Skip to content

Order of signature parameters at verify time #14

Description

@mariusor

Hello, I've done some more work integrating httpsig with my GoActivityPub library, and I've tried to use the RFC9421 examples as validation tests.

One of the issues I encountered is that httpsig uses a hard-coded ordering of the parameters for the signature verification, instead of using the order as it's listed in the Signature-Input header.

So using Example B.2.6, the string to sign is:

"date": Tue, 20 Apr 2021 02:07:55 GMT
"@method": POST
"@path": /foo
"@authority": example.com
"content-type": application/json
"content-length": 18
"@signature-params": ("date" "@method" "@path" "@authority" "content-type" "content-length");keyid="test-key-ed25519";created=1618884473

instead of the value in the example (the createdat and keyid are reversed)

"date": Tue, 20 Apr 2021 02:07:55 GMT
"@method": POST
"@path": /foo
"@authority": example.com
"content-type": application/json
"content-length": 18
"@signature-params": ("date" "@method" "@path" "@authority" "content-type" "content-length");created=1618884473;keyid="test-key-ed25519"

So I want to know if a PR that fixes this ordering issue would be useful.


The example doesn't work as stated yet as httpsig ignores the @path, to fix that see #13.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions