Testing HttpSignatures (mastodon)

Hi there, i try to post an activity to mastodon as described here
But get a “401 Unauthorized from POST https://mastodon.social/inbox

I think there are problems with the signature, but have no idea. Does anybody have an idea, how i can test whats wrong (without setting up / debugging a mastodon instance)

I’m using GitHub - tomitribe/http-signatures-java: Java Client Library for HTTP Signatures

Thanks Fredy

@grishka how did you solve the httpsignature “problem” ?

Uh, I didn’t have it in the first place. I followed that tutorial too but did everything from scratch (it’s really not worthy of being a library). Here’s my entire implementation.

You can also try sending requests to my instance (friends.grishka.me) as I’m returning somewhat more informative errors.

Ah, and yes, that tutorial is now outdated. Mastodon now requires the Digest header since about several months ago.

ok, i will take a look at your links! thanks

I pinged Eugen to update that tutorial.


Is there also a global inbox like https://friends.grishka.me/inbox ?

Yes, https://friends.grishka.me/activitypub/sharedInbox. But don’t hardcode it, servers that support it have it in actor objects in the endpoints field.

its just for the first tests :wink:

i get a: 404 Not Found from POST https://friends.grishka.me/activitypub/sharedInbox

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target :thinking:

You don’t have your SSL certificate set up correctly, it’s self-signed and thus not trusted by anything that doesn’t have your root installed.

Снимок экрана 2021-05-16 в 20.17.50

So it failed while trying to fetch the actor object and (misleadingly) returned a 404 because it wasn’t able to find the actor. I should probably return a 400 in this case.

BTW, it’s helpful to log the response body.

1 Like

ups, i thougt you get onother certificate. i’ll check.

currently working on the logging

ok, i’m not really an environment expert and sure not with certificate stuff :wink:
But now i do not have the ssl error any more. i think i get an http 500 from your server?

you don’t like my json:

<500,<h1 style='color: red;'>Unhandled exception</h1><pre>org.json.JSONException: Unterminated string at 414 [character 0 line 16]
	at smithereen.activitypub.ActivityPub.fetchRemoteObject(ActivityPub.java:90)
	at smithereen.ObjectLinkResolver.resolve(ObjectLinkResolver.java:83)
	at smithereen.routes.ActivityPubRoutes.inbox(ActivityPubRoutes.java:569)
	at smithereen.routes.ActivityPubRoutes.sharedInbox(ActivityPubRoutes.java:256)
	at spark.RouteImpl$1.handle(RouteImpl.java:72)
	at spark.http.matching.Routes.execute(Routes.java:61)
	at spark.http.matching.MatcherFilter.doFilter(MatcherFilter.java:134)
	at spark.embeddedserver.jetty.JettyHandler.doHandle(JettyHandler.java:50)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1671)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.Server.handle(Server.java:505)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:698)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:804)
	at java.base/java.lang.Thread.run(Unknown Source)

i expect, that you receive:

	"@context": "https://www.w3.org/ns/activitystreams",

	"id": "https://naturzukunft.ddnss.de/create-hello-world",
	"type": "Create",
	"actor": "https://naturzukunft.ddnss.de/actor",

	"object": {
		"id": "https://naturzukunft.ddnss.de/hello-world",
		"type": "Note",
		"published": "2018-06-23T17:17:11Z",
		"attributedTo": "https://naturzukunft.ddnss.de/actor",
		"inReplyTo": "https://mastodon.social/@Gargron/100254678717223630",
		"content": "<p>Hello world</p>",
		"to": "https://www.w3.org/ns/activitystreams#Public"

Actually it’s parsing the activity itself just fine, it’s the actor that fails. Though I can’t look at it right now because you turned your server off.

My guess would be that you wrote the json by hand and pasted the public key with line breaks without replacing them with \n

the server is up again

no, the public key should be “dynamic” it’s not hardcoded.

ah, i see. there is a mismatch now. the public key is the old one. and the private is a new one. i’ve to fix that! But enough for today :wink:
Thank you!!

btw. i added the digest, but mastodon still says it has problems parsing the headers.