code style phpcs
This commit is contained in:
parent
0c7cec3eba
commit
504bbb9999
1 changed files with 50 additions and 54 deletions
|
@ -1,8 +1,8 @@
|
||||||
<?php
|
<?php
|
||||||
namespace Activitypub;
|
namespace Activitypub;
|
||||||
|
|
||||||
// use DateTime;
|
use DateTime;
|
||||||
// use DateTimeZone;
|
use DateTimeZone;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ActivityPub Signature Class
|
* ActivityPub Signature Class
|
||||||
|
@ -15,7 +15,6 @@ class Signature {
|
||||||
* How much leeway to provide on the date header in seconds.
|
* How much leeway to provide on the date header in seconds.
|
||||||
* Not everybody uses NTP.
|
* Not everybody uses NTP.
|
||||||
*/
|
*/
|
||||||
const MAX_TIME_OFFSET = 10800;
|
|
||||||
|
|
||||||
const DEFAULT_SIGNING_ALGORITHM = 'sha256';
|
const DEFAULT_SIGNING_ALGORITHM = 'sha256';
|
||||||
|
|
||||||
|
@ -120,9 +119,9 @@ class Signature {
|
||||||
|
|
||||||
public static function verify_signature( $request = null ) {
|
public static function verify_signature( $request = null ) {
|
||||||
$headers = $request->get_headers();
|
$headers = $request->get_headers();
|
||||||
$headers["(request-target)"][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route();
|
$headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route();
|
||||||
|
|
||||||
if ( !$headers ) {
|
if ( ! $headers ) {
|
||||||
$headers = self::default_server_headers();
|
$headers = self::default_server_headers();
|
||||||
}
|
}
|
||||||
if ( array_key_exists( 'signature', $headers ) ) {
|
if ( array_key_exists( 'signature', $headers ) ) {
|
||||||
|
@ -131,13 +130,13 @@ class Signature {
|
||||||
$signature_block = self::parse_signature_header( $headers['authorization'] );
|
$signature_block = self::parse_signature_header( $headers['authorization'] );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( !$signature_block ) {
|
if ( ! $signature_block ) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$signed_headers = $signature_block['headers'];
|
$signed_headers = $signature_block['headers'];
|
||||||
if ( ! $signed_headers ) {
|
if ( ! $signed_headers ) {
|
||||||
$signed_headers = ['date'];
|
$signed_headers = array( 'date' );
|
||||||
}
|
}
|
||||||
|
|
||||||
$signed_data = self::get_signed_data( $signed_headers, $signature_block, $headers );
|
$signed_data = self::get_signed_data( $signed_headers, $signature_block, $headers );
|
||||||
|
@ -150,37 +149,36 @@ class Signature {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( in_array( 'digest', $signed_headers ) && isset( $body ) ) {
|
if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) {
|
||||||
$digest = explode( '=', $headers['digest'], 2 );
|
$digest = explode( '=', $headers['digest'], 2 );
|
||||||
if ( $digest[0] === 'SHA-256' ) {
|
if ( 'SHA-256' === $digest[0] ) {
|
||||||
$hashalg = 'sha256';
|
$hashalg = 'sha256';
|
||||||
}
|
}
|
||||||
if ( $digest[0] === 'SHA-512' ) {
|
if ( 'SHA-512' === $digest[0] ) {
|
||||||
$hashalg = 'sha512';
|
$hashalg = 'sha512';
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO Test
|
if ( \base64_encode( \hash( $hashalg, $body, true ) ) !== $digest[1] ) { // phpcs:ignore
|
||||||
if ( base64_encode( hash( $hashalg, $body, true ) ) !== $digest[1] ) {
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$public_key = $key?? self::get_key( $signature_block['keyId'] );
|
$public_key = isset( $key ) ? $key : self::get_key( $signature_block['keyId'] );
|
||||||
|
|
||||||
return \openssl_verify( $signed_data,$signature_block['signature'], $public_key, $algorithm ) > 0;
|
return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function default_server_headers() {
|
public static function default_server_headers() {
|
||||||
$headers = array(
|
$headers = array(
|
||||||
'(request-target)' => strtolower( $_SERVER['REQUEST_METHOD'] ) . ' ' . $_SERVER['REQUEST_URI'],
|
'(request-target)' => strtolower( $_SERVER['REQUEST_METHOD'] ) . ' ' . $_SERVER['REQUEST_URI'],
|
||||||
'content-type' => $_SERVER['CONTENT_TYPE'],
|
'content-type' => $_SERVER['CONTENT_TYPE'],
|
||||||
'content-length' => $_SERVER['CONTENT_LENGTH'],
|
'content-length' => $_SERVER['CONTENT_LENGTH'],
|
||||||
);
|
);
|
||||||
foreach ( $_SERVER as $k => $v ) {
|
foreach ( $_SERVER as $k => $v ) {
|
||||||
if ( strpos( $k, 'HTTP_' ) === 0 ) {
|
if ( \strpos( $k, 'HTTP_' ) === 0 ) {
|
||||||
$field = str_replace( '_', '-', strtolower( substr( $k, 5 ) ) );
|
$field = \str_replace( '_', '-', \strtolower( \substr( $k, 5 ) ) );
|
||||||
$headers[$field] = $v;
|
$headers[ $field ] = $v;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return $headers;
|
return $headers;
|
||||||
|
@ -199,86 +197,85 @@ class Signature {
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function parse_signature_header( $header ) {
|
public static function parse_signature_header( $header ) {
|
||||||
$ret = [];
|
$ret = array();
|
||||||
$matches = [];
|
$matches = array();
|
||||||
$h_string = implode( ',', (array) $header[0] );
|
$h_string = \implode( ',', (array) $header[0] );
|
||||||
|
|
||||||
if ( preg_match( '/keyId="(.*?)"/ism', $h_string, $matches ) ) {
|
if ( \preg_match( '/keyId="(.*?)"/ism', $h_string, $matches ) ) {
|
||||||
$ret['keyId'] = $matches[1];
|
$ret['keyId'] = $matches[1];
|
||||||
}
|
}
|
||||||
if ( preg_match( '/created=([0-9]*)/ism', $h_string, $matches ) ) {
|
if ( \preg_match( '/created=([0-9]*)/ism', $h_string, $matches ) ) {
|
||||||
$ret['(created)'] = $matches[1];
|
$ret['(created)'] = $matches[1];
|
||||||
}
|
}
|
||||||
if ( preg_match( '/expires=([0-9]*)/ism', $h_string, $matches ) ) {
|
if ( \preg_match( '/expires=([0-9]*)/ism', $h_string, $matches ) ) {
|
||||||
$ret['(expires)'] = $matches[1];
|
$ret['(expires)'] = $matches[1];
|
||||||
}
|
}
|
||||||
if ( preg_match( '/algorithm="(.*?)"/ism', $h_string, $matches ) ) {
|
if ( \preg_match( '/algorithm="(.*?)"/ism', $h_string, $matches ) ) {
|
||||||
$ret['algorithm'] = $matches[1];
|
$ret['algorithm'] = $matches[1];
|
||||||
}
|
}
|
||||||
if ( preg_match( '/headers="(.*?)"/ism', $h_string, $matches ) ) {
|
if ( \preg_match( '/headers="(.*?)"/ism', $h_string, $matches ) ) {
|
||||||
$ret['headers'] = explode( ' ', $matches[1] );
|
$ret['headers'] = \explode( ' ', $matches[1] );
|
||||||
}
|
}
|
||||||
if ( preg_match( '/signature="(.*?)"/ism', $h_string, $matches ) ) {
|
if ( \preg_match( '/signature="(.*?)"/ism', $h_string, $matches ) ) {
|
||||||
$ret['signature'] = base64_decode( preg_replace( '/\s+/', '', $matches[1] ) );
|
$ret['signature'] = \base64_decode( preg_replace( '/\s+/', '', $matches[1] ) ); // phpcs:ignore
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ( $ret['signature'] ) && ( $ret['algorithm'] ) && ( !$ret['headers'] ) ) {
|
if ( ( $ret['signature'] ) && ( $ret['algorithm'] ) && ( ! $ret['headers'] ) ) {
|
||||||
$ret['headers'] = ['date'];
|
$ret['headers'] = array( 'date' );
|
||||||
}
|
}
|
||||||
|
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function get_key( $keyId ) {
|
public static function get_key( $keyId ) { // phpcs:ignore
|
||||||
// If there was no key passed to verify, it will find the keyId and call this
|
// If there was no key passed to verify, it will find the keyId and call this
|
||||||
// function to fetch the public key from stored data or a network fetch.
|
// function to fetch the public key from stored data or a network fetch.
|
||||||
$actor = \strip_fragment_from_url( $keyId );
|
$actor = \strip_fragment_from_url( $keyId ); // phpcs:ignore
|
||||||
$publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId );
|
$publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId ); // phpcs:ignore
|
||||||
return rtrim( $publicKeyPem );
|
return \rtrim( $publicKeyPem ); // phpcs:ignore
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public static function get_signed_data( $signed_headers, $signature_block, $headers ) {
|
public static function get_signed_data( $signed_headers, $signature_block, $headers ) {
|
||||||
|
|
||||||
$signed_data = '';
|
$signed_data = '';
|
||||||
// This also verifies time-based values by returning false if any of these are out of range.
|
// This also verifies time-based values by returning false if any of these are out of range.
|
||||||
foreach ( $signed_headers as $header ) {
|
foreach ( $signed_headers as $header ) {
|
||||||
if ( array_key_exists($header, $headers ) ) {
|
if ( \array_key_exists( $header, $headers ) ) {
|
||||||
if ( $header === 'host' ) {
|
if ( 'host' === $header ) {
|
||||||
if ( isset( $headers['x_original_host'] ) ) {
|
if ( isset( $headers['x_original_host'] ) ) {
|
||||||
$signed_data .= 'host: ' . $headers['x_original_host'][0] . "\n";
|
$signed_data .= $header . ': ' . $headers['x_original_host'][0] . "\n";
|
||||||
} else {
|
} else {
|
||||||
$signed_data .= $header . ': ' . $headers[$header][0] . "\n";
|
$signed_data .= $header . ': ' . $headers[ $header ][0] . "\n";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$signed_data .= $header . ': ' . $headers[$header][0] . "\n";
|
$signed_data .= $header . ': ' . $headers[ $header ][0] . "\n";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ( $header === '(created)' ) {
|
if ( '(created)' === $header ) {
|
||||||
if ( !empty( $signature_block['(created)'] ) && intval( $signature_block['(created)'] ) > time() ) {
|
if ( ! \empty( $signature_block['(created)'] ) && \intval( $signature_block['(created)'] ) > \time() ) {
|
||||||
// created in future
|
// created in future
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
$signed_data .= '(created): ' . $signature_block['(created)'] . "\n";
|
$signed_data .= '(created): ' . $signature_block['(created)'] . "\n";
|
||||||
}
|
}
|
||||||
if ( $header === '(expires)' ) {
|
if ( '(expires)' === $header ) {
|
||||||
if ( !empty( $signature_block['(expires)'] ) && intval( $signature_block['(expires)'] ) < time() ) {
|
if ( ! empty( $signature_block['(expires)'] ) && \intval( $signature_block['(expires)'] ) < \time() ) {
|
||||||
// expired in past
|
// expired in past
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
$signed_data .= '(expires): ' . $signature_block['(expires)'] . "\n";
|
$signed_data .= '(expires): ' . $signature_block['(expires)'] . "\n";
|
||||||
}
|
}
|
||||||
if ( $header === 'content-type' ) {
|
if ( 'content-type' === $header ) {
|
||||||
$signed_data .= $header . ': ' . $headers['content_type'][0] . "\n";
|
$signed_data .= $header . ': ' . $headers['content_type'][0] . "\n";
|
||||||
}
|
}
|
||||||
if ( $header === 'date' ) {
|
if ( 'date' === $header ) {
|
||||||
// allow a bit of leeway for misconfigured clocks.
|
// allow a bit of leeway for misconfigured clocks.
|
||||||
$d = new DateTime( $headers[$header][0] );
|
$d = new DateTime( $headers[ $header ][0] );
|
||||||
$d->setTimeZone( new DateTimeZone('UTC') );
|
$d->setTimeZone( new DateTimeZone( 'UTC' ) );
|
||||||
|
$c = $d->format( 'U' );
|
||||||
|
|
||||||
$dplus = time() + self::MAX_TIME_OFFSET;
|
$dplus = time() + ( 3 * HOUR_IN_SECONDS );
|
||||||
$dminus = time() - self::MAX_TIME_OFFSET;
|
$dminus = time() - ( 3 * HOUR_IN_SECONDS );
|
||||||
$c = wp_date( 'U' );
|
|
||||||
|
|
||||||
if ( $c > $dplus || $c < $dminus ) {
|
if ( $c > $dplus || $c < $dminus ) {
|
||||||
// time out of range
|
// time out of range
|
||||||
|
@ -286,8 +283,7 @@ class Signature {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// error_log( '$signed_data: ' . print_r( rtrim( $signed_data, "\n" ), true ) );
|
return \rtrim( $signed_data, "\n" );
|
||||||
return rtrim($signed_data, "\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function generate_digest( $body ) {
|
public static function generate_digest( $body ) {
|
||||||
|
|
Loading…
Reference in a new issue