Event-Federation/wordpress-activitypub
Event-Federation/wordpress-activitypub
7
1
Fork 0
Code Issues 3 Pull requests Projects Releases Wiki Activity Actions

Fixes key retrieval

Browse source
This commit is contained in:
Django Doucet 2023-04-14 23:53:43 -06:00
parent e1722cd4d3
commit 30d78417d8
2 changed files with 11 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
includes/class-signature.php
View file

@ -112,6 +112,7 @@ class Signature {
public static function verify_http_signature( $request = null ) { public static function verify_http_signature( $request = null ) {
$headers = $request->get_headers(); $headers = $request->get_headers();
$actor = isset( json_decode( $request->get_body() )->actor ) ? json_decode( $request->get_body() )->actor : '' ;
$headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route(); $headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route();
if ( ! $headers ) { if ( ! $headers ) {
@ -123,7 +124,7 @@ class Signature {
$signature_block = self::parse_signature_header( $headers['authorization'] ); $signature_block = self::parse_signature_header( $headers['authorization'] );
} }
if ( ! $signature_block ) { if ( ! isset( $signature_block ) || ! $signature_block ) {
return false; return false;
} }
@ -143,6 +144,9 @@ class Signature {
} }
if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) { if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) {
if ( is_array( $headers['digest'] ) ) {
$headers['digest'] = $headers['digest'][0];
}
$digest = explode( '=', $headers['digest'], 2 ); $digest = explode( '=', $headers['digest'], 2 );
if ( 'SHA-256' === $digest[0] ) { if ( 'SHA-256' === $digest[0] ) {
$hashalg = 'sha256'; $hashalg = 'sha256';
@ -156,7 +160,7 @@ class Signature {
} }
} }
$public_key = isset( $key ) ? $key : self::get_key( $signature_block['keyId'] ); $public_key = \rtrim( \Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] ) ); // phpcs:ignore
return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0; return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0;
@ -218,13 +222,6 @@ class Signature {
return $ret; return $ret;
} }
public static function get_key( $keyId ) { // phpcs:ignore
$actor = \Activitypub\get_actor_from_key( $keyId ); // phpcs:ignore
$publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId ); // phpcs:ignore
return \rtrim( $publicKeyPem ); // phpcs:ignore
}
public static function get_signed_data( $signed_headers, $signature_block, $headers ) { public static function get_signed_data( $signed_headers, $signature_block, $headers ) {
$signed_data = ''; $signed_data = '';
// This also verifies time-based values by returning false if any of these are out of range. // This also verifies time-based values by returning false if any of these are out of range.

10
includes/rest/class-inbox.php
View file

@ -74,10 +74,6 @@ class Inbox {
return $served; return $served;
} }
if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
return $served;
}
return $served; return $served;
} }
@ -230,9 +226,13 @@ class Inbox {
$params['id'] = array( $params['id'] = array(
'required' => true, 'required' => true,
'sanitize_callback' => 'esc_url_raw', 'sanitize_callback' => 'esc_url_raw',
);
$params['signature'] = array(
'required' => true,
'validate_callback' => function( $param, $request, $key ) { 'validate_callback' => function( $param, $request, $key ) {
if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) { if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
return false; return false; // returns http 400 rest_invalid_param
} }
return $param; return $param;
}, },