diff --git a/boot.php b/boot.php
index 35f295d068..e1a1c5a503 100644
--- a/boot.php
+++ b/boot.php
@@ -320,13 +320,12 @@ class App {
/**
* Special handling for the webfinger/lrdd host XRD file
- * Just spit out the contents and exit.
*/
if($this->cmd === '.well-known/host-meta') {
- require_once('include/hostxrd.php');
- hostxrd();
- // NOTREACHED
+ $this->argc = 1;
+ $this->argv = array('hostxrd');
+ $this->module = 'hostxrd';
}
/**
diff --git a/include/salmon.php b/include/salmon.php
index 4994655df8..f1cef0a497 100644
--- a/include/salmon.php
+++ b/include/salmon.php
@@ -110,7 +110,7 @@ EOT;
$data_type = 'application/atom+xml';
$encoding = 'base64url';
$algorithm = 'RSA-SHA256';
- $keyhash = base64url_encode(hash('sha256',salmon_key($owner['spubkey'])));
+ $keyhash = base64url_encode(hash('sha256',salmon_key($owner['spubkey'])),true);
// Setup RSA stuff to PKCS#1 sign the data
@@ -127,11 +127,14 @@ EOT;
$precomputed = '.YXBwbGljYXRpb24vYXRvbSt4bWw=.YmFzZTY0dXJs.UlNBLVNIQTI1Ng==';
- $signature = base64url_encode($rsa->sign($data . $precomputed));
+ $signature = base64url_encode($rsa->sign(str_replace('=','',$data . $precomputed),true));
- $signature2 = base64url_encode($rsa->sign($data));
+ $signature2 = base64url_encode($rsa->sign($data . $precomputed));
+
+ $signature3 = base64url_encode($rsa->sign($data));
$salmon_tpl = get_markup_template('magicsig.tpl');
+
$salmon = replace_macros($salmon_tpl,array(
'$data' => $data,
'$encoding' => $encoding,
@@ -153,11 +156,11 @@ EOT;
if($return_code > 299) {
- logger('slapper: compliant salmon failed. Falling back to status.net hack');
+ logger('slapper: compliant salmon failed. Falling back to status.net hack2');
// Entirely likely that their salmon implementation is
// non-compliant. Let's try once more, this time only signing
- // the data, without the precomputed blob
+ // the data, without stripping '=' chars
$salmon = replace_macros($salmon_tpl,array(
'$data' => $data,
@@ -174,6 +177,30 @@ EOT;
));
$return_code = $a->get_curl_code();
+
+ if($return_code > 299) {
+
+ logger('slapper: compliant salmon failed. Falling back to status.net hack3');
+
+ // Entirely likely that their salmon implementation is
+ // non-compliant. Let's try once more, this time only signing
+ // the data, without the precomputed blob
+
+ $salmon = replace_macros($salmon_tpl,array(
+ '$data' => $data,
+ '$encoding' => $encoding,
+ '$algorithm' => $algorithm,
+ '$keyhash' => $keyhash,
+ '$signature' => $signature3
+ ));
+
+ // slap them
+ post_url($url,$salmon, array(
+ 'Content-type: application/magic-envelope+xml',
+ 'Content-length: ' . strlen($salmon)
+ ));
+ $return_code = $a->get_curl_code();
+ }
}
logger('slapper returned ' . $return_code);
if(! $return_code)
diff --git a/include/hostxrd.php b/mod/hostxrd.php
similarity index 89%
rename from include/hostxrd.php
rename to mod/hostxrd.php
index 18c3e4b1ed..c7861d26d0 100644
--- a/include/hostxrd.php
+++ b/mod/hostxrd.php
@@ -1,6 +1,6 @@
encoding;
$alg = $base->alg;
- // If we're talking to status.net or one of their ilk, they aren't following the magic envelope spec
- // and only signed the data element. We'll be nice and let them validate anyway.
+ // Salmon magic signatures have evolved and there is no way of knowing ahead of time which
+ // flavour we have. We'll try and verify it regardless.
$stnet_signed_data = $data;
+
$signed_data = $data . '.' . base64url_encode($type) . '.' . base64url_encode($encoding) . '.' . base64url_encode($alg);
+ $compliant_format = str_replace('=','',$signed_data);
+
+
// decode the data
$data = base64url_decode($data);
@@ -150,13 +154,16 @@ function salmon_post(&$a) {
$rsa->exponent = new Math_BigInteger($e, 256);
// We should have everything we need now. Let's see if it verifies.
- // If it fails with the proper data format, try again using just the data
- // (e.g. status.net)
- $verify = $rsa->verify($signed_data,$signature);
+ $verify = $rsa->verify($compliant_format,$signature);
if(! $verify) {
- logger('mod-salmon: message did not verify using protocol. Trying statusnet hack.');
+ logger('mod-salmon: message did not verify using protocol. Trying padding hack.');
+ $verify = $rsa->verify($signed_data,$signature);
+ }
+
+ if(! $verify) {
+ logger('mod-salmon: message did not verify using padding. Trying old statusnet hack.');
$verify = $rsa->verify($stnet_signed_data,$signature);
}
diff --git a/mod/xrd.php b/mod/xrd.php
index 4889639f07..c96c18f3ce 100644
--- a/mod/xrd.php
+++ b/mod/xrd.php
@@ -23,7 +23,7 @@ function xrd_content(&$a) {
if(! count($r))
killme();
- $salmon_key = salmon_key($r[0]['spubkey']);
+ $salmon_key = str_replace('=','',salmon_key($r[0]['spubkey']));
header('Access-Control-Allow-Origin: *');
header("Content-type: text/xml");
diff --git a/view/magicsig.tpl b/view/magicsig.tpl
index 622e7c5a27..75f9bc475b 100644
--- a/view/magicsig.tpl
+++ b/view/magicsig.tpl
@@ -5,5 +5,5 @@ $data
$encoding
$algorithm
-$signature
+$signature