Fixes key retrieval
This commit is contained in:
parent
e1722cd4d3
commit
30d78417d8
2 changed files with 11 additions and 14 deletions
|
@ -112,6 +112,7 @@ class Signature {
|
||||||
|
|
||||||
public static function verify_http_signature( $request = null ) {
|
public static function verify_http_signature( $request = null ) {
|
||||||
$headers = $request->get_headers();
|
$headers = $request->get_headers();
|
||||||
|
$actor = isset( json_decode( $request->get_body() )->actor ) ? json_decode( $request->get_body() )->actor : '' ;
|
||||||
$headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route();
|
$headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route();
|
||||||
|
|
||||||
if ( ! $headers ) {
|
if ( ! $headers ) {
|
||||||
|
@ -123,7 +124,7 @@ class Signature {
|
||||||
$signature_block = self::parse_signature_header( $headers['authorization'] );
|
$signature_block = self::parse_signature_header( $headers['authorization'] );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! $signature_block ) {
|
if ( ! isset( $signature_block ) || ! $signature_block ) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -143,6 +144,9 @@ class Signature {
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) {
|
if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) {
|
||||||
|
if ( is_array( $headers['digest'] ) ) {
|
||||||
|
$headers['digest'] = $headers['digest'][0];
|
||||||
|
}
|
||||||
$digest = explode( '=', $headers['digest'], 2 );
|
$digest = explode( '=', $headers['digest'], 2 );
|
||||||
if ( 'SHA-256' === $digest[0] ) {
|
if ( 'SHA-256' === $digest[0] ) {
|
||||||
$hashalg = 'sha256';
|
$hashalg = 'sha256';
|
||||||
|
@ -156,7 +160,7 @@ class Signature {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$public_key = isset( $key ) ? $key : self::get_key( $signature_block['keyId'] );
|
$public_key = \rtrim( \Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] ) ); // phpcs:ignore
|
||||||
|
|
||||||
return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0;
|
return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0;
|
||||||
|
|
||||||
|
@ -218,13 +222,6 @@ class Signature {
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function get_key( $keyId ) { // phpcs:ignore
|
|
||||||
$actor = \Activitypub\get_actor_from_key( $keyId ); // phpcs:ignore
|
|
||||||
$publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId ); // phpcs:ignore
|
|
||||||
return \rtrim( $publicKeyPem ); // phpcs:ignore
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public static function get_signed_data( $signed_headers, $signature_block, $headers ) {
|
public static function get_signed_data( $signed_headers, $signature_block, $headers ) {
|
||||||
$signed_data = '';
|
$signed_data = '';
|
||||||
// This also verifies time-based values by returning false if any of these are out of range.
|
// This also verifies time-based values by returning false if any of these are out of range.
|
||||||
|
|
|
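Review bot: The actor whose key is fetched at `$public_key = \rtrim( \Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] ) )` now comes straight from the unsigned request body (`json_decode( $request->get_body() )->actor`), and nothing in the hunk validates it before it reaches a helper that presumably fetches the actor document over HTTP. An empty value, a non-object JSON body, a non-URL string or a loopback/private host should short-circuit to `return false` before any fetch is attempted, and unless `get_publickey_by_actor` itself checks that `keyId` belongs to `$actor` the two identifiers are never cross-checked anywhere in this hunk, so that binding is worth asserting at the same point. The body is also decoded twice on the same line; decoding once into a local avoids that and makes the guard readable. verify_http_signature's body continues outside the hunk, and the `$body` used by the digest check is assigned outside it as well.
```php
$body_obj = json_decode( $request->get_body() );
$actor    = ( is_object( $body_obj ) && isset( $body_obj->actor ) ) ? $body_obj->actor : '';
// Refuse to fetch a key for an actor that is not an absolute http(s) URL;
// wp_http_validate_url() also rejects loopback/private hosts by default.
if ( ! is_string( $actor ) || '' === $actor || ! \wp_http_validate_url( $actor ) ) {
	return false;
}
// … unchanged: (request-target), header parsing, digest check, key fetch …
```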
@ -74,10 +74,6 @@ class Inbox {
|
||||||
return $served;
|
return $served;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
|
|
||||||
return $served;
|
|
||||||
}
|
|
||||||
|
|
||||||
return $served;
|
return $served;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -230,9 +226,13 @@ class Inbox {
|
||||||
$params['id'] = array(
|
$params['id'] = array(
|
||||||
'required' => true,
|
'required' => true,
|
||||||
'sanitize_callback' => 'esc_url_raw',
|
'sanitize_callback' => 'esc_url_raw',
|
||||||
|
);
|
||||||
|
|
||||||
|
$params['signature'] = array(
|
||||||
|
'required' => true,
|
||||||
'validate_callback' => function( $param, $request, $key ) {
|
'validate_callback' => function( $param, $request, $key ) {
|
||||||
if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
|
if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
|
||||||
return false;
|
return false; // returns http 400 rest_invalid_param
|
||||||
}
|
}
|
||||||
return $param;
|
return $param;
|
||||||
},
|
},
|
||||||
|
|
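Review bot: Attaching the HTTP-signature check to `$params['signature']` with `'required' => true` ties it to a request parameter named `signature`, while the value being verified lives in the `Signature`/`Authorization` header; any inbox POST whose JSON carries no `signature` member is therefore rejected with rest_missing_callback_param before `validate_callback` runs, and the check itself only executes when a sender happens to include one. A header-level check belongs in the route's `permission_callback`, e.g. `'permission_callback' => function( $request ) { return \Activitypub\Signature::verify_http_signature( $request ); }`, which also yields 401/403 instead of the 400 noted in `return false; // returns http 400 rest_invalid_param`; at minimum the parameter should not be marked required. Since the first hunk drops the `verify_http_signature` call from the pre-serve path, enforcement now depends entirely on every inbox route registering these args, which is not visible here. The enclosing functions of both hunks start and end outside the section.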