Any #PHP #cryptography geeks out there? I'm working on doing something w/ the Fediverse, but every time I go to validate the signed headers, I get a big fat NO. I'm kinda stuck, I've tried three different approaches, and all three have dropped me at the same endpoint, I'm not sure what I'm doing wrong.

#codeHelp #fediHelp #OldDogNewTricks #WhatTheHellAmIDoingWrong

@phpfox What's the specific issue?

@jaycie So Fedi says you've got a public/private keypair for each Actor. You should be able to validate a message signed by said actor (signature is in the header) by retrieving the pubkey and doing some not-so-handwavy openssl shenanigans.

landrok/activitypub has this built into their HttpSignature class, but that fails every time for me. I've tried an approach for Bugle, and then I re-built that approach because there's a lot of duplicated code throughout it.

All three have been "NOPE INVALID" returns. I'm on week... 4? of this headache.

@jaycie To be fair... I understand the concepts behind it, but it's just boiling down to "verify this signature w/ this Key". - NO

@phpfox Ooph, that sounds like an absolute pain. Will need to figure that out for xir own future AP work but drawing a blank right now.

@jaycie I may just post an interim commit to my github repo and ask folks to peek at it. The concept is simple. Pull the signature out of the header. Pull the Actor's Public Key, do a validate call (Native to PHP).

And I'm just getting *fart noise*

clickthulufed/src/Helpers/SignatureHelper.php at dev/activity-pub · clickthulu/clickthulufed

@phpfox How odd, but then cryptography can get really complicated.
@phpfox I don't know the answer (I haven't got there yet in my Tundra development), but when I was writing other signature-matching code, I had to be constantly vigilant that the sort order was correct, as well as the key capitalization being correct in key-value structures. And different programming languages and frameworks can have divergent opinions on the meaning of both of those things.

@kboyd Hrm. I will need to look at the sort order, cause I am technically building the string that we're comparing the validator against.

The code for this is here: https://github.com/clickthulu/clickthulufed/blob/dev/activity-pub/src/Helpers/SignatureHelper.php

The problem is, even if I DID change the sort order, how would I know?

@kboyd Okay, so, sort order confirmed, it's the same as what it claims to expect. I'm not sure on quotes, because all the examples don't have quotes, and neither do I, but the data coming in does. BUT I've tried it with both quotes and no quotes and it's still no good.

I think I'm finding it especially annoying to debug because it's a bit of a black box. Insert data, get failure. Insert slightly different data, get failure. I've no way to figure out what's actually wrong, so it's kind of a shot in the dark each time.
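A way to open up the black box described above, as an added example that is not part of the thread and is not code from clickthulufed or landrok/activitypub: sign and verify a constructed request locally, so the exact signing string is visible before any remote server is involved. It assumes the draft-cavage HTTP Signatures layout with RSA-SHA256; the function names, host, actor URL and key are hypothetical.

```php
<?php
// Added example; the key, host and actor URL are constructed values.
// Split keyId="...",headers="...",signature="..." into params, dropping the quotes.
function parseSignatureHeader(string $header): array
{
    preg_match_all('/(\w+)="([^"]*)"/', $header, $matches, PREG_SET_ORDER);
    $params = [];
    foreach ($matches as [, $name, $value]) {
        $params[$name] = $value;
    }
    return $params;
}

// Rebuild the signed text: lowercase names, in the sender's listed order, "\n"-joined.
function buildSigningString(string $method, string $path, array $headers, string $list): string
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    $lines = [];
    foreach (explode(' ', strtolower($list)) as $name) {
        $lines[] = $name === '(request-target)'
            ? '(request-target): ' . strtolower($method) . ' ' . $path
            : $name . ': ' . trim($headers[$name] ?? '');
    }
    return implode("\n", $lines); // no trailing newline
}

function verifyRequest(string $method, string $path, array $headers, string $publicKeyPem): bool
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    $sig = parseSignatureHeader($headers['signature'] ?? '');
    $raw = base64_decode($sig['signature'] ?? '', true); // openssl_verify wants raw bytes
    if ($raw === false || $raw === '') {
        return false;
    }
    $text = buildSigningString($method, $path, $headers, $sig['headers'] ?? 'date');
    return openssl_verify($text, $raw, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Round trip with a throwaway key, so each intermediate value can be inspected.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($key)['key'];
$headers = ['Host' => 'example.test', 'Date' => gmdate('D, d M Y H:i:s') . ' GMT'];
$list = '(request-target) host date';
$text = buildSigningString('POST', '/inbox', $headers, $list);
openssl_sign($text, $raw, $key, OPENSSL_ALGO_SHA256);
$headers['Signature'] = sprintf('keyId="https://example.test/actor#main-key",headers="%s",signature="%s"', $list, base64_encode($raw));
echo addcslashes($text, "\n"), PHP_EOL;                            // exact signed bytes
var_dump(verifyRequest('POST', '/inbox', $headers, $publicPem));   // untouched request
var_dump(verifyRequest('POST', '/inbox/', $headers, $publicPem));  // path changed after signing
```

Once the local round trip passes, printing the same escaped signing string for a real incoming request shows which line (order, case, whitespace, path) differs from what the sender signed.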

@phpfox can you share any code?

clickthulufed/src/Helpers/SignatureHelper.php at dev/activity-pub · clickthulu/clickthulufed

@phpfox Compare: "Can anyone do math?" vs "Can anyone tell me how to find x in y=mx+b?"

Asking your specific question will in general yield more & better responses.

@mykl If you know anything about how this sort of coding process works, you'll know what a RubberDuck question is, and you would have avoided this next statement; if you aren't willing to be part of the solution, then at least try to not be a problem.