lemmy/server/src/apub/extensions/signatures.rs

102 lines
2.8 KiB
Rust
Raw Normal View History

use crate::{apub::ActorType, LemmyError};
2020-05-05 14:30:13 +00:00
use activitystreams::ext::Extension;
use actix_web::{client::ClientRequest, HttpRequest};
use http_signature_normalization_actix::{
digest::{DigestClient, SignExt},
Config,
};
2020-05-05 14:30:13 +00:00
use log::debug;
2020-05-16 14:04:08 +00:00
use openssl::{
hash::MessageDigest,
pkey::PKey,
sign::{Signer, Verifier},
};
2020-05-05 14:30:13 +00:00
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256};
2020-04-19 17:35:40 +00:00
lazy_static! {
static ref HTTP_SIG_CONFIG: Config = Config::new();
}
/// Signs request headers with the given keypair.
pub async fn sign(
request: ClientRequest,
actor: &dyn ActorType,
activity: String,
) -> Result<DigestClient<String>, LemmyError> {
let signing_key_id = format!("{}#main-key", actor.actor_id());
let private_key = actor.private_key();
let digest_client = request
.signature_with_digest(
HTTP_SIG_CONFIG.clone(),
signing_key_id,
Sha256::new(),
activity,
move |signing_string| {
let private_key = PKey::private_key_from_pem(private_key.as_bytes())?;
let mut signer = Signer::new(MessageDigest::sha256(), &private_key).unwrap();
signer.update(signing_string.as_bytes()).unwrap();
Ok(base64::encode(signer.sign_to_vec()?)) as Result<_, LemmyError>
},
)
.await?;
Ok(digest_client)
}
2020-04-10 13:50:40 +00:00
pub fn verify(request: &HttpRequest, actor: &dyn ActorType) -> Result<(), LemmyError> {
2020-04-19 17:35:40 +00:00
let verified = HTTP_SIG_CONFIG
.begin_verify(
request.method(),
request.uri().path_and_query(),
request.headers().clone(),
2020-04-19 17:35:40 +00:00
)?
.verify(|signature, signing_string| -> Result<bool, LemmyError> {
2020-04-19 17:35:40 +00:00
debug!(
"Verifying with key {}, message {}",
&actor.public_key(),
&signing_string
2020-04-19 17:35:40 +00:00
);
let public_key = PKey::public_key_from_pem(actor.public_key().as_bytes())?;
2020-04-19 17:35:40 +00:00
let mut verifier = Verifier::new(MessageDigest::sha256(), &public_key).unwrap();
verifier.update(&signing_string.as_bytes()).unwrap();
Ok(verifier.verify(&base64::decode(signature)?)?)
})?;
if verified {
debug!("verified signature for {}", &request.uri());
Ok(())
} else {
Err(format_err!("Invalid signature on request: {}", &request.uri()).into())
2020-04-19 17:35:40 +00:00
}
}
2020-04-10 13:50:40 +00:00
// The following is taken from here:
// https://docs.rs/activitystreams/0.5.0-alpha.17/activitystreams/ext/index.html
2020-04-17 15:33:55 +00:00
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
2020-04-10 13:50:40 +00:00
#[serde(rename_all = "camelCase")]
pub struct PublicKey {
pub id: String,
pub owner: String,
pub public_key_pem: String,
}
2020-04-17 15:33:55 +00:00
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
2020-04-10 13:50:40 +00:00
#[serde(rename_all = "camelCase")]
pub struct PublicKeyExtension {
pub public_key: PublicKey,
}
impl PublicKey {
pub fn to_ext(&self) -> PublicKeyExtension {
PublicKeyExtension {
public_key: self.to_owned(),
}
}
}
impl<T> Extension<T> for PublicKeyExtension where T: activitystreams::Actor {}