vendor/src/github.com/cloudflare/cfssl/auth/auth.go - third_party/github.com/moby/moby - Git at Google

 // Package auth implements an interface for providing CFSSL
 // authentication. This is meant to authenticate a client CFSSL to a
 // remote CFSSL in order to prevent unauthorised use of the signature
 // capabilities. This package provides both the interface and a
 // standard HMAC-based implementation.
 package auth

 import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"strings"
 )

 // An AuthenticatedRequest contains a request and authentication
 // token. The Provider may determine whether to validate the timestamp
 // and remote address.
 type AuthenticatedRequest struct {
 	// An Authenticator decides whether to use this field.
 	Timestamp     int64  `json:"timestamp,omitempty"`
 	RemoteAddress []byte `json:"remote_address,omitempty"`
 	Token         []byte `json:"token"`
 	Request       []byte `json:"request"`
 }

 // A Provider can generate tokens from a request and verify a
 // request. The handling of additional authentication data (such as
 // the IP address) is handled by the concrete type, as is any
 // serialisation and state-keeping.
 type Provider interface {
 	Token(req []byte) (token []byte, err error)
 	Verify(aReq *AuthenticatedRequest) bool
 }

 // Standard implements an HMAC-SHA-256 authentication provider. It may
 // be supplied additional data at creation time that will be used as
 // request || additional-data with the HMAC.
 type Standard struct {
 	key []byte
 	ad  []byte
 }

 // New generates a new standard authentication provider from the key
 // and additional data. The additional data will be used when
 // generating a new token.
 func New(key string, ad []byte) (*Standard, error) {
 	if splitKey := strings.SplitN(key, ":", 2); len(splitKey) == 2 {
 		switch splitKey[0] {
 		case "env":
 			key = os.Getenv(splitKey[1])
 		case "file":
 			data, err := ioutil.ReadFile(splitKey[1])
 			if err != nil {
 				return nil, err
 			}
 			key = string(data)
 		default:
 			return nil, fmt.Errorf("unknown key prefix: %s", splitKey[0])
 		}
 	}

 	keyBytes, err := hex.DecodeString(key)
 	if err != nil {
 		return nil, err
 	}

 	return &Standard{keyBytes, ad}, nil
 }

 // Token generates a new authentication token from the request.
 func (p Standard) Token(req []byte) (token []byte, err error) {
 	h := hmac.New(sha256.New, p.key)
 	h.Write(req)
 	h.Write(p.ad)
 	return h.Sum(nil), nil
 }

 // Verify determines whether an authenticated request is valid.
 func (p Standard) Verify(ad *AuthenticatedRequest) bool {
 	if ad == nil {
 		return false
 	}

 	// Standard token generation returns no error.
 	token, _ := p.Token(ad.Request)
 	if len(ad.Token) != len(token) {
 		return false
 	}

 	return hmac.Equal(token, ad.Token)
 }
	// Package auth implements an interface for providing CFSSL
	// authentication. This is meant to authenticate a client CFSSL to a
	// remote CFSSL in order to prevent unauthorised use of the signature
	// capabilities. This package provides both the interface and a
	// standard HMAC-based implementation.
	package auth

	import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/ioutil"
	"os"
	"strings"
	)

	// An AuthenticatedRequest contains a request and authentication
	// token. The Provider may determine whether to validate the timestamp
	// and remote address.
	type AuthenticatedRequest struct {
	// An Authenticator decides whether to use this field.
	Timestamp int64 `json:"timestamp,omitempty"`
	RemoteAddress []byte `json:"remote_address,omitempty"`
	Token []byte `json:"token"`
	Request []byte `json:"request"`
	}

	// A Provider can generate tokens from a request and verify a
	// request. The handling of additional authentication data (such as
	// the IP address) is handled by the concrete type, as is any
	// serialisation and state-keeping.
	type Provider interface {
	Token(req []byte) (token []byte, err error)
	Verify(aReq *AuthenticatedRequest) bool
	}

	// Standard implements an HMAC-SHA-256 authentication provider. It may
	// be supplied additional data at creation time that will be used as
	// request \|\| additional-data with the HMAC.
	type Standard struct {
	key []byte
	ad []byte
	}

	// New generates a new standard authentication provider from the key
	// and additional data. The additional data will be used when
	// generating a new token.
	func New(key string, ad []byte) (*Standard, error) {
	if splitKey := strings.SplitN(key, ":", 2); len(splitKey) == 2 {
	switch splitKey[0] {
	case "env":
	key = os.Getenv(splitKey[1])
	case "file":
	data, err := ioutil.ReadFile(splitKey[1])
	if err != nil {
	return nil, err
	}
	key = string(data)
	default:
	return nil, fmt.Errorf("unknown key prefix: %s", splitKey[0])
	}
	}

	keyBytes, err := hex.DecodeString(key)
	if err != nil {
	return nil, err
	}

	return &Standard{keyBytes, ad}, nil
	}

	// Token generates a new authentication token from the request.
	func (p Standard) Token(req []byte) (token []byte, err error) {
	h := hmac.New(sha256.New, p.key)
	h.Write(req)
	h.Write(p.ad)
	return h.Sum(nil), nil
	}

	// Verify determines whether an authenticated request is valid.
	func (p Standard) Verify(ad *AuthenticatedRequest) bool {
	if ad == nil {
	return false
	}

	// Standard token generation returns no error.
	token, _ := p.Token(ad.Request)
	if len(ad.Token) != len(token) {
	return false
	}

	return hmac.Equal(token, ad.Token)
	}