-rw-r--r--activitypub.c5
-rw-r--r--http.c54
-rw-r--r--snac.h1
3 files changed, 59 insertions, 1 deletions
diff --git a/activitypub.c b/activitypub.c
index cebefca..7a30010 100644
--- a/activitypub.c
+++ b/activitypub.c
@@ -594,7 +594,10 @@ int process_message(snac *snac, char *msg, char *req)
}
/* check the signature */
- /* ... */
+ if (!check_signature(snac, req)) {
+ snac_log(snac, xs_fmt("bad signature"));
+ return 1;
+ }
if (strcmp(type, "Follow") == 0) {
xs *reply = msg_accept(snac, msg, actor);
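Review bot: The rejection log on the new line `snac_log(snac, xs_fmt("bad signature"));` carries no context, so an operator seeing repeated rejections cannot tell which remote is failing; since `actor` is already in scope here (used by `msg_accept` below), `snac_log(snac, xs_fmt("bad signature from %s", actor));` would make the rejection traceable. Note also that, as written in the http.c hunk, `check_signature` returns 1 once the public key is located without comparing the signature itself, so this branch currently only fires for a malformed Signature header or an unknown actor; that is raised on the http.c hunk. process_message begins and ends outside the hunk.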
diff --git a/http.c b/http.c
index 7c9b598..8062806 100644
--- a/http.c
+++ b/http.c
@@ -99,3 +99,57 @@ d_char *http_signed_request(snac *snac, char *method, char *url,
return response;
}
+
+
+int check_signature(snac *snac, char *req)
+/* check the signature */
+{
+ char *sig_hdr = xs_dict_get(req, "signature");
+ xs *keyId = NULL;
+ xs *headers = NULL;
+ xs *signature = NULL;
+ char *pubkey;
+ char *p;
+
+ {
+ /* extract the values */
+ xs *l = xs_split(sig_hdr, ",");
+ char *v;
+
+ p = l;
+ while (xs_list_iter(&p, &v)) {
+ if (xs_startswith(v, "keyId"))
+ keyId = xs_crop(xs_dup(v), 7, -1);
+ else
+ if (xs_startswith(v, "headers"))
+ headers = xs_crop(xs_dup(v), 9, -1);
+ else
+ if (xs_startswith(v, "signature"))
+ signature = xs_crop(xs_dup(v), 12, -1);
+ }
+ }
+
+ if (keyId == NULL || headers == NULL || signature == NULL) {
+ snac_debug(snac, 1, xs_fmt("bad signature header"));
+ return 0;
+ }
+
+ /* strip the # from the keyId */
+ if ((p = strchr(keyId, '#')) != NULL)
+ *p = '\0';
+
+ /* the actor must already be here */
+ xs *actor = NULL;
+ if (!valid_status(actor_get(snac, keyId, &actor))) {
+ snac_debug(snac, 1, xs_fmt("check_signature unknown actor %s", keyId));
+ return 0;
+ }
+
+ if ((p = xs_dict_get(actor, "publicKey")) == NULL ||
+ ((pubkey = xs_dict_get(p, "publicKeyPem")) == NULL)) {
+ snac_debug(snac, 1, xs_fmt("cannot get pubkey from actor %s", keyId));
+ return 0;
+ }
+
+ return 1;
+}
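Review bot: `check_signature` returns 1 after locating `publicKeyPem` (the `return 1;` before the closing brace) without ever using `pubkey`, `headers` or `signature`, so a request with any syntactically valid Signature header from a known actor passes; if this is intentionally staged, a comment such as `/* TODO: verify (request-target)/date/digest against pubkey; currently accepts any well-formed header */` above the return would keep the caller from trusting it prematurely, and `pubkey` will otherwise draw a set-but-unused warning. Separately, `sig_hdr` is passed straight to `xs_split` with no NULL check, so a request that lacks the header is handled by whatever `xs_split` does with NULL (looks like a crash unless it tolerates NULL — worth confirming); a guard right after the lookup, `if (sig_hdr == NULL) { snac_debug(snac, 1, xs_fmt("no signature header")); return 0; }`, makes the missing-header case an explicit rejection. The parse also splits on "," which is fine for the three fields shown but would mis-parse a keyId that itself contains a comma; a bounded parse of the quoted value would be more robust.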
diff --git a/snac.h b/snac.h
index 368c9ad..392f57d 100644
--- a/snac.h
+++ b/snac.h
@@ -94,6 +94,7 @@ d_char *http_signed_request(snac *snac, char *method, char *url,
d_char *headers,
d_char *body, int b_size,
int *status, d_char **payload, int *p_size);
+int check_signature(snac *snac, char *req);
void httpd(void);