Plume/plume-common/src/activity_pub/sign.rs

use base64;
use chrono::Utc;
use hex;
use openssl::{
    pkey::PKey,
    rsa::Rsa,
    sha::sha256
};
use super::request;
use rocket::http::HeaderMap;
use serde_json;

/// Returns (public key, private key)
pub fn gen_keypair() -> (Vec<u8>, Vec<u8>) {
    let keypair = Rsa::generate(2048).unwrap();
    let keypair = PKey::from_rsa(keypair).unwrap();
    (keypair.public_key_to_pem().unwrap(), keypair.private_key_to_pem_pkcs8().unwrap())
}

pub trait Signer {
    fn get_key_id(&self) -> String;
    
    /// Sign some data with the signer keypair
    fn sign(&self, to_sign: String) -> Vec<u8>;
    /// Verify if the signature is valid
    fn verify(&self, data: String, signature: Vec<u8>) -> bool;
}

pub trait Signable {
    fn sign<T>(&mut self, creator: &T) -> &mut Self where T: Signer;
    fn verify<T>(self, creator: &T) -> bool where T: Signer;

    fn hash(data: String) -> String {
        let bytes = data.into_bytes();
        hex::encode(sha256(&bytes[..]))
    }
}

impl Signable for serde_json::Value {
    fn sign<T: Signer>(&mut self, creator: &T) -> &mut serde_json::Value {
        let creation_date = Utc::now().to_rfc3339();
        let mut options = json!({
            "type": "RsaSignature2017",
            "creator": creator.get_key_id(),
            "created": creation_date
        });

        let options_hash  = Self::hash(json!({
            "@context": "https://w3id.org/identity/v1",
            "created": creation_date
        }).to_string());
        let document_hash = Self::hash(self.to_string());
        let to_be_signed = options_hash + &document_hash;

        let signature = base64::encode(&creator.sign(to_be_signed));

        options["signatureValue"] = serde_json::Value::String(signature);
        self["signature"] = options;
        self
    }

    fn verify<T: Signer>(mut self, creator: &T) -> bool {
        let signature_obj = if let Some(sig) = self.as_object_mut().and_then(|o| o.remove("signature")) {
            sig
        } else {
            //signature not present
            return false
        };
        let signature = if let Ok(sig) = base64::decode(&signature_obj["signatureValue"].as_str().unwrap_or("")) {
            sig
        } else {
            return false
        };
        let creation_date = &signature_obj["created"];
        let options_hash  = Self::hash(json!({
            "@context": "https://w3id.org/identity/v1",
            "created": creation_date
        }).to_string());
        let document_hash = Self::hash(self.to_string());
        let to_be_signed = options_hash + &document_hash;
        creator.verify(to_be_signed, signature)
    }
}

#[derive(Debug,Copy,Clone,PartialEq)]
pub enum SignatureValidity {
    Invalid,
    ValidNoDigest,
    Valid,
    Absent,
}

impl SignatureValidity {
    pub fn is_secure(&self) -> bool {
        self==&SignatureValidity::Valid
    }
}

pub fn verify_http_headers<S: Signer+::std::fmt::Debug>(sender: &S, all_headers: HeaderMap, data: String) -> SignatureValidity{
    let sig_header = all_headers.get_one("Signature");
    if sig_header.is_none() {
        return SignatureValidity::Absent
    }
    let sig_header = sig_header.unwrap();

    let mut _key_id = None;
    let mut _algorithm = None;
    let mut headers = None;
    let mut signature = None;
    for part in sig_header.split(',') {
        match part {
            part if part.starts_with("keyId=") => _key_id = Some(&part[7..part.len()-1]),
            part if part.starts_with("algorithm=") => _algorithm = Some(&part[11..part.len()-1]),
            part if part.starts_with("headers=") => headers = Some(&part[9..part.len()-1]),
            part if part.starts_with("signature=") => signature = Some(&part[11..part.len()-1]),
            _ => {},
        }
    }

    if signature.is_none() || headers.is_none() {//missing part of the header
        return SignatureValidity::Invalid
    }
    let headers = headers.unwrap().split_whitespace().collect::<Vec<_>>();
    let signature = signature.unwrap();
    let h = headers.iter()
        .map(|header| (header,all_headers.get_one(header)))
        .map(|(header, value)| format!("{}: {}", header.to_lowercase(), value.unwrap_or("")))
        .collect::<Vec<_>>().join("\n");

    if !sender.verify(h, base64::decode(signature).unwrap_or(Vec::new())) {
        return SignatureValidity::Invalid
    }
    if !headers.contains(&"digest") {// signature is valid, but body content is not verified
        return SignatureValidity::ValidNoDigest
    }
    let digest = all_headers.get_one("digest").unwrap_or("");
    let digest = request::Digest::from_header(digest);
    if !digest.map(|d| d.verify(data)).unwrap_or(false) {// signature was valid, but body content does not match its digest
        SignatureValidity::Invalid
    } else {
	    SignatureValidity::Valid// all check passed
    }
}
WIP: signing 2018-04-29 17:40:10 +02:00			`use base64;`
Reorganize use statements 2018-05-19 09:39:59 +02:00			`use chrono::Utc;`
WIP: signing 2018-04-29 17:40:10 +02:00			`use hex;`
Reorganize use statements 2018-05-19 09:39:59 +02:00			`use openssl::{`
			`pkey::PKey,`
			`rsa::Rsa,`
			`sha::sha256`
			`};`
Implement JSON-ld signature verification Implement JSON-ld signature verification Move signature verification functions to the proper file 2018-10-06 10:06:06 +02:00			`use super::request;`
			`use rocket::http::HeaderMap;`
WIP: signing 2018-04-29 17:40:10 +02:00			`use serde_json;`

Signing activities I hope it works correctly… Fixes #6 2018-05-03 21:11:04 +02:00			`/// Returns (public key, private key)`
			`pub fn gen_keypair() -> (Vec<u8>, Vec<u8>) {`
			`let keypair = Rsa::generate(2048).unwrap();`
			`let keypair = PKey::from_rsa(keypair).unwrap();`
			`(keypair.public_key_to_pem().unwrap(), keypair.private_key_to_pem_pkcs8().unwrap())`
			`}`

WIP: signing 2018-04-29 17:40:10 +02:00			`pub trait Signer {`
Simplify the signature of activity_pub::sign::Signer::get_key_id 2018-06-21 17:25:32 +02:00			`fn get_key_id(&self) -> String;`
WIP: signing 2018-04-29 17:40:10 +02:00
			`/// Sign some data with the signer keypair`
WIP: make it possible for users to sign activities 2018-05-03 19:12:01 +02:00			`fn sign(&self, to_sign: String) -> Vec<u8>;`
Add verify() to the Signer trait And implement it for Blog and User 2018-09-28 23:18:01 +02:00			`/// Verify if the signature is valid`
			`fn verify(&self, data: String, signature: Vec<u8>) -> bool;`
WIP: signing 2018-04-29 17:40:10 +02:00			`}`

			`pub trait Signable {`
Remove PgConnection when we don't need it Massive simplification in the ActivityPub module! 2018-06-21 17:31:42 +02:00			`fn sign<T>(&mut self, creator: &T) -> &mut Self where T: Signer;`
Implement JSON-ld signature verification Implement JSON-ld signature verification Move signature verification functions to the proper file 2018-10-06 10:06:06 +02:00			`fn verify<T>(self, creator: &T) -> bool where T: Signer;`
WIP: signing 2018-04-29 17:40:10 +02:00
			`fn hash(data: String) -> String {`
			`let bytes = data.into_bytes();`
			`hex::encode(sha256(&bytes[..]))`
			`}`
			`}`

			`impl Signable for serde_json::Value {`
Remove PgConnection when we don't need it Massive simplification in the ActivityPub module! 2018-06-21 17:31:42 +02:00			`fn sign<T: Signer>(&mut self, creator: &T) -> &mut serde_json::Value {`
WIP: make it possible for users to sign activities 2018-05-03 19:12:01 +02:00			`let creation_date = Utc::now().to_rfc3339();`
WIP: signing 2018-04-29 17:40:10 +02:00			`let mut options = json!({`
			`"type": "RsaSignature2017",`
Remove PgConnection when we don't need it Massive simplification in the ActivityPub module! 2018-06-21 17:31:42 +02:00			`"creator": creator.get_key_id(),`
WIP: make it possible for users to sign activities 2018-05-03 19:12:01 +02:00			`"created": creation_date`
WIP: signing 2018-04-29 17:40:10 +02:00			`});`

WIP: make it possible for users to sign activities 2018-05-03 19:12:01 +02:00			`let options_hash = Self::hash(json!({`
			`"@context": "https://w3id.org/identity/v1",`
			`"created": creation_date`
			`}).to_string());`
WIP: signing 2018-04-29 17:40:10 +02:00			`let document_hash = Self::hash(self.to_string());`
			`let to_be_signed = options_hash + &document_hash;`

			`let signature = base64::encode(&creator.sign(to_be_signed));`

Fix a typo in the signature module Thanks fdb-hiroshima for noticing it 2018-06-27 21:45:36 +02:00			`options["signatureValue"] = serde_json::Value::String(signature);`
WIP: signing 2018-04-29 17:40:10 +02:00			`self["signature"] = options;`
			`self`
			`}`
Implement JSON-ld signature verification Implement JSON-ld signature verification Move signature verification functions to the proper file 2018-10-06 10:06:06 +02:00
			`fn verify<T: Signer>(mut self, creator: &T) -> bool {`
			`let signature_obj = if let Some(sig) = self.as_object_mut().and_then(\|o\| o.remove("signature")) {`
			`sig`
			`} else {`
			`//signature not present`
			`return false`
			`};`
			`let signature = if let Ok(sig) = base64::decode(&signature_obj["signatureValue"].as_str().unwrap_or("")) {`
			`sig`
			`} else {`
			`return false`
			`};`
			`let creation_date = &signature_obj["created"];`
			`let options_hash = Self::hash(json!({`
			`"@context": "https://w3id.org/identity/v1",`
			`"created": creation_date`
			`}).to_string());`
			`let document_hash = Self::hash(self.to_string());`
			`let to_be_signed = options_hash + &document_hash;`
			`creator.verify(to_be_signed, signature)`
			`}`
			`}`

			`#[derive(Debug,Copy,Clone,PartialEq)]`
			`pub enum SignatureValidity {`
			`Invalid,`
			`ValidNoDigest,`
			`Valid,`
			`Absent,`
			`}`

			`impl SignatureValidity {`
			`pub fn is_secure(&self) -> bool {`
			`self==&SignatureValidity::Valid`
			`}`
			`}`

			`pub fn verify_http_headers<S: Signer+::std::fmt::Debug>(sender: &S, all_headers: HeaderMap, data: String) -> SignatureValidity{`
Code style improvement 2018-10-06 10:57:37 +02:00			`let sig_header = all_headers.get_one("Signature");`
			`if sig_header.is_none() {`
			`return SignatureValidity::Absent`
			`}`
			`let sig_header = sig_header.unwrap();`

			`let mut _key_id = None;`
			`let mut _algorithm = None;`
			`let mut headers = None;`
			`let mut signature = None;`
			`for part in sig_header.split(',') {`
			`match part {`
			`part if part.starts_with("keyId=") => _key_id = Some(&part[7..part.len()-1]),`
			`part if part.starts_with("algorithm=") => _algorithm = Some(&part[11..part.len()-1]),`
			`part if part.starts_with("headers=") => headers = Some(&part[9..part.len()-1]),`
			`part if part.starts_with("signature=") => signature = Some(&part[11..part.len()-1]),`
			`_ => {},`
Implement JSON-ld signature verification Implement JSON-ld signature verification Move signature verification functions to the proper file 2018-10-06 10:06:06 +02:00			`}`
Code style improvement 2018-10-06 10:57:37 +02:00			`}`

			`if signature.is_none() \|\| headers.is_none() {//missing part of the header`
			`return SignatureValidity::Invalid`
			`}`
			`let headers = headers.unwrap().split_whitespace().collect::<Vec<_>>();`
			`let signature = signature.unwrap();`
			`let h = headers.iter()`
			`.map(\|header\| (header,all_headers.get_one(header)))`
			`.map(\|(header, value)\| format!("{}: {}", header.to_lowercase(), value.unwrap_or("")))`
			`.collect::<Vec<_>>().join("\n");`

			`if !sender.verify(h, base64::decode(signature).unwrap_or(Vec::new())) {`
			`return SignatureValidity::Invalid`
			`}`
			`if !headers.contains(&"digest") {// signature is valid, but body content is not verified`
			`return SignatureValidity::ValidNoDigest`
			`}`
			`let digest = all_headers.get_one("digest").unwrap_or("");`
			`let digest = request::Digest::from_header(digest);`
			`if !digest.map(\|d\| d.verify(data)).unwrap_or(false) {// signature was valid, but body content does not match its digest`
			`SignatureValidity::Invalid`
Implement JSON-ld signature verification Implement JSON-ld signature verification Move signature verification functions to the proper file 2018-10-06 10:06:06 +02:00			`} else {`
Code style improvement 2018-10-06 10:57:37 +02:00			`SignatureValidity::Valid// all check passed`
Implement JSON-ld signature verification Implement JSON-ld signature verification Move signature verification functions to the proper file 2018-10-06 10:06:06 +02:00			`}`
WIP: signing 2018-04-29 17:40:10 +02:00			`}`