From fabcf841c9b4a360e2e496d04775e2ef594cb0e3 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Mon, 5 Nov 2018 19:34:10 -0800 Subject: z6 work --- Zotlabs/Zot6/Zot6Handler.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'Zotlabs/Zot6') diff --git a/Zotlabs/Zot6/Zot6Handler.php b/Zotlabs/Zot6/Zot6Handler.php index 5597921cc..6fc82501a 100644 --- a/Zotlabs/Zot6/Zot6Handler.php +++ b/Zotlabs/Zot6/Zot6Handler.php @@ -70,9 +70,10 @@ class Zot6Handler implements IHandler { // This would be a permissions update, typically for one connection foreach ($recipients as $recip) { + $r = q("select channel.*,xchan.* from channel left join xchan on channel_hash = xchan_hash - where channel_hash ='%s' limit 1", + where xchan_hash ='%s' limit 1", dbesc($recip) ); -- cgit v1.2.3 From e7f1d350c92bb2be87adefd33ab877ef6e121af2 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Mon, 5 Nov 2018 21:29:26 -0800 Subject: more zot6 work --- Zotlabs/Zot6/HTTPSig.php | 44 ++++++++++++++++++++++++++++++++++---------- Zotlabs/Zot6/Zot6Handler.php | 17 +++++++++-------- 2 files changed, 43 insertions(+), 18 deletions(-) (limited to 'Zotlabs/Zot6') diff --git a/Zotlabs/Zot6/HTTPSig.php b/Zotlabs/Zot6/HTTPSig.php index a0f0d3500..f5c59f9d6 100644 --- a/Zotlabs/Zot6/HTTPSig.php +++ b/Zotlabs/Zot6/HTTPSig.php 
@@ -215,14 +215,19 @@ class HTTPSig { */ function get_activitystreams_key($id) { - - $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", + $x = q("select * from xchan left join hubloc on xchan_portable_id = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", dbesc(str_replace('acct:','',$id)), dbesc($id) ); + if(! $x) { + $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", + dbesc(str_replace('acct:','',$id)), + dbesc($id) + ); + } if($x && $x[0]['xchan_pubkey']) { - return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; + return [ 'portable_id' => $x[0]['hubloc_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; } $r = ActivityStreams::fetch_property($id); @@ -235,19 +240,25 @@ class HTTPSig { } } - return false; + return false; } function get_webfinger_key($id) { - $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", + $x = q("select * from xchan left join hubloc on xchan_portable_id = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", dbesc(str_replace('acct:','',$id)), dbesc($id) ); + if(! $x) { + $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", + dbesc(str_replace('acct:','',$id)), + dbesc($id) + ); + } if($x && $x[0]['xchan_pubkey']) { - return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; + return [ 'portable_id' => $x[0]['hubloc_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; } $wf = Webfinger::exec($id); 
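Review bot: When the fallback query in get_activitystreams_key matches a row through `xchan_hash = hubloc_hash`, the function still returns `'portable_id' => $x[0]['hubloc_hash']`, so for a legacy row the caller receives the xchan hash labelled as a portable id and has no way to tell which join produced it. The same two-query lookup is pasted into get_webfinger_key (@@ -235), get_zotfinger_key (@@ -269) and the href lookup later in that function (@@ -302); a single private helper taking the WHERE clause and its arguments would keep the fallback order in one place and could record which column matched, e.g. `$x = self::find_hubloc("hubloc_addr = '%s' or hubloc_id_url = '%s'", [ dbesc(str_replace('acct:','',$id)), dbesc($id) ]);`. A short comment above the fallback stating that the portable-id join is preferred and the hash join is only for rows not yet migrated would also help the next reader.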
@@ -269,18 +280,26 @@ class HTTPSig { } } - return (($key['public_key']) ? $key : false); + return (($key['public_key']) ? $key : false); } function get_zotfinger_key($id) { - $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", + $x = q("select * from xchan left join hubloc on xchan_portable_id = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", dbesc(str_replace('acct:','',$id)), dbesc($id) ); + if(! $x) { + $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", + dbesc(str_replace('acct:','',$id)), + dbesc($id) + ); + } + + if($x && $x[0]['xchan_pubkey']) { - return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; + return [ 'portable_id' => $x[0]['hubloc_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; } $wf = Webfinger::exec($id); @@ -302,9 +321,14 @@ class HTTPSig { if($i['success']) { $key['portable_id'] = $i['hash']; - $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_id_url = '%s' limit 1", + $x = q("select * from xchan left join hubloc on xchan_portable_id = hubloc_hash where hubloc_id_url = '%s' limit 1", dbesc($l['href']) ); + if(! $x) { + $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_id_url = '%s' limit 1", + dbesc($l['href']) + ); + } if($x) { $key['hubloc'] = $x[0]; } diff --git a/Zotlabs/Zot6/Zot6Handler.php b/Zotlabs/Zot6/Zot6Handler.php index 6fc82501a..1fae81ae6 100644 --- a/Zotlabs/Zot6/Zot6Handler.php +++ b/Zotlabs/Zot6/Zot6Handler.php 
@@ -72,8 +72,8 @@ class Zot6Handler implements IHandler { foreach ($recipients as $recip) { $r = q("select channel.*,xchan.* from channel - left join xchan on channel_hash = xchan_hash - where xchan_hash ='%s' limit 1", + left join xchan on channel_portable_id = xchan_portable_id + where xchan_portable_id ='%s' limit 1", dbesc($recip) ); @@ -141,7 +141,7 @@ class Zot6Handler implements IHandler { $arr = $data['recipients'][0]; - $c = q("select * from channel left join xchan on channel_hash = xchan_hash where channel_hash = '%s' limit 1", + $c = q("select * from channel left join xchan on channel_portable_id = xchan_portable_id where channel_portable_id = '%s' limit 1", dbesc($arr['portable_id']) ); if (! $c) { @@ -197,7 +197,7 @@ class Zot6Handler implements IHandler { return $ret; } - $r = q("select * from xchan where xchan_hash = '%s' limit 1", + $r = q("select * from xchan where xchan_hash = '%s' or xchan_portable_id = '%s' limit 1", dbesc($sender) ); @@ -231,14 +231,15 @@ class Zot6Handler implements IHandler { // basically this means "unfriend" foreach ($recipients as $recip) { $r = q("select channel.*,xchan.* from channel - left join xchan on channel_hash = xchan_hash - where channel_hash = '%s' and channel_guid_sig = '%s' limit 1", + left join xchan on channel_portable_id = xchan_portable_id + where channel_portable_id = '%s' limit 1", dbesc($recip) ); if ($r) { - $r = q("select abook_id from abook where uid = %d and abook_xchan = '%s' limit 1", + $r = q("select abook_id from abook where uid = %d and (abook_xchan = '%s' or abook_xchan = '%s') limit 1", intval($r[0]['channel_id']), - dbesc($sender) + dbesc($sender), + dbesc($r[0]['xchan_portable_id']) ); if ($r) { contact_remove($r[0]['channel_id'],$r[0]['abook_id']); -- cgit v1.2.3 From bb8b3b92913832750a393533f491725b4330a8e1 Mon Sep 17 00:00:00 2001 
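Review bot: The rewritten sender lookup at @@ -197, `where xchan_hash = '%s' or xchan_portable_id = '%s' limit 1", dbesc($sender)`, has two `%s` placeholders but passes a single argument, so q() is presumably handed one argument fewer than the format expects and the query either fails or runs with an empty second value, in which case the sender row is never found. Pass the value for both placeholders, `dbesc($sender), dbesc($sender)`, or keep a single placeholder. The next commit ("this is brutal") reverts the line to one placeholder, which resolves it; the enclosing method starts outside this hunk.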
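Review bot: In the unfriend loop at @@ -231 the new abook query reassigns `$r` and selects only `abook_id`, so the `$r[0]['channel_id']` passed to `contact_remove()` on the following context line reads from the abook row, where that column does not exist; the `intval($r[0]['channel_id'])` and `dbesc($r[0]['xchan_portable_id'])` arguments are evaluated before the assignment and are unaffected. If contact_remove rejects an empty channel id (not visible here), the unfriend silently does nothing. Keep the channel row in its own variable, e.g. `$ab = q("select abook_id from abook where uid = %d and (abook_xchan = '%s' or abook_xchan = '%s') limit 1", ...)` and then `contact_remove($r[0]['channel_id'],$ab[0]['abook_id']);`. The defect predates this commit but the hunk rewrites the query that causes it, and it is still present after the same loop is edited again in the "this is brutal" commit (its @@ -231 hunk); the enclosing method starts outside the hunk.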
From: zotlabs Date: Tue, 6 Nov 2018 20:44:40 -0800 Subject: this is brutal --- Zotlabs/Zot6/HTTPSig.php | 90 +++++++++++++++++++++++--------------------- Zotlabs/Zot6/Receiver.php | 2 +- Zotlabs/Zot6/Zot6Handler.php | 15 ++++---- 3 files changed, 55 insertions(+), 52 deletions(-) (limited to 'Zotlabs/Zot6') diff --git a/Zotlabs/Zot6/HTTPSig.php b/Zotlabs/Zot6/HTTPSig.php index f5c59f9d6..6d52e5033 100644 --- a/Zotlabs/Zot6/HTTPSig.php +++ b/Zotlabs/Zot6/HTTPSig.php @@ -48,12 +48,14 @@ class HTTPSig { $h = new HTTPHeaders($data['header']); $headers = $h->fetcharr(); $body = $data['body']; + $headers['(request-target)'] = $data['request_target']; } else { $headers = []; $headers['(request-target)'] = strtolower($_SERVER['REQUEST_METHOD']) . ' ' . $_SERVER['REQUEST_URI']; $headers['content-type'] = $_SERVER['CONTENT_TYPE']; + $headers['content-length'] = $_SERVER['CONTENT_LENGTH']; foreach($_SERVER as $k => $v) { if(strpos($k,'HTTP_') === 0) { @@ -121,6 +123,17 @@ class HTTPSig { if(array_key_exists($h,$headers)) { $signed_data .= $h . ': ' . $headers[$h] . "\n"; } + if($h === 'date') { + $d = new \DateTime($headers[$h]); + $d->setTimeZone(new \DateTimeZone('UTC')); + $dplus = datetime_convert('UTC','UTC','now + 1 day'); + $dminus = datetime_convert('UTC','UTC','now - 1 day'); + $c = $d->format('Y-m-d H:i:s'); + if($c > $dplus || $c < $dminus) { + logger('bad time: ' . $c); + return $result; + } + } } $signed_data = rtrim($signed_data,"\n"); 
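Review bot: `$headers['content-length'] = $_SERVER['CONTENT_LENGTH'];` reads a server variable that is absent on requests without a body, which raises an undefined-index notice and stores a null entry; because the later loop uses `array_key_exists($h,$headers)`, a sender that lists content-length in its signed headers would then have `content-length: ` with an empty value appended to signed_data. Guard it, `if(isset($_SERVER['CONTENT_LENGTH'])) $headers['content-length'] = $_SERVER['CONTENT_LENGTH'];`; the pre-existing `content-type` line above it has the same gap. The enclosing function begins before this hunk.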
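Review bot: The new date-window check constructs `new \DateTime($headers[$h])` from the remote Date header without a try/catch, so an unparseable value throws an Exception out of the verifier instead of returning `$result` as a failed verification, which lets a malformed request abort the handler rather than just fail. The block also sits outside the `array_key_exists($h,$headers)` guard, so when 'date' is listed in the signed headers but not sent, `$headers[$h]` is null, DateTime defaults to now, and the window check passes. Wrap the parse, `try { $d = new \DateTime($headers[$h]); } catch (\Exception $e) { return $result; }`, and either move the block inside the guard or reject a missing date explicitly. A ±1 day window also means a captured signed request stays accepted for up to a day; a tighter window is usual where clock skew between hubs allows it, and the chosen bound deserves a comment.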
@@ -147,8 +160,15 @@ class HTTPSig { logger('verified: ' . $x, LOGGER_DEBUG); - if(! $x) + if(! $x) { + logger('verify failed for ' . $result['signer'] . ' alg=' . $algorithm . (($key['public_key']) ? '' : ' no key')); + $sig_block['signature'] = base64url_encode($sig_block['signature']); + logger('affected sigblock: ' . print_r($sig_block,true)); + logger('signed_data: ' . print_r($signed_data,true)); + logger('headers: ' . print_r($headers,true)); + logger('server: ' . print_r($_SERVER,true)); return $result; + } $result['portable_id'] = $key['portable_id']; $result['header_valid'] = true; @@ -180,7 +200,9 @@ class HTTPSig { return [ 'public_key' => $key ]; } - $key = self::get_webfinger_key($id); + if(strpos($id,'#') === false) { + $key = self::get_webfinger_key($id); + } if(! $key) { $key = self::get_activitystreams_key($id); 
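Review bot: The failure branch now emits `logger('server: ' . print_r($_SERVER,true));` at the default log level, which copies every request header and environment variable, including any Authorization or Cookie values and filesystem paths, into the log on each failed verification, and any unauthenticated peer can trigger that path. Keep the routine diagnostics to the signature block and signed_data, and put the `$_SERVER` dump (and preferably the full `$headers` dump) behind LOGGER_DATA so it is opt-in for debugging. The enclosing function starts outside the hunk.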
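Review bot: With `if(strpos($id,'#') === false)` guarding the webfinger lookup, `$key` is only assigned inside that branch, so when the keyId carries a fragment the following `if(! $key)` reads whatever `$key` held earlier in the function, which begins outside this hunk. If it is not initialised there, add `$key = null;` before the condition so the activitystreams fallback is reached deterministically rather than by an undefined-variable notice. A one-line comment explaining why a fragment rules out webfinger (the id is a key URL, not an account) would also help.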
@@ -215,50 +237,43 @@ class HTTPSig { */ function get_activitystreams_key($id) { - $x = q("select * from xchan left join hubloc on xchan_portable_id = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", - dbesc(str_replace('acct:','',$id)), - dbesc($id) + + // remove fragment + + $url = ((strpos($id,'#')) ? substr($id,0,strpos($id,'#')) : $id); + + $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", + dbesc(str_replace('acct:','',$url)), + dbesc($url) ); - if(! $x) { - $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", - dbesc(str_replace('acct:','',$id)), - dbesc($id) - ); - } if($x && $x[0]['xchan_pubkey']) { - return [ 'portable_id' => $x[0]['hubloc_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; + return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; } - $r = ActivityStreams::fetch_property($id); + $r = ActivityStreams::fetch($id); if($r) { - if(array_key_exists('publicKey',$j) && array_key_exists('publicKeyPem',$j['publicKey']) && array_key_exists('id',$j['publicKey'])) { - if($j['publicKey']['id'] === $id || $j['id'] === $id) { - return [ 'public_key' => self::convertKey($j['publicKey']['publicKeyPem']), 'portable_id' => '', 'hubloc' => [] ]; + if(array_key_exists('publicKey',$r) && array_key_exists('publicKeyPem',$r['publicKey']) && array_key_exists('id',$r['publicKey'])) { + if($r['publicKey']['id'] === $id || $r['id'] === $id) { + $portable_id = ((array_key_exists('owner',$r['publicKey'])) ? 
$r['publicKey']['owner'] : EMPTY_STR); + return [ 'public_key' => self::convertKey($r['publicKey']['publicKeyPem']), 'portable_id' => $portable_id, 'hubloc' => [] ]; } } } - - return false; + return false; } function get_webfinger_key($id) { - $x = q("select * from xchan left join hubloc on xchan_portable_id = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", + $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", dbesc(str_replace('acct:','',$id)), dbesc($id) ); - if(! $x) { - $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", - dbesc(str_replace('acct:','',$id)), - dbesc($id) - ); - } if($x && $x[0]['xchan_pubkey']) { - return [ 'portable_id' => $x[0]['hubloc_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; + return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; } $wf = Webfinger::exec($id); 
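Review bot: `$portable_id` is now taken from `$r['publicKey']['owner']` of the fetched document, but nothing checks that owner equals `$r['id']`, the actor the document describes; the preceding test only requires `$r['publicKey']['id'] === $id || $r['id'] === $id`, so a document can name any owner and that value becomes the portable id returned to callers. If downstream code keys permissions or abook rows off portable_id (not visible here), require `$r['publicKey']['owner'] === $r['id']` before trusting it, or derive portable_id from `$r['id']` only. Separately, the fragment strip `((strpos($id,'#')) ? substr($id,0,strpos($id,'#')) : $id)` uses a truthy strpos, so an id beginning with '#' is not stripped; `strpos($id,'#') !== false` is the intended test.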
@@ -280,26 +295,18 @@ class HTTPSig { } } - return (($key['public_key']) ? $key : false); + return (($key['public_key']) ? $key : false); } function get_zotfinger_key($id) { - $x = q("select * from xchan left join hubloc on xchan_portable_id = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", + $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", dbesc(str_replace('acct:','',$id)), dbesc($id) ); - if(! $x) { - $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' or hubloc_id_url = '%s' limit 1", - dbesc(str_replace('acct:','',$id)), - dbesc($id) - ); - } - - if($x && $x[0]['xchan_pubkey']) { - return [ 'portable_id' => $x[0]['hubloc_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; + return [ 'portable_id' => $x[0]['xchan_hash'], 'public_key' => $x[0]['xchan_pubkey'] , 'hubloc' => $x[0] ]; } $wf = Webfinger::exec($id); @@ -321,14 +328,9 @@ class HTTPSig { if($i['success']) { $key['portable_id'] = $i['hash']; - $x = q("select * from xchan left join hubloc on xchan_portable_id = hubloc_hash where hubloc_id_url = '%s' limit 1", + $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_id_url = '%s' limit 1", dbesc($l['href']) ); - if(! $x) { - $x = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_id_url = '%s' limit 1", - dbesc($l['href']) - ); - } if($x) { $key['hubloc'] = $x[0]; } @@ -433,6 +435,8 @@ class HTTPSig { $headers = ''; $fields = ''; + logger('signing: ' . print_r($head,true), LOGGER_DATA); + if($head) { foreach($head as $k => $v) { $headers .= strtolower($k) . ': ' . trim($v) . "\n"; diff --git a/Zotlabs/Zot6/Receiver.php b/Zotlabs/Zot6/Receiver.php index 4f26e2b0c..66559c9a5 100644 --- a/Zotlabs/Zot6/Receiver.php +++ b/Zotlabs/Zot6/Receiver.php 
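Review bot: `logger('signing: ' . print_r($head,true), LOGGER_DATA);` at @@ -433 dumps every header handed to the signer; if `$head` ever carries an Authorization or similar credential header, it lands in the log verbatim. The LOGGER_DATA level makes it opt-in, but a comment such as `// debug only: logs all headers passed for signing, which may include credentials` or filtering such keys before the dump would make the intent explicit. The enclosing function starts outside the hunk.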
@@ -4,7 +4,7 @@ namespace Zotlabs\Zot6; use Zotlabs\Lib\Config; use Zotlabs\Lib\Libzot; -use Zotlabs\Web\HTTPSig; + class Receiver { diff --git a/Zotlabs/Zot6/Zot6Handler.php b/Zotlabs/Zot6/Zot6Handler.php index 1fae81ae6..e320e7825 100644 --- a/Zotlabs/Zot6/Zot6Handler.php +++ b/Zotlabs/Zot6/Zot6Handler.php @@ -72,8 +72,8 @@ class Zot6Handler implements IHandler { foreach ($recipients as $recip) { $r = q("select channel.*,xchan.* from channel - left join xchan on channel_portable_id = xchan_portable_id - where xchan_portable_id ='%s' limit 1", + left join xchan on channel_portable_id = xchan_hash + where xchan_hash ='%s' limit 1", dbesc($recip) ); @@ -141,7 +141,7 @@ class Zot6Handler implements IHandler { $arr = $data['recipients'][0]; - $c = q("select * from channel left join xchan on channel_portable_id = xchan_portable_id where channel_portable_id = '%s' limit 1", + $c = q("select * from channel left join xchan on channel_portable_id = xchan_hash where channel_portable_id = '%s' limit 1", dbesc($arr['portable_id']) ); if (! $c) { @@ -197,7 +197,7 @@ class Zot6Handler implements IHandler { return $ret; } - $r = q("select * from xchan where xchan_hash = '%s' or xchan_portable_id = '%s' limit 1", + $r = q("select * from xchan where xchan_hash = '%s' limit 1", dbesc($sender) ); 
@@ -231,15 +231,14 @@ class Zot6Handler implements IHandler { // basically this means "unfriend" foreach ($recipients as $recip) { $r = q("select channel.*,xchan.* from channel - left join xchan on channel_portable_id = xchan_portable_id + left join xchan on channel_portable_id = xchan_hash where channel_portable_id = '%s' limit 1", dbesc($recip) ); if ($r) { - $r = q("select abook_id from abook where uid = %d and (abook_xchan = '%s' or abook_xchan = '%s') limit 1", + $r = q("select abook_id from abook where uid = %d and abook_xchan = '%s' limit 1", intval($r[0]['channel_id']), - dbesc($sender), - dbesc($r[0]['xchan_portable_id']) + dbesc($sender) ); if ($r) { contact_remove($r[0]['channel_id'],$r[0]['abook_id']); -- cgit v1.2.3 From a5483a03c90967eea58f5a0db17c59c4ec3ff2ff Mon Sep 17 00:00:00 2001 From: zotlabs Date: Tue, 6 Nov 2018 21:44:57 -0800 Subject: fix signatures --- Zotlabs/Zot6/HTTPSig.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Zotlabs/Zot6') diff --git a/Zotlabs/Zot6/HTTPSig.php b/Zotlabs/Zot6/HTTPSig.php index 6d52e5033..72785b1e9 100644 --- a/Zotlabs/Zot6/HTTPSig.php +++ b/Zotlabs/Zot6/HTTPSig.php @@ -162,7 +162,7 @@ class HTTPSig { if(! $x) { logger('verify failed for ' . $result['signer'] . ' alg=' . $algorithm . (($key['public_key']) ? '' : ' no key')); - $sig_block['signature'] = base64url_encode($sig_block['signature']); + $sig_block['signature'] = base64_encode($sig_block['signature']); logger('affected sigblock: ' . print_r($sig_block,true)); logger('signed_data: ' . print_r($signed_data,true)); logger('headers: ' . print_r($headers,true)); -- cgit v1.2.3