From 520f9b87e66432115695f1695c119dd02dd7f020 Mon Sep 17 00:00:00 2001 From: umonaca Date: Mon, 26 Oct 2020 00:26:30 -0400 Subject: [PATCH 1/3] Add digest to http signature for Mastodon 3.2.1 compliance Remove logs --- routes/inbox.js | 13 +++++++++---- updateFeeds.js | 13 ++++++++----- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/routes/inbox.js b/routes/inbox.js index d90f2a5..f6221f6 100644 --- a/routes/inbox.js +++ b/routes/inbox.js @@ -16,23 +16,28 @@ function signAndSend(message, name, domain, req, res, targetDomain) { return res.status(404).send(`No record found for ${name}.`); } else { + // digest + const digest = crypto.createHash('sha256').update(JSON.stringify(message)).digest('base64'); + let privkey = result.privkey; const signer = crypto.createSign('sha256'); let d = new Date(); - let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}`; + let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}\ndigest: SHA-256=${digest}`; signer.update(stringToSign); signer.end(); const signature = signer.sign(privkey); const signature_b64 = signature.toString('base64'); - let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date",signature="${signature_b64}"`; + let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date digest",signature="${signature_b64}"`; console.log('signature:',header); console.log('message:',message); + request({ url: inbox, headers: { 'Host': targetDomain, 'Date': d.toUTCString(), - 'Signature': header + 'Signature': header, + 'Digest': `SHA-256=${digest}` }, method: 'POST', json: true, 
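Review bot: The digest in signAndSend is computed over its own `JSON.stringify(message)` call, while the request below still uses `json: true`, so the bytes that go on the wire are presumably serialized by the request library and not by this line (the body option is outside the hunk). The signed `digest` header only protects the body if both serializations are byte-identical; any divergence makes the receiver's digest check fail. Serializing once and reusing the string removes that coupling: `const body = JSON.stringify(message);`, then `.update(body)` for the hash, and the same `body` string passed to the request with `json` switched off. The signAndSend hunk for updateFeeds.js in this patch adds the same code and needs the same change.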
@@ -47,7 +52,7 @@ function sendAcceptMessage(thebody, name, domain, req, res, targetDomain) { const guid = crypto.randomBytes(16).toString('hex'); console.log(thebody); let message = { - '@context': 'https://www.w3.org/ns/activitystreams', + '@context': ['https://www.w3.org/ns/activitystreams', 'https://w3id.org/security/v1'], 'id': `https://${domain}/${guid}`, 'type': 'Accept', 'actor': `https://${domain}/u/${name}`, diff --git a/updateFeeds.js b/updateFeeds.js index ad8ade3..a8e5a6d 100644 --- a/updateFeeds.js +++ b/updateFeeds.js @@ -171,22 +171,26 @@ function signAndSend(message, name, domain, req, res, targetDomain, inbox) { console.log(`No record found for ${name}.`); } else { + // digest + const digest = crypto.createHash('sha256').update(JSON.stringify(message)).digest('base64'); + let privkey = result.privkey; const signer = crypto.createSign('sha256'); let d = new Date(); - let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}`; + let stringToSign = `(request-target): post ${inboxFragment}\nhost: ${targetDomain}\ndate: ${d.toUTCString()}\ndigest: SHA-256=${digest}`; signer.update(stringToSign); signer.end(); const signature = signer.sign(privkey); const signature_b64 = signature.toString('base64'); - let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date",signature="${signature_b64}"`; + let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date digest",signature="${signature_b64}"`; //console.log('signature:',header); request({ url: inbox, headers: { 'Host': targetDomain, 'Date': d.toUTCString(), - 'Signature': header + 'Signature': header, + 'Digest': `SHA-256=${digest}` }, method: 'POST', json: true, 
@@ -201,8 +205,7 @@ function createMessage(text, name, domain, item, follower, guidNote) { let d = new Date(); let out = { - '@context': 'https://www.w3.org/ns/activitystreams', - + '@context': ['https://www.w3.org/ns/activitystreams', 'https://w3id.org/security/v1'], 'id': `https://${domain}/m/${guidCreate}`, 'type': 'Create', 'actor': `https://${domain}/u/${name}`, From d7a3f8b765d827b209741aac34844e105667ee3e Mon Sep 17 00:00:00 2001 From: umonaca Date: Mon, 26 Oct 2020 01:37:34 -0400 Subject: [PATCH 2/3] Add algorithm field for Misskey compatibility --- routes/inbox.js | 3 ++- updateFeeds.js | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/routes/inbox.js b/routes/inbox.js index f6221f6..d719e4f 100644 --- a/routes/inbox.js +++ b/routes/inbox.js @@ -27,7 +27,8 @@ function signAndSend(message, name, domain, req, res, targetDomain) { signer.end(); const signature = signer.sign(privkey); const signature_b64 = signature.toString('base64'); - let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date digest",signature="${signature_b64}"`; + const algorithm = 'rsa-sha256'; + let header = `keyId="https://${domain}/u/${name}",algorithm="${algorithm}",headers="(request-target) host date digest",signature="${signature_b64}"`; console.log('signature:',header); console.log('message:',message); diff --git a/updateFeeds.js b/updateFeeds.js index a8e5a6d..39c5aca 100644 --- a/updateFeeds.js +++ b/updateFeeds.js 
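Review bot: The new `algorithm` constant in signAndSend (routes/inbox.js) is a free-standing string that nothing ties to `crypto.createSign('sha256')` or to the type of key held in `result.privkey`. If the hash is changed later, or a non-RSA key is ever stored (where the key comes from is not visible in this hunk), the header would still advertise `rsa-sha256`. A comment beside it would keep the two together, for example `// must match createSign('sha256') above and an RSA key in result.privkey`. The same line is added to signAndSend in updateFeeds.js in this patch; since every change in this series is applied to both copies, a shared signing helper would keep them from drifting apart.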
@@ -182,7 +182,8 @@ function signAndSend(message, name, domain, req, res, targetDomain, inbox) { signer.end(); const signature = signer.sign(privkey); const signature_b64 = signature.toString('base64'); - let header = `keyId="https://${domain}/u/${name}",headers="(request-target) host date digest",signature="${signature_b64}"`; + const algorithm = 'rsa-sha256'; + let header = `keyId="https://${domain}/u/${name}",algorithm="${algorithm}",headers="(request-target) host date digest",signature="${signature_b64}"`; //console.log('signature:',header); request({ url: inbox, From 2ce39c7e6576fa2d44a08cf53983276f83500f8a Mon Sep 17 00:00:00 2001 From: umonaca Date: Mon, 26 Oct 2020 06:40:06 -0400 Subject: [PATCH 3/3] Fix content type mismatch for Pleroma --- routes/inbox.js | 4 +++- updateFeeds.js | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/routes/inbox.js b/routes/inbox.js index d719e4f..c306b33 100644 --- a/routes/inbox.js +++ b/routes/inbox.js @@ -38,7 +38,9 @@ function signAndSend(message, name, domain, req, res, targetDomain) { 'Host': targetDomain, 'Date': d.toUTCString(), 'Signature': header, - 'Digest': `SHA-256=${digest}` + 'Digest': `SHA-256=${digest}`, + 'Content-Type': 'application/activity+json', + 'Accept': 'application/activity+json' }, method: 'POST', json: true, diff --git a/updateFeeds.js b/updateFeeds.js index 39c5aca..c9c4f2c 100644 --- a/updateFeeds.js +++ b/updateFeeds.js @@ -191,7 +191,9 @@ function signAndSend(message, name, domain, req, res, targetDomain, inbox) { 'Host': targetDomain, 'Date': d.toUTCString(), 'Signature': header, - 'Digest': `SHA-256=${digest}` + 'Digest': `SHA-256=${digest}`, + 'Content-Type': 'application/activity+json', + 'Accept': 'application/activity+json' }, method: 'POST', json: true,