From 06a9a48489e0a04a19fd6bb9c6fc44c83e23bffe Mon Sep 17 00:00:00 2001
From: protheory8 <editaw5@gmail.com>
Date: Sun, 29 Nov 2020 08:35:25 +0000
Subject: [PATCH] Add Digest header

---
 routes/api.js   | 6 ++++--
 routes/inbox.js | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/routes/api.js b/routes/api.js
index d80a474..826f91e 100644
--- a/routes/api.js
+++ b/routes/api.js
@@ -30,19 +30,21 @@ function signAndSend(message, name, domain, req, res, targetDomain, inbox) {
   }
   else {
     let privkey = result.privkey;
+    const digestHash = crypto.createHash('sha256').update(JSON.stringify(message)).digest('base64');
     const signer = crypto.createSign('sha256');
     let d = new Date();
-    let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}`;
+    let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}\ndigest: SHA-256=${digestHash}`;
     signer.update(stringToSign);
     signer.end();
     const signature = signer.sign(privkey);
     const signature_b64 = signature.toString('base64');
-    let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date",signature="${signature_b64}"`;
+    let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date digest",signature="${signature_b64}"`;
     request({
       url: inbox,
       headers: {
         'Host': targetDomain,
         'Date': d.toUTCString(),
+        'Digest': `SHA-256=${digestHash}`,
         'Signature': header
       },
       method: 'POST',
diff --git a/routes/inbox.js b/routes/inbox.js
index 424f1ee..8436378 100644
--- a/routes/inbox.js
+++ b/routes/inbox.js
@@ -16,19 +16,21 @@ function signAndSend(message, name, domain, req, res, targetDomain) {
   }
   else {
     let privkey = result.privkey;
+    const digestHash = crypto.createHash('sha256').update(JSON.stringify(message)).digest('base64');
     const signer = crypto.createSign('sha256');
     let d = new Date();
-    let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}`;
+    let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}\ndigest: SHA-256=${digestHash}`;
     signer.update(stringToSign);
     signer.end();
     const signature = signer.sign(privkey);
     const signature_b64 = signature.toString('base64');
-    let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date",signature="${signature_b64}"`;
+    let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date digest",signature="${signature_b64}"`;
     request({
       url: inbox,
       headers: {
         'Host': targetDomain,
         'Date': d.toUTCString(),
+        'Digest': `SHA-256=${digestHash}`,
         'Signature': header
       },
       method: 'POST',