Home Explore Help
Sign In
RISCI_ATOM
/
mastodon
mirror of https://github.com/tootsuite/mastodon.git
1
0
Fork 0
Files Issues 8 Wiki
Branch: renovate/omniauth-packages
Branches Tags
mastodon
/
app
/
lib
/
activitypub
/
linked_data_signature.rb

linked_data_signature.rb 2.2 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. # frozen_string_literal: true
    2. 

  2. 

  3. class ActivityPub::LinkedDataSignature
    4. 

  4.   include JsonLdHelper
    5. 

  5. 

  6.   CONTEXT = 'https://w3id.org/identity/v1'
    7. 

  7.   SIGNATURE_CONTEXT = 'https://w3id.org/security/v1'
    8. 

  8. 

  9.   def initialize(json)
    10. 

  10.     @json = json.with_indifferent_access
    11. 

  11.   end
    12. 

  12. 

  13.   def verify_actor!
    14. 

  14.     return unless @json['signature'].is_a?(Hash)
    15. 

  15. 

  16.     type        = @json['signature']['type']
    17. 

  17.     creator_uri = @json['signature']['creator']
    18. 

  18.     signature   = @json['signature']['signatureValue']
    19. 

  19. 

  20.     return unless type == 'RsaSignature2017'
    21. 

  21. 

  22.     creator = ActivityPub::TagManager.instance.uri_to_actor(creator_uri)
    23. 

  23.     creator = ActivityPub::FetchRemoteKeyService.new.call(creator_uri) if creator&.public_key.blank?
    24. 

  24. 

  25.     return if creator.nil?
    26. 

  26. 

  27.     options_hash   = hash(@json['signature'].without('type', 'id', 'signatureValue').merge('@context' => CONTEXT))
    28. 

  28.     document_hash  = hash(@json.without('signature'))
    29. 

  29.     to_be_verified = options_hash + document_hash
    30. 

  30. 

  31.     creator if creator.keypair.public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.decode64(signature), to_be_verified)
    32. 

  32.   rescue OpenSSL::PKey::RSAError
    33. 

  33.     false
    34. 

  34.   end
    35. 

  35. 

  36.   def sign!(creator, sign_with: nil)
    37. 

  37.     options = {
    38. 

  38.       'type' => 'RsaSignature2017',
    39. 

  39.       'creator' => ActivityPub::TagManager.instance.key_uri_for(creator),
    40. 

  40.       'created' => Time.now.utc.iso8601,
    41. 

  41.     }
    42. 

  42. 

  43.     options_hash  = hash(options.without('type', 'id', 'signatureValue').merge('@context' => CONTEXT))
    44. 

  44.     document_hash = hash(@json.without('signature'))
    45. 

  45.     to_be_signed  = options_hash + document_hash
    46. 

  46.     keypair       = sign_with.present? ? OpenSSL::PKey::RSA.new(sign_with) : creator.keypair
    47. 

  47. 

  48.     signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest.new('SHA256'), to_be_signed))
    49. 

  49. 

  50.     # Mastodon's context is either an array or a single URL
    51. 

  51.     context_with_security = Array(@json['@context'])
    52. 

  52.     context_with_security << 'https://w3id.org/security/v1'
    53. 

  53.     context_with_security.uniq!
    54. 

  54.     context_with_security = context_with_security.first if context_with_security.size == 1
    55. 

  55. 

  56.     @json.merge('signature' => options.merge('signatureValue' => signature), '@context' => context_with_security)
    57. 

  57.   end
    58. 

  58. 

  59.   private
    60. 

  60. 

  61.   def hash(obj)
    62. 

  62.     Digest::SHA256.hexdigest(canonicalize(obj))
    63. 

  63.   end
    64. 

  64. end
    65.