diff --git a/http.c b/http.c
index 8062806..1d8cc7d 100644
--- a/http.c
+++ b/http.c
@@ -108,6 +108,8 @@ int check_signature(snac *snac, char *req)
     xs *keyId = NULL;
     xs *headers = NULL;
     xs *signature = NULL;
+    xs *sig_bin = NULL;
+    int s_size;
     char *pubkey;
     char *p;
 
@@ -151,5 +153,46 @@ int check_signature(snac *snac, char *req)
         return 0;
     }
 
+    /* now build the string to be signed */
+    xs *sig_str = xs_str_new(NULL);
+
+    {
+        xs *l = xs_split(headers, " ");
+        char *v;
+
+        p = l;
+        while (xs_list_iter(&p, &v)) {
+            char *hc;
+            xs *ss = NULL;
+
+            if (*sig_str != '\0')
+                sig_str = xs_str_cat(sig_str, "\n");
+
+            if (strcmp(v, "(request-target)") == 0) {
+                ss = xs_fmt("%s: post %s", v, xs_dict_get(req, "path"));
+            }
+            else {
+                /* add the header */
+                if ((hc = xs_dict_get(req, v)) == NULL) {
+                    snac_debug(snac, 1,
+                        xs_fmt("check_signature cannot find header %s", v));
+
+                    return 0;
+                }
+
+                ss = xs_fmt("%s: %s", v, hc);
+            }
+
+            sig_str = xs_str_cat(sig_str, ss);
+        }
+    }
+
+    /* convert the signature to binary */
+    sig_bin = xs_base64_dec(signature, &s_size);
+
+    if (xs_evp_verify(pubkey, sig_str, strlen(sig_str), sig_bin) != 1) {
+        snac_debug(snac, 1, xs_fmt("rsa verify error %s", keyId));
+    }
+
     return 1;
 }
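Review bot: A failed signature verification is only logged and the function still falls through to `return 1`, so in the second hunk a request whose `xs_evp_verify` result is not 1 is accepted exactly like a valid one; the failure branch should be `snac_debug(snac, 1, xs_fmt("rsa verify error %s", keyId)); return 0;`. In the same hunk `sig_bin = xs_base64_dec(signature, &s_size)` is passed to the verifier without checking for a NULL result, and `s_size` is computed but never handed to `xs_evp_verify`, so a malformed or truncated base64 signature presumably reaches the verifier unchecked — a guard such as `if (sig_bin == NULL) return 0;` after the decode would make the reject path explicit. `xs_dict_get(req, "path")` in the `(request-target)` branch is likewise formatted without a NULL check, unlike the per-header lookup right below it. The body of `check_signature` starts before the first hunk and its earlier checks are not visible here.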