Resolved merge conflicts

3 files changed, 44 insertions, 15 deletions

diff --git a/Zotlabs/Zot6/HTTPSig.php b/Zotlabs/Zot6/HTTPSig.php
index a0f0d3500..72785b1e9 100644
--- a/Zotlabs/Zot6/HTTPSig.php
+++ b/Zotlabs/Zot6/HTTPSig.php
@@ -48,12 +48,14 @@ class HTTPSig {
 			$h = new HTTPHeaders($data['header']);
 			$headers = $h->fetcharr();
 			$body = $data['body'];
+			$headers['(request-target)'] = $data['request_target'];
 		}
 
 		else {
 			$headers = [];
 			$headers['(request-target)'] = strtolower($_SERVER['REQUEST_METHOD']) . ' ' . $_SERVER['REQUEST_URI'];
 			$headers['content-type'] = $_SERVER['CONTENT_TYPE'];
+			$headers['content-length'] = $_SERVER['CONTENT_LENGTH'];
 
 			foreach($_SERVER as $k => $v) {
 				if(strpos($k,'HTTP_') === 0) {
@@ -121,6 +123,17 @@ class HTTPSig {
 			if(array_key_exists($h,$headers)) {
 				$signed_data .= $h . ': ' . $headers[$h] . "\n";
 			}
+			if($h === 'date') {
+				$d = new \DateTime($headers[$h]);
+				$d->setTimeZone(new \DateTimeZone('UTC'));
+				$dplus = datetime_convert('UTC','UTC','now + 1 day');
+				$dminus = datetime_convert('UTC','UTC','now - 1 day');
+				$c = $d->format('Y-m-d H:i:s');
+				if($c > $dplus || $c < $dminus) {
+					logger('bad time: ' . $c);
+					return $result;
+				}
+			}
 		}
 		$signed_data = rtrim($signed_data,"\n");
 
@@ -147,8 +160,15 @@ class HTTPSig {
 
 		logger('verified: ' . $x, LOGGER_DEBUG);
 
-		if(! $x)
+		if(! $x) {
+			logger('verify failed for ' . $result['signer'] . ' alg=' . $algorithm . (($key['public_key']) ? '' : ' no key'));
+			$sig_block['signature'] = base64_encode($sig_block['signature']);
+			logger('affected sigblock: ' . print_r($sig_block,true));
+			logger('signed_data: ' . print_r($signed_data,true));
+			logger('headers: ' . print_r($headers,true));
+			logger('server: ' . print_r($_SERVER,true));
 			return $result;
+		}
 
 		$result['portable_id'] = $key['portable_id'];
 		$result['header_valid'] = true;
@@ -180,7 +200,9 @@ class HTTPSig {
 			return [ 'public_key' => $key ];
 		}
 
-		$key = self::get_webfinger_key($id);
+		if(strpos($id,'#') === false) {
+			$key = self::get_webfinger_key($id);
+		}
 
 		if(! $key) {
 			$key = self::get_activitystreams_key($id);
@@ -216,25 +238,29 @@ class HTTPSig {
 
 	function get_activitystreams_key($id) {
 
+		// remove fragment
+
+		$url = ((strpos($id,'#')) ? substr($id,0,strpos($id,'#')) : $id);
+
 		$x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1",
-			dbesc(str_replace('acct:','',$id)),
-			dbesc($id)
+			dbesc(str_replace('acct:','',$url)),
+			dbesc($url)
 		);
 
 		if($x && $x[0]['xchan_pubkey']) {
 			return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ];
 		}
 
-		$r = ActivityStreams::fetch_property($id);
+		$r = ActivityStreams::fetch($id);
 
 		if($r) {
-			if(array_key_exists('publicKey',$j) && array_key_exists('publicKeyPem',$j['publicKey']) && array_key_exists('id',$j['publicKey'])) {
-				if($j['publicKey']['id'] === $id || $j['id'] === $id) {
-					return [ 'public_key' => self::convertKey($j['publicKey']['publicKeyPem']), 'portable_id' => '', 'hubloc' => [] ];
+			if(array_key_exists('publicKey',$r) && array_key_exists('publicKeyPem',$r['publicKey']) && array_key_exists('id',$r['publicKey'])) {
+				if($r['publicKey']['id'] === $id || $r['id'] === $id) {
+					$portable_id = ((array_key_exists('owner',$r['publicKey'])) ? $r['publicKey']['owner'] : EMPTY_STR);
+					return [ 'public_key' => self::convertKey($r['publicKey']['publicKeyPem']), 'portable_id' => $portable_id, 'hubloc' => [] ];
 				}
 			}
 		}
-
 		return false;
 	}
 
@@ -409,6 +435,8 @@ class HTTPSig {
 		$headers = '';
 		$fields  = '';
 
+		logger('signing: ' . print_r($head,true), LOGGER_DATA);
+
 		if($head) {
 			foreach($head as $k => $v) {
 				$headers .= strtolower($k) . ': ' . trim($v) . "\n";
diff --git a/Zotlabs/Zot6/Receiver.php b/Zotlabs/Zot6/Receiver.php
index 4f26e2b0c..66559c9a5 100644
--- a/Zotlabs/Zot6/Receiver.php
+++ b/Zotlabs/Zot6/Receiver.php
@@ -4,7 +4,7 @@ namespace Zotlabs\Zot6;
 
 use Zotlabs\Lib\Config;
 use Zotlabs\Lib\Libzot;
-use Zotlabs\Web\HTTPSig;
+
 
 class Receiver {
 
diff --git a/Zotlabs/Zot6/Zot6Handler.php b/Zotlabs/Zot6/Zot6Handler.php
index 5597921cc..e320e7825 100644
--- a/Zotlabs/Zot6/Zot6Handler.php
+++ b/Zotlabs/Zot6/Zot6Handler.php
@@ -70,9 +70,10 @@ class Zot6Handler implements IHandler {
 			// This would be a permissions update, typically for one connection
 
 			foreach ($recipients as $recip) {
+
 				$r = q("select channel.*,xchan.* from channel
-					left join xchan on channel_hash = xchan_hash
-					where channel_hash ='%s' limit 1",
+					left join xchan on channel_portable_id = xchan_hash
+					where xchan_hash ='%s' limit 1",
 					dbesc($recip)
 				);
 
@@ -140,7 +141,7 @@ class Zot6Handler implements IHandler {
 
 		$arr = $data['recipients'][0];
 
-		$c = q("select * from channel left join xchan on channel_hash = xchan_hash where channel_hash = '%s' limit 1",
+		$c = q("select * from channel left join xchan on channel_portable_id = xchan_hash where channel_portable_id = '%s' limit 1",
 			dbesc($arr['portable_id'])
 		);
 		if (! $c) {
@@ -230,8 +231,8 @@ class Zot6Handler implements IHandler {
 			// basically this means "unfriend"
 			foreach ($recipients as $recip) {
 				$r = q("select channel.*,xchan.* from channel
-					left join xchan on channel_hash = xchan_hash
-					where channel_hash = '%s' and channel_guid_sig = '%s' limit 1",
+					left join xchan on channel_portable_id = xchan_hash
+					where channel_portable_id = '%s' limit 1",
 					dbesc($recip)
 				);
 				if ($r) {