Update rsa-pem, properly use RSA crate

2020-03-16 20:41:00 -05:00 · 2020-03-16 20:41:00 -05:00 · ea64843a59
parent 979b2a14f8
commit ea64843a59
4 changed files with 22 additions and 8 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -529,6 +529,12 @@ dependencies = [
 "tokio-postgres",
 ]

+[[package]]
+name = "bit-vec"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4523a10839ffae575fb08aa3423026c8cb4687eef43952afb956229d4f246f7"
+
 [[package]]
 name = "bitflags"
 version = "1.2.1"
@ -1711,8 +1717,10 @@ dependencies = [
 [[package]]
 name = "rsa-pem"
 version = "0.1.0"
-source = "git+https://git.asonix.dog/Aardwolf/rsa-pem#6c47c3fc377375a5bfedbb7457832fc013d3227d"
+source = "git+https://git.asonix.dog/Aardwolf/rsa-pem#8dc04bd060d7993058c120f5cbfa654890113614"
 dependencies = [
+ "bit-vec",
+ "log",
 "num-bigint",
 "num-bigint-dig",
 "num-traits",
@ -2469,6 +2477,7 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a563d10ead87e2d798e357d44f40f495ad70bcee4d5c0d3f77a5b1b7376645d9"
 dependencies = [
+ "bit-vec",
 "num-bigint",
 ]

--- a/src/inbox.rs
+++ b/src/inbox.rs
@ -308,7 +308,7 @@ where
            &key_id,
            &mut digest,
            item_string,
-            |signing_string| state.sign(signing_string.as_bytes()),
+            |signing_string| state.sign(signing_string),
        )?
        .send()
        .await
--- a/src/state.rs
+++ b/src/state.rs
@ -97,11 +97,13 @@ impl Settings {
        format!("relay@{}", self.hostname)
    }

-    fn sign(&self, bytes: &[u8]) -> Result<String, crate::error::MyError> {
+    fn sign(&self, signing_string: &str) -> Result<String, crate::error::MyError> {
        use rsa::{hash::Hashes, padding::PaddingScheme};
+        use sha2::{Digest, Sha256};
+        let hashed = Sha256::digest(signing_string.as_bytes());
        let bytes =
            self.private_key
-                .sign(PaddingScheme::PKCS1v15, Some(&Hashes::SHA2_256), bytes)?;
+                .sign(PaddingScheme::PKCS1v15, Some(&Hashes::SHA2_256), &hashed)?;
        Ok(base64::encode_config(bytes, base64::URL_SAFE))
    }
 }
@ -115,8 +117,8 @@ impl State {
        self.settings.generate_resource()
    }

-    pub fn sign(&self, bytes: &[u8]) -> Result<String, crate::error::MyError> {
-        self.settings.sign(bytes)
+    pub fn sign(&self, signing_string: &str) -> Result<String, crate::error::MyError> {
+        self.settings.sign(signing_string)
    }

    pub async fn bust_whitelist(&self, whitelist: &str) {
--- a/src/verifier.rs
+++ b/src/verifier.rs
@ -1,8 +1,9 @@
 use crate::{error::MyError, state::State};
 use actix_web::client::Client;
-use http_signature_normalization_actix::prelude::*;
+use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm};
 use rsa::{hash::Hashes, padding::PaddingScheme, PublicKey, RSAPublicKey};
 use rsa_pem::KeyExt;
+use sha2::{Digest, Sha256};
 use std::{future::Future, pin::Pin, sync::Arc};

 #[derive(Clone)]
@ -35,16 +36,18 @@ impl SignatureVerify for MyVerify {

            match algorithm {
                Some(Algorithm::Hs2019) => (),
+                Some(Algorithm::Deprecated(DeprecatedAlgorithm::RsaSha256)) => (),
                _ => return Err(MyError::Algorithm),
            };

            let decoded = base64::decode(signature)?;
+            let hashed = Sha256::digest(signing_string.as_bytes());

            public_key.verify(
                PaddingScheme::PKCS1v15,
                Some(&Hashes::SHA2_256),
+                &hashed,
                &decoded,
-                signing_string.as_bytes(),
            )?;

            Ok(true)