Home Explore Help
Register Sign In
bida
/
bastodon
7
0
Fork 0
Files Issues 8 Pull Requests 0 Wiki
Browse Source

Fix processing LDSigned activities from actors with unknown public keys (#27474)

Claire 6 months ago
parent
688defd60d
commit
2ffce0d5f7
2 changed files with 39 additions and 5 deletions
Split View Show Diff Stats
  1. 5 5
      app/lib/activitypub/linked_data_signature.rb
  2. 34 0
      spec/lib/activitypub/linked_data_signature_spec.rb

+ 5 - 5
app/lib/activitypub/linked_data_signature.rb
View File 

@@ -18,8 +18,8 @@ class ActivityPub::LinkedDataSignature
 
 
     return unless type == 'RsaSignature2017'
 
 
-    creator   = ActivityPub::TagManager.instance.uri_to_resource(creator_uri, Account)
 
-    creator ||= ActivityPub::FetchRemoteKeyService.new.call(creator_uri, id: false)
 
+    creator = ActivityPub::TagManager.instance.uri_to_resource(creator_uri, Account)
 
+    creator = ActivityPub::FetchRemoteKeyService.new.call(creator_uri, id: false) if creator&.public_key.blank?
 
 
     return if creator.nil?
 
 
@@ -27,9 +27,9 @@ class ActivityPub::LinkedDataSignature
 
     document_hash  = hash(@json.without('signature'))
 
     to_be_verified = options_hash + document_hash
 
 
-    if creator.keypair.public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.decode64(signature), to_be_verified)
 
-      creator
 
-    end
 
+    creator if creator.keypair.public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.decode64(signature), to_be_verified)
 
+  rescue OpenSSL::PKey::RSAError
 
+    false
 
   end
 
 
   def sign!(creator, sign_with: nil)

+ 34 - 0
spec/lib/activitypub/linked_data_signature_spec.rb
View File 

@@ -36,6 +36,40 @@ RSpec.describe ActivityPub::LinkedDataSignature do
 
       end
 
     end
 
 
+    context 'when local account record is missing a public key' do
 
+      let(:raw_signature) do
 
+        {
 
+          'creator' => 'http://example.com/alice',
 
+          'created' => '2017-09-23T20:21:34Z',
 
+        }
 
+      end
 
+
 
+      let(:signature) { raw_signature.merge('type' => 'RsaSignature2017', 'signatureValue' => sign(sender, raw_signature, raw_json)) }
 
+
 
+      let(:service_stub) { instance_double(ActivityPub::FetchRemoteKeyService) }
 
+
 
+      before do
 
+        # Ensure signature is computed with the old key
 
+        signature
 
+
 
+        # Unset key
 
+        old_key = sender.public_key
 
+        sender.update!(private_key: '', public_key: '')
 
+
 
+        allow(ActivityPub::FetchRemoteKeyService).to receive(:new).and_return(service_stub)
 
+
 
+        allow(service_stub).to receive(:call).with('http://example.com/alice', id: false) do
 
+          sender.update!(public_key: old_key)
 
+          sender
 
+        end
 
+      end
 
+
 
+      it 'fetches key and returns creator' do
 
+        expect(subject.verify_account!).to eq sender
 
+        expect(service_stub).to have_received(:call).with('http://example.com/alice', id: false).once
 
+      end
 
+    end
 
+
 
     context 'when signature is missing' do
 
       let(:signature) { nil }