try doing it manually

1 files changed, 41 insertions, 20 deletions

diff --git a/registry/registry.go b/registry/registry.go
index c84ba5b..a7d5b47 100644
--- a/registry/registry.go
+++ b/registry/registry.go
@@ -3,7 +3,12 @@ package registry
 import (
 	"bytes"
 	"context"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/gob"
 	"encoding/json"
 	"encoding/pem"
@@ -256,7 +261,8 @@ func (r *Registry) deliverAcceptToInbox(url, actorUrl, actorKeyUrl *url.URL, fol
 	privKey := &keypair.PrivateKey
 
 	request, err := http.NewRequest("POST", url.String(), bytes.NewBuffer(jsonData))
-	request.Header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
+	date := time.Now().UTC().Format(http.TimeFormat)
+	request.Header.Set("Date", date)
 	request.Header.Set("Content-Type", "application/activity+json")
 	request.Header.Set("Host", url.Host)
 
@@ -267,9 +273,6 @@ func (r *Registry) deliverAcceptToInbox(url, actorUrl, actorKeyUrl *url.URL, fol
 		"payload",
 		payload,
 	).With(
-		"digest",
-		request.Header.Get("digest"),
-	).With(
 		"date",
 		request.Header.Get("date"),
 	).With(
@@ -277,25 +280,43 @@ func (r *Registry) deliverAcceptToInbox(url, actorUrl, actorKeyUrl *url.URL, fol
 		request.Header.Get("host"),
 	).Debugf("signing request")
 
+	signed_string := fmt.Sprintf("(request-target): post /users/capotej/inbox\nhost: %s\ndate: %s", url.Host, date)
+
+	digest := sha256.Sum256([]byte(signed_string))
 	r.mu.Lock()
-	prefs := []httpsig.Algorithm{}
-	digestAlgorithm := httpsig.DigestSha256
-	// The "Date" and "Digest" headers must already be set on r, as well as r.URL.
-	headersToSign := []string{httpsig.RequestTarget, "host", "date", "digest", "content-type"}
-	signer, _, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature, 100)
-	if err != nil {
-		return err
-	}
-	// To sign the digest, we need to give the signer a copy of the body...
-	// ...but it is optional, no digest will be signed if given "nil"
-	// body := nil
-	// If r were a http.ResponseWriter, call SignResponse instead.
-	err = signer.SignRequest(privKey, actorKeyUrl.String(), request, jsonData)
+	signature, _ := rsa.SignPKCS1v15(rand.Reader, privKey, crypto.SHA256, digest[:])
 	r.mu.Unlock()
 
-	// HACK
-	oldSig := request.Header.Get("signature")
-	request.Header.Set("signature", strings.ReplaceAll(oldSig, "hs2019", "rsa-sha256"))
+	b64sig := base64.StdEncoding.EncodeToString(signature)
+
+	h := sha256.New()
+	h.Write(jsonData)
+	var header = `keyId="https://activitybub.xyz/actors/sample#key",algorithm="rsa-sha256",headers="(request-target) content-type date digest host",signature="` + b64sig + `"`
+
+	request.Header.Add("Digest", "SHA-256="+base64.StdEncoding.EncodeToString(h.Sum(nil)))
+	request.Header.Add("Content-Type", "application/activity+json")
+	request.Header.Add("Signature", header)
+
+	//http sig signing code - broken?
+	// r.mu.Lock()
+	// prefs := []httpsig.Algorithm{}
+	// digestAlgorithm := httpsig.DigestSha256
+	// // The "Date" and "Digest" headers must already be set on r, as well as r.URL.
+	// headersToSign := []string{httpsig.RequestTarget, "host", "date", "digest", "content-type"}
+	// signer, _, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature, 100)
+	// if err != nil {
+	// 	return err
+	// }
+	// // To sign the digest, we need to give the signer a copy of the body...
+	// // ...but it is optional, no digest will be signed if given "nil"
+	// // body := nil
+	// // If r were a http.ResponseWriter, call SignResponse instead.
+	// err = signer.SignRequest(privKey, actorKeyUrl.String(), request, jsonData)
+	// r.mu.Unlock()
+
+	// // HACK
+	// oldSig := request.Header.Get("signature")
+	// request.Header.Set("signature", strings.ReplaceAll(oldSig, "hs2019", "rsa-sha256"))
 
 	r.log.With(
 		"type",