2018-10-02 22:25:40 +02:00
|
|
|
<?php
|
2019-02-24 12:07:41 +01:00
|
|
|
namespace Activitypub;
|
2018-10-02 22:25:40 +02:00
|
|
|
|
2023-04-02 07:59:49 +02:00
|
|
|
use DateTime;
|
|
|
|
|
use DateTimeZone;
|
2022-02-28 23:52:30 +01:00
|
|
|
|
2019-02-24 13:01:28 +01:00
|
|
|
/**
|
|
|
|
|
* ActivityPub Signature Class
|
|
|
|
|
*
|
|
|
|
|
* @author Matthias Pfefferle
|
|
|
|
|
*/
|
2019-02-24 12:07:41 +01:00
|
|
|
class Signature {
|
2018-12-08 00:02:18 +01:00
|
|
|
|
2018-10-02 22:25:40 +02:00
|
|
|
/**
|
2018-12-20 11:33:08 +01:00
|
|
|
* @param int $user_id
|
2018-10-02 22:25:40 +02:00
|
|
|
*
|
|
|
|
|
* @return mixed
|
|
|
|
|
*/
|
2018-12-20 11:33:08 +01:00
|
|
|
public static function get_public_key( $user_id, $force = false ) {
|
2019-09-27 10:12:59 +02:00
|
|
|
$key = \get_user_meta( $user_id, 'magic_sig_public_key' );
|
2018-10-02 22:25:40 +02:00
|
|
|
|
|
|
|
|
if ( $key && ! $force ) {
|
|
|
|
|
return $key[0];
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-20 11:33:08 +01:00
|
|
|
self::generate_key_pair( $user_id );
|
2019-09-27 10:12:59 +02:00
|
|
|
$key = \get_user_meta( $user_id, 'magic_sig_public_key' );
|
2018-10-02 22:25:40 +02:00
|
|
|
|
|
|
|
|
return $key[0];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2018-12-20 11:33:08 +01:00
|
|
|
* @param int $user_id
|
2018-10-02 22:25:40 +02:00
|
|
|
*
|
|
|
|
|
* @return mixed
|
|
|
|
|
*/
|
2018-12-20 11:33:08 +01:00
|
|
|
public static function get_private_key( $user_id, $force = false ) {
|
2019-09-27 10:12:59 +02:00
|
|
|
$key = \get_user_meta( $user_id, 'magic_sig_private_key' );
|
2018-10-02 22:25:40 +02:00
|
|
|
|
|
|
|
|
if ( $key && ! $force ) {
|
|
|
|
|
return $key[0];
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-20 11:33:08 +01:00
|
|
|
self::generate_key_pair( $user_id );
|
2019-09-27 10:12:59 +02:00
|
|
|
$key = \get_user_meta( $user_id, 'magic_sig_private_key' );
|
2018-10-02 22:25:40 +02:00
|
|
|
|
|
|
|
|
return $key[0];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Generates the pair keys
|
|
|
|
|
*
|
2018-12-20 11:33:08 +01:00
|
|
|
* @param int $user_id
|
2018-10-02 22:25:40 +02:00
|
|
|
*/
|
2018-12-20 11:33:08 +01:00
|
|
|
public static function generate_key_pair( $user_id ) {
|
2018-10-02 22:25:40 +02:00
|
|
|
$config = array(
|
|
|
|
|
'digest_alg' => 'sha512',
|
|
|
|
|
'private_key_bits' => 2048,
|
2020-05-12 19:42:09 +02:00
|
|
|
'private_key_type' => \OPENSSL_KEYTYPE_RSA,
|
2018-10-02 22:25:40 +02:00
|
|
|
);
|
|
|
|
|
|
2019-09-27 10:12:59 +02:00
|
|
|
$key = \openssl_pkey_new( $config );
|
2018-10-02 22:25:40 +02:00
|
|
|
$priv_key = null;
|
|
|
|
|
|
2019-09-27 10:12:59 +02:00
|
|
|
\openssl_pkey_export( $key, $priv_key );
|
2018-10-02 22:25:40 +02:00
|
|
|
|
|
|
|
|
// private key
|
2019-09-27 10:12:59 +02:00
|
|
|
\update_user_meta( $user_id, 'magic_sig_private_key', $priv_key );
|
2018-10-02 22:25:40 +02:00
|
|
|
|
2019-09-27 10:12:59 +02:00
|
|
|
$detail = \openssl_pkey_get_details( $key );
|
2018-10-02 22:25:40 +02:00
|
|
|
|
|
|
|
|
// public key
|
2019-09-27 10:12:59 +02:00
|
|
|
\update_user_meta( $user_id, 'magic_sig_public_key', $detail['key'] );
|
2018-10-02 22:25:40 +02:00
|
|
|
}
|
|
|
|
|
|
2022-11-07 00:49:53 +01:00
|
|
|
public static function generate_signature( $user_id, $http_method, $url, $date, $digest = null ) {
|
2018-12-20 11:33:08 +01:00
|
|
|
$key = self::get_private_key( $user_id );
|
2018-10-02 22:25:40 +02:00
|
|
|
|
2019-09-27 10:12:59 +02:00
|
|
|
$url_parts = \wp_parse_url( $url );
|
2018-10-02 22:25:40 +02:00
|
|
|
|
|
|
|
|
$host = $url_parts['host'];
|
|
|
|
|
$path = '/';
|
|
|
|
|
|
|
|
|
|
// add path
|
|
|
|
|
if ( ! empty( $url_parts['path'] ) ) {
|
2018-12-08 00:02:18 +01:00
|
|
|
$path = $url_parts['path'];
|
2018-10-02 22:25:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// add query
|
|
|
|
|
if ( ! empty( $url_parts['query'] ) ) {
|
|
|
|
|
$path .= '?' . $url_parts['query'];
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-10 04:23:05 +01:00
|
|
|
if ( ! empty( $digest ) ) {
|
2022-11-07 00:49:53 +01:00
|
|
|
$signed_string = "(request-target): $http_method $path\nhost: $host\ndate: $date\ndigest: SHA-256=$digest";
|
2020-12-10 04:23:05 +01:00
|
|
|
} else {
|
2022-11-07 00:49:53 +01:00
|
|
|
$signed_string = "(request-target): $http_method $path\nhost: $host\ndate: $date";
|
2020-12-10 04:23:05 +01:00
|
|
|
}
|
2018-10-02 22:25:40 +02:00
|
|
|
|
|
|
|
|
$signature = null;
|
2020-05-12 19:42:09 +02:00
|
|
|
\openssl_sign( $signed_string, $signature, $key, \OPENSSL_ALGO_SHA256 );
|
2019-09-27 10:12:59 +02:00
|
|
|
$signature = \base64_encode( $signature ); // phpcs:ignore
|
2018-10-02 22:25:40 +02:00
|
|
|
|
2019-09-27 10:12:59 +02:00
|
|
|
$key_id = \get_author_posts_url( $user_id ) . '#main-key';
|
2018-10-02 22:25:40 +02:00
|
|
|
|
2020-12-10 04:23:05 +01:00
|
|
|
if ( ! empty( $digest ) ) {
|
|
|
|
|
return \sprintf( 'keyId="%s",algorithm="rsa-sha256",headers="(request-target) host date digest",signature="%s"', $key_id, $signature );
|
|
|
|
|
} else {
|
|
|
|
|
return \sprintf( 'keyId="%s",algorithm="rsa-sha256",headers="(request-target) host date",signature="%s"', $key_id, $signature );
|
|
|
|
|
}
|
2018-10-02 22:25:40 +02:00
|
|
|
}
|
|
|
|
|
|
2023-04-03 00:38:39 +02:00
|
|
|
public static function verify_http_signature( $request = null ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
$headers = $request->get_headers();
|
2023-04-15 07:59:04 +02:00
|
|
|
$actor = isset( json_decode( $request->get_body() )->actor ) ? json_decode( $request->get_body() )->actor : '';
|
2023-04-02 07:59:49 +02:00
|
|
|
$headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route();
|
2023-04-01 18:17:56 +02:00
|
|
|
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( ! $headers ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
$headers = self::default_server_headers();
|
|
|
|
|
}
|
|
|
|
|
if ( array_key_exists( 'signature', $headers ) ) {
|
|
|
|
|
$signature_block = self::parse_signature_header( $headers['signature'] );
|
|
|
|
|
} elseif ( array_key_exists( 'authorization', $headers ) ) {
|
|
|
|
|
$signature_block = self::parse_signature_header( $headers['authorization'] );
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-15 07:53:43 +02:00
|
|
|
if ( ! isset( $signature_block ) || ! $signature_block ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$signed_headers = $signature_block['headers'];
|
|
|
|
|
if ( ! $signed_headers ) {
|
2023-04-02 07:59:49 +02:00
|
|
|
$signed_headers = array( 'date' );
|
2023-04-01 18:17:56 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$signed_data = self::get_signed_data( $signed_headers, $signature_block, $headers );
|
|
|
|
|
if ( ! $signed_data ) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$algorithm = self::get_signature_algorithm( $signature_block );
|
|
|
|
|
if ( ! $algorithm ) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) {
|
2023-04-15 07:53:43 +02:00
|
|
|
if ( is_array( $headers['digest'] ) ) {
|
|
|
|
|
$headers['digest'] = $headers['digest'][0];
|
|
|
|
|
}
|
2023-04-01 18:17:56 +02:00
|
|
|
$digest = explode( '=', $headers['digest'], 2 );
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( 'SHA-256' === $digest[0] ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
$hashalg = 'sha256';
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( 'SHA-512' === $digest[0] ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
$hashalg = 'sha512';
|
2022-02-28 23:52:30 +01:00
|
|
|
}
|
2022-03-01 03:32:26 +01:00
|
|
|
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \base64_encode( \hash( $hashalg, $body, true ) ) !== $digest[1] ) { // phpcs:ignore
|
2023-04-01 18:17:56 +02:00
|
|
|
return false;
|
2022-03-20 03:19:59 +01:00
|
|
|
}
|
2023-04-01 18:17:56 +02:00
|
|
|
}
|
|
|
|
|
|
2023-04-15 07:53:43 +02:00
|
|
|
$public_key = \rtrim( \Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] ) ); // phpcs:ignore
|
2023-04-01 18:17:56 +02:00
|
|
|
|
2023-04-02 07:59:49 +02:00
|
|
|
return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0;
|
2023-04-01 18:17:56 +02:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static function default_server_headers() {
|
2023-04-02 07:59:49 +02:00
|
|
|
$headers = array(
|
2023-04-01 18:17:56 +02:00
|
|
|
'(request-target)' => strtolower( $_SERVER['REQUEST_METHOD'] ) . ' ' . $_SERVER['REQUEST_URI'],
|
|
|
|
|
'content-type' => $_SERVER['CONTENT_TYPE'],
|
|
|
|
|
'content-length' => $_SERVER['CONTENT_LENGTH'],
|
|
|
|
|
);
|
|
|
|
|
foreach ( $_SERVER as $k => $v ) {
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \strpos( $k, 'HTTP_' ) === 0 ) {
|
|
|
|
|
$field = \str_replace( '_', '-', \strtolower( \substr( $k, 5 ) ) );
|
|
|
|
|
$headers[ $field ] = $v;
|
2022-03-20 03:19:59 +01:00
|
|
|
}
|
2022-02-28 23:52:30 +01:00
|
|
|
}
|
2023-04-01 18:17:56 +02:00
|
|
|
return $headers;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static function get_signature_algorithm( $signature_block ) {
|
|
|
|
|
switch ( $signature_block['algorithm'] ) {
|
|
|
|
|
case 'rsa-sha-512':
|
|
|
|
|
return 'sha512';
|
2023-04-05 21:25:39 +02:00
|
|
|
default:
|
|
|
|
|
return 'sha256';
|
2023-04-01 18:17:56 +02:00
|
|
|
}
|
2022-03-20 03:19:59 +01:00
|
|
|
return false;
|
2022-02-28 23:52:30 +01:00
|
|
|
}
|
|
|
|
|
|
2023-04-01 18:17:56 +02:00
|
|
|
public static function parse_signature_header( $header ) {
|
2023-04-02 07:59:49 +02:00
|
|
|
$ret = array();
|
|
|
|
|
$matches = array();
|
|
|
|
|
$h_string = \implode( ',', (array) $header[0] );
|
2022-02-28 23:52:30 +01:00
|
|
|
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \preg_match( '/keyId="(.*?)"/ism', $h_string, $matches ) ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
$ret['keyId'] = $matches[1];
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \preg_match( '/created=([0-9]*)/ism', $h_string, $matches ) ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
$ret['(created)'] = $matches[1];
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \preg_match( '/expires=([0-9]*)/ism', $h_string, $matches ) ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
$ret['(expires)'] = $matches[1];
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \preg_match( '/algorithm="(.*?)"/ism', $h_string, $matches ) ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
$ret['algorithm'] = $matches[1];
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \preg_match( '/headers="(.*?)"/ism', $h_string, $matches ) ) {
|
|
|
|
|
$ret['headers'] = \explode( ' ', $matches[1] );
|
2023-04-01 18:17:56 +02:00
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \preg_match( '/signature="(.*?)"/ism', $h_string, $matches ) ) {
|
|
|
|
|
$ret['signature'] = \base64_decode( preg_replace( '/\s+/', '', $matches[1] ) ); // phpcs:ignore
|
2022-02-28 23:52:30 +01:00
|
|
|
}
|
|
|
|
|
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( ( $ret['signature'] ) && ( $ret['algorithm'] ) && ( ! $ret['headers'] ) ) {
|
|
|
|
|
$ret['headers'] = array( 'date' );
|
2022-02-28 23:52:30 +01:00
|
|
|
}
|
|
|
|
|
|
2023-04-01 18:17:56 +02:00
|
|
|
return $ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static function get_signed_data( $signed_headers, $signature_block, $headers ) {
|
|
|
|
|
$signed_data = '';
|
|
|
|
|
// This also verifies time-based values by returning false if any of these are out of range.
|
|
|
|
|
foreach ( $signed_headers as $header ) {
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( \array_key_exists( $header, $headers ) ) {
|
|
|
|
|
if ( 'host' === $header ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
if ( isset( $headers['x_original_host'] ) ) {
|
2023-04-02 07:59:49 +02:00
|
|
|
$signed_data .= $header . ': ' . $headers['x_original_host'][0] . "\n";
|
2023-04-01 18:17:56 +02:00
|
|
|
} else {
|
2023-04-02 07:59:49 +02:00
|
|
|
$signed_data .= $header . ': ' . $headers[ $header ][0] . "\n";
|
2023-04-01 18:17:56 +02:00
|
|
|
}
|
|
|
|
|
} else {
|
2023-04-02 07:59:49 +02:00
|
|
|
$signed_data .= $header . ': ' . $headers[ $header ][0] . "\n";
|
2023-04-01 18:17:56 +02:00
|
|
|
}
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( '(created)' === $header ) {
|
2023-04-02 08:30:17 +02:00
|
|
|
if ( ! empty( $signature_block['(created)'] ) && \intval( $signature_block['(created)'] ) > \time() ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
// created in future
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
$signed_data .= '(created): ' . $signature_block['(created)'] . "\n";
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( '(expires)' === $header ) {
|
|
|
|
|
if ( ! empty( $signature_block['(expires)'] ) && \intval( $signature_block['(expires)'] ) < \time() ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
// expired in past
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
$signed_data .= '(expires): ' . $signature_block['(expires)'] . "\n";
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( 'content-type' === $header ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
$signed_data .= $header . ': ' . $headers['content_type'][0] . "\n";
|
|
|
|
|
}
|
2023-04-03 04:38:10 +02:00
|
|
|
if ( 'content-length' === $header ) {
|
|
|
|
|
$signed_data .= $header . ': ' . $headers['content_length'][0] . "\n";
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
if ( 'date' === $header ) {
|
2023-04-01 18:17:56 +02:00
|
|
|
// allow a bit of leeway for misconfigured clocks.
|
2023-04-02 07:59:49 +02:00
|
|
|
$d = new DateTime( $headers[ $header ][0] );
|
|
|
|
|
$d->setTimeZone( new DateTimeZone( 'UTC' ) );
|
|
|
|
|
$c = $d->format( 'U' );
|
2023-04-01 18:17:56 +02:00
|
|
|
|
2023-04-02 07:59:49 +02:00
|
|
|
$dplus = time() + ( 3 * HOUR_IN_SECONDS );
|
|
|
|
|
$dminus = time() - ( 3 * HOUR_IN_SECONDS );
|
2023-04-01 18:17:56 +02:00
|
|
|
|
|
|
|
|
if ( $c > $dplus || $c < $dminus ) {
|
|
|
|
|
// time out of range
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-04-02 07:59:49 +02:00
|
|
|
return \rtrim( $signed_data, "\n" );
|
2018-10-02 22:25:40 +02:00
|
|
|
}
|
2020-12-10 04:23:05 +01:00
|
|
|
|
|
|
|
|
public static function generate_digest( $body ) {
|
2020-12-17 17:39:35 +01:00
|
|
|
$digest = \base64_encode( \hash( 'sha256', $body, true ) ); // phpcs:ignore
|
2020-12-10 04:23:05 +01:00
|
|
|
return "$digest";
|
|
|
|
|
}
|
2018-10-02 22:25:40 +02:00
|
|
|
}
|
