From f7403f75dab5fea8e1f3dc022a6cfdd523094e1c Mon Sep 17 00:00:00 2001
From: Anthony Wang
Date: Thu, 19 Jan 2023 22:09:55 +0000
Subject: Clean up HTTP signature verification code

---
 server.py | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/server.py b/server.py
index 3fe33ab..18fa263 100644
--- a/server.py
+++ b/server.py
@@ -64,10 +64,9 @@ class fuwuqi(SimpleHTTPRequestHandler):
 
 username = search('^/users/(.*)\.(in|out)box$', self.path).group(1)
 
- # Get actor public key
- keyid = search('keyId="(.*?)"', self.headers['Signature']).group(1)
- actor = iri_to_actor(keyid)
- pubkeypem = actor['publicKey']['publicKeyPem'].encode('utf8')
+ # Get signer public key
+ signer = iri_to_actor(search('keyId="(.*?)"', self.headers['Signature']).group(1))
+ pubkeypem = signer['publicKey']['publicKeyPem'].encode('utf8')
 pubkey = serialization.load_pem_public_key(pubkeypem, None)
 
 # Assemble headers
@@ -84,11 +83,10 @@ class fuwuqi(SimpleHTTPRequestHandler):
 
 signature = search('signature="(.*?)"', self.headers['Signature']).group(1)
 pubkey.verify(b64decode(signature), message[:-1].encode('utf8'), padding.PKCS1v15(), hashes.SHA256())
 
- # Make sure activity doer matches HTTP signature
- actor = keyid.removesuffix('#main-key')
- if ('actor' in activity and activity['actor'] != actor) or \
- ('attributedTo' in activity and activity['attributedTo'] != actor) or \
- ('attributedTo' in activity['object'] and activity['object']['attributedTo'] != actor):
+ # Make sure activity doer matches HTTP signature
+ if ('actor' in activity and activity['actor'] != signer['id']) or \
+ ('attributedTo' in activity and activity['attributedTo'] != signer['id']) or \
+ ('attributedTo' in activity['object'] and activity['object']['attributedTo'] != signer['id']):
 self.send_response(401)
 return
-- 
cgit v1.2.3-70-g09d2
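Review bot: The doer check in the second hunk now compares the activity's actor against `signer['id']`, a field read from the document that `iri_to_actor` fetched from the request-supplied keyId, whereas the removed code bound it to the keyId URL itself; unless `iri_to_actor` already verifies that a document's `id` matches the location it was fetched from, a document served from one origin can claim the `id` of an actor on another and pass this check with a signature that verifies under its own key. I would keep the keyId binding in the first hunk and reject mismatches before the comparison: `keyid = search('keyId="(.*?)"', self.headers['Signature']).group(1)`, `signer = iri_to_actor(keyid)`, and `if urlparse(keyid).netloc != urlparse(signer['id']).netloc: self.send_response(401); return` (with `urlparse` from `urllib.parse`, if not already imported). The enclosing method starts before the first hunk and the header-assembly code between the two hunks is not shown, so I cannot tell whether `keyid` was still referenced there after the rename.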