diff --git a/includes/class-signature.php b/includes/class-signature.php index a4c45f4..d10309f 100644 --- a/includes/class-signature.php +++ b/includes/class-signature.php @@ -1,8 +1,8 @@ get_headers(); - $headers["(request-target)"][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route(); + $headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route(); - if ( !$headers ) { + if ( ! $headers ) { $headers = self::default_server_headers(); } if ( array_key_exists( 'signature', $headers ) ) { @@ -131,13 +130,13 @@ class Signature { $signature_block = self::parse_signature_header( $headers['authorization'] ); } - if ( !$signature_block ) { + if ( ! $signature_block ) { return false; } $signed_headers = $signature_block['headers']; if ( ! $signed_headers ) { - $signed_headers = ['date']; + $signed_headers = array( 'date' ); } $signed_data = self::get_signed_data( $signed_headers, $signature_block, $headers ); @@ -150,37 +149,36 @@ class Signature { return false; } - if ( in_array( 'digest', $signed_headers ) && isset( $body ) ) { + if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) { $digest = explode( '=', $headers['digest'], 2 ); - if ( $digest[0] === 'SHA-256' ) { + if ( 'SHA-256' === $digest[0] ) { $hashalg = 'sha256'; } - if ( $digest[0] === 'SHA-512' ) { + if ( 'SHA-512' === $digest[0] ) { $hashalg = 'sha512'; } - // TODO Test - if ( base64_encode( hash( $hashalg, $body, true ) ) !== $digest[1] ) { + if ( \base64_encode( \hash( $hashalg, $body, true ) ) !== $digest[1] ) { // phpcs:ignore return false; } } - $public_key = $key?? self::get_key( $signature_block['keyId'] ); + $public_key = isset( $key ) ? $key : self::get_key( $signature_block['keyId'] ); - return \openssl_verify( $signed_data,$signature_block['signature'], $public_key, $algorithm ) > 0; + return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0; } public static function default_server_headers() { - $headers = array( + $headers = array( '(request-target)' => strtolower( $_SERVER['REQUEST_METHOD'] ) . ' ' . $_SERVER['REQUEST_URI'], 'content-type' => $_SERVER['CONTENT_TYPE'], 'content-length' => $_SERVER['CONTENT_LENGTH'], ); foreach ( $_SERVER as $k => $v ) { - if ( strpos( $k, 'HTTP_' ) === 0 ) { - $field = str_replace( '_', '-', strtolower( substr( $k, 5 ) ) ); - $headers[$field] = $v; + if ( \strpos( $k, 'HTTP_' ) === 0 ) { + $field = \str_replace( '_', '-', \strtolower( \substr( $k, 5 ) ) ); + $headers[ $field ] = $v; } } return $headers; @@ -199,86 +197,85 @@ class Signature { } public static function parse_signature_header( $header ) { - $ret = []; - $matches = []; - $h_string = implode( ',', (array) $header[0] ); + $ret = array(); + $matches = array(); + $h_string = \implode( ',', (array) $header[0] ); - if ( preg_match( '/keyId="(.*?)"/ism', $h_string, $matches ) ) { + if ( \preg_match( '/keyId="(.*?)"/ism', $h_string, $matches ) ) { $ret['keyId'] = $matches[1]; } - if ( preg_match( '/created=([0-9]*)/ism', $h_string, $matches ) ) { + if ( \preg_match( '/created=([0-9]*)/ism', $h_string, $matches ) ) { $ret['(created)'] = $matches[1]; } - if ( preg_match( '/expires=([0-9]*)/ism', $h_string, $matches ) ) { + if ( \preg_match( '/expires=([0-9]*)/ism', $h_string, $matches ) ) { $ret['(expires)'] = $matches[1]; } - if ( preg_match( '/algorithm="(.*?)"/ism', $h_string, $matches ) ) { + if ( \preg_match( '/algorithm="(.*?)"/ism', $h_string, $matches ) ) { $ret['algorithm'] = $matches[1]; } - if ( preg_match( '/headers="(.*?)"/ism', $h_string, $matches ) ) { - $ret['headers'] = explode( ' ', $matches[1] ); + if ( \preg_match( '/headers="(.*?)"/ism', $h_string, $matches ) ) { + $ret['headers'] = \explode( ' ', $matches[1] ); } - if ( preg_match( '/signature="(.*?)"/ism', $h_string, $matches ) ) { - $ret['signature'] = base64_decode( preg_replace( '/\s+/', '', $matches[1] ) ); + if ( \preg_match( '/signature="(.*?)"/ism', $h_string, $matches ) ) { + $ret['signature'] = \base64_decode( preg_replace( '/\s+/', '', $matches[1] ) ); // phpcs:ignore } - if ( ( $ret['signature'] ) && ( $ret['algorithm'] ) && ( !$ret['headers'] ) ) { - $ret['headers'] = ['date']; + if ( ( $ret['signature'] ) && ( $ret['algorithm'] ) && ( ! $ret['headers'] ) ) { + $ret['headers'] = array( 'date' ); } return $ret; } - public static function get_key( $keyId ) { + public static function get_key( $keyId ) { // phpcs:ignore // If there was no key passed to verify, it will find the keyId and call this // function to fetch the public key from stored data or a network fetch. - $actor = \strip_fragment_from_url( $keyId ); - $publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId ); - return rtrim( $publicKeyPem ); + $actor = \strip_fragment_from_url( $keyId ); // phpcs:ignore + $publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId ); // phpcs:ignore + return \rtrim( $publicKeyPem ); // phpcs:ignore } public static function get_signed_data( $signed_headers, $signature_block, $headers ) { - $signed_data = ''; // This also verifies time-based values by returning false if any of these are out of range. foreach ( $signed_headers as $header ) { - if ( array_key_exists($header, $headers ) ) { - if ( $header === 'host' ) { + if ( \array_key_exists( $header, $headers ) ) { + if ( 'host' === $header ) { if ( isset( $headers['x_original_host'] ) ) { - $signed_data .= 'host: ' . $headers['x_original_host'][0] . "\n"; + $signed_data .= $header . ': ' . $headers['x_original_host'][0] . "\n"; } else { - $signed_data .= $header . ': ' . $headers[$header][0] . "\n"; + $signed_data .= $header . ': ' . $headers[ $header ][0] . "\n"; } } else { - $signed_data .= $header . ': ' . $headers[$header][0] . "\n"; + $signed_data .= $header . ': ' . $headers[ $header ][0] . "\n"; } } - if ( $header === '(created)' ) { - if ( !empty( $signature_block['(created)'] ) && intval( $signature_block['(created)'] ) > time() ) { + if ( '(created)' === $header ) { + if ( ! \empty( $signature_block['(created)'] ) && \intval( $signature_block['(created)'] ) > \time() ) { // created in future return false; } $signed_data .= '(created): ' . $signature_block['(created)'] . "\n"; } - if ( $header === '(expires)' ) { - if ( !empty( $signature_block['(expires)'] ) && intval( $signature_block['(expires)'] ) < time() ) { + if ( '(expires)' === $header ) { + if ( ! empty( $signature_block['(expires)'] ) && \intval( $signature_block['(expires)'] ) < \time() ) { // expired in past return false; } $signed_data .= '(expires): ' . $signature_block['(expires)'] . "\n"; } - if ( $header === 'content-type' ) { + if ( 'content-type' === $header ) { $signed_data .= $header . ': ' . $headers['content_type'][0] . "\n"; } - if ( $header === 'date' ) { + if ( 'date' === $header ) { // allow a bit of leeway for misconfigured clocks. - $d = new DateTime( $headers[$header][0] ); - $d->setTimeZone( new DateTimeZone('UTC') ); + $d = new DateTime( $headers[ $header ][0] ); + $d->setTimeZone( new DateTimeZone( 'UTC' ) ); + $c = $d->format( 'U' ); - $dplus = time() + self::MAX_TIME_OFFSET; - $dminus = time() - self::MAX_TIME_OFFSET; - $c = wp_date( 'U' ); + $dplus = time() + ( 3 * HOUR_IN_SECONDS ); + $dminus = time() - ( 3 * HOUR_IN_SECONDS ); if ( $c > $dplus || $c < $dminus ) { // time out of range @@ -286,8 +283,7 @@ class Signature { } } } - // error_log( '$signed_data: ' . print_r( rtrim( $signed_data, "\n" ), true ) ); - return rtrim($signed_data, "\n"); + return \rtrim( $signed_data, "\n" ); } public static function generate_digest( $body ) {