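package com.juick.server;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.juick.server.api.activity.model.Context;
import com.juick.server.api.activity.model.objects.Person;
import com.juick.service.activities.DeleteUserEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;
import org.tomitribe.auth.signatures.Signature;
import org.tomitribe.auth.signatures.Signer;
import org.tomitribe.auth.signatures.Verifier;

import javax.inject.Inject;
import java.io.IOException;
import java.net.URI;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Signs outgoing ActivityPub deliveries with this server's private key and verifies the
 * HTTP {@code Signature} header of incoming requests against the sender's published key.
 * <p>
 * Thread-safety: holds no mutable state of its own; the injected collaborators are used
 * as-is, so this component is as thread-safe as they are.
 */
@Component
public class SignatureManager {
    // Logger was previously created for ActivityPubManager.class (copy-paste); log lines from
    // this class are now attributed to it.
    private static final Logger logger = LoggerFactory.getLogger(SignatureManager.class);

    /** Algorithm advertised in the Signature header; must match the key KeystoreManager provides. */
    private static final String SIGNATURE_ALGORITHM = "rsa-sha256";
    /** Prefix that {@link Signature#toString()} emits; the header value must carry only the parameters. */
    private static final String SIGNATURE_PREFIX = "Signature ";
    /** RFC 1123 date in UTC, the form used for both the signed "date" value and the Date header. */
    private static final DateTimeFormatter HTTP_DATE =
            DateTimeFormatter.RFC_1123_DATE_TIME.withZone(ZoneId.of("UTC"));

    @Inject
    private KeystoreManager keystoreManager;
    @Inject
    private ObjectMapper jsonMapper;
    @Inject
    private ApplicationEventPublisher applicationEventPublisher;
    @Inject
    private RestTemplate apClient;

    /**
     * Posts {@code data} to the inbox of {@code to}, signed on behalf of {@code from}.
     * <p>
     * The signed fields are {@code (request-target)}, {@code host} and {@code date}, so the
     * signature is bound to this method/path, this host and this moment. A 4xx answer from
     * the remote inbox is logged and swallowed; 5xx and transport errors propagate from
     * {@link RestTemplate} unchanged.
     *
     * @param from the local actor whose key id is advertised in the Signature header
     * @param to   the remote actor whose inbox URL is used as the destination
     * @param data the activity to deliver
     * @throws IOException if {@code data} cannot be serialized for the log line
     */
    public void post(Person from, Person to, Context data) throws IOException {
        // NOTE(review): the inbox URL comes from the remote actor document; the caller is
        // expected to have validated it — confirm.
        URI inbox = UriComponentsBuilder.fromUriString(to.getInbox()).build().toUri();
        String requestDate = HTTP_DATE.format(Instant.now());

        Signature templateSignature = new Signature(from.getPublicKey().getId(), SIGNATURE_ALGORITHM, null,
                "(request-target)", "host", "date");
        Signer signer = new Signer(keystoreManager.getPrivateKey(), templateSignature);
        Map<String, String> signedHeaders = new HashMap<>();
        signedHeaders.put("host", inbox.getHost());
        signedHeaders.put("date", requestDate);
        // NOTE(review): only the path is signed as the request target; a query component on the
        // inbox URL would be left out of the signature — confirm inboxes never carry one.
        Signature signature = signer.sign("POST", inbox.getPath(), signedHeaders);

        HttpHeaders requestHeaders = new HttpHeaders();
        requestHeaders.add("Content-Type", Context.ACTIVITY_JSON_MEDIA_TYPE);
        requestHeaders.add("Date", requestDate);
        requestHeaders.add("Signature", headerValueOf(signature));
        HttpEntity<?> request = new HttpEntity<>(Context.build(data), requestHeaders);

        logger.info("Sending context: {}", jsonMapper.writeValueAsString(data));
        logger.info("Request date: {}", requestDate);
        try {
            ResponseEntity<Void> response = apClient.postForEntity(inbox, request, Void.class);
            logger.info("accepted follower: {}", response.getStatusCodeValue());
        } catch (HttpClientErrorException e) {
            logger.warn("Signature exception", e);
        }
    }

    /**
     * Verifies an incoming HTTP Signature against the public key published by {@code actor}.
     * <p>
     * The key is taken from the actor document fetched via {@link #getContext(URI)}, not
     * resolved from the header's keyId; a request claiming a foreign actor can therefore only
     * be checked against that actor's own key.
     *
     * @param signatureString the Signature header value (parameters only, no "Signature " prefix)
     * @param actor           URI of the actor document that holds the public key
     * @param method          HTTP method of the request being verified
     * @param path            request path used for {@code (request-target)}
     * @param headers         header name/value pairs referenced by the signature
     * @return {@code true} only when the actor resolves to a {@link Person} and the signature verifies
     */
    public boolean verifySignature(String signatureString, URI actor, String method, String path,
                                   Map<String, String> headers) {
        Optional<Person> person = getContext(actor)
                .filter(Person.class::isInstance)
                .map(Person.class::cast);
        if (!person.isPresent()) {
            logger.info("person not found");
            return false;
        }
        Key key = KeystoreManager.publicKeyOf(person.get());
        try {
            Verifier verifier = new Verifier(key, Signature.fromString(signatureString));
            boolean result = verifier.verify(method, path, headers);
            logger.info("signature is valid: {}", result);
            return result;
        } catch (NoSuchAlgorithmException | SignatureException | IOException e) {
            // Treat any verification failure as "not verified" rather than surfacing it to the caller.
            logger.info("signature exception", e);
            return false;
        }
    }

    /**
     * Fetches the ActivityPub object at {@code contextUri}.
     * <p>
     * A 4xx answer yields an empty result; on 410 Gone a {@link DeleteUserEvent} for the URI
     * is published so the local copy of that actor can be removed. Other errors propagate.
     *
     * @param contextUri URI of the remote object to fetch
     * @return the parsed object, or empty when the remote answered 4xx or with no body
     */
    public Optional<Context> getContext(URI contextUri) {
        try {
            // A 2xx with an empty body used to raise NPE via Optional.of(); report it as absent instead.
            return Optional.ofNullable(apClient.getForEntity(contextUri, Context.class).getBody());
        } catch (HttpClientErrorException e) {
            logger.warn("Cannot identify {}", contextUri);
            if (HttpStatus.GONE.equals(e.getStatusCode())) {
                logger.warn("Server report {} is gone, deleting", contextUri);
                applicationEventPublisher.publishEvent(new DeleteUserEvent(this, contextUri.toASCIIString()));
            }
            return Optional.empty();
        }
    }

    /** Turns a signature into the header value: {@code toString()} without its "Signature " prefix. */
    private static String headerValueOf(Signature signature) {
        String serialized = signature.toString();
        return serialized.startsWith(SIGNATURE_PREFIX)
                ? serialized.substring(SIGNATURE_PREFIX.length())
                : serialized;
    }
}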