|
|
@@ -2,146 +2,159 @@
|
|
|
|
|
|
namespace App\Util\ActivityPub;
|
|
|
|
|
|
-use Cache, Log;
|
|
|
use App\Models\InstanceActor;
|
|
|
use App\Profile;
|
|
|
-use \DateTime;
|
|
|
-
|
|
|
-class HttpSignature {
|
|
|
-
|
|
|
- /*
|
|
|
- * source: https://github.com/aaronpk/Nautilus/blob/master/app/ActivityPub/HTTPSignature.php
|
|
|
- * thanks aaronpk!
|
|
|
- */
|
|
|
-
|
|
|
- public static function sign(Profile $profile, $url, $body = false, $addlHeaders = []) {
|
|
|
- if($body) {
|
|
|
- $digest = self::_digest($body);
|
|
|
- }
|
|
|
- $user = $profile;
|
|
|
- $headers = self::_headersToSign($url, $body ? $digest : false);
|
|
|
- $headers = array_merge($headers, $addlHeaders);
|
|
|
- $stringToSign = self::_headersToSigningString($headers);
|
|
|
- $signedHeaders = implode(' ', array_map('strtolower', array_keys($headers)));
|
|
|
- $key = openssl_pkey_get_private($user->private_key);
|
|
|
- openssl_sign($stringToSign, $signature, $key, OPENSSL_ALGO_SHA256);
|
|
|
- $signature = base64_encode($signature);
|
|
|
- $signatureHeader = 'keyId="'.$user->keyId().'",headers="'.$signedHeaders.'",algorithm="rsa-sha256",signature="'.$signature.'"';
|
|
|
- unset($headers['(request-target)']);
|
|
|
- $headers['Signature'] = $signatureHeader;
|
|
|
-
|
|
|
- return self::_headersToCurlArray($headers);
|
|
|
- }
|
|
|
-
|
|
|
- public static function instanceActorSign($url, $body = false, $addlHeaders = [], $method = 'post')
|
|
|
- {
|
|
|
- $keyId = config('app.url') . '/i/actor#main-key';
|
|
|
- $privateKey = Cache::rememberForever(InstanceActor::PKI_PRIVATE, function() {
|
|
|
- return InstanceActor::first()->private_key;
|
|
|
- });
|
|
|
- if($body) {
|
|
|
- $digest = self::_digest($body);
|
|
|
- }
|
|
|
- $headers = self::_headersToSign($url, $body ? $digest : false, $method);
|
|
|
- $headers = array_merge($headers, $addlHeaders);
|
|
|
- $stringToSign = self::_headersToSigningString($headers);
|
|
|
- $signedHeaders = implode(' ', array_map('strtolower', array_keys($headers)));
|
|
|
- $key = openssl_pkey_get_private($privateKey);
|
|
|
- openssl_sign($stringToSign, $signature, $key, OPENSSL_ALGO_SHA256);
|
|
|
- $signature = base64_encode($signature);
|
|
|
- $signatureHeader = 'keyId="'.$keyId.'",headers="'.$signedHeaders.'",algorithm="rsa-sha256",signature="'.$signature.'"';
|
|
|
- unset($headers['(request-target)']);
|
|
|
- $headers['Signature'] = $signatureHeader;
|
|
|
-
|
|
|
- return $headers;
|
|
|
- }
|
|
|
-
|
|
|
- public static function parseSignatureHeader($signature) {
|
|
|
- $parts = explode(',', $signature);
|
|
|
- $signatureData = [];
|
|
|
-
|
|
|
- foreach($parts as $part) {
|
|
|
- if(preg_match('/(.+)="(.+)"/', $part, $match)) {
|
|
|
- $signatureData[$match[1]] = $match[2];
|
|
|
- }
|
|
|
+use Cache;
|
|
|
+use DateTime;
|
|
|
+
|
|
|
+class HttpSignature
|
|
|
+{
|
|
|
+ /*
|
|
|
+ * source: https://github.com/aaronpk/Nautilus/blob/master/app/ActivityPub/HTTPSignature.php
|
|
|
+ * thanks aaronpk!
|
|
|
+ */
|
|
|
+
|
|
|
+ public static function sign(Profile $profile, $url, $body = false, $addlHeaders = [])
|
|
|
+ {
|
|
|
+ if ($body) {
|
|
|
+ $digest = self::_digest($body);
|
|
|
+ }
|
|
|
+ $user = $profile;
|
|
|
+ $headers = self::_headersToSign($url, $body ? $digest : false);
|
|
|
+ $headers = array_merge($headers, $addlHeaders);
|
|
|
+ $stringToSign = self::_headersToSigningString($headers);
|
|
|
+ $signedHeaders = implode(' ', array_map('strtolower', array_keys($headers)));
|
|
|
+ $key = openssl_pkey_get_private($user->private_key);
|
|
|
+ openssl_sign($stringToSign, $signature, $key, OPENSSL_ALGO_SHA256);
|
|
|
+ $signature = base64_encode($signature);
|
|
|
+ $signatureHeader = 'keyId="'.$user->keyId().'",headers="'.$signedHeaders.'",algorithm="rsa-sha256",signature="'.$signature.'"';
|
|
|
+ unset($headers['(request-target)']);
|
|
|
+ $headers['Signature'] = $signatureHeader;
|
|
|
+
|
|
|
+ return self::_headersToCurlArray($headers);
|
|
|
}
|
|
|
|
|
|
- if(!isset($signatureData['keyId'])) {
|
|
|
- return [
|
|
|
- 'error' => 'No keyId was found in the signature header. Found: '.implode(', ', array_keys($signatureData))
|
|
|
- ];
|
|
|
+ public static function instanceActorSign($url, $body = false, $addlHeaders = [], $method = 'post')
|
|
|
+ {
|
|
|
+ $keyId = config('app.url').'/i/actor#main-key';
|
|
|
+ $privateKey = Cache::rememberForever(InstanceActor::PKI_PRIVATE, function () {
|
|
|
+ return InstanceActor::first()->private_key;
|
|
|
+ });
|
|
|
+ if ($body) {
|
|
|
+ $digest = self::_digest($body);
|
|
|
+ }
|
|
|
+ $headers = self::_headersToSign($url, $body ? $digest : false, $method);
|
|
|
+ $headers = array_merge($headers, $addlHeaders);
|
|
|
+ $stringToSign = self::_headersToSigningString($headers);
|
|
|
+ $signedHeaders = implode(' ', array_map('strtolower', array_keys($headers)));
|
|
|
+ $key = openssl_pkey_get_private($privateKey);
|
|
|
+ openssl_sign($stringToSign, $signature, $key, OPENSSL_ALGO_SHA256);
|
|
|
+ $signature = base64_encode($signature);
|
|
|
+ $signatureHeader = 'keyId="'.$keyId.'",headers="'.$signedHeaders.'",algorithm="rsa-sha256",signature="'.$signature.'"';
|
|
|
+ unset($headers['(request-target)']);
|
|
|
+ $headers['Signature'] = $signatureHeader;
|
|
|
+
|
|
|
+ return $headers;
|
|
|
}
|
|
|
|
|
|
- if(!filter_var($signatureData['keyId'], FILTER_VALIDATE_URL)) {
|
|
|
- return [
|
|
|
- 'error' => 'keyId is not a URL: '.$signatureData['keyId']
|
|
|
- ];
|
|
|
+ public static function parseSignatureHeader($signature)
|
|
|
+ {
|
|
|
+ $parts = explode(',', $signature);
|
|
|
+ $signatureData = [];
|
|
|
+
|
|
|
+ foreach ($parts as $part) {
|
|
|
+ if (preg_match('/(.+)="(.+)"/', $part, $match)) {
|
|
|
+ $signatureData[$match[1]] = $match[2];
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (! isset($signatureData['keyId'])) {
|
|
|
+ return [
|
|
|
+ 'error' => 'No keyId was found in the signature header. Found: '.implode(', ', array_keys($signatureData)),
|
|
|
+ ];
|
|
|
+ }
|
|
|
+
|
|
|
+ if (! filter_var($signatureData['keyId'], FILTER_VALIDATE_URL)) {
|
|
|
+ return [
|
|
|
+ 'error' => 'keyId is not a URL: '.$signatureData['keyId'],
|
|
|
+ ];
|
|
|
+ }
|
|
|
+
|
|
|
+ if (! Helpers::validateUrl($signatureData['keyId'])) {
|
|
|
+ return [
|
|
|
+ 'error' => 'keyId is not a URL: '.$signatureData['keyId'],
|
|
|
+ ];
|
|
|
+ }
|
|
|
+
|
|
|
+ if (! isset($signatureData['headers']) || ! isset($signatureData['signature'])) {
|
|
|
+ return [
|
|
|
+ 'error' => 'Signature is missing headers or signature parts',
|
|
|
+ ];
|
|
|
+ }
|
|
|
+
|
|
|
+ return $signatureData;
|
|
|
}
|
|
|
|
|
|
- if(!isset($signatureData['headers']) || !isset($signatureData['signature'])) {
|
|
|
- return [
|
|
|
- 'error' => 'Signature is missing headers or signature parts'
|
|
|
- ];
|
|
|
+ public static function verify($publicKey, $signatureData, $inputHeaders, $path, $body)
|
|
|
+ {
|
|
|
+ $digest = 'SHA-256='.base64_encode(hash('sha256', $body, true));
|
|
|
+ $headersToSign = [];
|
|
|
+ foreach (explode(' ', $signatureData['headers']) as $h) {
|
|
|
+ if ($h == '(request-target)') {
|
|
|
+ $headersToSign[$h] = 'post '.$path;
|
|
|
+ } elseif ($h == 'digest') {
|
|
|
+ $headersToSign[$h] = $digest;
|
|
|
+ } elseif (isset($inputHeaders[$h][0])) {
|
|
|
+ $headersToSign[$h] = $inputHeaders[$h][0];
|
|
|
+ }
|
|
|
+ }
|
|
|
+ $signingString = self::_headersToSigningString($headersToSign);
|
|
|
+
|
|
|
+ $verified = openssl_verify($signingString, base64_decode($signatureData['signature']), $publicKey, OPENSSL_ALGO_SHA256);
|
|
|
+
|
|
|
+ return [$verified, $signingString];
|
|
|
}
|
|
|
|
|
|
- return $signatureData;
|
|
|
- }
|
|
|
-
|
|
|
- public static function verify($publicKey, $signatureData, $inputHeaders, $path, $body) {
|
|
|
- $digest = 'SHA-256='.base64_encode(hash('sha256', $body, true));
|
|
|
- $headersToSign = [];
|
|
|
- foreach(explode(' ',$signatureData['headers']) as $h) {
|
|
|
- if($h == '(request-target)') {
|
|
|
- $headersToSign[$h] = 'post '.$path;
|
|
|
- } elseif($h == 'digest') {
|
|
|
- $headersToSign[$h] = $digest;
|
|
|
- } elseif(isset($inputHeaders[$h][0])) {
|
|
|
- $headersToSign[$h] = $inputHeaders[$h][0];
|
|
|
- }
|
|
|
+ private static function _headersToSigningString($headers)
|
|
|
+ {
|
|
|
+ return implode("\n", array_map(function ($k, $v) {
|
|
|
+ return strtolower($k).': '.$v;
|
|
|
+ }, array_keys($headers), $headers));
|
|
|
}
|
|
|
- $signingString = self::_headersToSigningString($headersToSign);
|
|
|
-
|
|
|
- $verified = openssl_verify($signingString, base64_decode($signatureData['signature']), $publicKey, OPENSSL_ALGO_SHA256);
|
|
|
|
|
|
- return [$verified, $signingString];
|
|
|
- }
|
|
|
-
|
|
|
- private static function _headersToSigningString($headers) {
|
|
|
- return implode("\n", array_map(function($k, $v){
|
|
|
- return strtolower($k).': '.$v;
|
|
|
- }, array_keys($headers), $headers));
|
|
|
- }
|
|
|
+ private static function _headersToCurlArray($headers)
|
|
|
+ {
|
|
|
+ return array_map(function ($k, $v) {
|
|
|
+ return "$k: $v";
|
|
|
+ }, array_keys($headers), $headers);
|
|
|
+ }
|
|
|
|
|
|
- private static function _headersToCurlArray($headers) {
|
|
|
- return array_map(function($k, $v){
|
|
|
- return "$k: $v";
|
|
|
- }, array_keys($headers), $headers);
|
|
|
- }
|
|
|
+ private static function _digest($body)
|
|
|
+ {
|
|
|
+ if (is_array($body)) {
|
|
|
+ $body = json_encode($body);
|
|
|
+ }
|
|
|
|
|
|
- private static function _digest($body) {
|
|
|
- if(is_array($body)) {
|
|
|
- $body = json_encode($body);
|
|
|
+ return base64_encode(hash('sha256', $body, true));
|
|
|
}
|
|
|
- return base64_encode(hash('sha256', $body, true));
|
|
|
- }
|
|
|
|
|
|
- protected static function _headersToSign($url, $digest = false, $method = 'post') {
|
|
|
- $date = new DateTime('UTC');
|
|
|
+ protected static function _headersToSign($url, $digest = false, $method = 'post')
|
|
|
+ {
|
|
|
+ $date = new DateTime('UTC');
|
|
|
|
|
|
- if(!in_array($method, ['post', 'get'])) {
|
|
|
- throw new \Exception('Invalid method used to sign headers in HttpSignature');
|
|
|
- }
|
|
|
- $headers = [
|
|
|
- '(request-target)' => $method . ' '.parse_url($url, PHP_URL_PATH),
|
|
|
- 'Host' => parse_url($url, PHP_URL_HOST),
|
|
|
- 'Date' => $date->format('D, d M Y H:i:s \G\M\T'),
|
|
|
- ];
|
|
|
-
|
|
|
- if($digest) {
|
|
|
- $headers['Digest'] = 'SHA-256='.$digest;
|
|
|
- }
|
|
|
+ if (! in_array($method, ['post', 'get'])) {
|
|
|
+ throw new \Exception('Invalid method used to sign headers in HttpSignature');
|
|
|
+ }
|
|
|
+ $headers = [
|
|
|
+ '(request-target)' => $method.' '.parse_url($url, PHP_URL_PATH),
|
|
|
+ 'Host' => parse_url($url, PHP_URL_HOST),
|
|
|
+ 'Date' => $date->format('D, d M Y H:i:s \G\M\T'),
|
|
|
+ ];
|
|
|
|
|
|
- return $headers;
|
|
|
- }
|
|
|
+ if ($digest) {
|
|
|
+ $headers['Digest'] = 'SHA-256='.$digest;
|
|
|
+ }
|
|
|
|
|
|
+ return $headers;
|
|
|
+ }
|
|
|
}
|
Daniel Supernault