support for hs2019

author: Mario <mario@mariovavti.com> 2022-03-10 09:44:37 +0000
committer: Mario <mario@mariovavti.com> 2022-03-10 09:44:37 +0000
commit: 9e7fd20adec8e3504ee19bd53d762a40c5ac75e4 (patch)
tree: 68b7bba13a5840d10dd6ba834967018352885663
parent: efa1d381ba8205ee64f41f1c3ba9f2416f15ef76 (diff)
download: volse-hubzilla-9e7fd20adec8e3504ee19bd53d762a40c5ac75e4.tar.gz
volse-hubzilla-9e7fd20adec8e3504ee19bd53d762a40c5ac75e4.tar.bz2
volse-hubzilla-9e7fd20adec8e3504ee19bd53d762a40c5ac75e4.zip
2 files changed, 61 insertions, 16 deletions
diff --git a/Zotlabs/Lib/Activity.php b/Zotlabs/Lib/Activity.php
index 721f2ed0e..f0e2bc805 100644
--- a/Zotlabs/Lib/Activity.php
+++ b/Zotlabs/Lib/Activity.php
@@ -1154,9 +1154,10 @@ class Activity {
 		$ret['url'] = $p['xchan_url'];
 
 		$ret['publicKey'] = [
-			'id'           => $p['xchan_url'],
-			'owner'        => $p['xchan_url'],
-			'publicKeyPem' => $p['xchan_pubkey']
+			'id'                 => $p['xchan_url'],
+			'owner'              => $p['xchan_url'],
+			'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+			'publicKeyPem'       => $p['xchan_pubkey']
 		];
 
 		if ($c) {
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index 660fdc4ce..15371d403 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -127,6 +127,7 @@ class HTTPSig {
 			if (array_key_exists($h, $headers)) {
 				$signed_data .= $h . ': ' . $headers[$h] . "\n";
 			}
+
 			if ($h === 'date') {
 				$d = new DateTime($headers[$h]);
 				$d->setTimeZone(new DateTimeZone('UTC'));
@@ -142,20 +143,34 @@ class HTTPSig {
 		$signed_data = rtrim($signed_data, "\n");
 
 		$algorithm = null;
+
 		if ($sig_block['algorithm'] === 'rsa-sha256') {
 			$algorithm = 'sha256';
 		}
+
 		if ($sig_block['algorithm'] === 'rsa-sha512') {
 			$algorithm = 'sha512';
 		}
 
-		if (!array_key_exists('keyId', $sig_block))
+		if (!array_key_exists('keyId', $sig_block)) {
 			return $result;
+		}
 
 		$result['signer'] = $sig_block['keyId'];
 
 		$cached_key = self::get_key($key, $keytype, $result['signer']);
 
+		if ($sig_block['algorithm'] === 'hs2019') {
+			if (isset($cached_key['algorithm'])) {
+				if (strpos($cached_key['algorithm'], 'rsa-sha256') !== false) {
+					$algorithm = 'sha256';
+				}
+
+				if (strpos($cached_key['algorithm'], 'rsa-sha512') !== false) {
+					$algorithm = 'sha512';
+				}
+			}
+		}
 
 		if (!($cached_key && $cached_key['public_key'])) {
 			return $result;
@@ -296,7 +311,7 @@ class HTTPSig {
 				$best = Libzot::zot_record_preferred($x);
 			}
 			if ($best && $best['xchan_pubkey']) {
-				return ['portable_id' => $best['xchan_hash'], 'public_key' => $best['xchan_pubkey'], 'hubloc' => $best];
+				return ['portable_id' => $best['xchan_hash'], 'public_key' => $best['xchan_pubkey'], 'algorithm' => get_xconfig($best['xchan_hash'], 'system', 'signing_algorithm'), 'hubloc' => $best];
 			}
 		}
 
@@ -308,15 +323,41 @@ class HTTPSig {
 
 		// The record wasn't in cache. Fetch it now.
 		$r = ActivityStreams::fetch($id);
-
-		if ($r) {
-			if (array_key_exists('publicKey', $r) && array_key_exists('publicKeyPem', $r['publicKey']) && array_key_exists('id', $r['publicKey'])) {
-				if ($r['publicKey']['id'] === $id || $r['id'] === $id) {
-					$portable_id = ((array_key_exists('owner', $r['publicKey'])) ? $r['publicKey']['owner'] : EMPTY_STR);
-					return ['public_key' => self::convertKey($r['publicKey']['publicKeyPem']), 'portable_id' => $portable_id, 'hubloc' => []];
-				}
-			}
-		}
+        $signatureAlgorithm = EMPTY_STR;
+
+        if ($r) {
+            if (array_key_exists('publicKey', $r) && array_key_exists('publicKeyPem', $r['publicKey']) && array_key_exists('id', $r['publicKey'])) {
+                if ($r['publicKey']['id'] === $id || $r['id'] === $id) {
+                    $portable_id = ((array_key_exists('owner', $r['publicKey'])) ? $r['publicKey']['owner'] : EMPTY_STR);
+
+                    // the w3c sec context has conflicting names and no defined values for this property except
+                    // "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+
+                    // Since the names conflict, it could mess up LD-signatures but we will accept both, and at this
+                    // time we will only look for the substrings 'rsa-sha256' and 'rsa-sha512' within those properties.
+                    // We will also accept a toplevel 'sigAlgorithm' regardless of namespace with the same constraints.
+                    // Default to rsa-sha256 if we can't figure out. If they're sending 'hs2019' we have to
+                    // look for something.
+
+                    if (isset($r['publicKey']['signingAlgorithm'])) {
+                        $signatureAlgorithm = $r['publicKey']['signingAlgorithm'];
+                        set_xconfig($portable_id, 'system', 'signing_algorithm', $signatureAlgorithm);
+                    }
+
+                    if (isset($r['publicKey']['signatureAlgorithm'])) {
+                        $signatureAlgorithm = $r['publicKey']['signatureAlgorithm'];
+                        set_xconfig($portable_id, 'system', 'signing_algorithm', $signatureAlgorithm);
+                    }
+
+                    if (isset($r['sigAlgorithm'])) {
+                        $signatureAlgorithm = $r['sigAlgorithm'];
+                        set_xconfig($portable_id, 'system', 'signing_algorithm', $signatureAlgorithm);
+                    }
+
+                    return ['public_key' => self::convertKey($r['publicKey']['publicKeyPem']), 'portable_id' => $portable_id, 'algorithm' => (($signatureAlgorithm) ? $signatureAlgorithm : 'rsa-sha256'), 'hubloc' => []];
+                }
+            }
+        }
 
 		// No key was found
 		return false;
@@ -343,7 +384,7 @@ class HTTPSig {
 			}
 
 			if ($best && $best['xchan_pubkey']) {
-				return ['portable_id' => $best['xchan_hash'], 'public_key' => $best['xchan_pubkey'], 'hubloc' => $best];
+				return ['portable_id' => $best['xchan_hash'], 'public_key' => $best['xchan_pubkey'], 'algorithm' => get_xconfig($best['xchan_hash'], 'system', 'signing_algorithm'), 'hubloc' => $best];
 			}
 		}
 
@@ -389,7 +430,7 @@ class HTTPSig {
 			}
 
 			if ($best && $best['xchan_pubkey']) {
-				return ['portable_id' => $best['xchan_hash'], 'public_key' => $best['xchan_pubkey'], 'hubloc' => $best];
+				return ['portable_id' => $best['xchan_hash'], 'public_key' => $best['xchan_pubkey'], 'algorithm' => get_xconfig($best['xchan_hash'], 'system', 'signing_algorithm'), 'hubloc' => $best];
 			}
 		}
 
@@ -461,6 +502,9 @@ class HTTPSig {
 
 		$x = self::sign($head, $prvkey, $alg);
 
+		// TODO: should we default to hs2019?
+		// $headerval = 'keyId="' . $keyid . '",algorithm="' . (($algorithm === 'rsa-sha256') ? 'hs2019' : $algorithm) . '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"';
+
 		$headerval = 'keyId="' . $keyid . '",algorithm="' . $algorithm . '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"';
 
 		if ($encryption) {
author	Mario <mario@mariovavti.com>	2022-03-10 09:44:37 +0000
committer	Mario <mario@mariovavti.com>	2022-03-10 09:44:37 +0000
commit	9e7fd20adec8e3504ee19bd53d762a40c5ac75e4 (patch)
tree	68b7bba13a5840d10dd6ba834967018352885663
parent	efa1d381ba8205ee64f41f1c3ba9f2416f15ef76 (diff)
download	volse-hubzilla-9e7fd20adec8e3504ee19bd53d762a40c5ac75e4.tar.gz volse-hubzilla-9e7fd20adec8e3504ee19bd53d762a40c5ac75e4.tar.bz2 volse-hubzilla-9e7fd20adec8e3504ee19bd53d762a40c5ac75e4.zip