Double-bang requests with rfc9421 and cavage after on error

2025-05-16 16:43:24 +02:00 · 2025-05-16 16:43:24 +02:00 · 6f2686e0d3
commit 6f2686e0d3
parent 3f4f1fd9d2
2 changed files with 29 additions and 10 deletions
--- a/activitypub/import.go
+++ b/activitypub/import.go
@ -415,14 +415,29 @@ func ImportRemoteAccountByAPUrl(apUrl string) (*models.User, error) {
 		return nil, other.Error("activitypub", "failed to get server actor", err)
 	}
 	var response *http.Response
-	response, err = webshared.RequestSignedCavage("GET", apUrl, nil, linstromActor)
+	// Try a rfc9421 based signature first for the request, if it fails, fall back to cavage
+	// Reason: Implementations should be switching over from cavage to the final implementation
+	// (rfc9421) slowly, but might not support the latter. Double-knocking will work
+	// around this
+	response, err = webshared.RequestSignedRFC9421("GET", apUrl, nil, linstromActor)
 	if err != nil {
-		return nil, other.Error("activitypub", "failed to complete cavage signed request", err)
+		return nil, other.Error("activitypub", "failed to complete rfc9421 signed request", err)
 	}
-	defer response.Body.Close()
 	body, _ := io.ReadAll(response.Body)
+	response.Body.Close()
 	if response.StatusCode != 200 {
-		return nil, fmt.Errorf("activitypub: invalid status code: %v", response.StatusCode)
+		log.Debug().
+			Int("status-code", response.StatusCode).
+			Msg("RFC9421 signed request failed, trying cavage signature")
+		response, err = webshared.RequestSignedCavage("GET", apUrl, nil, linstromActor)
+		if err != nil {
+			return nil, other.Error("activitypub", "failed to complete cavage signed request", err)
+		}
+		body, _ = io.ReadAll(response.Body)
+		response.Body.Close()
+		if response.StatusCode != 200 {
+			return nil, fmt.Errorf("activitypub: invalid status code: %v", response.StatusCode)
+		}
 	}
 	var data inboundImportUser
 	err = json.Unmarshal(body, &data)
--- a/web/shared/clientRfc9421.go
+++ b/web/shared/clientRfc9421.go
@ -33,9 +33,7 @@ Links for home:
 func RequestSignedRFC9421(
 	method, target string,
 	body []byte,
-	keyId string,
-	privateKeyBytes []byte,
-	useEd bool,
+	actor *models.User,
 ) (*http.Response, error) {
 	req, err := http.NewRequest(method, target, bytes.NewBuffer(slices.Clone(body)))
 	if err != nil {
@ -46,7 +44,7 @@ func RequestSignedRFC9421(
 	signerFields := httpsign.Headers("@request-target", "content-digest")
 	if config.GlobalConfig.Experimental.UseEd25519Keys {
 		signer, err = httpsign.NewEd25519Signer(
-			privateKeyBytes,
+			actor.PrivateKeyEd,
 			httpsign.NewSignConfig(),
 			signerFields,
 		)
@ -54,7 +52,7 @@ func RequestSignedRFC9421(
 			return nil, err
 		}
 	} else {
-		key, err := x509.ParsePKCS1PrivateKey(privateKeyBytes)
+		key, err := x509.ParsePKCS1PrivateKey(actor.PrivateKeyRsa)
 		if err != nil {
 			return nil, err
 		}
@ -63,9 +61,15 @@ func RequestSignedRFC9421(
 			return nil, err
 		}
 	}
+	clientConfig := httpsign.NewClientConfig().SetSigner(signer)
+	if config.GlobalConfig.Experimental.UseEd25519Keys {
+		clientConfig = clientConfig.SetSignatureName("sig-ed")
+	} else {
+		clientConfig = clientConfig.SetSignatureName("sig-rsa")
+	}
 	client := httpsign.NewClient(
 		RequestClient,
-		httpsign.NewClientConfig().SetSigner(signer).SetSignatureName("sig1"),
+		clientConfig,
 	)
 	res, err := client.Do(req)
 	return res, err