salmon protocol changes magicsig draft-experimental, fixes to hostxrd

6 files changed, 51 insertions, 18 deletions

diff --git a/boot.php b/boot.php
index 35f295d06..e1a1c5a50 100644
--- a/boot.php
+++ b/boot.php
@@ -320,13 +320,12 @@ class App {
 
 		/**
 		 * Special handling for the webfinger/lrdd host XRD file
-		 * Just spit out the contents and exit.
 		 */
 
 		if($this->cmd === '.well-known/host-meta') {
-			require_once('include/hostxrd.php');
-			hostxrd();
-			// NOTREACHED
+			$this->argc = 1;
+			$this->argv = array('hostxrd');
+			$this->module = 'hostxrd';
 		}
 
 		/**
diff --git a/include/salmon.php b/include/salmon.php
index 4994655df..f1cef0a49 100644
--- a/include/salmon.php
+++ b/include/salmon.php
@@ -110,7 +110,7 @@ EOT;
 	$data_type = 'application/atom+xml';
 	$encoding  = 'base64url';
 	$algorithm = 'RSA-SHA256';
-	$keyhash   = base64url_encode(hash('sha256',salmon_key($owner['spubkey'])));
+	$keyhash   = base64url_encode(hash('sha256',salmon_key($owner['spubkey'])),true);
 
 	// Setup RSA stuff to PKCS#1 sign the data
 
@@ -127,11 +127,14 @@ EOT;
 
 	$precomputed = '.YXBwbGljYXRpb24vYXRvbSt4bWw=.YmFzZTY0dXJs.UlNBLVNIQTI1Ng==';
 
-	$signature  = base64url_encode($rsa->sign($data . $precomputed));
+	$signature   = base64url_encode($rsa->sign(str_replace('=','',$data . $precomputed),true));
 
-	$signature2  = base64url_encode($rsa->sign($data));
+	$signature2  = base64url_encode($rsa->sign($data . $precomputed));
+
+	$signature3  = base64url_encode($rsa->sign($data));
 
 	$salmon_tpl = get_markup_template('magicsig.tpl');
+
 	$salmon = replace_macros($salmon_tpl,array(
 		'$data'      => $data,
 		'$encoding'  => $encoding,
@@ -153,11 +156,11 @@ EOT;
 
 	if($return_code > 299) {
 
-		logger('slapper: compliant salmon failed. Falling back to status.net hack');
+		logger('slapper: compliant salmon failed. Falling back to status.net hack2');
 
 		// Entirely likely that their salmon implementation is
 		// non-compliant. Let's try once more, this time only signing
-		// the data, without the precomputed blob 
+		// the data, without stripping '=' chars
 
 		$salmon = replace_macros($salmon_tpl,array(
 			'$data'      => $data,
@@ -174,6 +177,30 @@ EOT;
 		));
 		$return_code = $a->get_curl_code();
 
+
+		if($return_code > 299) {
+
+			logger('slapper: compliant salmon failed. Falling back to status.net hack3');
+
+			// Entirely likely that their salmon implementation is
+			// non-compliant. Let's try once more, this time only signing
+			// the data, without the precomputed blob 
+
+			$salmon = replace_macros($salmon_tpl,array(
+				'$data'      => $data,
+				'$encoding'  => $encoding,
+				'$algorithm' => $algorithm,
+				'$keyhash'   => $keyhash,
+				'$signature' => $signature3
+			));
+
+			// slap them 
+			post_url($url,$salmon, array(
+				'Content-type: application/magic-envelope+xml',
+				'Content-length: ' . strlen($salmon)
+			));
+			$return_code = $a->get_curl_code();
+		}
 	}
 	logger('slapper returned ' . $return_code); 
 	if(! $return_code)
diff --git a/include/hostxrd.php b/mod/hostxrd.php
index 18c3e4b1e..c7861d26d 100644
--- a/include/hostxrd.php
+++ b/mod/hostxrd.php
@@ -1,6 +1,6 @@
 <?php
 
-function hostxrd() {
+function hostxrd_init(&$a) {
 	header('Access-Control-Allow-Origin: *');
 	header("Content-type: text/xml");
 	$tpl = file_get_contents('view/xrd_host.tpl');
diff --git a/mod/salmon.php b/mod/salmon.php
index 56ac071b0..300ad8746 100644
--- a/mod/salmon.php
+++ b/mod/salmon.php
@@ -72,12 +72,16 @@ function salmon_post(&$a) {
 	$encoding = $base->encoding;
 	$alg = $base->alg;
 
-	// If we're talking to status.net or one of their ilk, they aren't following the magic envelope spec
-	// and only signed the data element. We'll be nice and let them validate anyway. 
+	// Salmon magic signatures have evolved and there is no way of knowing ahead of time which
+	// flavour we have. We'll try and verify it regardless.
 
 	$stnet_signed_data = $data;
+
 	$signed_data = $data  . '.' . base64url_encode($type) . '.' . base64url_encode($encoding) . '.' . base64url_encode($alg);
 
+	$compliant_format = str_replace('=','',$signed_data);
+
+
 	// decode the data
 	$data = base64url_decode($data);
 
@@ -150,13 +154,16 @@ function salmon_post(&$a) {
     $rsa->exponent = new Math_BigInteger($e, 256);
 
 	// We should have everything we need now. Let's see if it verifies.
-	// If it fails with the proper data format, try again using just the data
-	// (e.g. status.net)
 
-    $verify = $rsa->verify($signed_data,$signature);
+    $verify = $rsa->verify($compliant_format,$signature);
+
+	if(! $verify) {
+		logger('mod-salmon: message did not verify using protocol. Trying padding hack.');
+	    $verify = $rsa->verify($signed_data,$signature);
+    }
 
 	if(! $verify) {
-		logger('mod-salmon: message did not verify using protocol. Trying statusnet hack.');
+		logger('mod-salmon: message did not verify using padding. Trying old statusnet hack.');
 	    $verify = $rsa->verify($stnet_signed_data,$signature);
     }
 
diff --git a/mod/xrd.php b/mod/xrd.php
index 4889639f0..c96c18f3c 100644
--- a/mod/xrd.php
+++ b/mod/xrd.php
@@ -23,7 +23,7 @@ function xrd_content(&$a) {
 	if(! count($r))
 		killme();
 
-	$salmon_key = salmon_key($r[0]['spubkey']);
+	$salmon_key = str_replace('=','',salmon_key($r[0]['spubkey']));
 
 	header('Access-Control-Allow-Origin: *');
 	header("Content-type: text/xml");
diff --git a/view/magicsig.tpl b/view/magicsig.tpl
index 622e7c5a2..75f9bc475 100644
--- a/view/magicsig.tpl
+++ b/view/magicsig.tpl
@@ -5,5 +5,5 @@ $data
 </me:data>
 <me:encoding>$encoding</me:encoding>
 <me:alg>$algorithm</me:alg>
-<me:sig keyhash="$keyhash">$signature</me:sig>
+<me:sig key_id="$keyhash">$signature</me:sig>
 </me:env>