💾 Archived View for thebackupbox.net › ~epoch › verify_signature.txt captured on 2023-04-19 at 22:34:06.
-=-=-=-=-=-=-
#!/usr/bin/env bash
id="$1"
CALCULATED_DIGEST="$(printf "%s" "$POST_DATA" | openssl sha256 | cut '-d ' -f2)"
EXPECTED_DIGEST="$(echo "$HTTP_DIGEST" | cut -d= -f2- | base64 -d | xxd -p | tr -d '\n')"
if [ "${EXPECTED_DIGEST}" != "${CALCULATED_DIGEST}" ];then
logger "DIGESTS DO NOT MATCH. GO THE FUCK HOME"
printf "Status: 401 Not Authorized\r\n"
printf "Content-Type: text/plain\r\n\r\n"
printf "nope"
exit 0
else
logger "DIGESTS MATCH. FUCK YEAH"
fi
export HTTP_REQUEST_TARGET="$(printf "%s\n" "${REQUEST_METHOD}" | tr 'A-Z' 'a-z') ${REQUEST}"
export HTTPSIG_KEYID="$(./csv "$HTTP_SIGNATURE" keyId | jq -r)"
logger "attempting to verify message to inbox from $HTTPSIG_KEYID ..."
export HTTPSIG_HEADERS="$(./csv "$HTTP_SIGNATURE" headers | jq -r)"
export HTTPSIG_SIG="$(./csv "$HTTP_SIGNATURE" signature | jq -r)"
logger $HTTPSIG_HEADERS
### this should probably get cached ofc, but cbf atm
pubkey="$(curl -sH 'Accept: application/activity+json' "${HTTPSIG_KEYID}" | jq '. | to_entries | .[].value | select(if type == "object" then . else null end) | select(if .id == "'"${HTTPSIG_KEYID}"'" then . else null end) | .publicKeyPem' | jq -r)"
logger "GRABBED PUBKEY: $pubkey"
### generate data... probably not the safest thing.
data="$(
for name in $HTTPSIG_HEADERS;do
env_name="HTTP_$(printf "%s\n" "$name" | tr 'a-z' 'A-Z' | tr '-' '_' | tr -d '()')"
# echo ${name}
# echo ${env_name}
env | grep "^${env_name}=" | sed 's/^[^=]*=/'"${name}"': /g'
done)"
if openssl dgst \
-sha256 \
-verify <(printf "%s\n" "$pubkey") \
-signature <(printf "%s\n" "$HTTPSIG_SIG" | base64 -d) \
<(printf "%s" "$data") 2>&1 >/dev/null;then
logger "HTTP Signature Verified!"
printf "%s" "$POST_DATA" > "$id"
printf "Status: 200 Ok\r\n"
printf "Content-Type: text/plain\r\n\r\n"
printf "looks good to me, thanks.\r\n"
else
logger "Go home with your unsigned HTTP POST!"
printf "Status: 401 Not Authorized\r\n"
printf "Content-Type: text/plain\r\n\r\n"
printf "your HTTP signature didn't verify. :/\n"
printf "signed data: %s\n" "$data"
fi