feat: add sha256 signatures to outgoing http requests (#2874)

2025-11-30 21:32:30 +00:00 · 2024-03-13 08:52:29 +00:00
--- a/app/controllers/well_known_controller.rb
+++ b/app/controllers/well_known_controller.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class WellKnownController < ApplicationController
+
+  layout false
+
+  skip_before_action :set_browser_id
+  skip_before_action :login_required
+  skip_before_action :set_timezone
+
+  def jwks
+    render json: JWT::JWK::Set.new(Postal.signer.jwk).export.to_json
+  end
+
+end
--- a/app/lib/dkim_header.rb
+++ b/app/lib/dkim_header.rb
@@ -9,7 +9,7 @@ class DKIMHeader
      @dkim_identifier = domain.dkim_identifier
    else
      @domain_name = Postal::Config.dns.return_path_domain
-      @dkim_key = Postal.signing_key
+      @dkim_key = Postal.signer.private_key
      @dkim_identifier = Postal::Config.dns.dkim_identifier
    end
    @domain = domain
--- a/app/lib/signer.rb
+++ b/app/lib/signer.rb
@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require "base64"
+
+class Signer
+
+  # Create a new Signer
+  #
+  # @param [OpenSSL::PKey::RSA] private_key The private key to use for signing
+  # @return [Signer]
+  def initialize(private_key)
+    @private_key = private_key
+  end
+
+  # Return the private key
+  #
+  # @return [OpenSSL::PKey::RSA]
+  attr_reader :private_key
+
+  # Return the public key for the private key
+  #
+  # @return [OpenSSL::PKey::RSA]
+  def public_key
+    @private_key.public_key
+  end
+
+  # Sign the given data
+  #
+  # @param [String] data The data to sign
+  # @return [String] The signature
+  def sign(data)
+    private_key.sign(OpenSSL::Digest.new("SHA256"), data)
+  end
+
+  # Sign the given data and return a Base64-encoded signature
+  #
+  # @param [String] data The data to sign
+  # @return [String] The Base64-encoded signature
+  def sign64(data)
+    Base64.strict_encode64(sign(data))
+  end
+
+  # Return a JWK for the private key
+  #
+  # @return [JWT::JWK] The JWK
+  def jwk
+    @jwk ||= JWT::JWK.new(private_key, { use: "sig", alg: "RS256" })
+  end
+
+  # Sign the given data using SHA1 (for legacy use)
+  #
+  # @param [String] data The data to sign
+  # @return [String] The signature
+  def sha1_sign(data)
+    private_key.sign(OpenSSL::Digest.new("SHA1"), data)
+  end
+
+  # Sign the given data using SHA1 (for legacy use) and return a Base64-encoded string
+  #
+  # @param [String] data The data to sign
+  # @return [String] The signature
+  def sha1_sign64(data)
+    Base64.strict_encode64(sha1_sign(data))
+  end
+
+end