saulteafarmer/castopod
1
0
Fork 0
mirror of https://code.castopod.org/adaures/castopod synced 2025-06-06 18:31:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(http-signature): update SIGNATURE_PATTERN allowing signature keys to be sent in any order

Browse Source 
set algorithm key as optional and set defaults for both algorithm (rsa-sha256) and headers (date)
keys
This commit is contained in:
Yassine Doghri 2022-01-30 16:32:11 +00:00
parent 7bc2d42c8e
commit b7f285e4e2
1 changed files with 38 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
modules/Fediverse/HttpSignature.php
View File

@ -28,18 +28,14 @@ class HttpSignature
/** /**
* @var string * @var string
*/ */
private const SIGNATURE_PATTERN = '/^ private const SIGNATURE_PATTERN = '/
keyId="(?P<keyId> (?=.*(keyId="(?P<keyId>https?:\/\/[\w\-\.]+[\w]+(:[\d]+)?[\w\-\.#\/@]+)"))
(https?:\/\/[\w\-\.]+[\w]+) (?=.*(signature="(?P<signature>[\w+\/]+={0,2})"))
(:[\d]+)? (?=.*(headers="\(request-target\)(?P<headers>[\w\\-\s]+)"))?
([\w\-\.#\/@]+) (?=.*(algorithm="(?P<algorithm>[\w\-]+)"))?
)",
algorithm="(?P<algorithm>[\w\-]+)",
(headers="\(request-target\) (?P<headers>[\w\\-\s]+)",)?
signature="(?P<signature>[\w+\/]+={0,2})"
/x'; /x';
protected ?IncomingRequest $request = null; protected IncomingRequest $request;
public function __construct(IncomingRequest $request = null) public function __construct(IncomingRequest $request = null)
{ {
@ -66,7 +62,8 @@ class HttpSignature
$requestTime = Time::createFromFormat('D, d M Y H:i:s T', $dateHeader->getValue()); $requestTime = Time::createFromFormat('D, d M Y H:i:s T', $dateHeader->getValue());
$diff = $requestTime->difference($currentTime); $diff = $requestTime->difference($currentTime);
if ($diff->getSeconds() > 3600) { $diffSeconds = $diff->getSeconds();
if ($diffSeconds > 3600 || $diffSeconds < 0) {
throw new Exception('Request must be made within the last hour.'); throw new Exception('Request must be made within the last hour.');
} }
@ -74,6 +71,7 @@ class HttpSignature
if (! ($digestHeader = $this->request->header('digest'))) { if (! ($digestHeader = $this->request->header('digest'))) {
throw new Exception('Request must include a digest header'); throw new Exception('Request must include a digest header');
} }
// compute body digest and compare with header digest // compute body digest and compare with header digest
$bodyDigest = hash('sha256', $this->request->getBody(), true); $bodyDigest = hash('sha256', $this->request->getBody(), true);
$digest = 'SHA-256=' . base64_encode($bodyDigest); $digest = 'SHA-256=' . base64_encode($bodyDigest);
@ -94,7 +92,8 @@ class HttpSignature
// set $keyId, $headers and $signature variables // set $keyId, $headers and $signature variables
$keyId = $parts['keyId']; $keyId = $parts['keyId'];
$headers = $parts['headers']; $algorithm = $parts['algorithm'];
$headers = $parts['headers'] ?? 'date';
$signature = $parts['signature']; $signature = $parts['signature'];
// Fetch the public key linked from keyId // Fetch the public key linked from keyId
@ -102,19 +101,14 @@ class HttpSignature
$actorResponse = $actorRequest->get(); $actorResponse = $actorRequest->get();
$actor = json_decode($actorResponse->getBody(), false, 512, JSON_THROW_ON_ERROR); $actor = json_decode($actorResponse->getBody(), false, 512, JSON_THROW_ON_ERROR);
$publicKeyPem = $actor->publicKey->publicKeyPem; $publicKeyPem = (string) $actor->publicKey->publicKeyPem;
// Create a comparison string from the plaintext headers we got // Create a comparison string from the plaintext headers we got
// in the same order as was given in the signature header, // in the same order as was given in the signature header,
$data = $this->getPlainText(explode(' ', trim($headers))); $data = $this->getPlainText(explode(' ', trim($headers)));
// Verify that string using the public key and the original signature. // Verify the data string using the public key and the original signature.
$rsa = new RSA(); return $this->verifySignature($publicKeyPem, $data, $signature, $algorithm);
$rsa->setHash('sha256');
$rsa->setSignatureMode(RSA::SIGNATURE_PKCS1);
$rsa->loadKey($publicKeyPem);
return $rsa->verify($data, base64_decode($signature, true));
} }
/** /**
@ -124,7 +118,7 @@ class HttpSignature
*/ */
private function splitSignature(string $signature): array | false private function splitSignature(string $signature): array | false
{ {
if (! preg_match(self::SIGNATURE_PATTERN, $signature, $matches)) { if (! preg_match(self::SIGNATURE_PATTERN, $signature, $matches, PREG_UNMATCHED_AS_NULL)) {
// Signature pattern failed // Signature pattern failed
return false; return false;
} }
@ -162,4 +156,27 @@ class HttpSignature
return implode("\n", $strings); return implode("\n", $strings);
} }
/**
* Verifies the signature depending on the algorithm sent
*/
private function verifySignature(
string $publicKeyPem,
string $data,
string $signature,
string $algorithm = 'rsa-sha256'
): bool {
if ($algorithm === 'rsa-sha512' || $algorithm === 'rsa-sha256') {
$hash = substr($algorithm, strpos($algorithm, '-') + 1);
$rsa = new RSA();
$rsa->setHash($hash);
$rsa->setSignatureMode(RSA::SIGNATURE_PKCS1);
$rsa->loadKey($publicKeyPem);
return $rsa->verify($data, (string) base64_decode($signature, true));
}
// not implemented
return false;
}
} }