1 use crate::apub::ActorType;
2 use activitystreams::ext::Extension;
3 use actix_web::HttpRequest;
4 use attohttpc::RequestBuilder;
6 use http_signature_normalization::Config;
12 sign::{Signer, Verifier},
14 use serde::{Deserialize, Serialize};
15 use std::collections::BTreeMap;
18 static ref HTTP_SIG_CONFIG: Config = Config::new();
22 pub private_key: String,
23 pub public_key: String,
26 /// Generate the asymmetric keypair for ActivityPub HTTP signatures.
27 pub fn generate_actor_keypair() -> Result<Keypair, Error> {
28 let rsa = Rsa::generate(2048)?;
29 let pkey = PKey::from_rsa(rsa)?;
30 let public_key = pkey.public_key_to_pem()?;
31 let private_key = pkey.private_key_to_pem_pkcs8()?;
33 private_key: String::from_utf8(private_key)?,
34 public_key: String::from_utf8(public_key)?,
38 // TODO is it possible to create this signature, with just the url and actor?
39 /// Signs request headers with the given keypair.
40 pub fn sign(request: &mut RequestBuilder, actor: &dyn ActorType) -> Result<String, Error> {
41 let signing_key_id = format!("{}#main-key", actor.actor_id());
47 .map(|h| -> Result<(String, String), Error> {
48 Ok((h.0.as_str().to_owned(), h.1.to_str()?.to_owned()))
50 .collect::<Result<BTreeMap<String, String>, Error>>()?;
52 let mut path_and_query = request.inspect().url().path().to_owned();
53 if let Some(query) = request.inspect().url().query() {
54 path_and_query.push_str(query);
57 let signature_header_value = HTTP_SIG_CONFIG
59 request.inspect().method().as_str(),
63 .sign(signing_key_id, |signing_string| {
64 let private_key = PKey::private_key_from_pem(actor.private_key().as_bytes())?;
65 let mut signer = Signer::new(MessageDigest::sha256(), &private_key).unwrap();
66 signer.update(signing_string.as_bytes()).unwrap();
67 Ok(base64::encode(signer.sign_to_vec()?)) as Result<_, Error>
71 Ok(signature_header_value)
74 pub fn verify(request: &HttpRequest, actor: &dyn ActorType) -> Result<(), Error> {
78 .map(|h| -> Result<(String, String), Error> {
79 Ok((h.0.as_str().to_owned(), h.1.to_str()?.to_owned()))
81 .collect::<Result<BTreeMap<String, String>, Error>>()?;
83 let verified = HTTP_SIG_CONFIG
85 request.method().as_str(),
86 request.uri().path_and_query().unwrap().as_str(),
89 .verify(|signature, signing_string| -> Result<bool, Error> {
91 "Verifying with key {}, message {}",
95 let public_key = PKey::public_key_from_pem(actor.public_key().as_bytes())?;
96 let mut verifier = Verifier::new(MessageDigest::sha256(), &public_key).unwrap();
97 verifier.update(&signing_string.as_bytes()).unwrap();
98 Ok(verifier.verify(&base64::decode(signature)?)?)
102 debug!("verified signature for {}", &request.uri());
106 "Invalid signature on request: {}",
112 // The following is taken from here:
113 // https://docs.rs/activitystreams/0.5.0-alpha.17/activitystreams/ext/index.html
115 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
116 #[serde(rename_all = "camelCase")]
117 pub struct PublicKey {
120 pub public_key_pem: String,
123 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
124 #[serde(rename_all = "camelCase")]
125 pub struct PublicKeyExtension {
126 pub public_key: PublicKey,
130 pub fn to_ext(&self) -> PublicKeyExtension {
132 public_key: self.to_owned(),
137 impl<T> Extension<T> for PublicKeyExtension where T: activitystreams::Actor {}