HTTP Signatures are hard to digest (pun intended). The last thing I care about is follower count, but I need help

utdliyvlyuc · October 20, 2023, 11:31am

I am livestreaming ActivityPub development: https://www.twitch.tv/utdliyvlyuc

I hope that no human or computer will actually watch 9 hour videos to see the issue that I am running to, but am linking it because I want to see if the stars align by exercising some possibility that since I am currently almost every day actively streaming it, an expert who is also passionate about ActivityPub can clearly understand the issue that I am running into. Mostly HTTP Signature-related. Specifically the context is follow requests, both incoming and outgoing.

Here is a current opinion that I would rather not think about changing yet: As much as possible, I should rely on landrok/activitypub.

Therefore, when I am inspecting the incoming requests (my test case is Mastodon @ https://activitypub.academy, the code is looking like this:

$server = $activityPubRequest->activityPubServer();

$httpSignature = new HttpSignature($server);
$incomingRequest = \Symfony\Component\HttpFoundation\Request::create(
	$_SERVER['REQUEST_URI'],
	'POST',
	$_REQUEST, // parameters
	$_COOKIE, // cookies
	[], // files
	$_SERVER // $_SERVER,
);

error_log('test1');
error_log(print_r($_SERVER, true));
error_log('test2');
error_log(print_r($httpSignature, true));
error_log('test3');
error_log(print_r($httpSignature->verify($incomingRequest) ? 'yes' : 'why', true));
error_log(print_r('test23423423424', true));
exit('test2342342342');

$httpSignature->verify($incomingRequest) never seems to return true, only false. Of course I need to be able to verify signatures from 3rd party ActivityPub servers.

Now, posting this code is only somewhat relevant at all, due to the scope of this issue.

Despite my discomfort with streaming from some angles, I think the main reason I am posting this is with a hope that someone who is both an expert on the subject and happens to click on the stream at the right time (please do not watch any 9 hour videos for this), can help guide me in a good direction for signing HTTP requests and successfully processing follow requests.

arnelson · October 20, 2023, 7:16pm

I don’t have enough context to know if this is what you need (haven’t watched the videos), but HTTP signatures were a huge problem for me when I implemented them in Tapir too. Mastodon is very finicky about them, the signed text must include only a few specific headers in a particular order.

In the end, I only managed to get it working by copying Honk’s Go implementation of HTTP signatures. My TypeScript implementation here might help if you know JavaScript; it uses the browser-compatible Web Crypto API to perform RSA-SHA256.

If you want to stick with a third-party library, also be very careful that you’re using the right public key to verify the signature. A Mastodon user’s public key is on their Actor object, so verifying a signature on a message from that actor requires making at least one HTTP request to get the actor’s JSON-LD representation (and then probably caching the public key).

grishka · October 20, 2023, 7:51pm

HTTP signatures are easy, actually. Here’s my known-working library-free implementation in Smithereen:

github.com

grishka/Smithereen/blob/4af59e0413aaec8fb962a21497afaa1b19e652ba/src/main/java/smithereen/activitypub/ActivityPub.java#L411-L483


      
          	public static Actor verifyHttpSignature(spark.Request req, Actor userHint) throws ParseException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, SQLException{
          		String sigHeader=req.headers("Signature");
          		if(sigHeader==null)
          			throw new BadRequestException("Request is missing Signature header");
          		List<Map<String, String>> values=parseSignatureHeader(sigHeader);
          		if(values.isEmpty())
          			throw new BadRequestException("Signature header has invalid format");
          		Map<String, String> supportedSig=null;
          		for(Map<String, String> sig:values){
          			if("rsa-sha256".equalsIgnoreCase(sig.get("algorithm")) || "hs2019".equalsIgnoreCase(sig.get("algorithm"))){
          				supportedSig=sig;
          				break;
          			}
          		}
          		if(supportedSig==null)
          			throw new BadRequestException("Unsupported signature algorithm \""+values.get(0).get("algorithm")+"\", expected \"rsa-sha256\" or \"hs2019\"");
          
          		if(!supportedSig.containsKey("keyId"))
          			throw new BadRequestException("Signature header is missing keyId field");
          		if(!supportedSig.containsKey("signature"))

This file has been truncated. show original

nightpool · October 20, 2023, 8:44pm

Yeah, a lot of developers have gotten HTTP Signatures working. I’ve never heard any issues about the order of the headers like arnelson mentioned, it should always just match the order you list the headers in the “headers” parameter.

Are you able to sign and verify your own signatures when communicating with your own server? If so, can you post that code?

utdliyvlyuc · October 21, 2023, 6:38pm

Thanks so much for all the great input!

Straying from the original goal of using the landrok/activitypub library for as much as I could, I’ve instead removed some dependencies entirely including that one.

Signatures on incoming Inbox requests seem to be successfully verified here:

github.com

instalution/lipupini/blob/7c3d2b2c5611cf6bb2cc0707d409bf289d05e2b9/module/Lipupini/ActivityPub/Request/Inbox.php#L52


      
          
          		if (empty($_SERVER['HTTP_SIGNATURE'])) {
          			throw new Exception('Expected request to be signed');
          		}
          
          		$remoteActor = RemoteActor::fromUrl(
          			url: $requestData->actor,
          			cacheDir: $activityPubRequest->system->dirStorage . '/cache/ap'
          		);
          
          		if (!(new Incoming\Signature)->verify(
          			$remoteActor->getPublicKeyPem(),
          			$_SERVER,
          			parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), // Path without query string
          			$requestBody
          		)) {
          			throw new Exception('HTTP Signature did not validate');
          		}
          
          		/* BEGIN STORE INBOX ACTIVITY */

And the code behind the verify method is here:

github.com

instalution/lipupini/blob/7c3d2b2c5611cf6bb2cc0707d409bf289d05e2b9/module/Lipupini/Request/Incoming/Signature.php#L45


      
          
          		if (!isset($signatureData['headers']) || !isset($signatureData['signature'])) {
          			return [
          				'error' => 'Signature is missing headers or signature parts'
          			];
          		}
          
          		return $signatureData;
          	}
          
          	public static function verify($publicKeyPem, $inputHeaders, $path, $body) {
          		$signatureData = static::parseSignatureHeader($inputHeaders['HTTP_SIGNATURE']);
          
          		// Adapted from https://github.com/symfony/http-foundation/blob/6.3/ServerBag.php#L29
          		foreach ($inputHeaders as $key => $value) {
          			if (str_starts_with($key, 'HTTP_')) {
          				$headerName = strtolower(substr($key, 5));
          				unset($inputHeaders[$key]);
          			} else if (\in_array($key, ['CONTENT_TYPE', 'CONTENT_LENGTH', 'CONTENT_MD5'], true)) {
          				$headerName = strtolower($key);
          			} else {

When I try to send a signed outgoing Follow request (for example):

/instalution/lipupini/blob/v2.x/module/Lipupini/ActivityPub/Request/Follow.php#L55
/instalution/lipupini/blob/v2.x/module/Lipupini/ActivityPub/Request.php#L45
/instalution/lipupini/blob/v2.x/module/Lipupini/Request/Outgoing/Signature.php#L14

I think there’s still an issue with that, so it’s the next aspect to tackle.

Edit: The forum won’t let me paste more than two links, even from GitHub