Clean up HTTP signature verification code

2023-01-19 22:09:55 +00:00 · 2023-01-19 22:09:55 +00:00 · f7403f75da
parent 7cbb9f7e49
commit f7403f75da
1 changed files with 7 additions and 9 deletions
--- a/server.py
+++ b/server.py
@ -64,10 +64,9 @@ class fuwuqi(SimpleHTTPRequestHandler):
        username = search('^/users/(.*)\.(in|out)box$', self.path).group(1)
-        # Get actor public key
+        # Get signer public key
-        keyid = search('keyId="(.*?)"', self.headers['Signature']).group(1)
+        signer = iri_to_actor(search('keyId="(.*?)"', self.headers['Signature']).group(1))
-        actor = iri_to_actor(keyid)
+        pubkeypem = signer['publicKey']['publicKeyPem'].encode('utf8')
        pubkeypem = actor['publicKey']['publicKeyPem'].encode('utf8')
        pubkey = serialization.load_pem_public_key(pubkeypem, None)
        # Assemble headers
@ -84,11 +83,10 @@ class fuwuqi(SimpleHTTPRequestHandler):
        signature = search('signature="(.*?)"', self.headers['Signature']).group(1)
        pubkey.verify(b64decode(signature), message[:-1].encode('utf8'), padding.PKCS1v15(), hashes.SHA256())
-        # Make sure activity doer matches HTTP signature
+        # Make sure activity doer matches HTTP signature 
-        actor = keyid.removesuffix('#main-key')
+        if ('actor' in activity and activity['actor'] != signer['id']) or \
-        if ('actor' in activity and activity['actor'] != actor) or \
+           ('attributedTo' in activity and activity['attributedTo'] != signer['id']) or \
-           ('attributedTo' in activity and activity['attributedTo'] != actor) or \
+           ('attributedTo' in activity['object'] and activity['object']['attributedTo'] != signer['id']):
           ('attributedTo' in activity['object'] and activity['object']['attributedTo'] != actor):
            self.send_response(401)
            return