Anyone have an HTTP Signatures test case?

Hi! I’m bashing my head against the wall that is HTTP Signatures. I’ve got plenty of sample code and previous examples, but I’m trying to write a reliable test for my code. I’ve tried testing against this HTTP signatures tool but another post suggests it may be inaccurate.

So what I’m wondering is: does anyone have a valid signed HTTP message with its public and private keys? (Obviously from a test account!) I want to be able to compare my program’s output to a valid output.

If you’re curious, here’s my unit test.

Thanks for any help, y’all. Appreciate the work everyone here is doing.

Mastodon’s HTTP signature unit tests have a private key and signature string: mastodon/spec/requests/signature_verification_spec.rb at cc3ff66246b3d1467e5afa1d53efd9e1d3ad2ca0 · mastodon/mastodon · GitHub

1 Like

yes seppo/test/http_test.ml at 61089407a31604ef955d60fbacc571d84233551f - seppo/seppo - Codeberg.org

Edit: the keys are from draft-cavage-http-signatures-12

1 Like
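A self-checking round trip in the draft-cavage-http-signatures-12 format named above, added here as an example; it is not code from any of the posts or linked projects. The key is a throwaway generated at run time, the actor and inbox URLs are constructed, and header names are assumed to be lowercased already.

```ruby
require 'openssl'

# Signing string: one "name: value" line per signed header, in the listed
# order, joined by "\n" with no trailing newline.
def signing_string(method, path, headers, signed)
  signed.map do |name|
    next "(request-target): #{method.downcase} #{path}" if name == '(request-target)'
    "#{name}: #{headers.fetch(name)}"
  end.join("\n")
end

# Build the Signature header value (rsa-sha256, base64 without line breaks).
def sign_request(key, key_id, method, path, headers, signed)
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, path, headers, signed))
  %(keyId="#{key_id}",algorithm="rsa-sha256",headers="#{signed.join(' ')}",signature="#{[sig].pack('m0')}")
end

# Parse the header, rebuild the signing string from the request as received,
# and verify. Any malformed input yields false rather than an exception.
def verify_request(public_key, header, method, path, headers)
  params = header.scan(/(\w+)="([^"]*)"/).to_h
  return false unless params['algorithm'] == 'rsa-sha256' && params['signature']
  signed = params.fetch('headers', 'date').split(' ') # draft default: Date only
  return false unless signed.all? { |n| n == '(request-target)' || headers.key?(n) }
  sig = params['signature'].unpack1('m0') # strict base64, raises on junk
  public_key.verify(OpenSSL::Digest.new('SHA256'), sig, signing_string(method, path, headers, signed))
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# Constructed sample request; nothing here comes from a real server.
KEY = OpenSSL::PKey::RSA.new(2048)
BODY = '{"type":"Follow"}'
HEADERS = {
  'host' => 'example.org',
  'date' => 'Sun, 05 Jan 2014 21:31:40 GMT',
  'digest' => "SHA-256=#{[OpenSSL::Digest.new('SHA256').digest(BODY)].pack('m0')}"
}.freeze
SIGNED = ['(request-target)', 'host', 'date', 'digest'].freeze
HEADER = sign_request(KEY, 'https://example.org/users/alice#main-key', 'POST', '/inbox', HEADERS, SIGNED)

puts signing_string('POST', '/inbox', HEADERS, SIGNED)
puts "Signature: #{HEADER}"
```

Printing the signing string next to the header makes it easy to diff against what another implementation builds for the same request, which is where mismatches usually hide.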

I have a few things:

2 Likes

Thanks a ton! I’ve turned your spec into a PHPUnit test (see unit test link) and finally figured out where my problem was.

1 Like

wow!
Is there anywhere other than mastodon that describes how to handle the public key in the actor? Wasn’t there a recent FEP from @eprodrom regarding http signatures?

— edit —
A sample is that:

"publicKey": {
  "id": "https://activitypub.academy/users/fabocia_tuvos#main-key",
  "owner": "https://activitypub.academy/users/fabocia_tuvos",
  "publicKeyPem": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAO ...  -----END PUBLIC KEY-----"
}

they use (unspecified)

  • https://www.w3.org/ns/activitystreams#owner
  • https://www.w3.org/ns/activitystreams#publicKeyPem
  • https://www.w3.org/ns/activitystreams#publicKey

Do you all do it like this?

Those are defined in the “https://w3id.org/security/v1” context, right? I’d expect them to expand to:

  • https://w3id.org/security#owner
  • https://w3id.org/security#publicKeyPem
  • https://w3id.org/security#publicKey

2 Likes

See fediverse-features/fedi/actor_to_public_key.feature at main - helge/fediverse-features - Codeberg.org for the public key test case.