HTTP Signatures in Python

OK I am making progress, deleted my original note so I’d not waste people’s time, I’ll be back, with any luck, with a working example.

Purging is sad; rather, tell us about your progress, please.

Are you aware of "Help Needed: HTTP Signatures - #24 by mro"?

Fair enough, I had been using python package requests-http-signature but was having trouble specifying which headers got encrypted in the signature.

There is an alternative package written by some folks at Funkwhale who have an ActivityPub server, it’s named requests-http-message-signatures and I’ve had better luck.

I am getting a 404 from my Mastodon server with the message:

Verification failed for CartyBoston@farmer.roundpond.net https://farmer.roundpond.net/actor.json using rsa-sha256 (RSASSA-PKCS

python script:

import requests
import requests_http_message_signatures

# Activity document to deliver (read as text)
with open("/var/www/html/hello-world.json", "r") as message_file:
    message = message_file.read()

# Private key used to sign the request
with open("/home/carty/keys/private.pem", "rb") as private_key_file:
    private_key = private_key_file.read()

# Public key (read here, not used when signing)
with open("/home/carty/keys/public.pem", "rb") as public_key_file:
    public_key = public_key_file.read()

# Sign the listed headers with the actor's key
auth = requests_http_message_signatures.HTTPSignatureHeaderAuth(
    headers=["(request-target)", "user-agent", "host", "date"],
    algorithm="rsa-sha256",
    key=private_key,
    key_id="https://farmer.roundpond.net/actor.json#main-key",
)

r = requests.post("https://mastodon.roundpond.net/inbox", auth=auth, json=message)

https://farmer.roundpond.net/actor.json:

{
        "@context": [
                "https://www.w3.org/ns/activitystreams",
                "https://w3id.org/security/v1"
        ],

        "id": "https://farmer.roundpond.net/actor.json",
        "type": "Person",
        "preferredUsername": "CartyBoston",
        "inbox": "https://farmer.roundpond.net/inbox",

        "publicKey": {
                "id": "https://farmer.roundpond.net/actor.json#main-key",
                "owner": "https://farmer.roundpond.net/actor.json",
                "publicKeyPem": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnAvHQk/uSeezTMF5kgFtuK3k/YXmipII22z7z5M6zkIJfRomqbNBCL85DUt1y5x6rEwXxmGgS91PVn/FoAqITi5+Z/dHSk5X55S0SB0uC9cx0nJ6SwVHAM3p8iVdh5x5aLNK40fSfc3h85WXMQXhbPEk8MD7lEgIMU5rpR3JCaWsK3ZCNfkCBvI/V59mKE3Ij8o3Fti/VcZJvbGSAaCY4eY9C/OXLgOiaB13svq99oyYFhfnST+baYPLgt6rWO1pcsUikNbO4755i+ZdXPgIOj5Uk3zuUXAlQKaByq4slkL47vZldFVL29IjGNiBeL52M26LTWnScB5LFDBJTkBljwIDAQAB-----END PUBLIC KEY-----"
        }
}

Which appears to be the correct public key, my message doc:

{
	"@context": "https://www.w3.org/ns/activitystreams",

	"id": "https://farmer.roundpond.net/hello-world.json",
	"type": "Create",
	"actor": "https://farmer.roundpond.net/actor",

	"object": {
		"id": "https://farmer.roundpond.net/hello-world.json",
		"type": "Note",
		"published": "2022-11-24T10:33:29+00:00",
		"attributedTo": "https://farmer.roundpond.net/actor",
		"inReplyTo": "https://mastodon.roundpond.net/@CartyBoston/109389086134482031",
		"content": "<p>Carty's blood pressure is 138/88 y'all"</p>",
		"to": "https://www.w3.org/ns/activitystreams#Public"
	}
}

Request looks like:

{'User-Agent': 'python-requests/2.25.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Content-Length': '659', 'Content-Type': 'application/json', 'Date': 'Fri, 25 Nov 2022 18:54:50 GMT', 'Digest': 'SHA-256=USMTIsSA/Ye1xhThe0PKpQx7Y/RL7mkvfoJB9D4u3t0=', 'Signature': 'keyId="https://farmer.roundpond.net/actor.json#main-key",algorithm="rsa-sha256",headers="(request-target) user-agent host date digest",signature="DAt9UpVJ98KpeL8aH3Js3Z7/9ktZ+rfFcW3x++duiAUjQjca7eiVUgLdE4nHKVtGZkORQXBb/0FG3Kf2qJ1GInW4mSzrNTQQdmjqnzVF7nWsmBv53m9vl+Xt1Az44beYgt+YFr59y8t7S/kj8ze1xR+PKY9E6ebjpwMRN0+SsmJy2O2eR8lbz83BnfDlAQr5OHYe5BBnwkvAAbquQeIoj0iTxD+AEYc2CUXDb33PbHkvV5jmQOgRkXamw/iI6PyxdBXXEs5d/u07M2fxdOYJ7hHRwVcWC52SyO3FCgzRuv05cHFkD6Qi6sO6cYJiD0PEfjodvUKr49nmQT8l8tszNw=="'}

Any help or further debugging tips very much appreciated, I will come back and post a python version of script in How to implement a basic ActivityPub server - Official Mastodon Blog as soon as it works.

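A standard-library way to inspect a signed request like the one dumped above before it is sent: it parses the Signature header, rebuilds the signing string in the order given by `headers=`, and checks the Digest against the body. This is an added example, not code from the thread or from requests-http-message-signatures; the hosts, body and signature value are constructed placeholders, and it does not perform the RSA verification itself.

```python
import base64
import hashlib
import re

def parse_signature_header(value):
    """Split a draft-cavage Signature header into its name="value" parameters."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def digest_header(body):
    """Digest header value for a request body given as bytes."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def build_signing_string(method, path, headers, signed_names):
    """Rebuild the string a verifier checks: one line per name, in the listed order."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in signed_names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lower:
            lines.append(f"{name}: {lower[name]}")
        else:
            raise KeyError(f"signed header {name!r} is missing from the request")
    return "\n".join(lines)

def check_request(method, path, headers, body):
    """Return (signature params, signing string, list of problems found)."""
    params = parse_signature_header(headers["Signature"])
    signed = params["headers"].split()
    problems = []
    if "digest" not in signed:
        problems.append("digest not covered by signature")
    if headers.get("Digest") != digest_header(body):
        problems.append("Digest does not match body")
    return params, build_signing_string(method, path, headers, signed), problems

# Constructed sample request (hypothetical hosts, placeholder signature value).
BODY = b'{"type": "Create"}'
HEADERS = {
    "Host": "mastodon.example",
    "User-Agent": "python-requests/2.25.1",
    "Date": "Fri, 25 Nov 2022 18:54:50 GMT",
    "Digest": digest_header(BODY),
    "Signature": 'keyId="https://actor.example/actor.json#main-key",algorithm="rsa-sha256",'
                 'headers="(request-target) user-agent host date digest",signature="c2FtcGxl"',
}

if __name__ == "__main__":
    print(check_request("POST", "/inbox", HEADERS, BODY)[1])
```

Comparing the printed signing string byte for byte with what the receiving server reconstructs is the quickest way to find a header that was changed or added after signing.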

I have something similar successfully implemented in OCaml - the signed headers might have to come first.