Correctly encode/decode base64, add more verifier logging

This commit is contained in:
asonix 2020-03-17 13:29:55 -05:00
parent 9fc507210a
commit 496cf571b2
2 changed files with 49 additions and 24 deletions

View file

@ -106,7 +106,7 @@ impl Settings {
let bytes = let bytes =
self.private_key self.private_key
.sign(PaddingScheme::PKCS1v15, Some(&Hashes::SHA2_256), &hashed)?; .sign(PaddingScheme::PKCS1v15, Some(&Hashes::SHA2_256), &hashed)?;
Ok(base64::encode_config(bytes, base64::URL_SAFE)) Ok(base64::encode(bytes))
} }
} }

View file

@ -1,6 +1,7 @@
use crate::{error::MyError, requests::fetch_actor, state::State}; use crate::{error::MyError, requests::fetch_actor, state::State};
use actix_web::client::Client; use actix_web::client::Client;
use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm}; use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm};
use log::{debug, error, info, warn};
use rsa::{hash::Hashes, padding::PaddingScheme, PublicKey, RSAPublicKey}; use rsa::{hash::Hashes, padding::PaddingScheme, PublicKey, RSAPublicKey};
use rsa_pem::KeyExt; use rsa_pem::KeyExt;
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
@ -28,29 +29,53 @@ impl SignatureVerify for MyVerify {
let client = Arc::new(self.1.clone()); let client = Arc::new(self.1.clone());
Box::pin(async move { Box::pin(async move {
let actor = fetch_actor(state, client, &key_id.parse()?).await?; verify(state, client, algorithm, key_id, signature, signing_string)
.await
let public_key = actor.public_key.ok_or(MyError::MissingKey)?; .map_err(|e| {
error!("Failed to verify, {}", e);
let public_key = RSAPublicKey::from_pem_pkcs8(&public_key.public_key_pem)?; e
})
match algorithm {
Some(Algorithm::Hs2019) => (),
Some(Algorithm::Deprecated(DeprecatedAlgorithm::RsaSha256)) => (),
_ => return Err(MyError::Algorithm),
};
let decoded = base64::decode(signature)?;
let hashed = Sha256::digest(signing_string.as_bytes());
public_key.verify(
PaddingScheme::PKCS1v15,
Some(&Hashes::SHA2_256),
&hashed,
&decoded,
)?;
Ok(true)
}) })
} }
} }
async fn verify(
state: Arc<State>,
client: Arc<Client>,
algorithm: Option<Algorithm>,
key_id: String,
signature: String,
signing_string: String,
) -> Result<bool, MyError> {
debug!("Fetching actor");
let actor = fetch_actor(state, client, &key_id.parse()?).await?;
let public_key = actor.public_key.ok_or(MyError::MissingKey)?;
debug!("Parsing public key");
let public_key = RSAPublicKey::from_pem_pkcs8(&public_key.public_key_pem)?;
match algorithm {
Some(Algorithm::Hs2019) => (),
Some(Algorithm::Deprecated(DeprecatedAlgorithm::RsaSha256)) => (),
other => {
warn!("Invalid algorithm supplied for signature, {:?}", other);
return Err(MyError::Algorithm);
}
};
debug!("Decoding base64");
let decoded = base64::decode(signature)?;
debug!("hashing");
let hashed = Sha256::digest(signing_string.as_bytes());
info!("Verifying signature for signing string, {}", signing_string);
public_key.verify(
PaddingScheme::PKCS1v15,
Some(&Hashes::SHA2_256),
&hashed,
&decoded,
)?;
Ok(true)
}