From 18c57eeaa03fedf9156369a10abe17bf61179adb Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sun, 20 Aug 2017 18:30:12 -0700 Subject: httpsig - return an array with all the different signing possibilities enumerated --- Zotlabs/Web/HTTPSig.php | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php index 48adf4ad2..537cd52a1 100644 --- a/Zotlabs/Web/HTTPSig.php +++ b/Zotlabs/Web/HTTPSig.php @@ -27,10 +27,18 @@ class HTTPSig { $body = $data; $headers = null; + $result = [ + 'signer' => '', + 'header_signed' => false, + 'header_valid' => false, + 'content_signed' => false, + 'content_valid' => false + ]; + // decide if $data arrived via controller submission or curl if(is_array($data) && $data['header']) { if(! $data['success']) - return false; + return $result; $h = new \Zotlabs\Web\HTTPHeaders($data['header']); $headers = $h->fetcharr(); $body = $data['body']; @@ -59,7 +67,9 @@ class HTTPSig { } if(! $sig_block) - return null; + return $result; + + $result['header_signed'] = true; $signed_headers = $sig_block['headers']; if(! $signed_headers) @@ -79,6 +89,7 @@ class HTTPSig { } if(! $key) { + $result['signer'] = $sig_block['keyId']; $key = self::get_activitypub_key($sig_block['keyId']); } @@ -88,21 +99,23 @@ class HTTPSig { $x = rsa_verify($signed_data,$sig_block['signature'],$key,$algorithm); if($x === false) - return $x; + return $result; + + $result['header_valid'] = true; if(in_array('digest',$signed_headers)) { + $result['content_signed'] = true; $digest = explode('=', $headers['digest']); if($digest[0] === 'SHA-256') $hashalg = 'sha256'; // The explode operation will have stripped the '=' padding, so compare against unpadded base64 - if(rtrim(base64_encode(hash($hashalg,$body,true)),'=') === $digest[1]) - return true; - else - return false; + if(rtrim(base64_encode(hash($hashalg,$body,true)),'=') === $digest[1]) { + $result['content_valid'] = true; + } } - return $x; + return $result; } -- cgit v1.2.3