HTTP signatures rewrite (#488)

* begin impl

* up and pin metrics to avoid their ahash locking

* switch around (alphabetical order :D )

* move to lib dir

* move blocking library to lib, rename to blowocking

* full parsing into struct

* add span tracking and small example

* add feature

* up

* up yarn

* flake.lock: Update

Flake lock file updates:

• Updated input 'devenv':
    'github:cachix/devenv/0e68853bb27981a4ffd7a7225b59ed84f7180fc7' (2024-02-03)
  → 'github:cachix/devenv/5a30b9e5ac7c6167e61b1f4193d5130bb9f8defa' (2024-02-13)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/e92b6015881907e698782c77641aa49298330223' (2024-02-02)
  → 'github:nixos/nixpkgs/a4d4fe8c5002202493e87ec8dbc91335ff55552c' (2024-02-15)
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/61dfa5a8129f7edbe9150253c68f673f87b16fb1' (2024-02-05)
  → 'github:oxalica/rust-overlay/4ee92bf124fbc4e157cbce1bc2a35499866989fc' (2024-02-16)

* change iteration method

* use derive-builder for http-signatures

* use indexing to get rid of quotation marks

* fix for numeral values

* very important

* add subset fn over slices, add proptest to verify

* add basic checks

* define error

* logic to construct the signing string

* remove shrink to fit

* add basic test

* add tests

* up

* add construction bench

* import fmt

* add signing logic

* add verify logic

* add serialization logic

* add crypto module

* add skeleton for the easy api

* add safety checks

* move check

* add tracing

* add easy verify function

* add easy signing

* move to something like type-state

* rm outdated comment

* fix warning

* generalize param

* respect expires duration

* add clock skew adjustment

* add note about supported methods

* add documentation

* simplify

* add docs

* clock skew

* banish the booleans

* add parser for private keys

* update easy api

* up

* delete old impl

* progress

* finish port

* up hyper

* rm unused dependency

* up

* use std hint

* add tests

* typos exclude

* stuff

Cargo.toml

@@ -16,7 +16,6 @@ opt-level = "z"
 [workspace]
 members = [
     "crates/kitsune-activitypub",
-    "crates/kitsune-blocking",
     "crates/kitsune-cache",
     "crates/kitsune-captcha",
     "crates/kitsune-config",
@@ -27,7 +26,6 @@ members = [
     "crates/kitsune-federation",
     "crates/kitsune-federation-filter",
     "crates/kitsune-http-client",
-    "crates/kitsune-http-signatures",
     "crates/kitsune-jobs",
     "crates/kitsune-language",
     "crates/kitsune-mastodon",
@@ -47,8 +45,10 @@ members = [
     "kitsune-cli",
     "kitsune-job-runner",
     "lib/athena",
+    "lib/blowocking",
     "lib/cursiv",
     "lib/http-compat",
+    "lib/http-signatures",
     "lib/kitsune-retry-policies",
     "lib/masto-id-convert",
     "lib/post-process",
@@ -76,6 +76,7 @@ no_effect_underscore_binding = "allow"
 [workspace.lints.rust]
 forbidden_lint_groups = "allow"
 rust_2018_idioms = "forbid"
+unsafe_code = "deny"
 
 [workspace.package]
 authors = ["Kitsune developers"]

_typos.toml

@@ -1,7 +1,7 @@
 [files]
 extend-exclude = [
-    "crates/kitsune-http-signatures/tests/data.rs",
     "crates/kitsune-language/examples/basic.rs",
     "crates/kitsune-language/src/map.rs",
+    "lib/http-signatures/tests/data.rs",
     "lib/post-process/tests/input/*",
 ]

crates/kitsune-activitypub/Cargo.toml

@@ -7,7 +7,7 @@ license.workspace = true
 
 [dependencies]
 async-trait = "0.1.77"
-autometrics = { version = "1.0.0", default-features = false }
+autometrics = { version = "1.0.1", default-features = false }
 base64-simd = "0.8.0"
 diesel = "2.1.4"
 diesel-async = "0.4.1"
@@ -22,7 +22,6 @@ kitsune-db = { path = "../kitsune-db" }
 kitsune-embed = { path = "../kitsune-embed" }
 kitsune-federation-filter = { path = "../kitsune-federation-filter" }
 kitsune-http-client = { path = "../kitsune-http-client" }
-kitsune-http-signatures = { path = "../kitsune-http-signatures" }
 kitsune-language = { path = "../kitsune-language" }
 kitsune-search = { path = "../kitsune-search" }
 kitsune-service = { path = "../kitsune-service" }
@@ -33,11 +32,11 @@ mime = "0.3.17"
 mime_guess = { version = "2.0.4", default-features = false }
 rsa = "0.9.6"
 scoped-futures = "0.1.3"
-serde = "1.0.196"
+serde = "1.0.197"
 sha2 = "0.10.8"
 simd-json = "0.13.8"
 speedy-uuid = { path = "../../lib/speedy-uuid" }
-thiserror = "1.0.56"
+thiserror = "1.0.57"
 tracing = "0.1.40"
 typed-builder = "0.18.1"
 url = "2.5.0"
@@ -47,7 +46,7 @@ sha2 = { version = "0.10.8", features = ["asm"] }
 
 [dev-dependencies]
 http-body-util = "0.1.0"
-hyper = "1.1.0"
+hyper = "1.2.0"
 kitsune-config = { path = "../kitsune-config" }
 kitsune-test = { path = "../kitsune-test" }
 kitsune-webfinger = { path = "../kitsune-webfinger" }

crates/kitsune-activitypub/src/deliverer/core.rs

@@ -6,9 +6,7 @@ use kitsune_core::consts::USER_AGENT;
 use kitsune_db::model::{account::Account, user::User};
 use kitsune_federation_filter::FederationFilter;
 use kitsune_http_client::Client;
-use kitsune_http_signatures::{ring::signature::RsaKeyPair, PrivateKey};
 use kitsune_type::ap::Activity;
-use rsa::pkcs8::SecretDocument;
 use sha2::{Digest, Sha256};
 use std::pin::pin;
 use typed_builder::TypedBuilder;
@@ -52,14 +50,13 @@ impl Deliverer {
             .header("Digest", digest_header)
             .body(body.into())?;
 
-        let (_tag, pkcs8_document) = SecretDocument::from_pem(&user.private_key)?;
-        let private_key = PrivateKey::builder()
-            .key_id(&account.public_key_id)
-            .key(RsaKeyPair::from_pkcs8(pkcs8_document.as_bytes())?)
-            .build();
+        let response = self
+            .client
+            .execute_signed(request, &account.public_key_id, &user.private_key)
+            .await?;
 
-        let response = self.client.execute_signed(request, private_key).await?;
         debug!(status_code = %response.status(), "successfully executed http request");
+
         if !response.status().is_success() {
             let status_code = response.status();
             let body = response.text().await?;

crates/kitsune-activitypub/src/error.rs

@@ -1,6 +1,5 @@
 use diesel_async::pooled_connection::bb8;
 use kitsune_core::error::BoxError;
-use kitsune_http_signatures::ring;
 use rsa::pkcs8::der;
 use std::{
     convert::Infallible,
@@ -57,9 +56,6 @@ pub enum Error {
     #[error(transparent)]
     InvalidUri(#[from] http::uri::InvalidUri),
 
-    #[error(transparent)]
-    KeyRejected(#[from] ring::error::KeyRejected),
-
     #[error("Missing host")]
     MissingHost,
 

crates/kitsune-cache/Cargo.toml

@@ -10,9 +10,9 @@ deadpool-redis = "0.14.0"
 enum_dispatch = "0.3.12"
 moka = { version = "0.12.5", features = ["sync"] }
 redis = "0.24.0"
-serde = "1.0.196"
+serde = "1.0.197"
 simd-json = "0.13.8"
-thiserror = "1.0.56"
+thiserror = "1.0.57"
 tracing = "0.1.40"
 typed-builder = "0.18.1"
 

crates/kitsune-captcha/Cargo.toml

@@ -9,11 +9,11 @@ license.workspace = true
 enum_dispatch = "0.3.12"
 http = "1.0.0"
 kitsune-http-client = { path = "../kitsune-http-client" }
-serde = { version = "1.0.196", features = ["derive"] }
+serde = { version = "1.0.197", features = ["derive"] }
 serde_urlencoded = "0.7.1"
 simd-json = "0.13.8"
 strum = { version = "0.26.1", features = ["derive"] }
-thiserror = "1.0.56"
+thiserror = "1.0.57"
 typed-builder = "0.18.1"
 
 [lints]

crates/kitsune-config/Cargo.toml

@@ -7,8 +7,8 @@ license.workspace = true
 
 [dependencies]
 isolang = { version = "2.4.0", features = ["serde"] }
-miette = "7.0.0"
-serde = { version = "1.0.196", features = ["derive"] }
+miette = "7.1.0"
+serde = { version = "1.0.197", features = ["derive"] }
 smol_str = { version = "0.2.1", features = ["serde"] }
 tokio = { version = "1.36.0", features = ["fs"] }
 toml = { version = "0.8.10", default-features = false, features = ["parse"] }

crates/kitsune-core/Cargo.toml

@@ -12,9 +12,9 @@ const_format = "0.2.32"
 http = "1.0.0"
 kitsune-db = { path = "../kitsune-db" }
 kitsune-messaging = { path = "../kitsune-messaging" }
-serde = { version = "1.0.196", features = ["derive"] }
+serde = { version = "1.0.197", features = ["derive"] }
 speedy-uuid = { path = "../../lib/speedy-uuid", features = ["diesel"] }
-thiserror = "1.0.56"
+thiserror = "1.0.57"
 typed-builder = "0.18.1"
 
 [build-dependencies]

crates/kitsune-db/Cargo.toml

@@ -7,6 +7,7 @@ license.workspace = true
 build = "build.rs"
 
 [dependencies]
+blowocking = { path = "../../lib/blowocking" }
 diesel = { version = "2.1.4", features = ["uuid"] }
 diesel-async = { version = "0.4.1", features = [
     "async-connection-wrapper",
@@ -20,19 +21,18 @@ futures-util = { version = "0.3.30", default-features = false, features = [
     "alloc",
 ] }
 iso8601-timestamp = { version = "0.2.17", features = ["diesel-pg"] }
-kitsune-blocking = { path = "../kitsune-blocking" }
 kitsune-config = { path = "../kitsune-config" }
 kitsune-language = { path = "../kitsune-language" }
 kitsune-type = { path = "../kitsune-type" }
-miette = "7.0.0"
+miette = "7.1.0"
 num-derive = "0.4.2"
 num-traits = "0.2.18"
 rustls = "0.22.2"
 rustls-native-certs = "0.7.0"
-serde = { version = "1.0.196", features = ["derive"] }
+serde = { version = "1.0.197", features = ["derive"] }
 simd-json = "0.13.8"
 speedy-uuid = { path = "../../lib/speedy-uuid", features = ["diesel"] }
-thiserror = "1.0.56"
+thiserror = "1.0.57"
 tokio = { version = "1.36.0", features = ["rt"] }
 tokio-postgres = "0.7.10"
 tokio-postgres-rustls = "0.11.1"

crates/kitsune-db/src/error.rs

@@ -40,7 +40,7 @@ impl StdError for IsoCodeConversionError {}
 #[derive(Debug, Diagnostic, Error)]
 pub enum Error {
     #[error(transparent)]
-    Blocking(#[from] kitsune_blocking::Error),
+    Blocking(#[from] blowocking::Error),
 
     #[error(transparent)]
     Diesel(#[from] diesel::result::Error),

crates/kitsune-db/src/lang.rs

@@ -42,6 +42,7 @@ impl FromSql<sql_types::LanguageIsoCode, Pg> for LanguageIsoCode {
     fn from_sql(
         bytes: <Pg as diesel::backend::Backend>::RawValue<'_>,
     ) -> diesel::deserialize::Result<Self> {
+        #[allow(unsafe_code)]
         let code_txt = unsafe { str::from_utf8_unchecked(bytes.as_bytes()) };
         let lang = kitsune_language::Language::from_639_3(code_txt)
             .ok_or_else(|| IsoCodeConversionError(code_txt.to_string()))?;

crates/kitsune-db/src/lib.rs

@@ -35,7 +35,7 @@ pub const MIGRATIONS: EmbeddedMigrations = embed_migrations!();
 pub async fn connect(config: &DatabaseConfig) -> Result<PgPool> {
     LogTracer::init().ok();
 
-    kitsune_blocking::io({
+    blowocking::io({
         let conn_str = config.url.clone();
 
         move || {

crates/kitsune-db/src/pool.rs

@@ -50,8 +50,8 @@ impl PgPool {
     /// Run the code inside a context with a database transaction
     pub async fn with_transaction<'a, F, Fut, T, E>(&self, func: F) -> Result<T, PoolError<E>>
     where
-        F: for<'conn> FnOnce(&'conn mut AsyncPgConnection) -> ScopedFutureWrapper<'conn, 'a, Fut>
-            + Send,
+        for<'conn> F:
+            FnOnce(&'conn mut AsyncPgConnection) -> ScopedFutureWrapper<'conn, 'a, Fut> + Send,
         Fut: Future<Output = Result<T, E>> + Send,
         T: Send,
         E: From<diesel::result::Error> + Debug + Display + Send,

crates/kitsune-db/src/tls.rs

@@ -34,7 +34,7 @@ async fn load_certs() -> rustls::RootCertStore {
     // Load certificates on a background thread to avoid blocking the runtime
     //
     // TODO(aumetra): Maybe add a fallback to `webpki-roots`?
-    let certs = kitsune_blocking::io(rustls_native_certs::load_native_certs)
+    let certs = blowocking::io(rustls_native_certs::load_native_certs)
         .await
         .unwrap()
         .expect("Failed to load native certificates");

crates/kitsune-email/Cargo.toml

@@ -24,15 +24,15 @@ lettre = { version = "0.11.4", default-features = false, features = [
     "tokio1-rustls-tls",
     "tracing",
 ] }
-miette = "7.0.0"
-mrml = { version = "3.0.0", default-features = false, features = [
+miette = "7.1.0"
+mrml = { version = "3.0.1", default-features = false, features = [
     "orderedmap",
     "parse",
     "render",
 ] }
 scoped-futures = "0.1.3"
 speedy-uuid = { path = "../../lib/speedy-uuid" }
-thiserror = "1.0.56"
+thiserror = "1.0.57"
 typed-builder = "0.18.1"
 
 [lints]

crates/kitsune-embed/Cargo.toml

@@ -16,7 +16,7 @@ kitsune-http-client = { path = "../kitsune-http-client" }
 once_cell = "1.19.0"
 scraper = { version = "0.18.1", default-features = false }
 smol_str = "0.2.1"
-thiserror = "1.0.56"
+thiserror = "1.0.57"
 typed-builder = "0.18.1"
 
 [lints]

crates/kitsune-federation-filter/Cargo.toml

@@ -9,8 +9,8 @@ license.workspace = true
 globset = "0.4.14"
 kitsune-config = { path = "../kitsune-config" }
 kitsune-type = { path = "../kitsune-type" }
-miette = "7.0.0"
-thiserror = "1.0.56"
+miette = "7.1.0"
+thiserror = "1.0.57"
 url = "2.5.0"
 
 [lints]

crates/kitsune-http-client/Cargo.toml

@@ -11,24 +11,23 @@ bytes = "1.5.0"
 futures-util = { version = "0.3.30", default-features = false, features = [
     "alloc",
 ] }
-headers = "0.4.0"
 http-body = "1.0.0"
 http-body-util = "0.1.0"
-hyper = "1.1.0"
+http-signatures = { path = "../../lib/http-signatures" }
+hyper = "1.2.0"
 hyper-util = { version = "0.1.3", features = [
     "client-legacy",
     "http1",
     "http2",
     "tokio",
 ] }
 hyper-rustls = { version = "0.26.0", features = ["http2"] }
-kitsune-http-signatures = { path = "../kitsune-http-signatures" }
 kitsune-type = { path = "../kitsune-type" }
 pin-project = "1.1.4"
-serde = "1.0.196"
+serde = "1.0.197"
 simd-json = "0.13.8"
 tower = { version = "0.4.13", features = ["util"] }
-tower-http = { version = "0.5.1", features = [
+tower-http = { version = "0.5.2", features = [
     # Explicitly exclude `zstd`
     # It's not widely adopted and takes a long time to build
     "decompression-br",