Add support for multiple keypairs for remote accounts (#38279)

app/lib/activitypub/linked_data_signature.rb

@@ -19,16 +19,15 @@ class ActivityPub::LinkedDataSignature
 
     return unless type == 'RsaSignature2017'
 
-    creator = ActivityPub::TagManager.instance.uri_to_actor(creator_uri)
-    creator = ActivityPub::FetchRemoteKeyService.new.call(creator_uri) if creator&.public_key.blank?
-
-    return if creator.nil?
+    keypair = Keypair.from_keyid(creator_uri)
+    keypair = ActivityPub::FetchRemoteKeyService.new.call(creator_uri) if keypair&.public_key.blank?
+    return if keypair.nil? || !keypair.usable?
 
     options_hash   = hash(@json['signature'].without('type', 'id', 'signatureValue').merge('@context' => CONTEXT))
     document_hash  = hash(@json.without('signature'))
     to_be_verified = options_hash + document_hash
 
-    creator if creator.keypair.public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.decode64(signature), to_be_verified)
+    keypair.actor if keypair.keypair.public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.decode64(signature), to_be_verified)
   rescue OpenSSL::PKey::RSAError
     false
   end

app/lib/signed_request.rb

@@ -23,14 +23,14 @@ class SignedRequest
       %w(rsa-sha256 hs2019).include?(signature_algorithm)
     end
 
-    def verified?(actor)
+    def verified?(keypair)
       signature = Base64.decode64(signature_params['signature'])
       compare_signed_string = build_signed_string(include_query_string: true)
 
-      return true unless verify_signature(actor, signature, compare_signed_string).nil?
+      return true unless verify_signature(keypair, signature, compare_signed_string).nil?
 
       compare_signed_string = build_signed_string(include_query_string: false)
-      return true unless verify_signature(actor, signature, compare_signed_string).nil?
+      return true unless verify_signature(keypair, signature, compare_signed_string).nil?
 
       false
     end
@@ -99,8 +99,8 @@ class SignedRequest
       signature_params.fetch('headers', signature_algorithm == 'hs2019' ? '(created)' : 'date').downcase.split
     end
 
-    def verify_signature(actor, signature, compare_signed_string)
-      true if actor.keypair.public_key.verify(OpenSSL::Digest.new('SHA256'), signature, compare_signed_string)
+    def verify_signature(keypair, signature, compare_signed_string)
+      true if keypair.keypair.public_key.verify(OpenSSL::Digest.new('SHA256'), signature, compare_signed_string)
     rescue OpenSSL::PKey::RSAError
       nil
     end
@@ -170,8 +170,8 @@ class SignedRequest
       true
     end
 
-    def verified?(actor)
-      key = Linzer.new_rsa_v1_5_sha256_public_key(actor.public_key)
+    def verified?(keypair)
+      key = Linzer.new_rsa_v1_5_sha256_public_key(keypair.public_key)
 
       Linzer.verify(key, @message, @signature)
     rescue Linzer::VerifyError
@@ -243,7 +243,7 @@ class SignedRequest
       end
   end
 
-  def verified?(actor)
+  def verified?(keypair)
     missing_signature_parameters = @signature.missing_signature_parameters
     raise Mastodon::SignatureVerificationError, "Incompatible request signature. #{missing_signature_parameters.to_sentence} are required" if missing_signature_parameters
     raise Mastodon::SignatureVerificationError, 'Unsupported signature algorithm (only rsa-sha256 and hs2019 are supported)' unless @signature.algorithm_supported?
@@ -251,7 +251,7 @@ class SignedRequest
 
     @signature.verify_signature_strength!
     @signature.verify_body_digest!
-    @signature.verified?(actor)
+    @signature.verified?(keypair)
   end
 
   private