aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2017-09-24 16:46:52 -0700
committerzotlabs <mike@macgirvin.com>2017-09-24 16:46:52 -0700
commit866dc9a9b3ca1cd98fc032afe0aec14ccdb86ba0 (patch)
tree82d1394fc7820f75a05966bc7e661ccf662bfb4b
parent2988e33b57b8b971da86ce6e945f8c65f4ebb6b1 (diff)
downloadvolse-hubzilla-866dc9a9b3ca1cd98fc032afe0aec14ccdb86ba0.tar.gz
volse-hubzilla-866dc9a9b3ca1cd98fc032afe0aec14ccdb86ba0.tar.bz2
volse-hubzilla-866dc9a9b3ca1cd98fc032afe0aec14ccdb86ba0.zip
For zot6, allow HTTP Signatures to be encrypted, as they may contain sensitive (envelope, metadata) information.
-rw-r--r--Zotlabs/Web/HTTPSig.php52
1 files changed, 46 insertions, 6 deletions
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index 8062764fb..701c29be5 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -175,7 +175,8 @@ class HTTPSig {
- static function create_sig($request,$head,$prvkey,$keyid = 'Key',$send_headers = false,$auth = false,$alg = 'sha256') {
+ static function create_sig($request,$head,$prvkey,$keyid = 'Key',$send_headers = false,$auth = false,$alg = 'sha256',
+ $crypt_key = null, $crypt_algo = 'aes256ctr') {
$return_headers = [];
@@ -186,15 +187,21 @@ class HTTPSig {
$algorithm = 'rsa-sha512';
}
- $x = self::sign($request,$head,$prvkey,$alg);
+ $x = self::sign($request,$head,$prvkey,$alg);
- if($auth) {
- $sighead = 'Authorization: Signature keyId="' . $keyid . '",algorithm="' . $algorithm
+ $headerval = keyId="' . $keyid . '",algorithm="' . $algorithm
. '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"';
+
+ if($crypt_key) {
+ $x = crypto_encapsulate($headerval,$crypt_key,$crypt_alg);
+ $headerval = 'iv="' . $x['iv'] . '",key="' . $x['key'] . '",alg="' . $x['alg'] . '",data="' . $x['data'];
+ }
+
+ if($auth) {
+ $sighead = 'Authorization: Signature ' . $headerval;
}
else {
- $sighead = 'Signature: keyId="' . $keyid . '",algorithm="' . $algorithm
- . '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"';
+ $sighead = 'Signature: ' . $headerval;
}
if($head) {
@@ -249,8 +256,15 @@ class HTTPSig {
}
static function parse_sigheader($header) {
+
$ret = [];
$matches = [];
+
+ // if the header is encrypted, decrypt with (default) site private key and continue
+
+ if(preg_match('/iv="(.*?)"/ism',$header,$matches))
+ $header = self::decrypt_sigheader($header);
+
if(preg_match('/keyId="(.*?)"/ism',$header,$matches))
$ret['keyId'] = $matches[1];
if(preg_match('/algorithm="(.*?)"/ism',$header,$matches))
@@ -267,6 +281,32 @@ class HTTPSig {
}
+ static function decrypt_sigheader($header,$prvkey = null) {
+
+ $iv = $key = $alg = $data = null;
+
+ if(! $prvkey) {
+ $prvkey = get_config('system','prvkey');
+ }
+
+ $matches = [];
+
+ if(preg_match('/iv="(.*?)"/ism',$header,$matches))
+ $iv = $matches[1];
+ if(preg_match('/key="(.*?)"/ism',$header,$matches))
+ $key = $matches[1];
+ if(preg_match('/alg="(.*?)"/ism',$header,$matches))
+ $alg = $matches[1];
+ if(preg_match('/data="(.*?)"/ism',$header,$matches))
+ $data = $matches[1];
+
+ if($iv && $key && $alg && $data) {
+ return crypto_unencapsulate([ 'iv' => $iv, 'key' => $key, 'alg' => $alg, 'data' => $data ] , $prvkey);
+ }
+ return '';
+
+ }
+
}