lemmy/crates/apub_lib/src/signatures.rs

101 lines
3.1 KiB
Rust
Raw Normal View History

use crate::APUB_JSON_CONTENT_TYPE;
2020-09-29 13:10:55 +00:00
use actix_web::HttpRequest;
use anyhow::anyhow;
2020-09-29 13:10:55 +00:00
use http::{header::HeaderName, HeaderMap, HeaderValue};
use http_signature_normalization_actix::Config as ConfigActix;
use http_signature_normalization_reqwest::prelude::{Config, SignExt};
use lemmy_utils::LemmyError;
2021-11-22 18:58:31 +00:00
use once_cell::sync::Lazy;
2020-05-16 14:04:08 +00:00
use openssl::{
hash::MessageDigest,
pkey::PKey,
sign::{Signer, Verifier},
};
use reqwest::{Client, Response};
2020-05-05 14:30:13 +00:00
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256};
use std::str::FromStr;
2021-11-23 12:16:47 +00:00
use tracing::debug;
use url::Url;
2021-11-22 18:58:31 +00:00
static CONFIG2: Lazy<ConfigActix> = Lazy::new(ConfigActix::new);
static HTTP_SIG_CONFIG: Lazy<Config> = Lazy::new(Config::new);
2020-04-19 17:35:40 +00:00
2020-10-19 14:29:35 +00:00
/// Creates an HTTP post request to `inbox_url`, with the given `client` and `headers`, and
/// `activity` as request body. The request is signed with `private_key` and then sent.
pub async fn sign_and_send(
2020-09-29 13:10:55 +00:00
client: &Client,
2020-10-19 14:29:35 +00:00
inbox_url: &Url,
activity: String,
actor_id: &Url,
private_key: String,
) -> Result<Response, LemmyError> {
let signing_key_id = format!("{}#main-key", actor_id);
let mut headers = HeaderMap::new();
let mut host = inbox_url.domain().expect("read inbox domain").to_string();
if let Some(port) = inbox_url.port() {
host = format!("{}:{}", host, port);
2020-09-29 13:10:55 +00:00
}
headers.insert(
HeaderName::from_str("Content-Type")?,
HeaderValue::from_str(APUB_JSON_CONTENT_TYPE)?,
);
headers.insert(HeaderName::from_str("Host")?, HeaderValue::from_str(&host)?);
let response = client
2020-10-19 14:29:35 +00:00
.post(&inbox_url.to_string())
.headers(headers)
.signature_with_digest(
HTTP_SIG_CONFIG.clone(),
signing_key_id,
Sha256::new(),
activity,
move |signing_string| {
let private_key = PKey::private_key_from_pem(private_key.as_bytes())?;
let mut signer = Signer::new(MessageDigest::sha256(), &private_key)?;
signer.update(signing_string.as_bytes())?;
Ok(base64::encode(signer.sign_to_vec()?)) as Result<_, LemmyError>
},
)
.await?;
Ok(response)
}
2020-04-10 13:50:40 +00:00
2020-10-19 14:29:35 +00:00
/// Verifies the HTTP signature on an incoming inbox request.
pub fn verify_signature(request: &HttpRequest, public_key: &str) -> Result<(), LemmyError> {
2020-09-29 13:10:55 +00:00
let verified = CONFIG2
2020-04-19 17:35:40 +00:00
.begin_verify(
request.method(),
request.uri().path_and_query(),
request.headers().clone(),
2020-04-19 17:35:40 +00:00
)?
.verify(|signature, signing_string| -> Result<bool, LemmyError> {
2020-04-19 17:35:40 +00:00
debug!(
"Verifying with key {}, message {}",
&public_key, &signing_string
2020-04-19 17:35:40 +00:00
);
let public_key = PKey::public_key_from_pem(public_key.as_bytes())?;
let mut verifier = Verifier::new(MessageDigest::sha256(), &public_key)?;
2021-07-05 16:07:26 +00:00
verifier.update(signing_string.as_bytes())?;
2020-04-19 17:35:40 +00:00
Ok(verifier.verify(&base64::decode(signature)?)?)
})?;
if verified {
debug!("verified signature for {}", &request.uri());
Ok(())
} else {
Err(anyhow!("Invalid signature on request: {}", &request.uri()).into())
2020-04-19 17:35:40 +00:00
}
}
#[derive(Clone, Debug, Deserialize, Serialize)]
2020-04-10 13:50:40 +00:00
#[serde(rename_all = "camelCase")]
pub struct PublicKey {
pub(crate) id: String,
pub(crate) owner: Box<Url>,
2020-04-10 13:50:40 +00:00
pub public_key_pem: String,
}