Clean up HTTP signature verification code

Anthony Wang 2023-01-19 22:09:55 +00:00
parent 7cbb9f7e49
commit f7403f75da
No known key found for this signature in database
GPG key ID: 1DDC6BC38786C595


@ -64,10 +64,9 @@ class fuwuqi(SimpleHTTPRequestHandler):
username = search('^/users/(.*)\.(in|out)box$', self.path).group(1)
# Get actor public key
keyid = search('keyId="(.*?)"', self.headers['Signature']).group(1)
actor = iri_to_actor(keyid)
pubkeypem = actor['publicKey']['publicKeyPem'].encode('utf8')
# Get signer public key
signer = iri_to_actor(search('keyId="(.*?)"', self.headers['Signature']).group(1))
pubkeypem = signer['publicKey']['publicKeyPem'].encode('utf8')
pubkey = serialization.load_pem_public_key(pubkeypem, None)
# Assemble headers
@ -84,11 +83,10 @@ class fuwuqi(SimpleHTTPRequestHandler):
signature = search('signature="(.*?)"', self.headers['Signature']).group(1)
pubkey.verify(b64decode(signature), message[:-1].encode('utf8'), padding.PKCS1v15(), hashes.SHA256())
# Make sure activity doer matches HTTP signature
actor = keyid.removesuffix('#main-key')
if ('actor' in activity and activity['actor'] != actor) or \
('attributedTo' in activity and activity['attributedTo'] != actor) or \
('attributedTo' in activity['object'] and activity['object']['attributedTo'] != actor):
# Make sure activity doer matches HTTP signature
if ('actor' in activity and activity['actor'] != signer['id']) or \
('attributedTo' in activity and activity['attributedTo'] != signer['id']) or \
('attributedTo' in activity['object'] and activity['object']['attributedTo'] != signer['id']):
self.send_response(401)
return
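Review bot: The actor comparison in the second hunk now trusts `signer['id']`, a field read from the document that `iri_to_actor` returned, where the removed code derived the actor from the `keyId` URL itself. Unless `iri_to_actor` (not visible here) already checks that the fetched document's `id` matches the IRI it was asked to resolve, the verified key is no longer bound to the identity being compared, because the document chooses its own `id`. I would keep the `keyId` in a local in the first hunk and add a guard before the comparison, for example `if signer['id'] != keyid.split('#')[0]:` followed by the same 401 response; the exact comparison depends on the keyId formats this server accepts. The enclosing handler method starts and ends outside both hunks, so any handling of a failed `pubkey.verify` or a missing `Signature` header cannot be judged from here.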