mastodon/app/lib/activitypub/linked_data_signature.rb

# frozen_string_literal: true

class ActivityPub::LinkedDataSignature
  include JsonLdHelper

  CONTEXT = 'https://w3id.org/identity/v1'

  def initialize(json)
    @json = json.with_indifferent_access
  end

  def verify_account!
    return unless @json['signature'].is_a?(Hash)

    type        = @json['signature']['type']
    creator_uri = @json['signature']['creator']
    signature   = @json['signature']['signatureValue']

    return unless type == 'RsaSignature2017'

    creator   = ActivityPub::TagManager.instance.uri_to_resource(creator_uri, Account)
    creator ||= ActivityPub::FetchRemoteKeyService.new.call(creator_uri, id: false)

    return if creator.nil?

    options_hash   = hash(@json['signature'].without('type', 'id', 'signatureValue').merge('@context' => CONTEXT))
    document_hash  = hash(@json.without('signature'))
    to_be_verified = options_hash + document_hash

    if creator.keypair.public_key.verify(OpenSSL::Digest::SHA256.new, Base64.decode64(signature), to_be_verified)
      creator
    end
  end

  def sign!(creator)
    options = {
      'type'    => 'RsaSignature2017',
      'creator' => [ActivityPub::TagManager.instance.uri_for(creator), '#main-key'].join,
      'created' => Time.now.utc.iso8601,
    }

    options_hash  = hash(options.without('type', 'id', 'signatureValue').merge('@context' => CONTEXT))
    document_hash = hash(@json.without('signature'))
    to_be_signed  = options_hash + document_hash

    signature = Base64.strict_encode64(creator.keypair.sign(OpenSSL::Digest::SHA256.new, to_be_signed))

    @json.merge('signature' => options.merge('signatureValue' => signature))
  end

  private

  def hash(obj)
    Digest::SHA256.hexdigest(canonicalize(obj))
  end
end
Add handling of Linked Data Signatures in payloads (#4687) * Add handling of Linked Data Signatures in payloads * Add a way to sign JSON, fix canonicalization of signature options * Fix signatureValue encoding, send out signed JSON when distributing * Add missing security context 2017-08-26 13:47:38 +02:00			`# frozen_string_literal: true`

			`class ActivityPub::LinkedDataSignature`
			`include JsonLdHelper`

			`CONTEXT = 'https://w3id.org/identity/v1'`

			`def initialize(json)`
Allow Symbol keyed Hash in LinkedDataSignature (#4715) SerializarbleResource#as_json serializes to Symbol keyed Hash, but current implementation of LinkedDataSignature expects String keyed Hash. So it generates broken payload. 2017-08-27 20:35:01 +09:00			`@json = json.with_indifferent_access`
Add handling of Linked Data Signatures in payloads (#4687) * Add handling of Linked Data Signatures in payloads * Add a way to sign JSON, fix canonicalization of signature options * Fix signatureValue encoding, send out signed JSON when distributing * Add missing security context 2017-08-26 13:47:38 +02:00			`end`

			`def verify_account!`
			`return unless @json['signature'].is_a?(Hash)`

			`type = @json['signature']['type']`
			`creator_uri = @json['signature']['creator']`
			`signature = @json['signature']['signatureValue']`

			`return unless type == 'RsaSignature2017'`

			`creator = ActivityPub::TagManager.instance.uri_to_resource(creator_uri, Account)`
Validate id of ActivityPub representations (#5114) Additionally, ActivityPub::FetchRemoteStatusService no longer parses activities. OStatus::Activity::Creation no longer delegates to ActivityPub because the provided ActivityPub representations are not signed while OStatus representations are. 2017-10-04 08:13:48 +09:00			`creator \|\|= ActivityPub::FetchRemoteKeyService.new.call(creator_uri, id: false)`
Add handling of Linked Data Signatures in payloads (#4687) * Add handling of Linked Data Signatures in payloads * Add a way to sign JSON, fix canonicalization of signature options * Fix signatureValue encoding, send out signed JSON when distributing * Add missing security context 2017-08-26 13:47:38 +02:00
			`return if creator.nil?`

			`options_hash = hash(@json['signature'].without('type', 'id', 'signatureValue').merge('@context' => CONTEXT))`
			`document_hash = hash(@json.without('signature'))`
			`to_be_verified = options_hash + document_hash`

			`if creator.keypair.public_key.verify(OpenSSL::Digest::SHA256.new, Base64.decode64(signature), to_be_verified)`
			`creator`
			`end`
			`end`

			`def sign!(creator)`
			`options = {`
			`'type' => 'RsaSignature2017',`
			`'creator' => [ActivityPub::TagManager.instance.uri_for(creator), '#main-key'].join,`
			`'created' => Time.now.utc.iso8601,`
			`}`

			`options_hash = hash(options.without('type', 'id', 'signatureValue').merge('@context' => CONTEXT))`
			`document_hash = hash(@json.without('signature'))`
			`to_be_signed = options_hash + document_hash`

			`signature = Base64.strict_encode64(creator.keypair.sign(OpenSSL::Digest::SHA256.new, to_be_signed))`

Remove identity context from output of LinkedDataSignature (#4753) 2017-08-31 21:32:09 +02:00			`@json.merge('signature' => options.merge('signatureValue' => signature))`
Add handling of Linked Data Signatures in payloads (#4687) * Add handling of Linked Data Signatures in payloads * Add a way to sign JSON, fix canonicalization of signature options * Fix signatureValue encoding, send out signed JSON when distributing * Add missing security context 2017-08-26 13:47:38 +02:00			`end`

			`private`

			`def hash(obj)`
			`Digest::SHA256.hexdigest(canonicalize(obj))`
			`end`
			`end`