From 30d78417d87c5e4765e7c89cac7ffb3ee4c4cccf Mon Sep 17 00:00:00 2001 From: Django Doucet Date: Fri, 14 Apr 2023 23:53:43 -0600 Subject: [PATCH] Fixes key retrieval --- includes/class-signature.php | 15 ++++++--------- includes/rest/class-inbox.php | 10 +++++----- 2 files changed, 11 insertions(+), 14 deletions(-) diff --git a/includes/class-signature.php b/includes/class-signature.php index 3c28941..84cf612 100644 --- a/includes/class-signature.php +++ b/includes/class-signature.php @@ -112,6 +112,7 @@ class Signature { public static function verify_http_signature( $request = null ) { $headers = $request->get_headers(); + $actor = isset( json_decode( $request->get_body() )->actor ) ? json_decode( $request->get_body() )->actor : '' ; $headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route(); if ( ! $headers ) { @@ -123,7 +124,7 @@ class Signature { $signature_block = self::parse_signature_header( $headers['authorization'] ); } - if ( ! $signature_block ) { + if ( ! isset( $signature_block ) || ! $signature_block ) { return false; } @@ -143,6 +144,9 @@ class Signature { } if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) { + if ( is_array( $headers['digest'] ) ) { + $headers['digest'] = $headers['digest'][0]; + } $digest = explode( '=', $headers['digest'], 2 ); if ( 'SHA-256' === $digest[0] ) { $hashalg = 'sha256'; @@ -156,7 +160,7 @@ class Signature { } } - $public_key = isset( $key ) ? $key : self::get_key( $signature_block['keyId'] ); + $public_key = \rtrim( \Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] ) ); // phpcs:ignore return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0; @@ -218,13 +222,6 @@ class Signature { return $ret; } - public static function get_key( $keyId ) { // phpcs:ignore - $actor = \Activitypub\get_actor_from_key( $keyId ); // phpcs:ignore - $publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId ); // phpcs:ignore - return \rtrim( $publicKeyPem ); // phpcs:ignore - } - - public static function get_signed_data( $signed_headers, $signature_block, $headers ) { $signed_data = ''; // This also verifies time-based values by returning false if any of these are out of range. diff --git a/includes/rest/class-inbox.php b/includes/rest/class-inbox.php index 0869533..a93d064 100644 --- a/includes/rest/class-inbox.php +++ b/includes/rest/class-inbox.php @@ -74,10 +74,6 @@ class Inbox { return $served; } - if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) { - return $served; - } - return $served; } @@ -230,9 +226,13 @@ class Inbox { $params['id'] = array( 'required' => true, 'sanitize_callback' => 'esc_url_raw', + ); + + $params['signature'] = array( + 'required' => true, 'validate_callback' => function( $param, $request, $key ) { if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) { - return false; + return false; // returns http 400 rest_invalid_param } return $param; },