Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix processing LDSigned activities from actors with unknown public keys #27474

Merged
merged 2 commits into from Oct 20, 2023
Merged

Fix processing LDSigned activities from actors with unknown public keys #27474

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
09b60a9
Fix processing LDSigned activities from actors with unknown public keys
ClearlyClaire Oct 19, 2023
9713589
Add tests
ClearlyClaire Oct 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 4 additions & 2 deletions app/lib/activitypub/linked_data_signature.rb
View file
Open in desktop
Expand Up @@ -18,8 +18,8 @@ def verify_actor!

return unless type == 'RsaSignature2017'

creator = ActivityPub::TagManager.instance.uri_to_actor(creator_uri)
creator ||= ActivityPub::FetchRemoteKeyService.new.call(creator_uri, id: false)
creator = ActivityPub::TagManager.instance.uri_to_actor(creator_uri)
creator = ActivityPub::FetchRemoteKeyService.new.call(creator_uri, id: false) if creator&.public_key.blank?

return if creator.nil?

Expand All @@ -28,6 +28,8 @@ def verify_actor!
to_be_verified = options_hash + document_hash

creator if creator.keypair.public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.decode64(signature), to_be_verified)
rescue OpenSSL::PKey::RSAError
false
end

def sign!(creator, sign_with: nil)
Expand Down
34 changes: 34 additions & 0 deletions spec/lib/activitypub/linked_data_signature_spec.rb
View file
Open in desktop
Expand Up @@ -34,6 +34,40 @@
end
end

context 'when local account record is missing a public key' do
let(:raw_signature) do
{
'creator' => 'http://example.com/alice',
'created' => '2017-09-23T20:21:34Z',
}
end

let(:signature) { raw_signature.merge('type' => 'RsaSignature2017', 'signatureValue' => sign(sender, raw_signature, raw_json)) }

let(:service_stub) { instance_double(ActivityPub::FetchRemoteKeyService) }

before do
# Ensure signature is computed with the old key
signature

# Unset key
old_key = sender.public_key
sender.update!(private_key: '', public_key: '')

allow(ActivityPub::FetchRemoteKeyService).to receive(:new).and_return(service_stub)

allow(service_stub).to receive(:call).with('http://example.com/alice', id: false) do
sender.update!(public_key: old_key)
sender
end
end

it 'fetches key and returns creator' do
expect(subject.verify_actor!).to eq sender
expect(service_stub).to have_received(:call).with('http://example.com/alice', id: false).once
end
end

context 'when signature is missing' do
let(:signature) { nil }

Expand Down