diff --git a/Cargo.lock b/Cargo.lock
index b7899a5..741e00f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -529,6 +529,12 @@ dependencies = [
 "tokio-postgres",
 ]
+[[package]]
+name = "bit-vec"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4523a10839ffae575fb08aa3423026c8cb4687eef43952afb956229d4f246f7"
+
 [[package]]
 name = "bitflags"
 version = "1.2.1"
@@ -1711,8 +1717,10 @@ dependencies = [
 [[package]]
 name = "rsa-pem"
 version = "0.1.0"
-source = "git+https://git.asonix.dog/Aardwolf/rsa-pem#6c47c3fc377375a5bfedbb7457832fc013d3227d"
+source = "git+https://git.asonix.dog/Aardwolf/rsa-pem#8dc04bd060d7993058c120f5cbfa654890113614"
 dependencies = [
+ "bit-vec",
+ "log",
 "num-bigint",
 "num-bigint-dig",
 "num-traits",
@@ -2469,6 +2477,7 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a563d10ead87e2d798e357d44f40f495ad70bcee4d5c0d3f77a5b1b7376645d9"
 dependencies = [
+ "bit-vec",
 "num-bigint",
 ]
diff --git a/src/inbox.rs b/src/inbox.rs
index 7f53989..0ceaa5c 100644
--- a/src/inbox.rs
+++ b/src/inbox.rs
@@ -308,7 +308,7 @@ where
 &key_id,
 &mut digest,
 item_string,
- |signing_string| state.sign(signing_string.as_bytes()),
+ |signing_string| state.sign(signing_string),
 )?
 .send()
 .await
diff --git a/src/state.rs b/src/state.rs
index cd97bec..ec18dfa 100644
--- a/src/state.rs
+++ b/src/state.rs
@@ -97,11 +97,13 @@ impl Settings {
 format!("relay@{}", self.hostname)
 }
- fn sign(&self, bytes: &[u8]) -> Result {
+ fn sign(&self, signing_string: &str) -> Result {
 use rsa::{hash::Hashes, padding::PaddingScheme};
+ use sha2::{Digest, Sha256};
+ let hashed = Sha256::digest(signing_string.as_bytes());
 let bytes = self.private_key
- .sign(PaddingScheme::PKCS1v15, Some(&Hashes::SHA2_256), bytes)?;
+ .sign(PaddingScheme::PKCS1v15, Some(&Hashes::SHA2_256), &hashed)?;
 Ok(base64::encode_config(bytes, base64::URL_SAFE))
 }
 }
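Review bot: `Settings::sign` in src/state.rs still returns `base64::encode_config(bytes, base64::URL_SAFE)`, while the `verify` hunk in src/verifier.rs decodes signatures with plain `base64::decode`, i.e. the standard alphabet, so a signature whose encoding contains `-` or `_` would fail to decode there; remote servers following the HTTP Signatures draft presumably expect the standard alphabet as well. Since this commit is about getting the signature bytes right, the return line should probably become `Ok(base64::encode(bytes))`. The method would also benefit from a doc comment such as `/// Hashes the raw signing string with SHA-256, signs the digest with RSASSA-PKCS1-v1_5 and returns the signature base64-encoded; pass the signing string itself, never a precomputed digest.` A sign-then-verify round-trip test against `MyVerify` would catch both the hashing and the encoding mismatch in one place.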
@@ -115,8 +117,8 @@ impl State {
 self.settings.generate_resource()
 }
- pub fn sign(&self, bytes: &[u8]) -> Result {
- self.settings.sign(bytes)
+ pub fn sign(&self, signing_string: &str) -> Result {
+ self.settings.sign(signing_string)
 }
 pub async fn bust_whitelist(&self, whitelist: &str) {
diff --git a/src/verifier.rs b/src/verifier.rs
index 5c01ede..dd707cd 100644
--- a/src/verifier.rs
+++ b/src/verifier.rs
@@ -1,8 +1,9 @@
 use crate::{error::MyError, state::State};
 use actix_web::client::Client;
-use http_signature_normalization_actix::prelude::*;
+use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm};
 use rsa::{hash::Hashes, padding::PaddingScheme, PublicKey, RSAPublicKey};
 use rsa_pem::KeyExt;
+use sha2::{Digest, Sha256};
 use std::{future::Future, pin::Pin, sync::Arc};
 #[derive(Clone)]
@@ -35,16 +36,18 @@ impl SignatureVerify for MyVerify {
 match algorithm {
 Some(Algorithm::Hs2019) => (),
+ Some(Algorithm::Deprecated(DeprecatedAlgorithm::RsaSha256)) => (),
 _ => return Err(MyError::Algorithm),
 };
 let decoded = base64::decode(signature)?;
+ let hashed = Sha256::digest(signing_string.as_bytes());
 public_key.verify(
 PaddingScheme::PKCS1v15,
 Some(&Hashes::SHA2_256),
+ &hashed,
 &decoded,
- signing_string.as_bytes(),
 )?;
 Ok(true)
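Review bot: The new `Some(Algorithm::Deprecated(DeprecatedAlgorithm::RsaSha256)) => ()` arm in the `match algorithm` of src/verifier.rs is accepted without any comment, and both accepted labels fall through to the same fixed PKCS#1 v1.5 / SHA-256 check, so the `algorithm` value only gates acceptance and never selects the primitive. That property is worth writing down so a later arm does not start choosing the scheme from a value that presumably comes from the request's signature header: `// Both labels are verified as RSASSA-PKCS1-v1_5 with SHA-256; the declared algorithm never selects the scheme.` The comment should also say whether rejecting a missing algorithm (the `None` case caught by `_`) is deliberate, since some senders may omit the parameter. The enclosing verify function starts and ends outside this hunk.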