<?php
/**
- * @copyright Copyright (C) 2020, Friendica
+ * @copyright Copyright (C) 2010-2021, the Friendica project
*
* @license GNU AGPL version 3 or any later version
*
public static function getSigner($content, $http_headers)
{
if (empty($http_headers['HTTP_SIGNATURE'])) {
+ Logger::info('No HTTP_SIGNATURE header');
return false;
}
if (!empty($content)) {
$object = json_decode($content, true);
if (empty($object)) {
+ Logger::info('No object');
return false;
}
$sig_block = self::parseSigHeader($http_headers['HTTP_SIGNATURE']);
if (empty($sig_block) || empty($sig_block['headers']) || empty($sig_block['keyId'])) {
+ Logger::info('No headers or keyId');
return false;
}
$signed_data = rtrim($signed_data, "\n");
if (empty($signed_data)) {
+ Logger::info('Signed data is empty');
return false;
}
}
if (empty($algorithm)) {
+ Logger::info('No alagorithm');
return false;
}
$key = self::fetchKey($sig_block['keyId'], $actor);
if (empty($key)) {
+ Logger::info('Empty key');
return false;
}
// We now delete everything that we possibly knew from this actor
Contact::deleteContactByUrl($key['url']);
- return false;
+ return null;
}
if (empty($key['pubkey'])) {
+ Logger::info('Empty pubkey');
return false;
}
if (!Crypto::rsaVerify($signed_data, $sig_block['signature'], $key['pubkey'], $algorithm)) {
+ Logger::info('Verification failed');
return false;
}
/// @todo add all hashes from the rfc
if (!empty($hashalg) && base64_encode(hash($hashalg, $content, true)) != $digest[1]) {
+ Logger::info('Digest does not match');
return false;
}
// Check the content-length when it is part of the signed data
if (in_array('content-length', $sig_block['headers'])) {
if (strlen($content) != $headers['content-length']) {
+ Logger::info('Content length does not match');
return false;
}
}
// Ensure that the authentication had been done with some content
// Without this check someone could authenticate with fakeable data
if (!$hasGoodSignedContent) {
+ Logger::info('No good signed content');
return false;
}
projects / friendica.git / blobdiff