Implement JSON-ld signature verification

Implement JSON-ld signature verification
Move signature verification functions to the proper file
This commit is contained in:
Trinity Pointard
2018-10-06 10:06:06 +02:00
parent 62c94ed463
commit 3466e55548
4 changed files with 95 additions and 73 deletions
+5 -4
View File
@@ -4,7 +4,8 @@ use rocket_contrib::{Json, Template};
use serde_json;
use validator::{Validate};
use plume_common::activity_pub::verify_http_headers;
use plume_common::activity_pub::sign::{Signable,
verify_http_headers};
use plume_models::{
admin::Admin,
comments::Comment,
@@ -198,9 +199,9 @@ fn shared_inbox(conn: DbConn, data: String, headers: Headers) -> String {
let actor_id = activity["actor"].as_str()
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("No actor ID for incoming activity, blocks by panicking"));
let sig = verify_http_headers(&User::from_url(&conn, actor_id.to_owned()).unwrap(), headers.0, data).is_secure();
if !sig {
// TODO check for valid json-ld signature
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
if !verify_http_headers(&actor, headers.0, data).is_secure() &&
!act.clone().verify(&actor) {
return "invalid signature".to_owned();
}
+5 -4
View File
@@ -16,7 +16,8 @@ use workerpool::thunk::*;
use plume_common::activity_pub::{
ActivityStream, broadcast, Id, IntoId, ApRequest,
verify_http_headers, inbox::{FromActivity, Notify, Deletable}
inbox::{FromActivity, Notify, Deletable},
sign::{Signable, verify_http_headers}
};
use plume_common::utils;
use plume_models::{
@@ -304,9 +305,9 @@ fn inbox(name: String, conn: DbConn, data: String, headers: Headers) -> String {
let actor_id = activity["actor"].as_str()
.unwrap_or_else(|| activity["actor"]["id"].as_str().expect("User: No actor ID for incoming activity, blocks by panicking"));
let sig = verify_http_headers(&User::from_url(&conn, actor_id.to_owned()).unwrap(), headers.0, data).is_secure();
if !sig {
// TODO check for json-ld signature
let actor = User::from_url(&conn, actor_id.to_owned()).unwrap();
if !verify_http_headers(&actor, headers.0, data).is_secure() &&
!act.clone().verify(&actor) {
return "invalid signature".to_owned();
}