pixelfed/app/Util/ActivityPub/HttpSignature.php

<?php

namespace App\Util\ActivityPub;

use App\Models\InstanceActor;
use App\Profile;
use Cache;
use DateTime;

class HttpSignature
{
    /*
     * source: https://github.com/aaronpk/Nautilus/blob/master/app/ActivityPub/HTTPSignature.php
     * thanks aaronpk!
     */

    public static function sign(Profile $profile, $url, $body = false, $addlHeaders = [])
    {
        if ($body) {
            $digest = self::_digest($body);
        }
        $user = $profile;
        $headers = self::_headersToSign($url, $body ? $digest : false);
        $headers = array_merge($headers, $addlHeaders);
        $stringToSign = self::_headersToSigningString($headers);
        $signedHeaders = implode(' ', array_map('strtolower', array_keys($headers)));
        $key = openssl_pkey_get_private($user->private_key);
        if (empty($key)) {
            return [];
        }
        openssl_sign($stringToSign, $signature, $key, OPENSSL_ALGO_SHA256);
        if (empty($signature)) {
            return [];
        }
        $signature = base64_encode($signature);
        $signatureHeader = 'keyId="'.$user->keyId().'",headers="'.$signedHeaders.'",algorithm="rsa-sha256",signature="'.$signature.'"';
        unset($headers['(request-target)']);
        $headers['Signature'] = $signatureHeader;

        return self::_headersToCurlArray($headers);
    }

    public static function signRaw($privateKey, $keyId, $url, $body = false, $addlHeaders = [])
    {
        if (empty($privateKey) || empty($keyId)) {
            return [];
        }
        if ($body) {
            $digest = self::_digest($body);
        }
        $headers = self::_headersToSign($url, $body ? $digest : false);
        $headers = array_merge($headers, $addlHeaders);
        $stringToSign = self::_headersToSigningString($headers);
        $signedHeaders = implode(' ', array_map('strtolower', array_keys($headers)));
        $key = openssl_pkey_get_private($privateKey);
        if (empty($key)) {
            return [];
        }
        openssl_sign($stringToSign, $signature, $key, OPENSSL_ALGO_SHA256);
        if (empty($signature)) {
            return [];
        }
        $signature = base64_encode($signature);
        $signatureHeader = 'keyId="'.$keyId.'",headers="'.$signedHeaders.'",algorithm="rsa-sha256",signature="'.$signature.'"';
        unset($headers['(request-target)']);
        $headers['Signature'] = $signatureHeader;

        return self::_headersToCurlArray($headers);
    }

    public static function instanceActorSign($url, $body = false, $addlHeaders = [], $method = 'post')
    {
        $keyId = config('app.url').'/i/actor#main-key';
        if(config_cache('database.default') === 'mysql') {
            $privateKey = Cache::rememberForever(InstanceActor::PKI_PRIVATE, function () {
                return InstanceActor::first()->private_key;
            });
        } else {
            $privateKey = InstanceActor::first()?->private_key;
        }
        abort_if(!$privateKey || empty($privateKey), 400, 'Missing instance actor key, please run php artisan instance:actor');
        if ($body) {
            $digest = self::_digest($body);
        }
        $headers = self::_headersToSign($url, $body ? $digest : false, $method);
        $headers = array_merge($headers, $addlHeaders);
        $stringToSign = self::_headersToSigningString($headers);
        $signedHeaders = implode(' ', array_map('strtolower', array_keys($headers)));
        $key = openssl_pkey_get_private($privateKey);
        openssl_sign($stringToSign, $signature, $key, OPENSSL_ALGO_SHA256);
        $signature = base64_encode($signature);
        $signatureHeader = 'keyId="'.$keyId.'",headers="'.$signedHeaders.'",algorithm="rsa-sha256",signature="'.$signature.'"';
        unset($headers['(request-target)']);
        $headers['Signature'] = $signatureHeader;

        return $headers;
    }

    public static function parseSignatureHeader($signature)
    {
        $parts = explode(',', $signature);
        $signatureData = [];

        foreach ($parts as $part) {
            if (preg_match('/(.+)="(.+)"/', $part, $match)) {
                $signatureData[$match[1]] = $match[2];
            }
        }

        if (! isset($signatureData['keyId'])) {
            return [
                'error' => 'No keyId was found in the signature header. Found: '.implode(', ', array_keys($signatureData)),
            ];
        }

        if (! filter_var($signatureData['keyId'], FILTER_VALIDATE_URL)) {
            return [
                'error' => 'keyId is not a URL: '.$signatureData['keyId'],
            ];
        }

        if (! Helpers::validateUrl($signatureData['keyId'])) {
            return [
                'error' => 'keyId is not a URL: '.$signatureData['keyId'],
            ];
        }

        if (! isset($signatureData['headers']) || ! isset($signatureData['signature'])) {
            return [
                'error' => 'Signature is missing headers or signature parts',
            ];
        }

        return $signatureData;
    }

    public static function verify($publicKey, $signatureData, $inputHeaders, $path, $body)
    {
        $digest = 'SHA-256='.base64_encode(hash('sha256', $body, true));
        $headersToSign = [];
        foreach (explode(' ', $signatureData['headers']) as $h) {
            if ($h == '(request-target)') {
                $headersToSign[$h] = 'post '.$path;
            } elseif ($h == 'digest') {
                $headersToSign[$h] = $digest;
            } elseif (isset($inputHeaders[$h][0])) {
                $headersToSign[$h] = $inputHeaders[$h][0];
            }
        }
        $signingString = self::_headersToSigningString($headersToSign);

        $verified = openssl_verify($signingString, base64_decode($signatureData['signature']), $publicKey, OPENSSL_ALGO_SHA256);

        return [$verified, $signingString];
    }

    private static function _headersToSigningString($headers)
    {
        return implode("\n", array_map(function ($k, $v) {
            return strtolower($k).': '.$v;
        }, array_keys($headers), $headers));
    }

    private static function _headersToCurlArray($headers)
    {
        return array_map(function ($k, $v) {
            return "$k: $v";
        }, array_keys($headers), $headers);
    }

    private static function _digest($body)
    {
        if (is_array($body)) {
            $body = json_encode($body);
        }

        return base64_encode(hash('sha256', $body, true));
    }

    protected static function _headersToSign($url, $digest = false, $method = 'post')
    {
        $date = new DateTime('UTC');

        if (! in_array($method, ['post', 'get'])) {
            throw new \Exception('Invalid method used to sign headers in HttpSignature');
        }
        $headers = [
            '(request-target)' => $method.' '.parse_url($url, PHP_URL_PATH),
            'Host' => parse_url($url, PHP_URL_HOST),
            'Date' => $date->format('D, d M Y H:i:s \G\M\T'),
        ];

        if ($digest) {
            $headers['Digest'] = 'SHA-256='.$digest;
        }

        return $headers;
    }
}