Commit 877f943a authored by Eugen Rochko's avatar Eugen Rochko

Update 2018-07-03_How-to-make-friends-and-verify-people.md

parent dfe5d372
Pipeline #84 passed with stages
in 1 second
...@@ -35,7 +35,7 @@ post '/inbox' do ...@@ -35,7 +35,7 @@ post '/inbox' do
end end
``` ```
That's an absolutely basic implementation. Save it in `server.rb`. You can run the server with `ruby server.rb` (you need the Sinatra gem installed before that: `gem install sinatra`). Now on this server you can navigate to /inspect to see the contents of your inbox, and you (and anyone, really) can POST to the /inbox to add something there. That's an absolutely basic implementation. Save it in `server.rb`. You can run the server with `ruby server.rb` (you need the Sinatra gem installed before that: `gem install sinatra`). Now on this server you can navigate to `/inspect` to see the contents of your inbox, and you (and anyone, really) can POST to the `/inbox` to add something there.
Of course, anyone being able to put anything in there is not ideal. We need to check the incoming POST requests for a HTTP signature and validate it. Here is what a HTTP signature header looks like: Of course, anyone being able to put anything in there is not ideal. We need to check the incoming POST requests for a HTTP signature and validate it. Here is what a HTTP signature header looks like:
...@@ -44,6 +44,9 @@ Of course, anyone being able to put anything in there is not ideal. We need to c ...@@ -44,6 +44,9 @@ Of course, anyone being able to put anything in there is not ideal. We need to c
We need to read the `Signature` header, split it into its parts (`keyId`, `headers` and `signature`), fetch the public key linked from `keyId`, create a comparison string from the plaintext headers we got in the same order as was given in the signature header, and then verify that string using the public key and the original signature. We need to read the `Signature` header, split it into its parts (`keyId`, `headers` and `signature`), fetch the public key linked from `keyId`, create a comparison string from the plaintext headers we got in the same order as was given in the signature header, and then verify that string using the public key and the original signature.
```ruby ```ruby
require 'json'
require 'http'
post '/inbox' do post '/inbox' do
signature_header = request.headers['Signature'].split(',').map do |pair| signature_header = request.headers['Signature'].split(',').map do |pair|
pair.split('=').map do |value| pair.split('=').map do |value|
...@@ -67,12 +70,10 @@ post '/inbox' do ...@@ -67,12 +70,10 @@ post '/inbox' do
end end
if key.verify(OpenSSL::Digest::SHA256.new, signature, comparison_string) if key.verify(OpenSSL::Digest::SHA256.new, signature, comparison_string)
# The request really comes from the actor!
request.body.rewind request.body.rewind
INBOX << request.body.read INBOX << request.body.read
[200, 'OK'] [200, 'OK']
else else
# It's fake!
[401, 'Request signature could not be verified'] [401, 'Request signature could not be verified']
end end
end end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment