Support correctly-built (request-target) pseudo-header (still using H…

…TTP Signatures draft 12)
ClearlyClaire · Dec 22, 2023 · ff3eb40 · ff3eb40
1 parent a2624ff
commit ff3eb40
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/app/controllers/concerns/signature_verification.rb b/app/controllers/concerns/signature_verification.rb
@@ -91,14 +91,21 @@ def signed_request_actor
     raise SignatureVerificationError, "Public key not found for key #{signature_params['keyId']}" if actor.nil?
 
     signature             = Base64.decode64(signature_params['signature'])
-    compare_signed_string = build_signed_string
+    compare_signed_string = build_signed_string(request_target_quirk: true)
 
     return actor unless verify_signature(actor, signature, compare_signed_string).nil?
 
+    compare_signed_string = build_signed_string(request_target_quirk: false)
+    return actor unless verify_signature(actor, signature, compare_signed_string).nil?
+
     actor = stoplight_wrap_request { actor_refresh_key!(actor) }
 
     raise SignatureVerificationError, "Could not refresh public key #{signature_params['keyId']}" if actor.nil?
 
+    compare_signed_string = build_signed_string(request_target_quirk: true)
+    return actor unless verify_signature(actor, signature, compare_signed_string).nil?
+
+    compare_signed_string = build_signed_string(request_target_quirk: false)
     return actor unless verify_signature(actor, signature, compare_signed_string).nil?
 
     fail_with! "Verification failed for #{actor.to_log_human_identifier} #{actor.uri} using rsa-sha256 (RSASSA-PKCS1-v1_5 with SHA-256)", signed_string: compare_signed_string, signature: signature_params['signature']
@@ -180,11 +187,15 @@ def verify_signature(actor, signature, compare_signed_string)
     nil
   end
 
-  def build_signed_string
+  def build_signed_string(request_target_quirk: true)
     signed_headers.map do |signed_header|
       case signed_header
       when Request::REQUEST_TARGET
-        "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
+        if request_target_quirk
+          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
+        else
+          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
+        end
       when '(created)'
         raise SignatureVerificationError, 'Invalid pseudo-header (created) for rsa-sha256' unless signature_algorithm == 'hs2019'
         raise SignatureVerificationError, 'Pseudo-header (created) used but corresponding argument missing' if signature_params['created'].blank?