HTTP signature issues

Hey guys,

I’m trying to make my software accessible on the fediverse, and have been working on getting the HTTP signatures to work.
This seems to be a common issue, so I have looked through a bunch of threads from people with the same problem to see if anything was mentioned that could indicate what I am doing wrong myself.
I am testing against a Mastodon instance I’ve set up purely to test my own implementation against, and I get the following error every time:
D, [2024-05-10T04:55:55.941007 #65208] DEBUG -- : [fa42c186-f5be-4076-9a7b-344743ca9538] Signature verification failed: Verification failed for 2KLquvVSCjtJGwtNENhkCnpJQnZN1xJZeDNbzSGtrkEKFX@stonenet.org https://bridge.stonenet.org/actor/2KLquvVSCjtJGwtNENhkCnpJQnZN1xJZeDNbzSGtrkEKFX/activity-pub using rsa-sha256 (RSASSA-PKCS1-v1_5 with SHA-256)
This results in a 401 Unauthorized HTTP response back to my implementation.
I’ve tried to follow the actor from my own account on a Pleroma server, which gives a 500 response, so I’m not sure what that is about, but sending the Accept activity that I’m trying to send is still not working, although I’m not 100% sure it is because Pleroma isn’t able to verify the signature.

I’ve added the content-type header to the signed data and downgraded the RSA key to 2048 bits, but it didn’t help.
I’ve added a unit test to make sure that I’m using the signature algorithm correctly, using test data from this spec: draft-cavage-http-signatures-12
The code is here: stonenet/src/web/activity_pub.rs at 6f647283ad7bd9e40482551a2e7e388e803d74eb · bamidev/stonenet · GitHub. The unit test passes: I end up with the exact same (base64-encoded) signature.
I’ve verified that the public key that Mastodon has stored for the user is the exact same PEM as it should be, because I’ve been trying a few different key sizes.
I’ve verified that the data that Mastodon checks the signature against is the exact same as the data that I create the signature with.
Both my ActivityPub implementation and the Mastodon instance I’m testing with live on the same server, so I highly doubt it has to do with the signature having expired or something; the clocks should be set to the same time.
I’ve also tried encoding the signature with base64 without padding.

This is an example of the signed data:

(request-target): post /users/admin/inbox
host: mastodon.stonenet.org
date: Fri, 10 May 2024 12:20:59 GMT
digest: SHA-256=Czo0wIFa0bkV2qzyPJNyhiQUviyL7s/zEzp50YY99qI=
content-type: application/ld+json; profile="https://www.w3.org/ns/activitystreams"

The string has no newline at the end. I sign the UTF-8 bytes of the string, if that makes any difference, but I doubt it as there are no special characters in this string.
Here is an example of the signature header value:

keyId="https://bridge.stonenet.org/actor/2KLquvVSCjtJGwtNENhkCnpJQnZN1xJZeDNbzSGtrkEKFX/activity-pub#main-key", algorithm="rsa-sha256", headers="(request-target) host date digest content-type", signature="QlMhFzH7AERiU5CqKgbUJ+UIAEgbptM8JEvBOL/YiNmp5NS7uBQ+6U8SOOMcD+Ina4cSSZRE+hPVC08bGuF+jk0swYqOFHSyl/bvtSKjfuQXzVzdbMar7G4Vu28K2ISoQvfBapbeMdlMfx9vXNsfkveo+sXUhbEwJCj2DgVJcCUsljPgTdX7AF0JpdGzXQZ/I4EpOpgUwFrcoIUBsokAErqZ8GwS9ROJdv4ScgIk4CqyYu4CzdbgzGBAHbluJXmaStjNPmbQkst1rH8Eb+j/PYxDVTs3QhnjpH7qdYgqpZbC3+dmeUQj+KMzQqsTjYFNiMbdtNl03Q/xAvHr9hh/VQ=="

Has anyone got an idea what else I could check? I feel like I’m out of options at the moment.


Omg -.-

I’ve figured it out. Apparently, I was double-escaping my public key, so Mastodon didn’t have a valid key in the first place…
Well, guess problem’s solved…

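An added worked example for both posts above (it is not the poster's code and not taken from the stonenet repository): it builds the draft-cavage signing string exactly in the form shown in the first post, computes the Digest header, assembles and parses the Signature header, and checks a served actor document for the double-escaped publicKeyPem that turned out to be the root cause in the second post. Everything is Python standard library; the key id, request body and actor JSON are constructed for the demo. The RSA step itself uses the third-party `cryptography` package when it is installed and otherwise falls back to a placeholder signer, so the request assembly still runs offline.

```python
import base64
import hashlib
import json
import re
from typing import Callable, Dict, List, Tuple

# Constructed request headers mirroring the signing string shown in the thread.
SAMPLE_HEADERS = {
    "Host": "mastodon.stonenet.org",
    "Date": "Fri, 10 May 2024 12:20:59 GMT",
    "Content-Type": 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
}
SIGNED_HEADER_NAMES = ["(request-target)", "host", "date", "digest", "content-type"]


def digest_header(body: bytes) -> str:
    """Digest header as Mastodon expects it: 'SHA-256=' + base64 of the raw hash."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def signing_string(method: str, path: str, headers: Dict[str, str], names: List[str]) -> str:
    """Build the draft-cavage-12 signing string: lowercase header names, trimmed
    values, lines joined by a single LF and no trailing newline."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lower:
            lines.append(f"{name}: {lower[name]}")
        else:
            raise KeyError(f"header {name!r} is listed in 'headers' but was not sent")
    return "\n".join(lines)


def signature_header(key_id: str, names: List[str], raw_signature: bytes) -> str:
    """Assemble the Signature header; the base64 value keeps its '=' padding."""
    return (
        f'keyId="{key_id}",algorithm="rsa-sha256",'
        f'headers="{" ".join(names)}",'
        f'signature="{base64.b64encode(raw_signature).decode("ascii")}"'
    )


_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_signature_header(value: str) -> Dict[str, str]:
    """Split keyId="..",algorithm="..",headers="..",signature=".." into a dict."""
    return dict(_PARAM_RE.findall(value))


def pem_problems(actor_json: str) -> List[str]:
    """Problems with publicKeyPem in a served actor document (the JSON text as
    fetched). A double-escaped key survives json.loads as a backslash followed
    by the letter n instead of a real newline, so no verifier can parse it."""
    pem = json.loads(actor_json)["publicKey"]["publicKeyPem"]
    problems = []
    if "\\n" in pem:
        problems.append("literal backslash-n in PEM (double-escaped)")
    if "\n" not in pem.strip():
        problems.append("PEM has no newlines")
    if "-----BEGIN" not in pem or "-----END" not in pem:
        problems.append("PEM armour markers missing")
    return problems


def build_signed_request(method: str, path: str, headers: Dict[str, str], body: bytes,
                         key_id: str, sign: Callable[[bytes], bytes]) -> Tuple[Dict[str, str], str]:
    """Add Digest and Signature to a copy of headers. 'sign' must do
    RSASSA-PKCS1-v1_5 with SHA-256 over the UTF-8 bytes of the signing string."""
    full = dict(headers)
    full["Digest"] = digest_header(body)
    to_sign = signing_string(method, path, full, SIGNED_HEADER_NAMES)
    full["Signature"] = signature_header(key_id, SIGNED_HEADER_NAMES, sign(to_sign.encode("utf-8")))
    return full, to_sign


if __name__ == "__main__":
    body = b'{"type": "Accept"}'                      # constructed body
    key_id = "https://bridge.example/actor/alice#main-key"  # assumed key id
    try:  # optional real RSA via the third-party 'cryptography' package
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        signer = lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    except ImportError:
        signer = lambda data: b"\x00" * 256           # placeholder, not a valid signature
    hdrs, to_sign = build_signed_request("POST", "/users/admin/inbox", SAMPLE_HEADERS, body, key_id, signer)
    print(to_sign)
    print(hdrs["Signature"])
```

Run the PEM check against the actor document exactly as the remote server fetches it (the raw response body, not an object you already decoded once); a key that looks fine in your own code can still be served double-escaped when it is JSON-encoded twice on the way out.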