From 217f0ac8e4c66f76908d1b3bf2142ad664147cd4 Mon Sep 17 00:00:00 2001 From: Julio Capote Date: Thu, 5 Jan 2023 18:45:17 -0500 Subject: try doing it manually --- registry/registry.go | 61 +++++++++++++++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 20 deletions(-) diff --git a/registry/registry.go b/registry/registry.go index c84ba5b..a7d5b47 100644 --- a/registry/registry.go +++ b/registry/registry.go @@ -3,7 +3,12 @@ package registry import ( "bytes" "context" + "crypto" + "crypto/rand" + "crypto/rsa" + "crypto/sha256" "crypto/x509" + "encoding/base64" "encoding/gob" "encoding/json" "encoding/pem" @@ -256,7 +261,8 @@ func (r *Registry) deliverAcceptToInbox(url, actorUrl, actorKeyUrl *url.URL, fol privKey := &keypair.PrivateKey request, err := http.NewRequest("POST", url.String(), bytes.NewBuffer(jsonData)) - request.Header.Set("Date", time.Now().UTC().Format(http.TimeFormat)) + date := time.Now().UTC().Format(http.TimeFormat) + request.Header.Set("Date", date) request.Header.Set("Content-Type", "application/activity+json") request.Header.Set("Host", url.Host) @@ -266,9 +272,6 @@ func (r *Registry) deliverAcceptToInbox(url, actorUrl, actorKeyUrl *url.URL, fol ).With( "payload", payload, - ).With( - "digest", - request.Header.Get("digest"), ).With( "date", request.Header.Get("date"), 
@@ -277,25 +280,43 @@ func (r *Registry) deliverAcceptToInbox(url, actorUrl, actorKeyUrl *url.URL, fol request.Header.Get("host"), ).Debugf("signing request") + signed_string := fmt.Sprintf("(request-target): post /users/capotej/inbox\nhost: %s\ndate: %s", url.Host, date) + + digest := sha256.Sum256([]byte(signed_string)) r.mu.Lock() - prefs := []httpsig.Algorithm{} - digestAlgorithm := httpsig.DigestSha256 - // The "Date" and "Digest" headers must already be set on r, as well as r.URL. - headersToSign := []string{httpsig.RequestTarget, "host", "date", "digest", "content-type"} - signer, _, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature, 100) - if err != nil { - return err - } - // To sign the digest, we need to give the signer a copy of the body... - // ...but it is optional, no digest will be signed if given "nil" - // body := nil - // If r were a http.ResponseWriter, call SignResponse instead. - err = signer.SignRequest(privKey, actorKeyUrl.String(), request, jsonData) + signature, _ := rsa.SignPKCS1v15(rand.Reader, privKey, crypto.SHA256, digest[:]) r.mu.Unlock() - // HACK - oldSig := request.Header.Get("signature") - request.Header.Set("signature", strings.ReplaceAll(oldSig, "hs2019", "rsa-sha256")) + b64sig := base64.StdEncoding.EncodeToString(signature) + + h := sha256.New() + h.Write(jsonData) + var header = `keyId="https://activitybub.xyz/actors/sample#key",algorithm="rsa-sha256",headers="(request-target) content-type date digest host",signature="` + b64sig + `"` + + request.Header.Add("Digest", "SHA-256="+base64.StdEncoding.EncodeToString(h.Sum(nil))) + request.Header.Add("Content-Type", "application/activity+json") + request.Header.Add("Signature", header) + + //http sig signing code - broken? + // r.mu.Lock() + // prefs := []httpsig.Algorithm{} + // digestAlgorithm := httpsig.DigestSha256 + // // The "Date" and "Digest" headers must already be set on r, as well as r.URL. 
+ // headersToSign := []string{httpsig.RequestTarget, "host", "date", "digest", "content-type"} + // signer, _, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature, 100) + // if err != nil { + // return err + // } + // // To sign the digest, we need to give the signer a copy of the body... + // // ...but it is optional, no digest will be signed if given "nil" + // // body := nil + // // If r were a http.ResponseWriter, call SignResponse instead. + // err = signer.SignRequest(privKey, actorKeyUrl.String(), request, jsonData) + // r.mu.Unlock() + + // // HACK + // oldSig := request.Header.Get("signature") + // request.Header.Set("signature", strings.ReplaceAll(oldSig, "hs2019", "rsa-sha256")) r.log.With( "type", -- cgit v1.2.3
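Review bot: The signing string built on the first added line of this hunk does not match what the Signature header later claims was signed: it hardcodes `(request-target): post /users/capotej/inbox` instead of deriving the target from `url`, covers only `host` and `date`, yet the header advertises `headers="(request-target) content-type date digest host"` together with a hardcoded `keyId="https://activitybub.xyz/actors/sample#key"` rather than `actorKeyUrl`, so a remote verifier will reject the request and the body is never actually bound to the signature even though `digest` is listed. The error from `rsa.SignPKCS1v15` is discarded with `signature, _ :=`, which would send an empty signature rather than fail, and `request.Header.Add("Content-Type", …)` duplicates the value already `Set` earlier in the function. Building the signing string from the same ordered header list that is written into the Signature header, after the `Digest` header is set, fixes all of these; a sketch follows (it assumes `strings` is still imported, which the hunk no longer shows being used). The enclosing `deliverAcceptToInbox` starts and ends outside the hunk.

```go
	// Set Digest first so the signature can cover the body.
	bodyHash := sha256.Sum256(jsonData)
	request.Header.Set("Digest", "SHA-256="+base64.StdEncoding.EncodeToString(bodyHash[:]))

	// The signing string must contain exactly the headers named in the
	// Signature header, in that order, with the real request target.
	signedHeaders := []string{"(request-target)", "host", "date", "digest", "content-type"}
	var sb strings.Builder
	for i, h := range signedHeaders {
		if i > 0 {
			sb.WriteByte('\n')
		}
		if h == "(request-target)" {
			sb.WriteString("(request-target): post " + url.Path)
			continue
		}
		sb.WriteString(h + ": " + request.Header.Get(h))
	}
	hashed := sha256.Sum256([]byte(sb.String()))

	r.mu.Lock()
	signature, err := rsa.SignPKCS1v15(rand.Reader, privKey, crypto.SHA256, hashed[:])
	r.mu.Unlock()
	if err != nil {
		return fmt.Errorf("signing accept request: %w", err)
	}

	sigHeader := fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		actorKeyUrl.String(), strings.Join(signedHeaders, " "), base64.StdEncoding.EncodeToString(signature))
	request.Header.Set("Signature", sigHeader)
	// … unchanged: debug logging of the signed request …
```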