Write warning to log when signature creation date is not known

2022-09-12 21:02:33 +00:00 · 2022-09-12 21:02:33 +00:00 · d0f97a33b3
commit d0f97a33b3
parent 458ca3fc3d
2 changed files with 19 additions and 1 deletions
--- a/src/http_signatures/create.rs
+++ b/src/http_signatures/create.rs
@ -4,6 +4,8 @@ use rsa::RsaPrivateKey;

 use crate::utils::crypto::{sign_message, get_message_digest};

+pub const SIGNATURE_ALGORITHM: &str = "rsa-sha256";
+
 pub struct SignatureHeaders {
    pub host: String,
    pub date: String,
@ -63,8 +65,9 @@ pub fn create_http_signature(
        .collect::<Vec<String>>().join(" ");
    let signature_parameter = sign_message(actor_key, &message)?;
    let signature_header = format!(
-        r#"keyId="{}",algorithm="rsa-sha256",headers="{}",signature="{}""#,
+        r#"keyId="{}",algorithm="{}",headers="{}",signature="{}""#,
        actor_key_id,
+        SIGNATURE_ALGORITHM,
        headers_parameter,
        signature_parameter,
    );
--- a/src/http_signatures/verify.rs
+++ b/src/http_signatures/verify.rs
@ -4,6 +4,7 @@ use actix_web::{
    HttpRequest,
    http::{Method, Uri, header::HeaderMap},
 };
+use chrono::{DateTime, TimeZone, Utc};
 use regex::Regex;
 use tokio_postgres::GenericClient;

@ -48,6 +49,7 @@ struct SignatureData {
    pub key_id: String,
    pub message: String, // reconstructed message
    pub signature: String, // base64-encoded signature
+    pub created_at: Option<DateTime<Utc>>,
 }

 const SIGNATURE_PARAMETER_RE: &str = r#"^(?P<key>[a-zA-Z]+)="(?P<value>.+)"$"#;
@ -81,6 +83,14 @@ fn parse_http_signature(
    let signature = signature_parameters.get("signature")
        .ok_or(VerificationError::ParseError("signature is missing"))?
        .to_owned();
+    let maybe_created_at = if let Some(created_at) = signature_parameters.get("created") {
+        created_at.parse().ok().map(|ts| Utc.timestamp(ts, 0))
+    } else {
+        request_headers.get("date")
+            .and_then(|header| header.to_str().ok())
+            .and_then(|date| DateTime::parse_from_rfc2822(date).ok())
+            .map(|datetime| datetime.with_timezone(&Utc))
+    };

    let mut message_parts = vec![];
    for header in headers_parameter.split(' ') {
@ -113,6 +123,7 @@ fn parse_http_signature(
        key_id,
        message,
        signature,
+        created_at: maybe_created_at,
    };
    Ok(signature_data)
 }
@ -138,6 +149,9 @@ pub async fn verify_http_signature(
        request.uri(),
        request.headers(),
    )?;
+    if signature_data.created_at.is_none() {
+        log::warn!("signature creation time is missing");
+    };

    let actor_id = key_id_to_actor_id(&signature_data.key_id)?;
    let actor_profile = if no_fetch {
@ -210,6 +224,7 @@ mod tests {
            "(request-target): post /user/123/inbox\nhost: example.com",
        );
        assert_eq!(signature_data.signature, "test");
+        assert_eq!(signature_data.created_at.is_some(), false);
    }

    #[test]