mirror of https://gitlab.com/bashrc2/epicyon
Enable checking of json signatures on inbox posts
parent
b9d33296a1
commit
77f965162c
|
@ -1079,6 +1079,8 @@ class PubServer(BaseHTTPRequestHandler):
|
||||||
elif self.headers.get('content-length'):
|
elif self.headers.get('content-length'):
|
||||||
headersDict['content-length'] = self.headers['content-length']
|
headersDict['content-length'] = self.headers['content-length']
|
||||||
|
|
||||||
|
originalMessageJson = messageJson.copy()
|
||||||
|
|
||||||
# For follow activities add a 'to' field, which is a copy
|
# For follow activities add a 'to' field, which is a copy
|
||||||
# of the object field
|
# of the object field
|
||||||
messageJson, toFieldExists = \
|
messageJson, toFieldExists = \
|
||||||
|
@ -1097,7 +1099,7 @@ class PubServer(BaseHTTPRequestHandler):
|
||||||
self.server.httpPrefix,
|
self.server.httpPrefix,
|
||||||
nickname,
|
nickname,
|
||||||
self.server.domainFull,
|
self.server.domainFull,
|
||||||
messageJson,
|
messageJson, originalMessageJson,
|
||||||
messageBytesDecoded,
|
messageBytesDecoded,
|
||||||
headersDict,
|
headersDict,
|
||||||
self.path,
|
self.path,
|
||||||
|
|
44
inbox.py
44
inbox.py
|
@ -313,6 +313,7 @@ def inboxPermittedMessage(domain: str, messageJson: {},
|
||||||
def savePostToInboxQueue(baseDir: str, httpPrefix: str,
|
def savePostToInboxQueue(baseDir: str, httpPrefix: str,
|
||||||
nickname: str, domain: str,
|
nickname: str, domain: str,
|
||||||
postJsonObject: {},
|
postJsonObject: {},
|
||||||
|
originalPostJsonObject: {},
|
||||||
messageBytes: str,
|
messageBytes: str,
|
||||||
httpHeaders: {},
|
httpHeaders: {},
|
||||||
postPath: str, debug: bool) -> str:
|
postPath: str, debug: bool) -> str:
|
||||||
|
@ -437,6 +438,7 @@ def savePostToInboxQueue(baseDir: str, httpPrefix: str,
|
||||||
'httpHeaders': httpHeaders,
|
'httpHeaders': httpHeaders,
|
||||||
'path': postPath,
|
'path': postPath,
|
||||||
'post': postJsonObject,
|
'post': postJsonObject,
|
||||||
|
'original': originalPostJsonObject,
|
||||||
'digest': digest,
|
'digest': digest,
|
||||||
'filename': filename,
|
'filename': filename,
|
||||||
'destination': destination
|
'destination': destination
|
||||||
|
@ -2703,24 +2705,30 @@ def runInboxQueue(recentPostsCache: {}, maxRecentPosts: int,
|
||||||
if debug:
|
if debug:
|
||||||
print('DEBUG: http header signature check success')
|
print('DEBUG: http header signature check success')
|
||||||
|
|
||||||
if not queueJson['post'].get('signature'):
|
# should the json signature be checked?
|
||||||
print('WARN: jsonld inbox signature signature missing from ' +
|
checkJsonSignature = False
|
||||||
keyId)
|
if queueJson['original'].get('@context'):
|
||||||
# else:
|
checkJsonSignature = True
|
||||||
# if not jsonldVerify(queueJson['post'], pubKey):
|
if not queueJson['original'].get('signature'):
|
||||||
# hasJsonSig = False
|
print('WARN: jsonld inbox signature signature missing from ' +
|
||||||
# if debug:
|
keyId)
|
||||||
# print('**************************************')
|
checkJsonSignature = False
|
||||||
# print('WARN: jsonld signature check failed ' +
|
|
||||||
# str(queueJson['post']))
|
# check json signature
|
||||||
# print('--------------------------------------')
|
if checkJsonSignature:
|
||||||
# print(keyId)
|
# use the original json message received, not one which may have
|
||||||
# print(pubKey)
|
# been modified along the way
|
||||||
# print('**************************************')
|
if not jsonldVerify(queueJson['original'], pubKey):
|
||||||
# else:
|
print('WARN: jsonld signature check failed ' +
|
||||||
# if debug:
|
keyId + ' ' + pubKey + ' ' +
|
||||||
# print('jsonld inbox signature check success')
|
str(queueJson['original']))
|
||||||
#
|
if os.path.isfile(queueFilename):
|
||||||
|
os.remove(queueFilename)
|
||||||
|
if len(queue) > 0:
|
||||||
|
queue.pop(0)
|
||||||
|
continue
|
||||||
|
else:
|
||||||
|
print('jsonld inbox signature check success')
|
||||||
|
|
||||||
# set the id to the same as the post filename
|
# set the id to the same as the post filename
|
||||||
# This makes the filename and the id consistent
|
# This makes the filename and the id consistent
|
||||||
|
|
|
@ -116,6 +116,9 @@ def jsonldSign(jldDocument: {}, privateKeyPem: str) -> {}:
|
||||||
"""
|
"""
|
||||||
Produces a signed JSON-LD document with a Json Web Signature
|
Produces a signed JSON-LD document with a Json Web Signature
|
||||||
"""
|
"""
|
||||||
|
if not jldDocument.get('@context'):
|
||||||
|
print('WARN: json document must have @context to sign')
|
||||||
|
return jldDocument
|
||||||
jldDocument = deepcopy(jldDocument)
|
jldDocument = deepcopy(jldDocument)
|
||||||
normalizedJldHash = _jsonldNormalize(jldDocument)
|
normalizedJldHash = _jsonldNormalize(jldDocument)
|
||||||
jwsSignature = _signJws(normalizedJldHash, privateKeyPem)
|
jwsSignature = _signJws(normalizedJldHash, privateKeyPem)
|
||||||
|
@ -135,6 +138,11 @@ def jsonldVerify(signedJldDocument: {}, publicKeyPem: str) -> bool:
|
||||||
"""
|
"""
|
||||||
Verifies the Json Web Signature of a signed JSON-LD Document
|
Verifies the Json Web Signature of a signed JSON-LD Document
|
||||||
"""
|
"""
|
||||||
|
if not isinstance(signedJldDocument, dict):
|
||||||
|
return False
|
||||||
|
if not signedJldDocument.get('@context'):
|
||||||
|
print('json document must have @context')
|
||||||
|
return False
|
||||||
signedJldDocument = deepcopy(signedJldDocument)
|
signedJldDocument = deepcopy(signedJldDocument)
|
||||||
signature = signedJldDocument.pop('signature')
|
signature = signedJldDocument.pop('signature')
|
||||||
jwsSignature = signature['signatureValue'].encode('utf-8')
|
jwsSignature = signature['signatureValue'].encode('utf-8')
|
||||||
|
|
|
@ -234,7 +234,7 @@ def link(input_, ctx, options=None):
|
||||||
return frame(input, frame, options)
|
return frame(input, frame, options)
|
||||||
|
|
||||||
|
|
||||||
def normalize(input_, options=None):
|
def normalize(input_: {}, options=None):
|
||||||
"""
|
"""
|
||||||
Performs JSON-LD normalization.
|
Performs JSON-LD normalization.
|
||||||
|
|
||||||
|
@ -1016,6 +1016,13 @@ class JsonLdProcessor(object):
|
||||||
'Could not convert input to RDF dataset before normalization.',
|
'Could not convert input to RDF dataset before normalization.',
|
||||||
'jsonld.NormalizeError', cause=cause)
|
'jsonld.NormalizeError', cause=cause)
|
||||||
|
|
||||||
|
# check that the data is not empty
|
||||||
|
if '@default' in dataset:
|
||||||
|
if not dataset['@default']:
|
||||||
|
raise JsonLdError(
|
||||||
|
'Could not convert input to RDF dataset.',
|
||||||
|
'jsonld.NormalizeError', cause=None)
|
||||||
|
|
||||||
# do normalization
|
# do normalization
|
||||||
return self._normalize(dataset, options)
|
return self._normalize(dataset, options)
|
||||||
|
|
||||||
|
|
10
tests.py
10
tests.py
|
@ -1978,6 +1978,7 @@ def testRemoveTextFormatting():
|
||||||
def testJsonld():
|
def testJsonld():
|
||||||
print("testJsonld")
|
print("testJsonld")
|
||||||
jldDocument = {
|
jldDocument = {
|
||||||
|
"@context": "https://www.w3.org/ns/activitystreams",
|
||||||
"description": "My json document",
|
"description": "My json document",
|
||||||
"numberField": 83582,
|
"numberField": 83582,
|
||||||
"object": {
|
"object": {
|
||||||
|
@ -2031,10 +2032,11 @@ def testJsonld():
|
||||||
assert(signedDocument['signature']['type'] == 'RsaSignatureSuite2017')
|
assert(signedDocument['signature']['type'] == 'RsaSignatureSuite2017')
|
||||||
assert(jsonldVerify(signedDocument, publicKeyPem))
|
assert(jsonldVerify(signedDocument, publicKeyPem))
|
||||||
# alter the signed document
|
# alter the signed document
|
||||||
# signedDocument['object']['content'] = 'forged content'
|
signedDocument['object']['content'] = 'forged content'
|
||||||
# assert(not jsonldVerify(signedDocument, publicKeyPem))
|
assert(not jsonldVerify(signedDocument, publicKeyPem))
|
||||||
|
|
||||||
jldDocument2 = {
|
jldDocument2 = {
|
||||||
|
"@context": "https://www.w3.org/ns/activitystreams",
|
||||||
"description": "Another json document",
|
"description": "Another json document",
|
||||||
"numberField": 13353,
|
"numberField": 13353,
|
||||||
"object": {
|
"object": {
|
||||||
|
@ -2049,8 +2051,8 @@ def testJsonld():
|
||||||
if signedDocument['signature']['signatureValue'] == \
|
if signedDocument['signature']['signatureValue'] == \
|
||||||
signedDocument2['signature']['signatureValue']:
|
signedDocument2['signature']['signatureValue']:
|
||||||
print('json signature has not changed for different documents')
|
print('json signature has not changed for different documents')
|
||||||
# assert(signedDocument['signature']['signatureValue'] !=
|
assert(signedDocument['signature']['signatureValue'] !=
|
||||||
# signedDocument2['signature']['signatureValue'])
|
signedDocument2['signature']['signatureValue'])
|
||||||
|
|
||||||
|
|
||||||
def testSiteIsActive():
|
def testSiteIsActive():
|
||||||
|
|
Loading…
Reference in New Issue