Fixes key retrieval
This commit is contained in:
Django Doucet
parent
e1722cd4d3
commit
30d78417d8
2 changed files with 11 additions and 14 deletions
|
|
@ -112,6 +112,7 @@ class Signature {
|
|||
|
||||
public static function verify_http_signature( $request = null ) {
|
||||
$headers = $request->get_headers();
|
||||
$actor = isset( json_decode( $request->get_body() )->actor ) ? json_decode( $request->get_body() )->actor : '' ;
|
||||
$headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route();
|
||||
|
||||
if ( ! $headers ) {
|
||||
|
|
@ -123,7 +124,7 @@ class Signature {
|
|||
$signature_block = self::parse_signature_header( $headers['authorization'] );
|
||||
}
|
||||
|
||||
if ( ! $signature_block ) {
|
||||
if ( ! isset( $signature_block ) || ! $signature_block ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -143,6 +144,9 @@ class Signature {
|
|||
}
|
||||
|
||||
if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) {
|
||||
if ( is_array( $headers['digest'] ) ) {
|
||||
$headers['digest'] = $headers['digest'][0];
|
||||
}
|
||||
$digest = explode( '=', $headers['digest'], 2 );
|
||||
if ( 'SHA-256' === $digest[0] ) {
|
||||
$hashalg = 'sha256';
|
||||
|
|
@ -156,7 +160,7 @@ class Signature {
|
|||
}
|
||||
}
|
||||
|
||||
$public_key = isset( $key ) ? $key : self::get_key( $signature_block['keyId'] );
|
||||
$public_key = \rtrim( \Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] ) ); // phpcs:ignore
|
||||
|
||||
return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0;
|
||||
|
||||
|
|
@ -218,13 +222,6 @@ class Signature {
|
|||
return $ret;
|
||||
}
|
||||
|
||||
public static function get_key( $keyId ) { // phpcs:ignore
|
||||
$actor = \Activitypub\get_actor_from_key( $keyId ); // phpcs:ignore
|
||||
$publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId ); // phpcs:ignore
|
||||
return \rtrim( $publicKeyPem ); // phpcs:ignore
|
||||
}
|
||||
|
||||
|
||||
public static function get_signed_data( $signed_headers, $signature_block, $headers ) {
|
||||
$signed_data = '';
|
||||
// This also verifies time-based values by returning false if any of these are out of range.
|
||||
|
|
|
|||
|
|
@ -74,10 +74,6 @@ class Inbox {
|
|||
return $served;
|
||||
}
|
||||
|
||||
if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
|
||||
return $served;
|
||||
}
|
||||
|
||||
return $served;
|
||||
}
|
||||
|
||||
|
|
@ -230,9 +226,13 @@ class Inbox {
|
|||
$params['id'] = array(
|
||||
'required' => true,
|
||||
'sanitize_callback' => 'esc_url_raw',
|
||||
);
|
||||
|
||||
$params['signature'] = array(
|
||||
'required' => true,
|
||||
'validate_callback' => function( $param, $request, $key ) {
|
||||
if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
|
||||
return false;
|
||||
return false; // returns http 400 rest_invalid_param
|
||||
}
|
||||
return $param;
|
||||
},
|
||||
|
|
|
|||
Loading…
Reference in a new issue