Browse Source

http signature consolidation

master
zotlabs 1 year ago
parent
commit
cf844cb27c
22 changed files with 296 additions and 177 deletions
  1. +1
    -1
      Zotlabs/Lib/Activity.php
  2. +1
    -1
      Zotlabs/Lib/JSalmon.php
  3. +1
    -1
      Zotlabs/Lib/Libzot.php
  4. +1
    -1
      Zotlabs/Lib/ZotURL.php
  5. +1
    -1
      Zotlabs/Lib/Zotfinger.php
  6. +3
    -2
      Zotlabs/Module/Cdav.php
  7. +1
    -1
      Zotlabs/Module/Channel.php
  8. +5
    -4
      Zotlabs/Module/Dav.php
  9. +4
    -2
      Zotlabs/Module/Getfile.php
  10. +1
    -1
      Zotlabs/Module/Id.php
  11. +1
    -1
      Zotlabs/Module/Item.php
  12. +4
    -3
      Zotlabs/Module/Magic.php
  13. +4
    -2
      Zotlabs/Module/Owa.php
  14. +4
    -4
      Zotlabs/Module/Zfinger.php
  15. +1
    -1
      Zotlabs/Module/Zot_probe.php
  16. +244
    -118
      Zotlabs/Web/HTTPSig.php
  17. +4
    -3
      Zotlabs/Zot/Finger.php
  18. +2
    -3
      Zotlabs/Zot6/Finger.php
  19. +4
    -2
      include/import.php
  20. +1
    -1
      include/xchan.php
  21. +2
    -3
      include/zot.php
  22. +6
    -21
      tests/unit/Web/HttpSigTest.php

+ 1
- 1
Zotlabs/Lib/Activity.php View File

@@ -3,7 +3,7 @@
namespace Zotlabs\Lib;

use Zotlabs\Daemon\Master;
use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;

require_once('include/event.php');



+ 1
- 1
Zotlabs/Lib/JSalmon.php View File

@@ -2,7 +2,7 @@

namespace Zotlabs\Lib;

use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;

class JSalmon {



+ 1
- 1
Zotlabs/Lib/Libzot.php View File

@@ -2,7 +2,7 @@

namespace Zotlabs\Lib;

use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;
use Zotlabs\Access\Permissions;
use Zotlabs\Access\PermissionLimits;
use Zotlabs\Daemon\Master;


+ 1
- 1
Zotlabs/Lib/ZotURL.php View File

@@ -2,7 +2,7 @@

namespace Zotlabs\Lib;

use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;


class ZotURL {


+ 1
- 1
Zotlabs/Lib/Zotfinger.php View File

@@ -2,7 +2,7 @@

namespace Zotlabs\Lib;

use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;

class Zotfinger {



+ 3
- 2
Zotlabs/Module/Cdav.php View File

@@ -4,6 +4,7 @@ namespace Zotlabs\Module;
use App;
use Zotlabs\Lib\Apps;
use Zotlabs\Web\Controller;
use Zotlabs\Web\HTTPSig;

require_once('include/event.php');

@@ -41,7 +42,7 @@ class Cdav extends Controller {
continue;
}

$sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
$sigblock = HTTPSig::parse_sigheader($_SERVER[$head]);
if($sigblock) {
$keyId = str_replace('acct:','',$sigblock['keyId']);
if($keyId) {
@@ -64,7 +65,7 @@ class Cdav extends Controller {
continue;

if($record) {
$verified = \Zotlabs\Web\HTTPSig::verify('',$record['channel']['channel_pubkey']);
$verified = HTTPSig::verify('',$record['channel']['channel_pubkey']);
if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) {
$record = null;
}


+ 1
- 1
Zotlabs/Module/Channel.php View File

@@ -6,7 +6,7 @@ namespace Zotlabs\Module;
use App;
use Zotlabs\Web\Controller;
use Zotlabs\Lib\PermissionDescription;
use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;
use Zotlabs\Lib\Libzot;

require_once('include/items.php');


+ 5
- 4
Zotlabs/Module/Dav.php View File

@@ -8,8 +8,9 @@

namespace Zotlabs\Module;

use \Sabre\DAV as SDAV;
use \Zotlabs\Storage;
use Sabre\DAV as SDAV;
use Zotlabs\Storage;
use Zotlabs\Web\HTTPSig;

require_once('include/attach.php');
require_once('include/auth.php');
@@ -46,7 +47,7 @@ class Dav extends \Zotlabs\Web\Controller {
continue;
}

$sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
$sigblock = HTTPSig::parse_sigheader($_SERVER[$head]);
if($sigblock) {
$keyId = str_replace('acct:','',$sigblock['keyId']);
if($keyId) {
@@ -69,7 +70,7 @@ class Dav extends \Zotlabs\Web\Controller {
continue;

if($record) {
$verified = \Zotlabs\Web\HTTPSig::verify('',$record['channel']['channel_pubkey']);
$verified = HTTPSig::verify('',$record['channel']['channel_pubkey']);
if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) {
$record = null;
}


+ 4
- 2
Zotlabs/Module/Getfile.php View File

@@ -1,6 +1,8 @@
<?php
namespace Zotlabs\Module;

use Zotlabs\Web\HTTPSig;

/**
* module: getfile
*
@@ -46,7 +48,7 @@ class Getfile extends \Zotlabs\Web\Controller {
continue;
}

$sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
$sigblock = HTTPSig::parse_sigheader($_SERVER[$head]);
if($sigblock) {
$keyId = $sigblock['keyId'];

@@ -57,7 +59,7 @@ class Getfile extends \Zotlabs\Web\Controller {
);
if($r) {
$hubloc = $r[0];
$verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);
$verified = HTTPSig::verify('',$hubloc['xchan_pubkey']);
if($verified && $verified['header_signed'] && $verified['header_valid'] && $hash == $hubloc['hubloc_hash']) {
$header_verified = true;
}


+ 1
- 1
Zotlabs/Module/Id.php View File

@@ -12,7 +12,7 @@ namespace Zotlabs\Module;
use Zotlabs\Lib\Activity;
use Zotlabs\Lib\ActivityStreams;
use Zotlabs\Lib\LDSignatures;
use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;
use Zotlabs\Web\Controller;
use Zotlabs\Lib\Libzot;
use Zotlabs\Lib\ThreadListener;


+ 1
- 1
Zotlabs/Module/Item.php View File

@@ -9,7 +9,7 @@ use Zotlabs\Daemon\Master;
use Zotlabs\Lib\Activity;
use Zotlabs\Lib\ActivityStreams;
use Zotlabs\Lib\LDSignatures;
use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;
use Zotlabs\Lib\Libzot;
use Zotlabs\Lib\ThreadListener;
use App;


+ 4
- 3
Zotlabs/Module/Magic.php View File

@@ -1,6 +1,8 @@
<?php
namespace Zotlabs\Module;

use Zotlabs\Web\HTTPSig;

@require_once('include/zot.php');


@@ -152,10 +154,9 @@ class Magic extends \Zotlabs\Web\Controller {
$headers['Accept'] = 'application/x-zot+json' ;
$headers['X-Open-Web-Auth'] = random_string();
$headers['Host'] = $parsed['host'];
$headers['Digest'] = 'SHA-256=' . \Zotlabs\Web\HTTPSig::generate_digest($data,false);
$headers['Digest'] = HTTPSig::generate_digest_header($data);

$headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
$headers = HTTPSig::create_sig($headers,$channel['channel_prvkey'], 'acct:' . channel_reddress($channel),true,'sha512');
$x = z_post_url($basepath . '/owa',$data,$redirects,[ 'headers' => $headers ]);

if($x['success']) {


+ 4
- 2
Zotlabs/Module/Owa.php View File

@@ -2,6 +2,8 @@

namespace Zotlabs\Module;

use Zotlabs\Web\HTTPSig;

/**
* OpenWebAuth verifier and token generator
* See https://macgirvin.com/wiki/mike/OpenWebAuth/Home
@@ -25,7 +27,7 @@ class Owa extends \Zotlabs\Web\Controller {
continue;
}

$sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
$sigblock = HTTPSig::parse_sigheader($_SERVER[$head]);
if($sigblock) {
$keyId = $sigblock['keyId'];

@@ -65,7 +67,7 @@ class Owa extends \Zotlabs\Web\Controller {
if ($r) {
foreach($r as $hubloc) {
$verified = \Zotlabs\Web\HTTPSig::verify(file_get_contents('php://input'),$hubloc['xchan_pubkey']);
$verified = HTTPSig::verify(file_get_contents('php://input'),$hubloc['xchan_pubkey']);
if($verified && $verified['header_signed'] && $verified['header_valid']) {
logger('OWA header: ' . print_r($verified,true),LOGGER_DATA);
logger('OWA success: ' . $hubloc['hubloc_addr'],LOGGER_DATA);


+ 4
- 4
Zotlabs/Module/Zfinger.php View File

@@ -1,6 +1,7 @@
<?php
namespace Zotlabs\Module;

use Zotlabs\Web\HTTPSig;

class Zfinger extends \Zotlabs\Web\Controller {

@@ -23,10 +24,9 @@ class Zfinger extends \Zotlabs\Web\Controller {
$ret = json_encode($x);

if($chan) {
$hash = \Zotlabs\Web\HTTPSig::generate_digest($ret,false);
$headers['Digest'] = 'SHA-256=' . $hash;
\Zotlabs\Web\HTTPSig::create_sig('',$headers,$chan['channel_prvkey'],
'acct:' . $chan['channel_address'] . '@' . \App::get_hostname(),true);
$headers['Digest'] = HTTPSig::generate_digest_header($ret);
$h = HTTPSig::create_sig($headers,$chan['channel_prvkey'],'acct:' . channel_reddress($chan));
HTTPSig::set_headers($h);
}
else {
foreach($headers as $k => $v) {


+ 1
- 1
Zotlabs/Module/Zot_probe.php View File

@@ -3,7 +3,7 @@
namespace Zotlabs\Module;

use Zotlabs\Lib\Zotfinger;
use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;

class Zot_probe extends \Zotlabs\Web\Controller {



+ 244
- 118
Zotlabs/Web/HTTPSig.php View File

@@ -2,11 +2,17 @@

namespace Zotlabs\Web;

use Zotlabs\Lib\ActivityStreams;
use Zotlabs\Lib\Webfinger;
use Zotlabs\Web\HTTPHeaders;
use Zotlabs\Lib\Libzot;

/**
* @brief Implements HTTP Signatures per draft-cavage-http-signatures-07.
* @brief Implements HTTP Signatures per draft-cavage-http-signatures-10.
*
* @see https://tools.ietf.org/html/draft-cavage-http-signatures-07
* @see https://tools.ietf.org/html/draft-cavage-http-signatures-10
*/

class HTTPSig {

/**
@@ -15,41 +21,32 @@ class HTTPSig {
* @see https://tools.ietf.org/html/rfc5843
*
* @param string $body The value to create the digest for
* @param boolean $set (optional, default true)
* If set send a Digest HTTP header
* @return string The generated digest of $body
* @param string $alg hash algorithm (one of 'sha256','sha512')
* @return string The generated digest header string for $body
*/
static function generate_digest($body, $set = true) {
$digest = base64_encode(hash('sha256', $body, true));

if($set) {
header('Digest: SHA-256=' . $digest);
static function generate_digest_header($body,$alg = 'sha256') {

$digest = base64_encode(hash($alg, $body, true));
switch($alg) {
case 'sha512':
return 'SHA-512=' . $digest;
case 'sha256':
default:
return 'SHA-256=' . $digest;
break;
}
return $digest;
}

// See draft-cavage-http-signatures-08

static function verify($data,$key = '') {

$body = $data;
$headers = null;
$spoofable = false;

$result = [
'signer' => '',
'header_signed' => false,
'header_valid' => false,
'content_signed' => false,
'content_valid' => false
];
static function find_headers($data,&$body) {

// decide if $data arrived via controller submission or curl

if(is_array($data) && $data['header']) {
if(! $data['success'])
return $result;
return [];

$h = new \Zotlabs\Web\HTTPHeaders($data['header']);
$h = new HTTPHeaders($data['header']);
$headers = $h->fetcharr();
$body = $data['body'];
$headers['(request-target)'] = $data['request_target'];
@@ -57,9 +54,7 @@ class HTTPSig {

else {
$headers = [];
$headers['(request-target)'] =
strtolower($_SERVER['REQUEST_METHOD']) . ' ' .
$_SERVER['REQUEST_URI'];
$headers['(request-target)'] = strtolower($_SERVER['REQUEST_METHOD']) . ' ' . $_SERVER['REQUEST_URI'];
$headers['content-type'] = $_SERVER['CONTENT_TYPE'];
$headers['content-length'] = $_SERVER['CONTENT_LENGTH'];

@@ -71,9 +66,35 @@ class HTTPSig {
}
}

// logger('SERVER: ' . print_r($_SERVER,true), LOGGER_ALL);
//logger('SERVER: ' . print_r($_SERVER,true), LOGGER_ALL);

//logger('headers: ' . print_r($headers,true), LOGGER_ALL);

return $headers;
}


// See draft-cavage-http-signatures-10

static function verify($data,$key = '') {

$body = $data;
$headers = null;

$result = [
'signer' => '',
'portable_id' => '',
'header_signed' => false,
'header_valid' => false,
'content_signed' => false,
'content_valid' => false
];


$headers = self::find_headers($data,$body);

// logger('headers: ' . print_r($headers,true), LOGGER_ALL);
if(! $headers)
return $result;

$sig_block = null;

@@ -85,7 +106,7 @@ class HTTPSig {
}

if(! $sig_block) {
logger('no signature provided.');
logger('no signature provided.', LOGGER_DEBUG);
return $result;
}

@@ -103,9 +124,6 @@ class HTTPSig {
if(array_key_exists($h,$headers)) {
$signed_data .= $h . ': ' . $headers[$h] . "\n";
}
if(strpos($h,'.')) {
$spoofable = true;
}
if($h === 'date') {
$d = new \DateTime($headers[$h]);
$d->setTimeZone(new \DateTimeZone('UTC'));
@@ -128,63 +146,89 @@ class HTTPSig {
$algorithm = 'sha512';
}

if($key && function_exists($key)) {
$result['signer'] = $sig_block['keyId'];
$key = $key($sig_block['keyId']);
}
if(! array_key_exists('keyId',$sig_block))
return $result;

if(! $key) {
$result['signer'] = $sig_block['keyId'];
$key = self::get_activitypub_key($sig_block['keyId']);
}
$result['signer'] = $sig_block['keyId'];

if(! $key)
$key = self::get_key($key,$result['signer']);

if(! ($key && $key['public_key'])) {
return $result;
}

$x = rsa_verify($signed_data,$sig_block['signature'],$key,$algorithm);
$x = rsa_verify($signed_data,$sig_block['signature'],$key['public_key'],$algorithm);

logger('verified: ' . $x, LOGGER_DEBUG);

if(! $x)
if(! $x) {
logger('verify failed for ' . $result['signer'] . ' alg=' . $algorithm . (($key['public_key']) ? '' : ' no key'));
$sig_block['signature'] = base64_encode($sig_block['signature']);
logger('affected sigblock: ' . print_r($sig_block,true));
logger('signed_data: ' . print_r($signed_data,true));
logger('headers: ' . print_r($headers,true));
logger('server: ' . print_r($_SERVER,true));
return $result;
}

if(! $spoofable)
$result['header_valid'] = true;
$result['portable_id'] = $key['portable_id'];
$result['header_valid'] = true;

if(in_array('digest',$signed_headers)) {
$result['content_signed'] = true;
$digest = explode('=', $headers['digest']);
$digest = explode('=', $headers['digest'], 2);
if($digest[0] === 'SHA-256')
$hashalg = 'sha256';
if($digest[0] === 'SHA-512')
$hashalg = 'sha512';

// The explode operation will have stripped the '=' padding, so compare against unpadded base64
if(rtrim(base64_encode(hash($hashalg,$body,true)),'=') === $digest[1]) {
if(base64_encode(hash($hashalg,$body,true)) === $digest[1]) {
$result['content_valid'] = true;
}

logger('Content_Valid: ' . (($result['content_valid']) ? 'true' : 'false'));
}

return $result;
}

if(in_array('x-zot-digest',$signed_headers)) {
$result['content_signed'] = true;
$digest = explode('=', $headers['x-zot-digest']);
if($digest[0] === 'SHA-256')
$hashalg = 'sha256';
if($digest[0] === 'SHA-512')
$hashalg = 'sha512';
static function get_key($key,$id) {

// The explode operation will have stripped the '=' padding, so compare against unpadded base64
if(rtrim(base64_encode(hash($hashalg,$_POST['data'],true)),'=') === $digest[1]) {
$result['content_valid'] = true;
if($key) {
if(function_exists($key)) {
return $key($id);
}
return [ 'public_key' => $key ];
}

logger('Content_Valid: ' . (($result['content_valid']) ? 'true' : 'false'));
if(strpos($id,'#') === false) {
$key = self::get_webfinger_key($id);
}

if(! $key) {
$key = self::get_activitystreams_key($id);
}

return $key;

}


function convertKey($key) {

if(strstr($key,'RSA ')) {
return rsatopem($key);
}
elseif(substr($key,0,5) === 'data:') {
return convert_salmon_key($key);
}
else {
return $key;
}

return $result;
}


/**
* @brief
*
@@ -192,57 +236,131 @@ class HTTPSig {
* @return boolean|string
* false if no pub key found, otherwise return the pub key
*/
function get_activitypub_key($id) {

if(strpos($id,'acct:') === 0) {
$x = q("select xchan_pubkey from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' limit 1",
dbesc(str_replace('acct:','',$id))
);
function get_activitystreams_key($id) {

// remove fragment

$url = ((strpos($id,'#')) ? substr($id,0,strpos($id,'#')) : $id);

$x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1",
dbesc(str_replace('acct:','',$url)),
dbesc($url)
);

if($x && $x[0]['xchan_pubkey']) {
return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ];
}
else {
$x = q("select xchan_pubkey from xchan where xchan_hash = '%s' and xchan_network = 'activitypub' ",
dbesc($id)
);

$r = ActivityStreams::fetch($id);

if($r) {
if(array_key_exists('publicKey',$r) && array_key_exists('publicKeyPem',$r['publicKey']) && array_key_exists('id',$r['publicKey'])) {
if($r['publicKey']['id'] === $id || $r['id'] === $id) {
$portable_id = ((array_key_exists('owner',$r['publicKey'])) ? $r['publicKey']['owner'] : EMPTY_STR);
return [ 'public_key' => self::convertKey($r['publicKey']['publicKeyPem']), 'portable_id' => $portable_id, 'hubloc' => [] ];
}
}
}
return false;
}


function get_webfinger_key($id) {

$x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1",
dbesc(str_replace('acct:','',$id)),
dbesc($id)
);

if($x && $x[0]['xchan_pubkey']) {
return ($x[0]['xchan_pubkey']);
return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ];
}

if(function_exists('as_fetch'))
$r = as_fetch($id);
$wf = Webfinger::exec($id);
$key = [ 'portable_id' => '', 'public_key' => '', 'hubloc' => [] ];

if($r) {
$j = json_decode($r,true);
if($wf) {
if(array_key_exists('properties',$wf) && array_key_exists('https://w3id.org/security/v1#publicKeyPem',$wf['properties'])) {
$key['public_key'] = self::convertKey($wf['properties']['https://w3id.org/security/v1#publicKeyPem']);
}
if(array_key_exists('links', $wf) && is_array($wf['links'])) {
foreach($wf['links'] as $l) {
if(! (is_array($l) && array_key_exists('rel',$l))) {
continue;
}
if($l['rel'] === 'magic-public-key' && array_key_exists('href',$l) && $key['public_key'] === EMPTY_STR) {
$key['public_key'] = self::convertKey($l['href']);
}
}
}
}

return (($key['public_key']) ? $key : false);
}


function get_zotfinger_key($id) {

$x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1",
dbesc(str_replace('acct:','',$id)),
dbesc($id)
);
if($x && $x[0]['xchan_pubkey']) {
return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ];
}

if(array_key_exists('publicKey',$j) && array_key_exists('publicKeyPem',$j['publicKey'])) {
if((array_key_exists('id',$j['publicKey']) && $j['publicKey']['id'] !== $id) && $j['id'] !== $id)
return false;
$wf = Webfinger::exec($id);
$key = [ 'portable_id' => '', 'public_key' => '', 'hubloc' => [] ];

return($j['publicKey']['publicKeyPem']);
if($wf) {
if(array_key_exists('properties',$wf) && array_key_exists('https://w3id.org/security/v1#publicKeyPem',$wf['properties'])) {
$key['public_key'] = self::convertKey($wf['properties']['https://w3id.org/security/v1#publicKeyPem']);
}
if(array_key_exists('links', $wf) && is_array($wf['links'])) {
foreach($wf['links'] as $l) {
if(! (is_array($l) && array_key_exists('rel',$l))) {
continue;
}
if($l['rel'] === 'http://purl.org/zot/protocol/6.0' && array_key_exists('href',$l) && $l['href'] !== EMPTY_STR) {
$z = \Zotlabs\Lib\Zotfinger::exec($l['href']);
if($z) {
$i = Libzot::import_xchan($z['data']);
if($i['success']) {
$key['portable_id'] = $i['hash'];

$x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_id_url = '%s' limit 1",
dbesc($l['href'])
);
if($x) {
$key['hubloc'] = $x[0];
}
}
}
}
if($l['rel'] === 'magic-public-key' && array_key_exists('href',$l) && $key['public_key'] === EMPTY_STR) {
$key['public_key'] = self::convertKey($l['href']);
}
}
}
}

return false;
return (($key['public_key']) ? $key : false);
}


/**
* @brief
*
* @param string $request
* @param array $head
* @param string $prvkey
* @param string $keyid (optional, default 'Key')
* @param boolean $send_headers (optional, default false)
* If set send a HTTP header
* @param string $keyid (optional, default '')
* @param boolean $auth (optional, default false)
* @param string $alg (optional, default 'sha256')
* @param string $crypt_key (optional, default null)
* @param string $crypt_algo (optional, default 'aes256ctr')
* @param array $encryption [ 'key', 'algorithm' ] or false
* @return array
*/
static function create_sig($request, $head, $prvkey, $keyid = 'Key', $send_headers = false, $auth = false,
$alg = 'sha256', $crypt_key = null, $crypt_algo = 'aes256ctr') {
static function create_sig($head, $prvkey, $keyid = EMPTY_STR, $auth = false, $alg = 'sha256', $encryption = false ) {

$return_headers = [];

@@ -253,14 +371,15 @@ class HTTPSig {
$algorithm = 'rsa-sha512';
}

$x = self::sign($request,$head,$prvkey,$alg);
$x = self::sign($head,$prvkey,$alg);

$headerval = 'keyId="' . $keyid . '",algorithm="' . $algorithm
. '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"';
$headerval = 'keyId="' . $keyid . '",algorithm="' . $algorithm . '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"';

if($crypt_key) {
$x = crypto_encapsulate($headerval,$crypt_key,$crypt_algo);
$headerval = 'iv="' . $x['iv'] . '",key="' . $x['key'] . '",alg="' . $x['alg'] . '",data="' . $x['data'] . '"';
if($encryption) {
$x = crypto_encapsulate($headerval,$encryption['key'],$encryption['algorithm']);
if(is_array($x)) {
$headerval = 'iv="' . $x['iv'] . '",key="' . $x['key'] . '",alg="' . $x['alg'] . '",data="' . $x['data'] . '"';
}
}

if($auth) {
@@ -272,43 +391,52 @@ class HTTPSig {

if($head) {
foreach($head as $k => $v) {
if($send_headers) {
header($k . ': ' . $v);
}
else {
$return_headers[] = $k . ': ' . $v;
// strip the request-target virtual header from the output headers
if($k === '(request-target)') {
continue;
}
$return_headers[] = $k . ': ' . $v;
}
}
if($send_headers) {
header($sighead);
}
else {
$return_headers[] = $sighead;
}
$return_headers[] = $sighead;

return $return_headers;
}

/**
* @brief set headers
*
* @param array $headers
* @return void
*/


static function set_headers($headers) {
if($headers && is_array($headers)) {
foreach($headers as $h) {
header($h);
}
}
}


/**
* @brief
*
* @param string $request
* @param array $head
* @param string $prvkey
* @param string $alg (optional) default 'sha256'
* @return array
*/
static function sign($request, $head, $prvkey, $alg = 'sha256') {

static function sign($head, $prvkey, $alg = 'sha256') {

$ret = [];

$headers = '';
$fields = '';
if($request) {
$headers = '(request-target)' . ': ' . trim($request) . "\n";
$fields = '(request-target)';
}

logger('signing: ' . print_r($head,true), LOGGER_DATA);

if($head) {
foreach($head as $k => $v) {
@@ -340,11 +468,8 @@ class HTTPSig {
* - \e array \b headers
* - \e string \b signature
*/
static function parse_sigheader($header) {

if(is_array($header)) {
btlogger('is_array: ' . print_r($header,true));
}
static function parse_sigheader($header) {

$ret = [];
$matches = [];
@@ -381,6 +506,7 @@ class HTTPSig {
* - \e string \b alg
* - \e string \b data
*/

static function decrypt_sigheader($header, $prvkey = null) {

$iv = $key = $alg = $data = null;


+ 4
- 3
Zotlabs/Zot/Finger.php View File

@@ -2,6 +2,8 @@

namespace Zotlabs\Zot;

use Zotlabs\Web\HTTPSig;

/**
* @brief Finger
*
@@ -95,8 +97,7 @@ class Finger {
$headers['X-Zot-Nonce'] = random_string();
$headers['Host'] = $parsed_host;

$xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false);
$xhead = HTTPSig::create_sig($headers,$channel['channel_prvkey'],'acct:' . channel_reddress($channel));

$retries = 0;

@@ -129,7 +130,7 @@ class Finger {

$x = json_decode($result['body'], true);

$verify = \Zotlabs\Web\HTTPSig::verify($result,(($x) ? $x['key'] : ''));
$verify = HTTPSig::verify($result,(($x) ? $x['key'] : ''));

if($x && (! $verify['header_valid'])) {
$signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null);


+ 2
- 3
Zotlabs/Zot6/Finger.php View File

@@ -88,8 +88,7 @@ class Finger {
$headers = [];
$headers['X-Zot-Channel'] = $channel['channel_address'] . '@' . \App::get_hostname();
$headers['X-Zot-Nonce'] = random_string();
$xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false);
$xhead = HTTPSig::create_sig($headers,$channel['channel_prvkey'],'acct:' . channel_reddress($channel));

$retries = 0;

@@ -122,7 +121,7 @@ class Finger {

$x = json_decode($result['body'], true);

$verify = \Zotlabs\Web\HTTPSig::verify($result,(($x) ? $x['key'] : ''));
$verify = HTTPSig::verify($result,(($x) ? $x['key'] : ''));

if($x && (! $verify['header_valid'])) {
$signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null);


+ 4
- 2
include/import.php View File

@@ -2,6 +2,8 @@

use Zotlabs\Lib\IConfig;

use Zotlabs\Web\HTTPSig;

require_once('include/menu.php');
require_once('include/perm_upgrade.php');

@@ -1329,7 +1331,7 @@ function sync_files($channel, $files) {
$headers = [];
$headers['Accept'] = 'application/x-zot+json' ;
$headers['Sigtoken'] = random_string();
$headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
$headers = HTTPSig::create_sig($headers,$channel['channel_prvkey'], 'acct:' . channel_reddress($channel),true,'sha512');

$x = z_post_url($fetch_url,$parr,$redirects,[ 'filep' => $fp, 'headers' => $headers]);
fclose($fp);
@@ -1415,7 +1417,7 @@ function sync_files($channel, $files) {
$headers = [];
$headers['Accept'] = 'application/x-zot+json' ;
$headers['Sigtoken'] = random_string();
$headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
$headers = HTTPSig::create_sig($headers,$channel['channel_prvkey'],'acct:' . channel_reddress($channel),true,'sha512');

$x = z_post_url($fetch_url,$parr,$redirects,[ 'filep' => $fp, 'headers' => $headers]);
fclose($fp);


+ 1
- 1
include/xchan.php View File

@@ -1,6 +1,6 @@
<?php

use Zotlabs\Zot6\HTTPSig;
use Zotlabs\Web\HTTPSig;
use Zotlabs\Lib\Libzot;




+ 2
- 3
include/zot.php View File

@@ -303,9 +303,8 @@ function zot_zot($url, $data, $channel = null,$crypto = null) {

if($channel) {
$headers['X-Zot-Token'] = random_string();
$hash = \Zotlabs\Web\HTTPSig::generate_digest($data,false);
$headers['X-Zot-Digest'] = 'SHA-256=' . $hash;
$h = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,false,'sha512',(($crypto) ? $crypto['hubloc_sitekey'] : ''), (($crypto) ? zot_best_algorithm($crypto['site_crypto']) : ''));
$headers['X-Zot-Digest'] = \Zotlabs\Web\HTTPSig::generate_digest_header($data);
$h = \Zotlabs\Web\HTTPSig::create_sig($headers,$channel['channel_prvkey'],'acct:' . channel_reddress($channel),false,'sha512',(($crypto) ? $crypto['hubloc_sitekey'] : ''), (($crypto) ? zot_best_algorithm($crypto['site_crypto']) : ''));
}

$redirects = 0;


+ 6
- 21
tests/unit/Web/HttpSigTest.php View File

@@ -43,45 +43,30 @@ class PermissionDescriptionTest extends UnitTestCase {
function testGenerate_digest($text, $digest) {
$this->assertSame(
$digest,
HTTPSig::generate_digest($text, false)
HTTPSig::generate_digest_header($text)
);
}
public function generate_digestProvider() {
return [
'empty body text' => [
'',
'47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
'SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
],
'sample body text' => [
'body text',
'2fu8kUkvuzuo5XyhWwORNOcJgDColXgxWkw1T5EXzPI='
'SHA-256=2fu8kUkvuzuo5XyhWwORNOcJgDColXgxWkw1T5EXzPI='
],
'NULL body text' => [
null,
'47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
'SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
],
];
}

function testGeneratedDigestsOfDifferentTextShouldNotBeEqual() {
$this->assertNotSame(
HTTPSig::generate_digest('text1', false),
HTTPSig::generate_digest('text2', false)
);
}

/**
* Process separation needed for header() check.
* @runInSeparateProcess
*/
function testGenerate_digestSendsHttpHeader() {
$ret = HTTPSig::generate_digest('body text', true);

$this->assertSame('2fu8kUkvuzuo5XyhWwORNOcJgDColXgxWkw1T5EXzPI=', $ret);
$this->assertContains(
'Digest: SHA-256=2fu8kUkvuzuo5XyhWwORNOcJgDColXgxWkw1T5EXzPI=',
xdebug_get_headers(),
'HTTP header Digest does not match'
HTTPSig::generate_digest_header('text1'),
HTTPSig::generate_digest_header('text2')
);
}



Loading…
Cancel
Save