hash, error)
+	kind crypto.Hash
+}
+
+func (h *hmacAlgorithm) Sign(sig, key []byte) ([]byte, error) {
+	hs, err := h.fn(key)
+	if err = setSig(hs, sig); err != nil {
+		return nil, err
+	}
+	return hs.Sum(nil), nil
+}
+
+func (h *hmacAlgorithm) Equal(sig, actualMAC, key []byte) (bool, error) {
+	hs, err := h.fn(key)
+	if err != nil {
+		return false, err
+	}
+	defer hs.Reset()
+	err = setSig(hs, sig)
+	if err != nil {
+		return false, err
+	}
+	expected := hs.Sum(nil)
+	return hmac.Equal(actualMAC, expected), nil
+}
+
+func (h *hmacAlgorithm) String() string {
+	return fmt.Sprintf("%s-%s", hmacPrefix, hashToDef[h.kind].name)
+}
+
+var _ signer = &rsaAlgorithm{}
+
+type rsaAlgorithm struct {
+	hash.Hash
+	kind crypto.Hash
+}
+
+func (r *rsaAlgorithm) setSig(b []byte) error {
+	n, err := r.Write(b)
+	if err != nil {
+		r.Reset()
+		return err
+	} else if n != len(b) {
+		r.Reset()
+		return fmt.Errorf("could only write %d of %d bytes of signature to hash", n, len(b))
+	}
+	return nil
+}
+
+func (r *rsaAlgorithm) Sign(rand io.Reader, p crypto.PrivateKey, sig []byte) ([]byte, error) {
+	defer r.Reset()
+	if err := r.setSig(sig); err != nil {
+		return nil, err
+	}
+	rsaK, ok := p.(*rsa.PrivateKey)
+	if !ok {
+		return nil, errors.New("crypto.PrivateKey is not *rsa.PrivateKey")
+	}
+	return rsa.SignPKCS1v15(rand, rsaK, r.kind, r.Sum(nil))
+}
+
+func (r *rsaAlgorithm) Verify(pub crypto.PublicKey, toHash, signature []byte) error {
+	defer r.Reset()
+	rsaK, ok := pub.(*rsa.PublicKey)
+	if !ok {
+		return errors.New("crypto.PublicKey is not *rsa.PublicKey")
+	}
+	if err := r.setSig(toHash); err != nil {
+		return err
+	}
+	return rsa.VerifyPKCS1v15(rsaK, r.kind, r.Sum(nil), signature)
+}
+
+func (r *rsaAlgorithm) String() string {
+	return fmt.Sprintf("%s-%s", rsaPrefix, hashToDef[r.kind].name)
+}
+
+var _ macer = &blakeMacAlgorithm{}
+
+type blakeMacAlgorithm struct {
+	fn   func(key []byte) (hash.Hash, error)
+	kind crypto.Hash
+}
+
+func (r *blakeMacAlgorithm) Sign(sig, key []byte) ([]byte, error) {
+	hs, err := r.fn(key)
+	if err != nil {
+		return nil, err
+	}
+	if err = setSig(hs, sig); err != nil {
+		return nil, err
+	}
+	return hs.Sum(nil), nil
+}
+
+func (r *blakeMacAlgorithm) Equal(sig, actualMAC, key []byte) (bool, error) {
+	hs, err := r.fn(key)
+	if err != nil {
+		return false, err
+	}
+	defer hs.Reset()
+	err = setSig(hs, sig)
+	if err != nil {
+		return false, err
+	}
+	expected := hs.Sum(nil)
+	return subtle.ConstantTimeCompare(actualMAC, expected) == 1, nil
+}
+
+func (r *blakeMacAlgorithm) String() string {
+	return fmt.Sprintf("%s", hashToDef[r.kind].name)
+}
+
+func setSig(a hash.Hash, b []byte) error {
+	n, err := a.Write(b)
+	if err != nil {
+		a.Reset()
+		return err
+	} else if n != len(b) {
+		a.Reset()
+		return fmt.Errorf("could only write %d of %d bytes of signature to hash", n, len(b))
+	}
+	return nil
+}
+
+// IsSupportedHttpSigAlgorithm returns true if the string is supported by this
+// library, is not a hash known to be weak, and is supported by the hardware.
+func IsSupportedHttpSigAlgorithm(algo string) bool {
+	a, err := isAvailable(algo)
+	return a && err == nil
+}
+
+// isAvailable is an internally public function
+func isAvailable(algo string) (bool, error) {
+	c, ok := stringToHash[algo]
+	if !ok {
+		return false, fmt.Errorf("no match for %q", algo)
+	}
+	if isForbiddenHash(c) {
+		return false, fmt.Errorf("forbidden hash type in %q", algo)
+	}
+	return c.Available(), nil
+}
+
+func newAlgorithmConstructor(algo string) (fn func(k []byte) (hash.Hash, error), c crypto.Hash, e error) {
+	ok := false
+	c, ok = stringToHash[algo]
+	if !ok {
+		e = fmt.Errorf("no match for %q", algo)
+		return
+	}
+	if isForbiddenHash(c) {
+		e = fmt.Errorf("forbidden hash type in %q", algo)
+		return
+	}
+	algoDef, ok := hashToDef[c]
+	if !ok {
+		e = fmt.Errorf("have crypto.Hash %v but no definition", c)
+		return
+	}
+	fn = func(key []byte) (hash.Hash, error) {
+		h, err := algoDef.new(key)
+		if err != nil {
+			return nil, err
+		}
+		return h, nil
+	}
+	return
+}
+
+func newAlgorithm(algo string, key []byte) (hash.Hash, crypto.Hash, error) {
+	fn, c, err := newAlgorithmConstructor(algo)
+	if err != nil {
+		return nil, c, err
+	}
+	h, err := fn(key)
+	return h, c, err
+}
+
+// signerFromString is an internally public method constructor
+func signerFromString(s string) (signer, error) {
+	s = strings.ToLower(s)
+	if !strings.HasPrefix(s, rsaPrefix) {
+		return nil, fmt.Errorf("no signer matching %q", s)
+	}
+	algo := strings.TrimPrefix(s, rsaPrefix+"-")
+	hash, cHash, err := newAlgorithm(algo, nil)
+	if err != nil {
+		return nil, err
+	}
+	return &rsaAlgorithm{
+		Hash: hash,
+		kind: cHash,
+	}, nil
+}
+
+// macerFromString is an internally public method constructor
+func macerFromString(s string) (macer, error) {
+	s = strings.ToLower(s)
+	if strings.HasPrefix(s, hmacPrefix) {
+		algo := strings.TrimPrefix(s, hmacPrefix+"-")
+		hashFn, cHash, err := newAlgorithmConstructor(algo)
+		if err != nil {
+			return nil, err
+		}
+		// Ensure below does not panic
+		_, err = hashFn(nil)
+		if err != nil {
+			return nil, err
+		}
+		return &hmacAlgorithm{
+			fn: func(key []byte) (hash.Hash, error) {
+				return hmac.New(func() hash.Hash {
+					h, e := hashFn(nil)
+					if e != nil {
+						panic(e)
+					}
+					return h
+				}, key), nil
+			},
+			kind: cHash,
+		}, nil
+	} else if bl, ok := stringToHash[s]; ok && blake2Algorithms[bl] {
+		hashFn, cHash, err := newAlgorithmConstructor(s)
+		if err != nil {
+			return nil, err
+		}
+		return &blakeMacAlgorithm{
+			fn:   hashFn,
+			kind: cHash,
+		}, nil
+	} else {
+		return nil, fmt.Errorf("no MACer matching %q", s)
+	}
+}

vendor/github.com/go-fed/httpsig/digest.go

@@ -0,0 +1,120 @@
+package httpsig
+
+import (
+	"bytes"
+	"crypto"
+	"encoding/base64"
+	"fmt"
+	"hash"
+	"net/http"
+	"strings"
+)
+
+type DigestAlgorithm string
+
+const (
+	DigestSha256 DigestAlgorithm = "SHA-256"
+	DigestSha512                 = "SHA-512"
+)
+
+var digestToDef = map[DigestAlgorithm]crypto.Hash{
+	DigestSha256: crypto.SHA256,
+	DigestSha512: crypto.SHA512,
+}
+
+// IsSupportedDigestAlgorithm returns true if hte string is supported by this
+// library, is not a hash known to be weak, and is supported by the hardware.
+func IsSupportedDigestAlgorithm(algo string) bool {
+	uc := DigestAlgorithm(strings.ToUpper(algo))
+	c, ok := digestToDef[uc]
+	return ok && c.Available()
+}
+
+func getHash(alg DigestAlgorithm) (h hash.Hash, toUse DigestAlgorithm, err error) {
+	upper := DigestAlgorithm(strings.ToUpper(string(alg)))
+	c, ok := digestToDef[upper]
+	if !ok {
+		err = fmt.Errorf("unknown or unsupported Digest algorithm: %s", alg)
+	} else if !c.Available() {
+		err = fmt.Errorf("unavailable Digest algorithm: %s", alg)
+	} else {
+		h = c.New()
+		toUse = upper
+	}
+	return
+}
+
+const (
+	digestHeader = "Digest"
+	digestDelim  = "="
+)
+
+func addDigest(r *http.Request, algo DigestAlgorithm, b []byte) (err error) {
+	_, ok := r.Header[digestHeader]
+	if ok {
+		err = fmt.Errorf("cannot add Digest: Digest is already set")
+		return
+	}
+	var h hash.Hash
+	var a DigestAlgorithm
+	h, a, err = getHash(algo)
+	if err != nil {
+		return
+	}
+	h.Write(b)
+	sum := h.Sum(nil)
+	r.Header.Add(digestHeader,
+		fmt.Sprintf("%s%s%s",
+			a,
+			digestDelim,
+			base64.StdEncoding.EncodeToString(sum[:])))
+	return
+}
+
+func addDigestResponse(r http.ResponseWriter, algo DigestAlgorithm, b []byte) (err error) {
+	_, ok := r.Header()[digestHeader]
+	if ok {
+		err = fmt.Errorf("cannot add Digest: Digest is already set")
+		return
+	}
+	var h hash.Hash
+	var a DigestAlgorithm
+	h, a, err = getHash(algo)
+	if err != nil {
+		return
+	}
+	h.Write(b)
+	sum := h.Sum(nil)
+	r.Header().Add(digestHeader,
+		fmt.Sprintf("%s%s%s",
+			a,
+			digestDelim,
+			base64.StdEncoding.EncodeToString(sum[:])))
+	return
+}
+
+func verifyDigest(r *http.Request, body *bytes.Buffer) (err error) {
+	d := r.Header.Get(digestHeader)
+	if len(d) == 0 {
+		err = fmt.Errorf("cannot verify Digest: request has no Digest header")
+		return
+	}
+	elem := strings.SplitN(d, digestDelim, 2)
+	if len(elem) != 2 {
+		err = fmt.Errorf("cannot verify Digest: malformed Digest: %s", d)
+		return
+	}
+	var h hash.Hash
+	h, _, err = getHash(DigestAlgorithm(elem[0]))
+	if err != nil {
+		return
+	}
+	h.Write(body.Bytes())
+	sum := h.Sum(nil)
+	encSum := base64.StdEncoding.EncodeToString(sum[:])
+	if encSum != elem[1] {
+		err = fmt.Errorf("cannot verify Digest: header Digest does not match the digest of the request body")
+		return
+	}
+	return
+}

vendor/github.com/go-fed/httpsig/go.modverify

@@ -0,0 +1,2 @@
+golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59 h1:hk3yo72LXLapY9EXVttc3Z1rLOxT9IuAPPX3GpY2+jo=
+golang.org/x/sys v0.0.0-20180525142821-c11f84a56e43 h1:PvnWIWTbA7gsEBkKjt0HV9hckYfcqYv8s/ju7ArZ0do=

vendor/github.com/go-fed/httpsig/httpsig.go

@@ -0,0 +1,241 @@
+// Implements HTTP request and response signing and verification. Supports the
+// major MAC and asymmetric key signature algorithms. It has several safety
+// restrictions: One, none of the widely known non-cryptographically safe
+// algorithms are permitted; Two, the RSA SHA256 algorithms must be available in
+// the binary (and it should, barring export restrictions); Finally, the library
+// assumes either the 'Authorizationn' or 'Signature' headers are to be set (but
+// not both).
+package httpsig
+
+import (
+	"crypto"
+	"fmt"
+	"net/http"
+)
+
+// Algorithm specifies a cryptography secure algorithm for signing HTTP requests
+// and responses.
+type Algorithm string
+
+const (
+	// MAC-based algoirthms.
+	HMAC_SHA224      Algorithm = hmacPrefix + "-" + sha224String
+	HMAC_SHA256      Algorithm = hmacPrefix + "-" + sha256String
+	HMAC_SHA384      Algorithm = hmacPrefix + "-" + sha384String
+	HMAC_SHA512      Algorithm = hmacPrefix + "-" + sha512String
+	HMAC_RIPEMD160   Algorithm = hmacPrefix + "-" + ripemd160String
+	HMAC_SHA3_224    Algorithm = hmacPrefix + "-" + sha3_224String
+	HMAC_SHA3_256    Algorithm = hmacPrefix + "-" + sha3_256String
+	HMAC_SHA3_384    Algorithm = hmacPrefix + "-" + sha3_384String
+	HMAC_SHA3_512    Algorithm = hmacPrefix + "-" + sha3_512String
+	HMAC_SHA512_224  Algorithm = hmacPrefix + "-" + sha512_224String
+	HMAC_SHA512_256  Algorithm = hmacPrefix + "-" + sha512_256String
+	HMAC_BLAKE2S_256 Algorithm = hmacPrefix + "-" + blake2s_256String
+	HMAC_BLAKE2B_256 Algorithm = hmacPrefix + "-" + blake2b_256String
+	HMAC_BLAKE2B_384 Algorithm = hmacPrefix + "-" + blake2b_384String
+	HMAC_BLAKE2B_512 Algorithm = hmacPrefix + "-" + blake2b_512String
+	BLAKE2S_256      Algorithm = blake2s_256String
+	BLAKE2B_256      Algorithm = blake2b_256String
+	BLAKE2B_384      Algorithm = blake2b_384String
+	BLAKE2B_512      Algorithm = blake2b_512String
+	// RSA-based algorithms.
+	RSA_SHA224 Algorithm = rsaPrefix + "-" + sha224String
+	// RSA_SHA256 is the default algorithm.
+	RSA_SHA256    Algorithm = rsaPrefix + "-" + sha256String
+	RSA_SHA384    Algorithm = rsaPrefix + "-" + sha384String
+	RSA_SHA512    Algorithm = rsaPrefix + "-" + sha512String
+	RSA_RIPEMD160 Algorithm = rsaPrefix + "-" + ripemd160String
+	// Just because you can glue things together, doesn't mean they will
+	// work. The following options are not supported.
+	rsa_SHA3_224    Algorithm = rsaPrefix + "-" + sha3_224String
+	rsa_SHA3_256    Algorithm = rsaPrefix + "-" + sha3_256String
+	rsa_SHA3_384    Algorithm = rsaPrefix + "-" + sha3_384String
+	rsa_SHA3_512    Algorithm = rsaPrefix + "-" + sha3_512String
+	rsa_SHA512_224  Algorithm = rsaPrefix + "-" + sha512_224String
+	rsa_SHA512_256  Algorithm = rsaPrefix + "-" + sha512_256String
+	rsa_BLAKE2S_256 Algorithm = rsaPrefix + "-" + blake2s_256String
+	rsa_BLAKE2B_256 Algorithm = rsaPrefix + "-" + blake2b_256String
+	rsa_BLAKE2B_384 Algorithm = rsaPrefix + "-" + blake2b_384String
+	rsa_BLAKE2B_512 Algorithm = rsaPrefix + "-" + blake2b_512String
+)
+
+// HTTP Signatures can be applied to different HTTP headers, depending on the
+// expected application behavior.
+type SignatureScheme string
+
+const (
+	// Signature will place the HTTP Signature into the 'Signature' HTTP
+	// header.
+	Signature SignatureScheme = "Signature"
+	// Authorization will place the HTTP Signature into the 'Authorization'
+	// HTTP header.
+	Authorization SignatureScheme = "Authorization"
+)
+
+const (
+	// The HTTP Signatures specification uses the "Signature" auth-scheme
+	// for the Authorization header. This is coincidentally named, but not
+	// semantically the same, as the "Signature" HTTP header value.
+	signatureAuthScheme = "Signature"
+)
+
+// There are subtle differences to the values in the header. The Authorization
+// header has an 'auth-scheme' value that must be prefixed to the rest of the
+// key and values.
+func (s SignatureScheme) authScheme() string {
+	switch s {
+	case Authorization:
+		return signatureAuthScheme
+	default:
+		return ""
+	}
+}
+
+// Signers will sign HTTP requests or responses based on the algorithms and
+// headers selected at creation time.
+//
+// Signers are not safe to use between multiple goroutines.
+//
+// Note that signatures do set the deprecated 'algorithm' parameter for
+// backwards compatibility.
+type Signer interface {
+	// SignRequest signs the request using a private key. The public key id
+	// is used by the HTTP server to identify which key to use to verify the
+	// signature.
+	//
+	// If the Signer was created using a MAC based algorithm, then the key
+	// is expected to be of type []byte. If the Signer was created using an
+	// RSA based algorithm, then the private key is expected to be of type
+	// *rsa.PrivateKey.
+	//
+	// A Digest (RFC 3230) will be added to the request. The body provided
+	// must match the body used in the request, and is allowed to be nil.
+	// The Digest ensures the request body is not tampered with in flight,
+	// and if the signer is created to also sign the "Digest" header, the
+	// HTTP Signature will then ensure both the Digest and body are not both
+	// modified to maliciously represent different content.
+	SignRequest(pKey crypto.PrivateKey, pubKeyId string, r *http.Request, body []byte) error
+	// SignResponse signs the response using a private key. The public key
+	// id is used by the HTTP client to identify which key to use to verify
+	// the signature.
+	//
+	// If the Signer was created using a MAC based algorithm, then the key
+	// is expected to be of type []byte. If the Signer was created using an
+	// RSA based algorithm, then the private key is expected to be of type
+	// *rsa.PrivateKey.
+	//
+	// A Digest (RFC 3230) will be added to the response. The body provided
+	// must match the body written in the response, and is allowed to be
+	// nil. The Digest ensures the response body is not tampered with in
+	// flight, and if the signer is created to also sign the "Digest"
+	// header, the HTTP Signature will then ensure both the Digest and body
+	// are not both modified to maliciously represent different content.
+	SignResponse(pKey crypto.PrivateKey, pubKeyId string, r http.ResponseWriter, body []byte) error
+}
+
+// NewSigner creates a new Signer with the provided algorithm preferences to
+// make HTTP signatures. Only the first available algorithm will be used, which
+// is returned by this function along with the Signer. If none of the preferred
+// algorithms were available, then the default algorithm is used. The headers
+// specified will be included into the HTTP signatures.
+//
+// The Digest will also be calculated on a request's body using the provided
+// digest algorithm, if "Digest" is one of the headers listed.
+//
+// The provided scheme determines which header is populated with the HTTP
+// Signature.
+//
+// An error is returned if an unknown or a known cryptographically insecure
+// Algorithm is provided.
+func NewSigner(prefs []Algorithm, dAlgo DigestAlgorithm, headers []string, scheme SignatureScheme) (Signer, Algorithm, error) {
+	for _, pref := range prefs {
+		s, err := newSigner(pref, dAlgo, headers, scheme)
+		if err != nil {
+			continue
+		}
+		return s, pref, err
+	}
+	s, err := newSigner(defaultAlgorithm, dAlgo, headers, scheme)
+	return s, defaultAlgorithm, err
+}
+
+// Verifier verifies HTTP Signatures.
+//
+// It will determine which of the supported headers has the parameters
+// that define the signature.
+//
+// Verifiers are not safe to use between multiple goroutines.
+//
+// Note that verification ignores the deprecated 'algorithm' parameter.
+type Verifier interface {
+	// KeyId gets the public key id that the signature is signed with.
+	//
+	// Note that the application is expected to determine the algorithm
+	// used based on metadata or out-of-band information for this key id.
+	KeyId() string
+	// Verify accepts the public key specified by KeyId and returns an
+	// error if verification fails or if the signature is malformed. The
+	// algorithm must be the one used to create the signature in order to
+	// pass verification. The algorithm is determined based on metadata or
+	// out-of-band information for the key id.
+	//
+	// If the signature was created using a MAC based algorithm, then the
+	// key is expected to be of type []byte. If the signature was created
+	// using an RSA based algorithm, then the public key is expected to be
+	// of type *rsa.PublicKey.
+	Verify(pKey crypto.PublicKey, algo Algorithm) error
+}
+
+const (
+	// host is treated specially because golang may not include it in the
+	// request header map on the server side of a request.
+	hostHeader = "Host"
+)
+
+// NewVerifier verifies the given request. It returns an error if the HTTP
+// Signature parameters are not present in any headers, are present in more than
+// one header, are malformed, or are missing required parameters. It ignores
+// unknown HTTP Signature parameters.
+func NewVerifier(r *http.Request) (Verifier, error) {
+	h := r.Header
+	if _, hasHostHeader := h[hostHeader]; len(r.Host) > 0 && !hasHostHeader {
+		h[hostHeader] = []string{r.Host}
+	}
+	return newVerifier(h, func(h http.Header, toInclude []string) (string, error) {
+		return signatureString(h, toInclude, addRequestTarget(r))
+	})
+}
+
+// NewResponseVerifier verifies the given response. It returns errors under the