Merge pull request 'Fix #872 Include (request-target) and Host header to HTTP Signature' (#884) from httpsig into main

Reviewed-on: https://git.joinplu.me/Plume/Plume/pulls/884
2021-02-06 19:19:36 +00:00 · 2021-02-06 19:19:36 +00:00 · ac48744aca
parent f2d2ecb247 1b9aeae53c
commit ac48744aca
3 changed files with 112 additions and 16 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -10,6 +10,7 @@
 - More translation languages (#862)
 - Proxy support (#829)
 - Riker a actor system library (#870)
 - (request-target) and Host header in HTTP Signature (#872)
 ### Changed
--- a/plume-common/src/activity_pub/mod.rs
+++ b/plume-common/src/activity_pub/mod.rs
@ -1,6 +1,6 @@
 use activitypub::{Activity, Link, Object};
 use array_tool::vec::Uniq;
-use reqwest::r#async::ClientBuilder;
+use reqwest::{header::HeaderValue, r#async::ClientBuilder, Url};
 use rocket::{
    http::Status,
    request::{FromRequest, Request},
@ -143,6 +143,22 @@ where
    for inbox in boxes {
        let body = signed.to_string();
        let mut headers = request::headers();
        let url = Url::parse(&inbox);
        if url.is_err() {
            warn!("Inbox is invalid URL: {:?}", &inbox);
            continue;
        }
        let url = url.unwrap();
        if !url.has_host() {
            warn!("Inbox doesn't have host: {:?}", &inbox);
            continue;
        };
        let host_header_value = HeaderValue::from_str(&url.host_str().expect("Unreachable"));
        if host_header_value.is_err() {
            warn!("Header value is invalid: {:?}", url.host_str());
            continue;
        }
        headers.insert("Host", host_header_value.unwrap());
        headers.insert("Digest", request::Digest::digest(&body));
        rt.spawn(
            client
@ -150,7 +166,7 @@ where
                .headers(headers.clone())
                .header(
                    "Signature",
-                    request::signature(sender, &headers)
+                    request::signature(sender, &headers, ("post", url.path(), url.query()))
                        .expect("activity_pub::broadcast: request signature error"),
                )
                .body(body)
--- a/plume-common/src/activity_pub/request.rs
+++ b/plume-common/src/activity_pub/request.rs
@ -3,6 +3,7 @@ use openssl::hash::{Hasher, MessageDigest};
 use reqwest::header::{HeaderMap, HeaderValue, ACCEPT, CONTENT_TYPE, DATE, USER_AGENT};
 use std::ops::Deref;
 use std::time::SystemTime;
 use tracing::warn;
 use crate::activity_pub::sign::Signer;
 use crate::activity_pub::{ap_accept_header, AP_CONTENT_TYPE};
@ -112,25 +113,45 @@ pub fn headers() -> HeaderMap {
    headers
 }
-pub fn signature<S: Signer>(signer: &S, headers: &HeaderMap) -> Result<HeaderValue, Error> {
+type Method<'a> = &'a str;
-    let signed_string = headers
+type Path<'a> = &'a str;
 type Query<'a> = &'a str;
 type RequestTarget<'a> = (Method<'a>, Path<'a>, Option<Query<'a>>);
 pub fn signature<S: Signer>(
    signer: &S,
    headers: &HeaderMap,
    request_target: RequestTarget,
 ) -> Result<HeaderValue, Error> {
    let (method, path, query) = request_target;
    let origin_form = if let Some(query) = query {
        format!("{}?{}", path, query)
    } else {
        path.to_string()
    };
    let mut headers_vec = Vec::with_capacity(headers.len());
    for (h, v) in headers.iter() {
        let v = v.to_str();
        if v.is_err() {
            warn!("invalid header error: {:?}", v.unwrap_err());
            return Err(Error());
        }
        headers_vec.push((h.as_str().to_lowercase(), v.expect("Unreachable")));
    }
    let request_target = format!("{} {}", method.to_lowercase(), origin_form);
    headers_vec.push(("(request-target)".to_string(), &request_target));
    let signed_string = headers_vec
        .iter()
-        .map(|(h, v)| {
+        .map(|(h, v)| format!("{}: {}", h, v))
            format!(
                "{}: {}",
                h.as_str().to_lowercase(),
                v.to_str()
                    .expect("request::signature: invalid header error")
            )
        })
        .collect::<Vec<String>>()
        .join("\n");
-    let signed_headers = headers
+    let signed_headers = headers_vec
        .iter()
-        .map(|(h, _)| h.as_str())
+        .map(|(h, _)| h.as_ref())
        .collect::<Vec<&str>>()
-        .join(" ")
+        .join(" ");
        .to_lowercase();
    let data = signer.sign(&signed_string).map_err(|_| Error())?;
    let sign = base64::encode(&data);
@ -142,3 +163,61 @@ pub fn signature<S: Signer>(signer: &S, headers: &HeaderMap) -> Result<HeaderVal
        signature = sign
    )).map_err(|_| Error())
 }
 #[cfg(test)]
 mod tests {
    use super::{signature, Error};
    use crate::activity_pub::sign::{gen_keypair, Signer};
    use openssl::{hash::MessageDigest, pkey::PKey, rsa::Rsa};
    use reqwest::header::HeaderMap;
    struct MySigner {
        public_key: String,
        private_key: String,
    }
    impl MySigner {
        fn new() -> Self {
            let (pub_key, priv_key) = gen_keypair();
            Self {
                public_key: String::from_utf8(pub_key).unwrap(),
                private_key: String::from_utf8(priv_key).unwrap(),
            }
        }
    }
    impl Signer for MySigner {
        type Error = Error;
        fn get_key_id(&self) -> String {
            "mysigner".into()
        }
        fn sign(&self, to_sign: &str) -> Result<Vec<u8>, Self::Error> {
            let key = PKey::from_rsa(Rsa::private_key_from_pem(self.private_key.as_ref()).unwrap())
                .unwrap();
            let mut signer = openssl::sign::Signer::new(MessageDigest::sha256(), &key).unwrap();
            signer.update(to_sign.as_bytes()).unwrap();
            signer.sign_to_vec().map_err(|_| Error())
        }
        fn verify(&self, data: &str, signature: &[u8]) -> Result<bool, Self::Error> {
            let key = PKey::from_rsa(Rsa::public_key_from_pem(self.public_key.as_ref()).unwrap())
                .unwrap();
            let mut verifier = openssl::sign::Verifier::new(MessageDigest::sha256(), &key).unwrap();
            verifier.update(data.as_bytes()).unwrap();
            verifier.verify(&signature).map_err(|_| Error())
        }
    }
    #[test]
    fn test_signature_request_target() {
        let signer = MySigner::new();
        let headers = HeaderMap::new();
        let result = signature(&signer, &headers, ("post", "/inbox", None)).unwrap();
        let fields: Vec<&str> = result.to_str().unwrap().split(",").collect();
        assert_eq!(r#"headers="(request-target)""#, fields[2]);
        let sign = &fields[3][11..(fields[3].len() - 1)];
        assert!(signer.verify("post /inbox", sign.as_bytes()).is_ok());
    }
 }