Hello, I've done some more work integrating httpsig with my GoActivityPub library, and I've tried to use the RFC9421 examples as validation tests.
One of the issues I encountered is that httpsig uses a hard-coded ordering of the parameters for the signature verification, instead of using the order as it's listed in the Signature-Input header.
So using Example B.2.6, the string to sign is:
"date": Tue, 20 Apr 2021 02:07:55 GMT
"@method": POST
"@path": /foo
"@authority": example.com
"content-type": application/json
"content-length": 18
"@signature-params": ("date" "@method" "@path" "@authority" "content-type" "content-length");keyid="test-key-ed25519";created=1618884473
instead of the value in the example (the createdat and keyid are reversed)
"date": Tue, 20 Apr 2021 02:07:55 GMT
"@method": POST
"@path": /foo
"@authority": example.com
"content-type": application/json
"content-length": 18
"@signature-params": ("date" "@method" "@path" "@authority" "content-type" "content-length");created=1618884473;keyid="test-key-ed25519"
So I want to know if a PR that fixes this ordering issue would be useful.
The example doesn't work as stated yet as httpsig ignores the @path, to fix that see #13.
Hello, I've done some more work integrating httpsig with my GoActivityPub library, and I've tried to use the RFC9421 examples as validation tests.
One of the issues I encountered is that httpsig uses a hard-coded ordering of the parameters for the signature verification, instead of using the order as it's listed in the
Signature-Inputheader.So using Example B.2.6, the string to sign is:
instead of the value in the example (the
createdatandkeyidare reversed)So I want to know if a PR that fixes this ordering issue would be useful.
The example doesn't work as stated yet as httpsig ignores the
@path, to fix that see #13.