bug fixes for hs2019 HTTP Signatures algorithm, hard coding to rsa-sha256

2023-04-16 17:38:03 -07:00 · 2023-04-16 17:38:03 -07:00 · ba38d6853b
commit ba38d6853b
--- a/activitypub.py
+++ b/activitypub.py
@ -143,12 +143,13 @@ class ActivityPub(Protocol):
        Logs details of the result. Raises :class:`werkzeug.HTTPError` if the
        signature is missing or invalid, otherwise does nothing and returns None.
        """
-        sig = request.headers.get('Signature')
+        headers = dict(request.headers)  # copy so we can modify below
+        sig = headers.get('Signature')
        if not sig:
            error('No HTTP Signature', status=401)

        logger.info('Verifying HTTP Signature')
-        logger.info(f'Headers: {json_dumps(dict(request.headers), indent=2)}')
+        logger.info(f'Headers: {json_dumps(headers, indent=2)}')

        # parse_signature_header lower-cases all keys
        sig_fields = parse_signature_header(sig)
@ -156,13 +157,18 @@ class ActivityPub(Protocol):
        if not keyId:
            error('HTTP Signature missing keyId', status=401)

-        # TODO: right now, assume hs2019 is rsa-sha256 🤷
+        # TODO: right now, assume hs2019 is rsa-sha256. the real answer is...
+        # ...complicated and unclear. 🤷
        # https://github.com/snarfed/bridgy-fed/issues/430#issuecomment-1510462267
        # https://arewehs2019yet.vpzom.click/
+        # https://socialhub.activitypub.rocks/t/state-of-http-signatures/754/23
+        # https://socialhub.activitypub.rocks/t/http-signatures-libraray/2087/2
+        # https://github.com/mastodon/mastodon/pull/14556
        if sig_fields.get('algorithm') == 'hs2019':
-            sig_fields['algorithm'] = 'rsa-sha256'
+            headers['Signature'] = headers['Signature'].replace(
+                'algorithm="hs2019"', 'algorithm=rsa-sha256')

-        digest = request.headers.get('Digest') or ''
+        digest = headers.get('Digest') or ''
        if not digest:
            error('Missing Digest header, required for HTTP Signature', status=401)

@ -188,7 +194,7 @@ class ActivityPub(Protocol):
        key = key_actor.as2.get("publicKey", {}).get('publicKeyPem')
        logger.info(f'Verifying signature for {request.path} with key {key}')
        try:
-            verified = HeaderVerifier(request.headers, key,
+            verified = HeaderVerifier(headers, key,
                                      required_headers=['Digest'],
                                      method=request.method,
                                      path=request.path,