From eb322d739df93319f78ce2e1f884ace46a6b88c8 Mon Sep 17 00:00:00 2001 From: Julio Capote Date: Fri, 6 Jan 2023 12:02:58 -0500 Subject: try this again --- registry/registry.go | 70 ++++++++++++++++++++++------------------------------ 1 file changed, 30 insertions(+), 40 deletions(-) diff --git a/registry/registry.go b/registry/registry.go index 6733c74..1901f0c 100644 --- a/registry/registry.go +++ b/registry/registry.go @@ -3,9 +3,6 @@ package registry import ( "bytes" "context" - "crypto" - "crypto/rand" - "crypto/rsa" "crypto/sha256" "crypto/x509" "encoding/base64" @@ -288,51 +285,44 @@ func (r *Registry) deliverAcceptToInbox(url, actorUrl, actorKeyUrl *url.URL, fol request.Header.Get("host"), ).Debugf("signing request") - digestBytes := sha256.Sum256([]byte(signedString)) - - fmt.Println() - fmt.Println() - fmt.Println("'" + signedString + "'") - fmt.Println() - fmt.Println() + //manual mode + // digestBytes := sha256.Sum256([]byte(signedString)) + // r.mu.Lock() + // signature, err := rsa.SignPKCS1v15(rand.Reader, privKey, crypto.SHA256, digestBytes[:]) + // if err != nil { + // return err + // } - r.mu.Lock() - signature, err := rsa.SignPKCS1v15(rand.Reader, privKey, crypto.SHA256, digestBytes[:]) - if err != nil { - return err - } + // // TODO sanity check: decode our own public key from our PEM representation and attempt to verify + // err = rsa.VerifyPKCS1v15(&privKey.PublicKey, crypto.SHA256, digestBytes[:], signature) + // if err != nil { + // return err + // } else { + // r.log.With("type", "delivery").Debugf("verified own signature") + // } + // r.mu.Unlock() - // sanity check: decode our own public key from our PEM representation and attempt to verify + // b64sig := base64.StdEncoding.Strict().EncodeToString(signature) + // var header = `keyId="` + actorKeyUrl.String() + `",algorithm="hs2019",headers="(request-target) date digest host",signature="` + b64sig + `"` + // request.Header.Add("Signature", header) - err = rsa.VerifyPKCS1v15(&privKey.PublicKey, crypto.SHA256, digestBytes[:], signature) + //http sig signing code - broken? + r.mu.Lock() + prefs := []httpsig.Algorithm{} + digestAlgorithm := httpsig.DigestSha256 + // The "Date" and "Digest" headers must already be set on r, as well as r.URL. + headersToSign := []string{httpsig.RequestTarget, "host", "date", "digest", "content-type"} + signer, _, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature, 100) if err != nil { return err - } else { - r.log.With("type", "delivery").Debugf("verified own signature") } + // To sign the digest, we need to give the signer a copy of the body... + // ...but it is optional, no digest will be signed if given "nil" + // body := nil + // If r were a http.ResponseWriter, call SignResponse instead. + err = signer.SignRequest(privKey, actorKeyUrl.String(), request, jsonData) r.mu.Unlock() - b64sig := base64.StdEncoding.Strict().EncodeToString(signature) - var header = `keyId="` + actorKeyUrl.String() + `",algorithm="hs2019",headers="(request-target) date digest host",signature="` + b64sig + `"` - request.Header.Add("Signature", header) - - //http sig signing code - broken? - // r.mu.Lock() - // prefs := []httpsig.Algorithm{} - // digestAlgorithm := httpsig.DigestSha256 - // // The "Date" and "Digest" headers must already be set on r, as well as r.URL. - // headersToSign := []string{httpsig.RequestTarget, "host", "date", "digest", "content-type"} - // signer, _, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature, 100) - // if err != nil { - // return err - // } - // // To sign the digest, we need to give the signer a copy of the body... - // // ...but it is optional, no digest will be signed if given "nil" - // // body := nil - // // If r were a http.ResponseWriter, call SignResponse instead. - // err = signer.SignRequest(privKey, actorKeyUrl.String(), request, jsonData) - // r.mu.Unlock() - // // HACK // oldSig := request.Header.Get("signature") // request.Header.Set("signature", strings.ReplaceAll(oldSig, "hs2019", "rsa-sha256")) -- cgit v1.2.3