From f14b8d8e6e7faa43db2a32c485083da82bc2f9ec Mon Sep 17 00:00:00 2001
From: Ted Unangst
Date: Tue, 21 May 2019 15:44:58 -0400
Subject: [PATCH] if the digest is in the httpsig, we should also verify it matches content
---
 zig.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/zig.go b/zig.go
index 37a121f..064c143 100644
--- a/zig.go
+++ b/zig.go
@@ -139,6 +139,12 @@ func zag(req *http.Request, content []byte) (string, error) {
 if s != serverName {
 log.Printf("caution: servername host header mismatch")
 }
+ case "digest":
+ s = req.Header.Get(h)
+ expv := "SHA-256=" + sb64sha256(content)
+ if s != expv {
+ return "", fmt.Errorf("digest header '%s' did not match content", s)
+ }
 default:
 s = req.Header.Get(h)
 }
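Review bot: The new `return "", fmt.Errorf("digest header '%s' did not match content", s)` line interpolates the peer-supplied Digest header value with `%s`; since that value is untrusted input that most likely ends up in a log line, `%q` is the safer formatter because it shows an empty header as `""` and escapes control characters: `return "", fmt.Errorf("digest header %q did not match content", s)`. The exact string compare against `"SHA-256=" + sb64sha256(content)` also means a Digest header that lists several algorithms (for example a SHA-256 entry followed by a SHA-512 one) or that spells the algorithm token in a different case is rejected even when its SHA-256 value is correct; if that strictness is not intended, parse the header into per-algorithm entries and compare only the SHA-256 one. A comment such as `// Digest is only checked when it is among the signed headers, so an unsigned Digest does not authenticate the body` would make the scope of this check explicit for the next reader. zag's body begins and ends outside the hunk.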