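#!/usr/bin/env bash
# ap-verifysignature — verify the HTTP Signature of an incoming ActivityPub
# request and, when a Digest header is present, check it against the body.
#
# Inputs (environment, CGI-style):
#   HTTP_SIGNATURE  the Signature header; its keyId / headers / signature
#                   fields are extracted with the project's `csv` helper
#   HTTP_DIGEST     the Digest header, "SHA-256=<base64>" (optional)
#   HTTP_*          one variable per request header named in `headers`
#   POST_DATA       the request body (Digest check, activity type in logs)
#   REQUEST_METHOD  request method; lower-cased into "(request-target)"
#   REQUEST         request target used in "(request-target)"
# Side effects:
#   exports HTTP_REQUEST_TARGET and HTTPSIG_{KEYID,HEADERS,SIG}
#   caches fetched public keys under ~/.cache/ap/pubkeys/<sha256 of keyId>
#   writes diagnostics via `logger -t actpub`
# Exit status:
#   0 if the signature verifies, 1 otherwise.
#
# NOTE(review): nothing here checks the freshness of a signed Date header, so
# a captured request stays replayable for the lifetime of the signing key;
# a bounded clock-skew check would close that — confirm against callers.

#######################################
# Log a message to syslog under the actpub tag.
# Arguments: logger options and the message, passed through unchanged
#######################################
log() {
  logger -t actpub "$@"
}

#######################################
# Log a message and exit 1 (verification failed / refused).
# Arguments: same as log
#######################################
fail() {
  log "$@"
  exit 1
}

# ---- Digest check -----------------------------------------------------------
# Only requests that carry a Digest header are checked here; whether a
# missing digest is acceptable for the method is decided further down.
if [ -n "$HTTP_DIGEST" ]; then
  digest_algo="$(printf '%s' "${HTTP_DIGEST%%=*}" | tr 'A-Z' 'a-z')"
  if [ "$digest_algo" != "sha-256" ]; then
    fail "unsupported Digest algorithm: ${HTTP_DIGEST%%=*}"
  fi
  calculated_digest="$(printf '%s' "$POST_DATA" | sha256sum | cut -d' ' -f1)"
  # Everything after the first '=' is the base64 value (it may itself end in
  # '=' padding); compare as lowercase hex against the body hash.
  expected_digest="$(printf '%s\n' "${HTTP_DIGEST#*=}" | base64 -d 2>/dev/null | xxd -p | tr -d '\n')"
  if [ -z "$expected_digest" ] || [ "$expected_digest" != "$calculated_digest" ]; then
    fail "digests failed to match"
  fi
else
  log "No digest to compare. going to continue to verify (likely) GET request. (actual request method: $REQUEST_METHOD)"
fi

# ---- Signature header fields ------------------------------------------------
export HTTP_REQUEST_TARGET="$(printf '%s\n' "$REQUEST_METHOD" | tr 'A-Z' 'a-z') ${REQUEST}"
export HTTPSIG_KEYID="$(csv "$HTTP_SIGNATURE" keyId | jq -r)"
export HTTPSIG_HEADERS="$(csv "$HTTP_SIGNATURE" headers | jq -r)"
export HTTPSIG_SIG="$(csv "$HTTP_SIGNATURE" signature | jq -r)"
log "attempting to verify message to ${REQUEST} from $HTTPSIG_KEYID ..."
if [ -z "$HTTPSIG_KEYID" ] || [ -z "$HTTPSIG_HEADERS" ] || [ -z "$HTTPSIG_SIG" ]; then
  fail "Signature header is missing keyId, headers or signature"
fi

# The signed-header list is chosen by the sender. A signature that covers
# neither the request target nor the body digest would verify just as well
# when replayed against another path or body, so require one of them, and
# always require the digest to be signed on a POST.
signed_set=" $(printf '%s\n' "$HTTPSIG_HEADERS" | tr 'A-Z' 'a-z' | tr -s '[:space:]' ' ')"
case "$signed_set" in
  *' digest '*) digest_signed=1 ;;
  *) digest_signed=0 ;;
esac
case "$signed_set" in
  *' (request-target) '*) target_signed=1 ;;
  *) target_signed=0 ;;
esac
if [ "$REQUEST_METHOD" = "POST" ] && [ "$digest_signed" -eq 0 ]; then
  fail "signature on POST does not cover digest; refusing to verify"
fi
if [ "$target_signed" -eq 0 ] && [ "$digest_signed" -eq 0 ]; then
  fail "signature covers neither (request-target) nor digest; refusing to verify"
fi

# ---- Public key (cached by sha256 of keyId) ---------------------------------
keyid_hash="$(printf '%s\n' "$HTTPSIG_KEYID" | sha256sum | cut -d' ' -f1)"
cache_dir=~/.cache/ap/pubkeys
mkdir -p "$cache_dir"
pubkey_cache_file="$cache_dir/$keyid_hash"
used_cache=0
if [ -s "$pubkey_cache_file" ]; then
  used_cache=1
else
  # Fetch into a temp file in the cache directory and move it into place, so
  # a failed or concurrent fetch never leaves a truncated key behind. Only the
  # non-empty check is relied on, as before; ap-getpubkey's exit status is not.
  tmp_key="$(mktemp "$cache_dir/.fetch.XXXXXX")" || fail -p crit "mktemp failed in $cache_dir"
  ap-getpubkey "$HTTPSIG_KEYID" > "$tmp_key"
  if [ -s "$tmp_key" ]; then
    mv -f -- "$tmp_key" "$pubkey_cache_file"
  else
    rm -f -- "$tmp_key"
  fi
fi
if [ ! -s "$pubkey_cache_file" ]; then
  activity_type="$(jq -r '.type' <<< "$POST_DATA" 2>/dev/null)"
  fail -p crit "was unable to obtain pubkey: ${HTTPSIG_KEYID} for activity type: $activity_type"
fi

# ---- Signing string ---------------------------------------------------------
# One "name: value" line per signed header, in the order the sender listed
# them, joined with '\n' and no trailing newline. Header values are read by
# indirect expansion of HTTP_<NAME>; the name is validated first so nothing
# taken from the Signature header is ever interpreted as a pattern.
read -r -a signed_headers <<< "$HTTPSIG_HEADERS"
signing_lines=()
for name in "${signed_headers[@]}"; do
  env_name="HTTP_$(printf '%s\n' "$name" | tr 'a-z' 'A-Z' | tr '-' '_' | tr -d '()')"
  if ! [[ "$env_name" =~ ^HTTP_[A-Z0-9_]+$ ]]; then
    fail "refusing to verify: unsafe header name in Signature headers: $name"
  fi
  # A header named in the list but absent from the request is skipped, which
  # (as before) makes the signing string differ from the sender's and the
  # verification below fail.
  if [ -n "${!env_name+set}" ]; then
    signing_lines+=("$name: ${!env_name}")
  fi
done
data="$(printf '%s\n' "${signing_lines[@]}")"

# ---- Verify -----------------------------------------------------------------
# openssl's stdout ("Verified OK"/"Verification Failure") is discarded; its
# stderr is captured so key/signature parsing problems reach the log instead
# of the caller's stdout.
verify_diag="$(openssl dgst \
  -sha256 \
  -verify "$pubkey_cache_file" \
  -signature <(printf '%s\n' "$HTTPSIG_SIG" | base64 -d) \
  <(printf '%s' "$data") 2>&1 >/dev/null)"
verify_rc=$?
if [ "$verify_rc" -eq 0 ]; then
  exit 0
fi
log "HTTP Signature NOT verified."
if [ -n "$verify_diag" ]; then
  log "openssl: $verify_diag"
fi
# Only a key that actually came from the cache is evicted; a freshly fetched
# key that fails is kept (the original compared the flag as a non-empty
# string, which evicted in both cases).
if [ "$used_cache" -eq 1 ]; then
  log -p crit "FAILED WITH CACHED PUBKEY. DELETING IT FROM CACHE."
  rm -f -- "$pubkey_cache_file"
fi
exit 1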