actpub-httpsig 0.2.0

Dual-stack HTTP Message Signatures (Cavage draft-12 + RFC 9421) with RSA & Ed25519 via aws-lc-rs.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268

//! Timestamp freshness / replay-protection policy for signature verification.
//!
//! The HTTP-Signatures specs (Cavage draft-12 §2.1.2 and RFC 9421
//! §7.2.2) both warn that signatures alone do **not** protect against
//! replay attacks: an intermediary who captures a valid signed request
//! can resend it verbatim until the signer's key rotates. The standard
//! mitigation is to require each signature to carry a `created`
//! parameter (or a `Date` header) and reject anything older than a
//! configured age, bounded on the future side by a small clock-skew
//! tolerance.
//!
//! [`VerifyPolicy`] captures the tunables for this check. Callers
//! choose a policy via one of the presets ([`VerifyPolicy::mastodon`],
//! [`VerifyPolicy::strict`]) or build one directly and pass it to the
//! `*_verify_with_policy` variants.

use chrono::{DateTime, Duration, Utc};
use httpdate::parse_http_date;

use crate::error::Error;

/// Tunables governing which signed timestamps are accepted at
/// verification time.
///
/// A `max_age` of `None` disables the past-side check and a
/// `max_clock_skew_future` of `None` disables the future-side check;
/// both default to `Some(...)` in the presets.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[non_exhaustive]
pub struct VerifyPolicy {
    /// Maximum permissible age of a signature. A `created` (or `Date`)
    /// timestamp older than `now - max_age` is rejected. `None`
    /// disables the past-side check.
    pub max_age: Option<Duration>,

    /// Maximum permissible future skew. A timestamp claimed to be more
    /// than `max_clock_skew_future` ahead of the verifier's clock is
    /// rejected, to catch badly-set signer clocks and straight-out
    /// forgeries. `None` disables the future-side check.
    pub max_clock_skew_future: Option<Duration>,

    /// If `true`, a request carrying neither a `created` parameter nor
    /// a `Date` header is rejected. Defaults to `false` to stay
    /// compatible with servers that only emit one of the two.
    pub require_timestamp: bool,
}

impl VerifyPolicy {
    /// Returns the policy Mastodon applies to inbound federated
    /// requests: 12 hours past, 5 minutes future, timestamps optional.
    ///
    /// See <https://docs.joinmastodon.org/spec/security/>.
    #[must_use]
    pub const fn mastodon() -> Self {
        Self {
            max_age: Some(Duration::hours(12)),
            max_clock_skew_future: Some(Duration::minutes(5)),
            require_timestamp: false,
        }
    }

    /// Returns a tight policy appropriate for internal services where
    /// every hop has NTP-synchronised clocks: 5 minutes past, 1 minute
    /// future, and timestamps are mandatory.
    #[must_use]
    pub const fn strict() -> Self {
        Self {
            max_age: Some(Duration::minutes(5)),
            max_clock_skew_future: Some(Duration::minutes(1)),
            require_timestamp: true,
        }
    }

    /// Returns a policy that **disables** freshness checking entirely.
    ///
    /// Only intended for byte-level conformance tests against static
    /// RFC 9421 / Cavage fixtures that bake fixed timestamps into their
    /// inputs. Do not use in production.
    #[must_use]
    pub const fn no_freshness_check() -> Self {
        Self {
            max_age: None,
            max_clock_skew_future: None,
            require_timestamp: false,
        }
    }

    /// Evaluates the policy against a signature whose `created`
    /// parameter is `created_unix` (seconds since epoch), `expires`
    /// parameter is `expires_unix`, and whose companion `Date` header
    /// (if any) contained `date_header`. Returns `Ok` when the
    /// signature is fresh, or a specific error otherwise.
    ///
    /// # Errors
    ///
    /// Returns [`Error::TimestampMissing`] when `require_timestamp`
    /// is on and no source is available, [`Error::TimestampTooOld`]
    /// when `now - source > max_age`, [`Error::TimestampInFuture`]
    /// when the source is too far ahead of `now`, and
    /// [`Error::TimestampExpired`] when `expires` is already in the
    /// past.
    pub fn check(
        &self,
        created_unix: Option<i64>,
        expires_unix: Option<i64>,
        date_header: Option<&str>,
        now: DateTime<Utc>,
    ) -> Result<(), Error> {
        let reference = created_unix
            .and_then(unix_to_datetime)
            .or_else(|| date_header.and_then(parse_date_header));

        let Some(reference) = reference else {
            if self.require_timestamp {
                return Err(Error::TimestampMissing);
            }
            return Ok(());
        };

        if let Some(future_skew) = self.max_clock_skew_future
            && reference > now + future_skew
        {
            return Err(Error::TimestampInFuture {
                timestamp: reference,
                now,
            });
        }

        if let Some(max_age) = self.max_age
            && now.signed_duration_since(reference) > max_age
        {
            return Err(Error::TimestampTooOld {
                timestamp: reference,
                now,
            });
        }

        // `expires` is evaluated without clock-skew tolerance on the
        // past side: a signature with an `expires` parameter tells the
        // verifier *exactly* when it becomes invalid.
        if let Some(expires_unix) = expires_unix
            && let Some(expires) = unix_to_datetime(expires_unix)
            && now > expires
        {
            return Err(Error::TimestampExpired { expires, now });
        }

        Ok(())
    }
}

impl Default for VerifyPolicy {
    /// Returns [`Self::mastodon`] — the Fediverse-compatible default.
    fn default() -> Self {
        Self::mastodon()
    }
}

const fn unix_to_datetime(seconds: i64) -> Option<DateTime<Utc>> {
    DateTime::<Utc>::from_timestamp(seconds, 0)
}

fn parse_date_header(value: &str) -> Option<DateTime<Utc>> {
    let system_time = parse_http_date(value).ok()?;
    Some(DateTime::<Utc>::from(system_time))
}

#[cfg(test)]
mod tests {
    use pretty_assertions::assert_eq;

    use super::*;

    fn now() -> DateTime<Utc> {
        DateTime::<Utc>::from_timestamp(1_700_000_000, 0).expect("valid UNIX time")
    }

    #[test]
    fn default_is_mastodon_policy() {
        assert_eq!(VerifyPolicy::default(), VerifyPolicy::mastodon());
    }

    #[test]
    fn fresh_signature_with_created_passes() {
        let policy = VerifyPolicy::mastodon();
        // created 1 hour before now — within the 12h window.
        let created = now().timestamp() - 3600;
        policy
            .check(Some(created), None, None, now())
            .expect("fresh");
    }

    #[test]
    fn too_old_signature_is_rejected() {
        let policy = VerifyPolicy::mastodon();
        // created 13 hours ago — beyond the 12h window.
        let created = now().timestamp() - 13 * 3600;
        let err = policy
            .check(Some(created), None, None, now())
            .expect_err("too old");
        assert!(matches!(err, Error::TimestampTooOld { .. }));
    }

    #[test]
    fn signature_in_the_future_is_rejected() {
        let policy = VerifyPolicy::mastodon();
        // created 10 minutes in the future — beyond the 5m skew window.
        let created = now().timestamp() + 10 * 60;
        let err = policy
            .check(Some(created), None, None, now())
            .expect_err("future");
        assert!(matches!(err, Error::TimestampInFuture { .. }));
    }

    #[test]
    fn expires_in_the_past_is_rejected() {
        let policy = VerifyPolicy::mastodon();
        let created = now().timestamp() - 60;
        let expires = now().timestamp() - 30;
        let err = policy
            .check(Some(created), Some(expires), None, now())
            .expect_err("expired");
        assert!(matches!(err, Error::TimestampExpired { .. }));
    }

    #[test]
    fn date_header_is_used_when_created_is_absent() {
        let policy = VerifyPolicy::mastodon();
        // 1 hour before `now`: 2023-11-14 21:13:20 UTC (epoch 1699996400).
        let ts = DateTime::<Utc>::from_timestamp(now().timestamp() - 3600, 0).expect("valid");
        let header = httpdate::fmt_http_date(std::time::SystemTime::from(ts));
        policy
            .check(None, None, Some(&header), now())
            .expect("date-header fallback");
    }

    #[test]
    fn missing_timestamp_passes_by_default() {
        let policy = VerifyPolicy::mastodon();
        policy.check(None, None, None, now()).expect("tolerated");
    }

    #[test]
    fn missing_timestamp_fails_under_strict_policy() {
        let policy = VerifyPolicy::strict();
        let err = policy.check(None, None, None, now()).expect_err("required");
        assert!(matches!(err, Error::TimestampMissing));
    }

    #[test]
    fn malformed_date_header_is_ignored_and_treated_as_absent() {
        let policy = VerifyPolicy::mastodon();
        // With `require_timestamp=false`, a bad Date just falls through.
        policy
            .check(None, None, Some("not a date"), now())
            .expect("ignored");
    }

    #[test]
    fn no_freshness_check_preset_accepts_stale_timestamps() {
        let policy = VerifyPolicy::no_freshness_check();
        // 100 years in the past — should still pass.
        let stale = now().timestamp() - 100 * 365 * 24 * 3600;
        policy
            .check(Some(stale), None, None, now())
            .expect("stale OK");
    }
}