Skip to content

Commit

Permalink
Add (optional) support for correctly building (request-target)
Browse files Browse the repository at this point in the history
  • Loading branch information
ClearlyClaire committed Dec 21, 2023
1 parent ac5ef54 commit 8bce826
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 5 deletions.
8 changes: 4 additions & 4 deletions app/controllers/concerns/signature_verification.rb
Original file line number Diff line number Diff line change
Expand Up @@ -91,21 +91,21 @@ def signed_request_actor
raise SignatureVerificationError, "Public key not found for key #{signature_params['keyId']}" if actor.nil?

signature = Base64.decode64(signature_params['signature'])
compare_signed_string = build_signed_string(request_target_quirk: true)
compare_signed_string = build_signed_string(request_target_quirk: false)

return actor unless verify_signature(actor, signature, compare_signed_string).nil?

compare_signed_string = build_signed_string(request_target_quirk: false)
compare_signed_string = build_signed_string(request_target_quirk: true)
return actor unless verify_signature(actor, signature, compare_signed_string).nil?

actor = stoplight_wrap_request { actor_refresh_key!(actor) }

raise SignatureVerificationError, "Could not refresh public key #{signature_params['keyId']}" if actor.nil?

compare_signed_string = build_signed_string(request_target_quirk: true)
compare_signed_string = build_signed_string(request_target_quirk: false)
return actor unless verify_signature(actor, signature, compare_signed_string).nil?

compare_signed_string = build_signed_string(request_target_quirk: false)
compare_signed_string = build_signed_string(request_target_quirk: true)
return actor unless verify_signature(actor, signature, compare_signed_string).nil?

fail_with! "Verification failed for #{actor.to_log_human_identifier} #{actor.uri} using rsa-sha256 (RSASSA-PKCS1-v1_5 with SHA-256)", signed_string: compare_signed_string, signature: signature_params['signature']
Expand Down
11 changes: 10 additions & 1 deletion app/lib/request.rb
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ def initialize(verb, url, **options)
@url = Addressable::URI.parse(url).normalize
@http_client = options.delete(:http_client)
@allow_local = options.delete(:allow_local)
@full_path = options.delete(:with_query_string)
@options = options.merge(socket_class: use_proxy? || @allow_local ? ProxySocket : Socket)
@options = @options.merge(timeout_class: PerOperationWithDeadline, timeout_options: TIMEOUT)
@options = @options.merge(proxy_url) if use_proxy?
Expand Down Expand Up @@ -146,7 +147,7 @@ def http_client
private

def set_common_headers!
@headers[REQUEST_TARGET] = "#{@verb} #{@url.path}"
@headers[REQUEST_TARGET] = request_target
@headers['User-Agent'] = Mastodon::Version.user_agent
@headers['Host'] = @url.host
@headers['Date'] = Time.now.utc.httpdate
Expand All @@ -157,6 +158,14 @@ def set_digest!
@headers['Digest'] = "SHA-256=#{Digest::SHA256.base64digest(@options[:body])}"
end

def request_target
if @url.query.nil? || !@full_path
"#{@verb} #{@url.path}"
else
"#{@verb} #{@url.path}?#{@url.query}"
end
end

def signature
algorithm = 'rsa-sha256'
signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest.new('SHA256'), signed_string))
Expand Down

0 comments on commit 8bce826

Please sign in to comment.