2018-06-18 17:05:44 -04:00
< ? php
/**
2021-03-29 02:40:20 -04:00
* @ copyright Copyright ( C ) 2010 - 2021 , the Friendica project
2020-02-09 10:18:46 -05:00
*
* @ license GNU AGPL version 3 or any later version
*
* This program is free software : you can redistribute it and / or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation , either version 3 of the
* License , or ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU Affero General Public License for more details .
*
* You should have received a copy of the GNU Affero General Public License
* along with this program . If not , see < https :// www . gnu . org / licenses />.
*
2018-06-18 17:05:44 -04:00
*/
2020-02-09 10:18:46 -05:00
2018-06-18 17:05:44 -04:00
namespace Friendica\Util ;
2018-10-29 17:20:46 -04:00
use Friendica\Core\Logger ;
2020-12-17 13:56:10 -05:00
use Friendica\Database\Database ;
2020-03-04 16:07:05 -05:00
use Friendica\Database\DBA ;
2020-01-19 15:26:42 -05:00
use Friendica\DI ;
2018-09-26 13:24:29 -04:00
use Friendica\Model\APContact ;
2020-12-17 03:00:56 -05:00
use Friendica\Model\Contact ;
2020-03-04 16:07:05 -05:00
use Friendica\Model\User ;
2021-08-01 07:06:19 -04:00
use Friendica\Network\CurlResult ;
2021-08-25 15:12:45 -04:00
use Friendica\Network\HTTPRequestOptions ;
2021-08-24 08:17:42 -04:00
use Friendica\Network\IHTTPResult ;
2018-06-18 17:05:44 -04:00
/**
2020-01-19 01:05:23 -05:00
* Implements HTTP Signatures per draft - cavage - http - signatures - 07.
2018-06-18 17:05:44 -04:00
*
2018-06-19 07:30:55 -04:00
* Ported from Hubzilla : https :// framagit . org / hubzilla / core / blob / master / Zotlabs / Web / HTTPSig . php
2018-07-19 22:15:21 -04:00
*
2018-09-23 05:20:25 -04:00
* Other parts of the code for HTTP signing are taken from the Osada project .
* https :// framagit . org / macgirvin / osada
*
2018-06-18 17:05:44 -04:00
* @ see https :// tools . ietf . org / html / draft - cavage - http - signatures - 07
*/
2018-06-20 12:38:23 -04:00
class HTTPSignature
2018-06-18 17:05:44 -04:00
{
// See draft-cavage-http-signatures-08
2018-09-26 18:02:14 -04:00
/**
2020-01-19 01:05:23 -05:00
* Verifies a magic request
2018-09-26 18:02:14 -04:00
*
* @ param $key
*
* @ return array with verification data
2019-01-06 16:06:53 -05:00
* @ throws \Friendica\Network\HTTPException\InternalServerErrorException
2018-09-26 18:02:14 -04:00
*/
2018-09-20 14:16:14 -04:00
public static function verifyMagic ( $key )
2018-06-18 17:05:44 -04:00
{
$headers = null ;
$spoofable = false ;
$result = [
'signer' => '' ,
'header_signed' => false ,
2018-09-20 14:16:14 -04:00
'header_valid' => false
2018-06-18 17:05:44 -04:00
];
// Decide if $data arrived via controller submission or curl.
2018-09-20 14:16:14 -04:00
$headers = [];
$headers [ '(request-target)' ] = strtolower ( $_SERVER [ 'REQUEST_METHOD' ]) . ' ' . $_SERVER [ 'REQUEST_URI' ];
2018-06-18 17:05:44 -04:00
2018-09-20 14:16:14 -04:00
foreach ( $_SERVER as $k => $v ) {
if ( strpos ( $k , 'HTTP_' ) === 0 ) {
$field = str_replace ( '_' , '-' , strtolower ( substr ( $k , 5 )));
$headers [ $field ] = $v ;
2018-06-18 17:05:44 -04:00
}
}
$sig_block = null ;
2018-09-20 14:16:14 -04:00
$sig_block = self :: parseSigheader ( $headers [ 'authorization' ]);
2018-06-18 17:05:44 -04:00
if ( ! $sig_block ) {
2018-10-29 17:20:46 -04:00
Logger :: log ( 'no signature provided.' );
2018-06-18 17:05:44 -04:00
return $result ;
}
$result [ 'header_signed' ] = true ;
$signed_headers = $sig_block [ 'headers' ];
if ( ! $signed_headers ) {
$signed_headers = [ 'date' ];
}
$signed_data = '' ;
foreach ( $signed_headers as $h ) {
if ( array_key_exists ( $h , $headers )) {
$signed_data .= $h . ': ' . $headers [ $h ] . " \n " ;
}
if ( strpos ( $h , '.' )) {
$spoofable = true ;
}
}
$signed_data = rtrim ( $signed_data , " \n " );
2018-09-20 14:16:14 -04:00
$algorithm = 'sha512' ;
2018-06-18 17:05:44 -04:00
2018-06-19 10:15:28 -04:00
if ( $key && function_exists ( $key )) {
2018-06-18 17:05:44 -04:00
$result [ 'signer' ] = $sig_block [ 'keyId' ];
$key = $key ( $sig_block [ 'keyId' ]);
}
2018-11-03 17:37:08 -04:00
Logger :: log ( 'Got keyID ' . $sig_block [ 'keyId' ], Logger :: DEBUG );
2018-09-04 13:48:09 -04:00
2018-06-18 17:05:44 -04:00
if ( ! $key ) {
return $result ;
}
$x = Crypto :: rsaVerify ( $signed_data , $sig_block [ 'signature' ], $key , $algorithm );
2018-10-30 09:58:45 -04:00
Logger :: log ( 'verified: ' . $x , Logger :: DEBUG );
2018-06-18 17:05:44 -04:00
if ( ! $x ) {
return $result ;
}
if ( ! $spoofable ) {
$result [ 'header_valid' ] = true ;
}
return $result ;
}
/**
* @ param array $head
* @ param string $prvkey
* @ param string $keyid ( optional , default 'Key' )
2018-07-19 22:15:21 -04:00
*
2018-06-18 17:05:44 -04:00
* @ return array
*/
2018-09-20 14:16:14 -04:00
public static function createSig ( $head , $prvkey , $keyid = 'Key' )
2018-06-18 17:05:44 -04:00
{
$return_headers = [];
2021-08-25 07:45:00 -04:00
if ( ! empty ( $head )) {
$return_headers = $head ;
}
2018-06-18 17:05:44 -04:00
2018-09-20 14:16:14 -04:00
$alg = 'sha512' ;
$algorithm = 'rsa-sha512' ;
2018-06-18 17:05:44 -04:00
2018-09-20 14:16:14 -04:00
$x = self :: sign ( $head , $prvkey , $alg );
2018-06-18 17:05:44 -04:00
$headerval = 'keyId="' . $keyid . '",algorithm="' . $algorithm
. '",headers="' . $x [ 'headers' ] . '",signature="' . $x [ 'signature' ] . '"' ;
2021-08-25 07:45:00 -04:00
$return_headers [ 'Authorization' ] = [ 'Signature ' . $headerval ];
2018-06-18 17:05:44 -04:00
return $return_headers ;
}
/**
* @ param array $head
* @ param string $prvkey
* @ param string $alg ( optional ) default 'sha256'
2018-07-19 22:15:21 -04:00
*
2018-06-18 17:05:44 -04:00
* @ return array
*/
2018-09-20 14:16:14 -04:00
private static function sign ( $head , $prvkey , $alg = 'sha256' )
2018-06-18 17:05:44 -04:00
{
$ret = [];
$headers = '' ;
$fields = '' ;
2018-09-20 14:16:14 -04:00
foreach ( $head as $k => $v ) {
2021-08-25 07:45:00 -04:00
if ( is_array ( $v )) {
$v = implode ( ', ' , $v );
}
2018-09-20 14:16:14 -04:00
$headers .= strtolower ( $k ) . ': ' . trim ( $v ) . " \n " ;
if ( $fields ) {
$fields .= ' ' ;
2018-06-18 17:05:44 -04:00
}
2018-09-20 14:16:14 -04:00
$fields .= strtolower ( $k );
2018-06-18 17:05:44 -04:00
}
2018-09-20 14:16:14 -04:00
// strip the trailing linefeed
$headers = rtrim ( $headers , " \n " );
2018-06-18 17:05:44 -04:00
$sig = base64_encode ( Crypto :: rsaSign ( $headers , $prvkey , $alg ));
$ret [ 'headers' ] = $fields ;
$ret [ 'signature' ] = $sig ;
2018-07-19 22:15:21 -04:00
2018-06-18 17:05:44 -04:00
return $ret ;
}
/**
* @ param string $header
2020-07-14 09:48:04 -04:00
* @ return array associative array with
2018-06-18 17:05:44 -04:00
* - \e string \b keyID
2020-07-14 09:48:04 -04:00
* - \e string \b created
* - \e string \b expires
2018-06-18 17:05:44 -04:00
* - \e string \b algorithm
* - \e array \b headers
* - \e string \b signature
2019-01-06 16:06:53 -05:00
* @ throws \Friendica\Network\HTTPException\InternalServerErrorException
2018-06-18 17:05:44 -04:00
*/
public static function parseSigheader ( $header )
{
2020-07-14 09:48:04 -04:00
// Remove obsolete folds
$header = preg_replace ( '/\n\s+/' , ' ' , $header );
2018-06-18 17:05:44 -04:00
2020-07-14 09:48:04 -04:00
$token = " [!# $ %&'*+.^_`|~0-9A-Za-z-] " ;
2018-06-18 17:05:44 -04:00
2020-07-14 09:48:04 -04:00
$quotedString = '"(?:\\\\.|[^"\\\\])*"' ;
2018-06-18 17:05:44 -04:00
2020-07-14 09:48:04 -04:00
$regex = " /( $token +)=( $quotedString | $token +)/ism " ;
$matches = [];
preg_match_all ( $regex , $header , $matches , PREG_SET_ORDER );
2018-06-18 17:05:44 -04:00
2020-07-14 09:48:04 -04:00
$headers = [];
foreach ( $matches as $match ) {
$headers [ $match [ 1 ]] = trim ( $match [ 2 ] ? : $match [ 3 ], '"' );
2018-06-18 17:05:44 -04:00
}
2020-07-14 09:48:04 -04:00
// if the header is encrypted, decrypt with (default) site private key and continue
if ( ! empty ( $headers [ 'iv' ])) {
$header = self :: decryptSigheader ( $headers , DI :: config () -> get ( 'system' , 'prvkey' ));
return self :: parseSigheader ( $header );
2018-06-18 17:05:44 -04:00
}
2020-07-14 09:48:04 -04:00
$return = [
'keyId' => $headers [ 'keyId' ] ? ? '' ,
'algorithm' => $headers [ 'algorithm' ] ? ? 'rsa-sha256' ,
'created' => $headers [ 'created' ] ? ? null ,
'expires' => $headers [ 'expires' ] ? ? null ,
'headers' => explode ( ' ' , $headers [ 'headers' ] ? ? '' ),
'signature' => base64_decode ( preg_replace ( '/\s+/' , '' , $headers [ 'signature' ] ? ? '' )),
];
if ( ! empty ( $return [ 'signature' ]) && ! empty ( $return [ 'algorithm' ]) && empty ( $return [ 'headers' ])) {
$return [ 'headers' ] = [ 'date' ];
2018-06-18 17:05:44 -04:00
}
2020-07-14 09:48:04 -04:00
return $return ;
2018-06-18 17:05:44 -04:00
}
/**
2020-07-14 09:48:04 -04:00
* @ param array $headers Signature headers
* @ param string $prvkey The site private key
* @ return string Decrypted signature string
2019-01-06 16:06:53 -05:00
* @ throws \Friendica\Network\HTTPException\InternalServerErrorException
2018-06-18 17:05:44 -04:00
*/
2020-07-14 09:48:04 -04:00
private static function decryptSigheader ( array $headers , string $prvkey )
2018-06-18 17:05:44 -04:00
{
2020-07-14 09:48:04 -04:00
if ( ! empty ( $headers [ 'iv' ]) && ! empty ( $headers [ 'key' ]) && ! empty ( $headers [ 'data' ])) {
return Crypto :: unencapsulate ( $headers , $prvkey );
2018-06-18 17:05:44 -04:00
}
return '' ;
}
2018-09-20 14:16:14 -04:00
2018-09-27 08:01:16 -04:00
/*
2018-09-20 14:16:14 -04:00
* Functions for ActivityPub
*/
2018-09-26 18:02:14 -04:00
/**
2020-01-19 01:05:23 -05:00
* Transmit given data to a target for a user
2018-09-26 18:02:14 -04:00
*
2019-01-06 16:06:53 -05:00
* @ param array $data Data that is about to be send
* @ param string $target The URL of the inbox
* @ param integer $uid User id of the sender
2018-10-22 23:54:18 -04:00
*
* @ return boolean Was the transmission successful ?
2019-01-06 16:06:53 -05:00
* @ throws \Friendica\Network\HTTPException\InternalServerErrorException
2018-09-26 18:02:14 -04:00
*/
2018-09-20 14:16:14 -04:00
public static function transmit ( $data , $target , $uid )
{
$owner = User :: getOwnerDataById ( $uid );
if ( ! $owner ) {
return ;
}
2018-09-21 18:31:33 -04:00
$content = json_encode ( $data , JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE );
2018-09-20 14:16:14 -04:00
// Header data that is about to be signed.
$host = parse_url ( $target , PHP_URL_HOST );
$path = parse_url ( $target , PHP_URL_PATH );
$digest = 'SHA-256=' . base64_encode ( hash ( 'sha256' , $content , true ));
$content_length = strlen ( $content );
2019-01-14 07:10:11 -05:00
$date = DateTimeFormat :: utcNow ( DateTimeFormat :: HTTP );
2018-09-20 14:16:14 -04:00
2021-08-24 08:17:42 -04:00
$headers = [
'Date' => $date ,
'Content-Length' => $content_length ,
'Digest' => $digest ,
'Host' => $host
];
2018-09-20 14:16:14 -04:00
2019-01-14 07:10:11 -05:00
$signed_data = " (request-target): post " . $path . " \n date: " . $date . " \n content-length: " . $content_length . " \n digest: " . $digest . " \n host: " . $host ;
2018-09-20 14:16:14 -04:00
$signature = base64_encode ( Crypto :: rsaSign ( $signed_data , $owner [ 'uprvkey' ], 'sha256' ));
2021-08-24 08:17:42 -04:00
$headers [ 'Signature' ] = 'keyId="' . $owner [ 'url' ] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date content-length digest host",signature="' . $signature . '"' ;
2018-09-20 14:16:14 -04:00
2021-08-24 08:17:42 -04:00
$headers [ 'Content-Type' ] = 'application/activity+json' ;
2018-09-20 14:16:14 -04:00
2020-03-04 16:18:28 -05:00
$postResult = DI :: httpRequest () -> post ( $target , $content , $headers );
2018-10-22 23:54:18 -04:00
$return_code = $postResult -> getReturnCode ();
2018-11-03 17:37:08 -04:00
Logger :: log ( 'Transmit to ' . $target . ' returned ' . $return_code , Logger :: DEBUG );
2018-09-20 14:16:14 -04:00
2019-03-25 17:51:32 -04:00
$success = ( $return_code >= 200 ) && ( $return_code <= 299 );
self :: setInboxStatus ( $target , $success );
return $success ;
}
/**
2020-01-19 01:05:23 -05:00
* Set the delivery status for a given inbox
2019-03-25 17:51:32 -04:00
*
* @ param string $url The URL of the inbox
* @ param boolean $success Transmission status
2020-11-23 14:25:22 -05:00
* @ param boolean $shared The inbox is a shared inbox
2019-03-25 17:51:32 -04:00
*/
2020-11-23 14:25:22 -05:00
static public function setInboxStatus ( $url , $success , $shared = false )
2019-03-25 17:51:32 -04:00
{
$now = DateTimeFormat :: utcNow ();
$status = DBA :: selectFirst ( 'inbox-status' , [], [ 'url' => $url ]);
if ( ! DBA :: isResult ( $status )) {
2020-12-17 13:56:10 -05:00
DBA :: insert ( 'inbox-status' , [ 'url' => $url , 'created' => $now , 'shared' => $shared ], Database :: INSERT_IGNORE );
2019-03-25 17:51:32 -04:00
$status = DBA :: selectFirst ( 'inbox-status' , [], [ 'url' => $url ]);
}
if ( $success ) {
$fields = [ 'success' => $now ];
} else {
$fields = [ 'failure' => $now ];
}
if ( $status [ 'failure' ] > DBA :: NULL_DATETIME ) {
$new_previous_stamp = strtotime ( $status [ 'failure' ]);
$old_previous_stamp = strtotime ( $status [ 'previous' ]);
// Only set "previous" with at least one day difference.
// We use this to assure to not accidentally archive too soon.
if (( $new_previous_stamp - $old_previous_stamp ) >= 86400 ) {
$fields [ 'previous' ] = $status [ 'failure' ];
}
}
if ( ! $success ) {
if ( $status [ 'success' ] <= DBA :: NULL_DATETIME ) {
$stamp1 = strtotime ( $status [ 'created' ]);
} else {
$stamp1 = strtotime ( $status [ 'success' ]);
}
$stamp2 = strtotime ( $now );
$previous_stamp = strtotime ( $status [ 'previous' ]);
// Archive the inbox when there had been failures for five days.
// Additionally ensure that at least one previous attempt has to be in between.
if ((( $stamp2 - $stamp1 ) >= 86400 * 5 ) && ( $previous_stamp > $stamp1 )) {
$fields [ 'archive' ] = true ;
}
} else {
$fields [ 'archive' ] = false ;
}
DBA :: update ( 'inbox-status' , $fields , [ 'url' => $url ]);
2018-09-20 14:16:14 -04:00
}
2018-11-03 17:37:08 -04:00
/**
2020-01-19 01:05:23 -05:00
* Fetches JSON data for a user
2018-11-03 17:37:08 -04:00
*
2019-01-06 16:06:53 -05:00
* @ param string $request request url
* @ param integer $uid User id of the requester
2018-11-03 17:37:08 -04:00
*
* @ return array JSON array
2019-01-06 16:06:53 -05:00
* @ throws \Friendica\Network\HTTPException\InternalServerErrorException
2018-11-03 17:37:08 -04:00
*/
public static function fetch ( $request , $uid )
{
2020-12-15 17:56:46 -05:00
$curlResult = self :: fetchRaw ( $request , $uid );
2018-11-03 17:37:08 -04:00
2019-03-18 18:33:20 -04:00
if ( empty ( $curlResult )) {
return false ;
2018-11-03 17:37:08 -04:00
}
2019-03-18 18:33:20 -04:00
if ( ! $curlResult -> isSuccess () || empty ( $curlResult -> getBody ())) {
return false ;
}
2018-11-03 17:37:08 -04:00
2019-03-18 18:33:20 -04:00
$content = json_decode ( $curlResult -> getBody (), true );
if ( empty ( $content ) || ! is_array ( $content )) {
return false ;
}
2018-11-03 17:37:08 -04:00
2019-03-18 18:33:20 -04:00
return $content ;
}
2018-11-03 17:37:08 -04:00
2019-03-18 18:33:20 -04:00
/**
2020-01-19 01:05:23 -05:00
* Fetches raw data for a user
2019-03-18 18:33:20 -04:00
*
* @ param string $request request url
* @ param integer $uid User id of the requester
* @ param boolean $binary TRUE if asked to return binary results ( file download ) ( default is " false " )
* @ param array $opts ( optional parameters ) assoziative array with :
* 'accept_content' => supply Accept : header with 'accept_content' as the value
* 'timeout' => int Timeout in seconds , default system config value or 60 seconds
* 'nobody' => only return the header
* 'cookiejar' => path to cookie jar file
*
2021-08-24 08:17:42 -04:00
* @ return IHTTPResult CurlResult
2019-03-18 18:33:20 -04:00
* @ throws \Friendica\Network\HTTPException\InternalServerErrorException
*/
2021-08-24 08:17:42 -04:00
public static function fetchRaw ( $request , $uid = 0 , $opts = [ 'accept_content' => [ 'application/activity+json' , 'application/ld+json' ]])
2019-03-18 18:33:20 -04:00
{
2020-10-18 16:31:26 -04:00
$header = [];
2020-08-07 13:05:49 -04:00
2019-03-18 18:33:20 -04:00
if ( ! empty ( $uid )) {
$owner = User :: getOwnerDataById ( $uid );
if ( ! $owner ) {
return ;
}
2020-08-22 10:48:09 -04:00
} else {
$owner = User :: getSystemAccount ();
if ( ! $owner ) {
return ;
}
}
2018-11-03 17:37:08 -04:00
2020-08-22 10:48:09 -04:00
if ( ! empty ( $owner [ 'uprvkey' ])) {
// Header data that is about to be signed.
$host = parse_url ( $request , PHP_URL_HOST );
$path = parse_url ( $request , PHP_URL_PATH );
$date = DateTimeFormat :: utcNow ( DateTimeFormat :: HTTP );
2018-11-03 17:37:08 -04:00
2021-08-24 08:17:42 -04:00
$header [ 'Date' ] = $date ;
$header [ 'Host' ] = $host ;
2018-11-03 17:37:08 -04:00
2020-08-22 10:48:09 -04:00
$signed_data = " (request-target): get " . $path . " \n date: " . $date . " \n host: " . $host ;
2018-11-03 17:37:08 -04:00
2020-08-22 10:48:09 -04:00
$signature = base64_encode ( Crypto :: rsaSign ( $signed_data , $owner [ 'uprvkey' ], 'sha256' ));
2018-11-03 17:37:08 -04:00
2021-08-24 08:17:42 -04:00
$header [ 'Signature' ] = 'keyId="' . $owner [ 'url' ] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date host",signature="' . $signature . '"' ;
2018-11-03 17:37:08 -04:00
}
2019-03-18 18:33:20 -04:00
$curl_opts = $opts ;
2021-08-25 15:12:45 -04:00
$curl_opts [ HTTPRequestOptions :: HEADERS ] = $header ;
2019-03-18 18:33:20 -04:00
2020-10-20 11:19:06 -04:00
if ( ! empty ( $opts [ 'nobody' ])) {
2020-10-18 16:15:20 -04:00
$curlResult = DI :: httpRequest () -> head ( $request , $curl_opts );
} else {
$curlResult = DI :: httpRequest () -> get ( $request , $curl_opts );
}
2019-03-18 18:33:20 -04:00
$return_code = $curlResult -> getReturnCode ();
Logger :: log ( 'Fetched for user ' . $uid . ' from ' . $request . ' returned ' . $return_code , Logger :: DEBUG );
return $curlResult ;
2018-11-03 17:37:08 -04:00
}
2018-09-26 18:02:14 -04:00
/**
2020-01-19 01:05:23 -05:00
* Gets a signer from a given HTTP request
2018-09-26 18:02:14 -04:00
*
* @ param $content
* @ param $http_headers
*
2019-01-06 16:06:53 -05:00
* @ return string Signer
* @ throws \Friendica\Network\HTTPException\InternalServerErrorException
2018-09-26 18:02:14 -04:00
*/
2018-09-21 18:31:33 -04:00
public static function getSigner ( $content , $http_headers )
2018-09-20 14:16:14 -04:00
{
2019-01-15 01:31:12 -05:00
if ( empty ( $http_headers [ 'HTTP_SIGNATURE' ])) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'No HTTP_SIGNATURE header' );
2018-09-20 14:16:14 -04:00
return false ;
}
2019-01-15 01:31:12 -05:00
if ( ! empty ( $content )) {
$object = json_decode ( $content , true );
if ( empty ( $object )) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'No object' );
2019-01-15 01:31:12 -05:00
return false ;
}
$actor = JsonLD :: fetchElement ( $object , 'actor' , 'id' );
} else {
$actor = '' ;
}
2018-09-20 14:16:14 -04:00
$headers = [];
2020-08-30 13:07:46 -04:00
$headers [ '(request-target)' ] = strtolower ( $http_headers [ 'REQUEST_METHOD' ]) . ' ' . parse_url ( $http_headers [ 'REQUEST_URI' ], PHP_URL_PATH );
2018-09-20 14:16:14 -04:00
// First take every header
foreach ( $http_headers as $k => $v ) {
$field = str_replace ( '_' , '-' , strtolower ( $k ));
$headers [ $field ] = $v ;
}
// Now add every http header
foreach ( $http_headers as $k => $v ) {
if ( strpos ( $k , 'HTTP_' ) === 0 ) {
$field = str_replace ( '_' , '-' , strtolower ( substr ( $k , 5 )));
$headers [ $field ] = $v ;
}
}
$sig_block = self :: parseSigHeader ( $http_headers [ 'HTTP_SIGNATURE' ]);
if ( empty ( $sig_block ) || empty ( $sig_block [ 'headers' ]) || empty ( $sig_block [ 'keyId' ])) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'No headers or keyId' );
2018-09-20 14:16:14 -04:00
return false ;
}
$signed_data = '' ;
foreach ( $sig_block [ 'headers' ] as $h ) {
if ( array_key_exists ( $h , $headers )) {
$signed_data .= $h . ': ' . $headers [ $h ] . " \n " ;
}
}
$signed_data = rtrim ( $signed_data , " \n " );
if ( empty ( $signed_data )) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'Signed data is empty' );
2018-09-20 14:16:14 -04:00
return false ;
}
$algorithm = null ;
2020-07-04 13:12:59 -04:00
// Wildcard value where signing algorithm should be derived from keyId
// @see https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures-00#section-4.1
// Defaulting to SHA256 as it seems to be the prevalent implementation
// @see https://arewehs2019yet.vpzom.click
if ( $sig_block [ 'algorithm' ] === 'hs2019' ) {
$algorithm = 'sha256' ;
}
2018-09-20 14:16:14 -04:00
if ( $sig_block [ 'algorithm' ] === 'rsa-sha256' ) {
$algorithm = 'sha256' ;
}
if ( $sig_block [ 'algorithm' ] === 'rsa-sha512' ) {
$algorithm = 'sha512' ;
}
if ( empty ( $algorithm )) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'No alagorithm' );
2018-09-20 14:16:14 -04:00
return false ;
}
$key = self :: fetchKey ( $sig_block [ 'keyId' ], $actor );
2020-12-17 03:00:56 -05:00
if ( empty ( $key )) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'Empty key' );
2020-12-17 03:00:56 -05:00
return false ;
}
if ( ! empty ( $key [ 'url' ]) && ! empty ( $key [ 'type' ]) && ( $key [ 'type' ] == 'Tombstone' )) {
Logger :: info ( 'Actor is a tombstone' , [ 'key' => $key ]);
2021-05-22 04:25:30 -04:00
if ( ! Contact :: isLocal ( $key [ 'url' ])) {
// We now delete everything that we possibly knew from this actor
Contact :: deleteContactByUrl ( $key [ 'url' ]);
}
2021-05-01 08:32:33 -04:00
return null ;
2020-12-17 03:00:56 -05:00
}
2018-09-20 14:16:14 -04:00
2020-12-17 03:00:56 -05:00
if ( empty ( $key [ 'pubkey' ])) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'Empty pubkey' );
2018-09-20 14:16:14 -04:00
return false ;
}
2018-09-21 18:31:33 -04:00
if ( ! Crypto :: rsaVerify ( $signed_data , $sig_block [ 'signature' ], $key [ 'pubkey' ], $algorithm )) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'Verification failed' );
2018-09-20 14:16:14 -04:00
return false ;
}
2019-03-19 02:44:51 -04:00
$hasGoodSignedContent = false ;
2018-09-20 14:16:14 -04:00
// Check the digest when it is part of the signed data
2019-03-19 02:44:51 -04:00
if ( ! empty ( $content ) && in_array ( 'digest' , $sig_block [ 'headers' ])) {
2018-09-20 14:16:14 -04:00
$digest = explode ( '=' , $headers [ 'digest' ], 2 );
if ( $digest [ 0 ] === 'SHA-256' ) {
$hashalg = 'sha256' ;
}
if ( $digest [ 0 ] === 'SHA-512' ) {
$hashalg = 'sha512' ;
}
/// @todo add all hashes from the rfc
if ( ! empty ( $hashalg ) && base64_encode ( hash ( $hashalg , $content , true )) != $digest [ 1 ]) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'Digest does not match' );
2018-09-20 14:16:14 -04:00
return false ;
}
2019-03-19 02:44:51 -04:00
$hasGoodSignedContent = true ;
2018-09-20 14:16:14 -04:00
}
2019-01-14 11:03:13 -05:00
// Check if the signed date field is in an acceptable range
if ( in_array ( 'date' , $sig_block [ 'headers' ])) {
$diff = abs ( strtotime ( $headers [ 'date' ]) - time ());
if ( $diff > 300 ) {
Logger :: log ( " Header date ' " . $headers [ 'date' ] . " ' is with " . $diff . " seconds out of the 300 second frame. The signature is invalid. " );
return false ;
}
2019-03-19 02:44:51 -04:00
$hasGoodSignedContent = true ;
2019-01-14 11:03:13 -05:00
}
2018-10-24 15:19:51 -04:00
2018-09-20 14:16:14 -04:00
// Check the content-length when it is part of the signed data
if ( in_array ( 'content-length' , $sig_block [ 'headers' ])) {
if ( strlen ( $content ) != $headers [ 'content-length' ]) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'Content length does not match' );
2018-09-20 14:16:14 -04:00
return false ;
}
}
2019-03-19 02:44:51 -04:00
// Ensure that the authentication had been done with some content
// Without this check someone could authenticate with fakeable data
if ( ! $hasGoodSignedContent ) {
2021-05-01 08:32:33 -04:00
Logger :: info ( 'No good signed content' );
2019-03-19 02:44:51 -04:00
return false ;
}
2018-09-21 18:31:33 -04:00
return $key [ 'url' ];
2018-09-20 14:16:14 -04:00
}
2018-09-26 18:02:14 -04:00
/**
2020-01-19 01:05:23 -05:00
* fetches a key for a given id and actor
2018-09-26 18:02:14 -04:00
*
* @ param $id
* @ param $actor
*
* @ return array with actor url and public key
2019-01-06 16:06:53 -05:00
* @ throws \Exception
2018-09-26 18:02:14 -04:00
*/
2018-09-20 14:16:14 -04:00
private static function fetchKey ( $id , $actor )
{
$url = ( strpos ( $id , '#' ) ? substr ( $id , 0 , strpos ( $id , '#' )) : $id );
2018-09-30 04:14:05 -04:00
$profile = APContact :: getByURL ( $url );
2018-09-20 14:16:14 -04:00
if ( ! empty ( $profile )) {
2021-05-25 09:18:48 -04:00
Logger :: info ( 'Taking key from id' , [ 'id' => $id ]);
2020-12-17 03:00:56 -05:00
return [ 'url' => $url , 'pubkey' => $profile [ 'pubkey' ], 'type' => $profile [ 'type' ]];
2018-09-20 14:16:14 -04:00
} elseif ( $url != $actor ) {
2018-09-30 04:14:05 -04:00
$profile = APContact :: getByURL ( $actor );
2018-09-20 14:16:14 -04:00
if ( ! empty ( $profile )) {
2021-05-25 09:18:48 -04:00
Logger :: info ( 'Taking key from actor' , [ 'actor' => $actor ]);
2020-12-17 03:00:56 -05:00
return [ 'url' => $actor , 'pubkey' => $profile [ 'pubkey' ], 'type' => $profile [ 'type' ]];
2018-09-20 14:16:14 -04:00
}
}
2021-05-25 09:18:48 -04:00
Logger :: notice ( 'Key could not be fetched' , [ 'url' => $url , 'actor' => $actor ]);
2018-09-20 14:16:14 -04:00
return false ;
}
2018-06-18 17:05:44 -04:00
}