silverpill@silverpill@mitra.social (2026-05-09 17:19:46)
@mariusor
RSA secret key: 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
request method: POST
request body: {}
request URI: https://verifier.example/inbox
created: 1778314593
content-digest header: sha-256=:RBNvo1WzZ4oRRq0W9+hknpT7T8If536DEMBg9hyq/4o=:
signature base:
"@method": POST
"@target-uri": https://verifier.example/inbox
"content-digest": sha-256=:RBNvo1WzZ4oRRq0W9+hknpT7T8If536DEMBg9hyq/4o=:
"@signature-params": ("@method" "@target-uri" "content-digest");keyid="https://signer.example/actor#main-key";created=1778314593;alg="rsa-v1_5-sha256"
signature header: sig1=:gJWUQjvkEcdXc86ZC+kEWKhUyiExKQomXxWd9q8mzDSm9fE6XjsA+HCoNE9LP4RRCdwAHWZ6Zeou4WPjhxpPwQ==:
signature-input header: sig1=("@method" "@target-uri" "content-digest");keyid="https://signer.example/actor#main-key";created=1778314593;alg="rsa-v1_5-sha256"
---Reply---
marius@mariusor@metalhead.club (2026-05-16 17:43:41)
@silverpill to come back to this, I have added both this example and one of your original requests to the unit-tests, and they both validate correctly.
So I still have no idea why this is failing in production. The only thing I can think of is the http proxy messing with the value of the "target-uri" parameter.
---Replies---
silverpill@silverpill@mitra.social (2026-05-17 06:37:09)
@mariusor That's possible.
@target-uri is supposed to be an absolute URI. HTTP servers typically reconstruct the full URI using the Host and other headers. For example, I use this method: https://docs.rs/actix-web/latest/actix_web/dev/struct.ConnectionInfo.html#method.host
Hostname is resolved through the following, in order:
Forwarded header
X-Forwarded-Host header
Host header
request target / URI
configured server hostname
If I don't configure my reverse proxy to set these headers, the full URI will be incorrect, leading to verification failure.
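Added example, not code from either poster or from actix-web: a Python sketch that rebuilds the RFC 9421 signature base from the test vector above and shows how the verifier's "@target-uri" line changes when a reverse proxy rewrites Host without forwarding the original. The backend address 127.0.0.1:8080, the `configured` fallback, the fixed https scheme and the simplified header parsing are assumptions made for illustration.

```python
import base64
import hashlib

# Values taken from the test vector posted earlier in the thread.
SIGNED_URI = "https://verifier.example/inbox"
PARAMS = ('("@method" "@target-uri" "content-digest");'
          'keyid="https://signer.example/actor#main-key";'
          'created=1778314593;alg="rsa-v1_5-sha256"')

def content_digest(body: bytes) -> str:
    """Content-Digest header value: SHA-256 of the body, base64 between colons."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def resolve_host(headers: dict, configured: str) -> str:
    """Simplified host resolution in the order quoted above (the request-target
    step is skipped because an origin-form target such as /inbox has no host)."""
    h = {k.lower(): v for k, v in headers.items()}
    for part in h.get("forwarded", "").split(",")[0].split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "host" and value:
            return value.strip('"')
    if h.get("x-forwarded-host"):
        return h["x-forwarded-host"].split(",")[0].strip()
    return h.get("host") or configured

def signature_base(method: str, target_uri: str, digest: str) -> str:
    """RFC 9421 signature base for the three covered components."""
    return "\n".join([
        f'"@method": {method}',
        f'"@target-uri": {target_uri}',
        f'"content-digest": {digest}',
        f'"@signature-params": {PARAMS}',
    ])

def verifier_base(headers: dict, path: str, body: bytes,
                  scheme: str = "https", configured: str = "localhost") -> str:
    """Signature base the verifier rebuilds from what reached the backend."""
    uri = f"{scheme}://{resolve_host(headers, configured)}{path}"
    return signature_base("POST", uri, content_digest(body))

# What the signer hashed and signed.
SIGNER_BASE = signature_base("POST", SIGNED_URI, content_digest(b"{}"))

# Constructed proxy scenarios; 127.0.0.1:8080 is a hypothetical backend address.
PROXY_REWRITES_HOST = {"Host": "127.0.0.1:8080"}
PROXY_FORWARDS_HOST = {"Host": "127.0.0.1:8080", "X-Forwarded-Host": "verifier.example"}

if __name__ == "__main__":
    for name, hdrs in [("rewrites", PROXY_REWRITES_HOST), ("forwards", PROXY_FORWARDS_HOST)]:
        print(name, verifier_base(hdrs, "/inbox", b"{}") == SIGNER_BASE)
```

Logging the rebuilt signature base on the verifier and diffing it against the signer's is usually the quickest way to confirm this class of failure, since a unit test that passes the URI in directly never exercises the proxy path.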
marius@mariusor@metalhead.club (2026-06-04 21:45:47)
https://metalhead.club/@mariusor/116691230280367219
@silverpill I wonder if this might also have been the culprit for why ONI was failing your otherwise correct RFC9421 signature requests.
:think_bread: