Fixes key retrieval

Django Doucet 2023-04-14 23:53:43 -06:00
parent e1722cd4d3
commit 30d78417d8
2 changed files with 11 additions and 14 deletions


@ -112,6 +112,7 @@ class Signature {
public static function verify_http_signature( $request = null ) {
$headers = $request->get_headers();
$actor = isset( json_decode( $request->get_body() )->actor ) ? json_decode( $request->get_body() )->actor : '' ;
$headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route();
if ( ! $headers ) {
@ -123,7 +124,7 @@ class Signature {
$signature_block = self::parse_signature_header( $headers['authorization'] );
}
if ( ! $signature_block ) {
if ( ! isset( $signature_block ) || ! $signature_block ) {
return false;
}
@ -143,6 +144,9 @@ class Signature {
}
if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) {
if ( is_array( $headers['digest'] ) ) {
$headers['digest'] = $headers['digest'][0];
}
$digest = explode( '=', $headers['digest'], 2 );
if ( 'SHA-256' === $digest[0] ) {
$hashalg = 'sha256';
@ -156,7 +160,7 @@ class Signature {
}
}
$public_key = isset( $key ) ? $key : self::get_key( $signature_block['keyId'] );
$public_key = \rtrim( \Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] ) ); // phpcs:ignore
return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0;
@ -218,13 +222,6 @@ class Signature {
return $ret;
}
public static function get_key( $keyId ) { // phpcs:ignore
$actor = \Activitypub\get_actor_from_key( $keyId ); // phpcs:ignore
$publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId ); // phpcs:ignore
return \rtrim( $publicKeyPem ); // phpcs:ignore
}
public static function get_signed_data( $signed_headers, $signature_block, $headers ) {
$signed_data = '';
// This also verifies time-based values by returning false if any of these are out of range.
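Review bot: The actor whose key is fetched on the new line `$public_key = \rtrim( \Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] ) );` is now taken from the request body's `actor` field instead of being derived from `keyId` as the removed `get_key()` did, so the sender chooses which actor is looked up. Unless `get_publickey_by_actor()` (not visible here) confirms that the key it returns is the one published by `$actor` and that `keyId` belongs to that actor, a signature made with whatever key lives at `keyId` would verify while the body names a different actor; that owner binding needs to be checked before returning true, and note the body itself is only covered by the signature when `digest` is among the signed headers. An empty actor should fail closed rather than be passed to the lookup: `if ( '' === $actor ) { return false; }` directly after the `$actor` assignment. As a minor point, `json_decode( $request->get_body() )` is evaluated twice on that line; decode once into a local. The body of verify_http_signature continues outside these hunks.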


@ -74,10 +74,6 @@ class Inbox {
return $served;
}
if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
return $served;
}
return $served;
}
@ -230,9 +226,13 @@ class Inbox {
$params['id'] = array(
'required' => true,
'sanitize_callback' => 'esc_url_raw',
);
$params['signature'] = array(
'required' => true,
'validate_callback' => function( $param, $request, $key ) {
if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
return false;
return false; // returns http 400 rest_invalid_param
}
return $param;
},