X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=plugins%2FOStatus%2Fclasses%2FMagicsig.php;h=be87052ac3e82fe58a6c22d9ae95ceb5c0c7531c;hb=29ac42addd2ac3f967a805d3f253fb8fffd11cc8;hp=87c684c93d87702eac562585797a0167070c4ad9;hpb=26f49de0dd5673584e734152d2d3329b90eb6978;p=quix0rs-gnu-social.git diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index 87c684c93d..be87052ac3 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -27,120 +27,186 @@ * @link http://status.net/ */ -class Magicsig extends Memcached_DataObject -{ +if (!defined('STATUSNET')) { + exit(1); +} + +require_once 'Crypt/RSA.php'; +class Magicsig extends Managed_DataObject +{ const PUBLICKEYREL = 'magic-public-key'; - + const DIASPORA_PUBLICKEYREL = 'diaspora-public-key'; + public $__table = 'magicsig'; + /** + * Key to user.id/profile.id for the local user whose key we're storing. + * + * @var int + */ public $user_id; + + /** + * Flattened string representation of the key pair; callers should + * usually use $this->publicKey and $this->privateKey directly, + * which hold live Crypt_RSA key objects. + * + * @var string + */ public $keypair; + + /** + * Crypto algorithm used for this key; currently only RSA-SHA256 is supported. + * + * @var string + */ public $alg; - + + /** + * Public RSA key; gets serialized in/out via $this->keypair string. + * + * @var Crypt_RSA + */ public $publicKey; + + /** + * PrivateRSA key; gets serialized in/out via $this->keypair string. + * + * @var Crypt_RSA + */ public $privateKey; - + public function __construct($alg = 'RSA-SHA256') { $this->alg = $alg; } - - public /*static*/ function staticGet($k, $v=null) + + /** + * Fetch a Magicsig object from the cache or database on a field match. + * + * @param string $k + * @param mixed $v + * @return Magicsig + */ + static function getKV($k, $v=null) { - $obj = parent::staticGet(__CLASS__, $k, $v); - if (!empty($obj)) { - return Magicsig::fromString($obj->keypair); + $obj = parent::getKV($k, $v); + if ($obj instanceof Magicsig) { + $obj->importKeys(); // Loads Crypt_RSA objects etc. + + // Throw out a big fat warning for keys of less than 1024 bits. ( + // The only case these show up in would be imported or + // legacy very-old-StatusNet generated keypairs. + if (strlen($obj->publicKey->modulus->toBits()) < 1024) { + common_log(LOG_WARNING, sprintf('Salmon key with <1024 bits (%d) belongs to profile with id==%d', + strlen($obj->publicKey->modulus->toBits()), + $obj->user_id)); + } } return $obj; } - - function table() + public static function schemaDef() { return array( - 'user_id' => DB_DATAOBJECT_INT, - 'keypair' => DB_DATAOBJECT_STR + DB_DATAOBJECT_NOTNULL, - 'alg' => DB_DATAOBJECT_STR + 'fields' => array( + 'user_id' => array('type' => 'int', 'not null' => true, 'description' => 'user id'), + 'keypair' => array('type' => 'text', 'description' => 'keypair text representation'), + 'alg' => array('type' => 'varchar', 'length' => 64, 'description' => 'algorithm'), + ), + 'primary key' => array('user_id'), + 'foreign keys' => array( + 'magicsig_user_id_fkey' => array('profile', array('user_id' => 'id')), + ), ); } - static function schemaDef() + /** + * Save this keypair into the database. + * + * Overloads default insert behavior to encode the live key objects + * as a flat string for storage. + * + * @return mixed + */ + function insert() { - return array(new ColumnDef('user_id', 'integer', - null, false, 'PRI'), - new ColumnDef('keypair', 'text', - false, false), - new ColumnDef('alg', 'varchar', - 64, false)); - } - + $this->keypair = $this->toString(true); - function keys() - { - return array_keys($this->keyTypes()); + return parent::insert(); } - function keyTypes() + /** + * Generate a new keypair for a local user and store in the database. + * + * Warning: this can be very slow on systems without the GMP module. + * Runtimes of 20-30 seconds are not unheard-of. + * + * @param User $user the local user (since we don't have remote private keys) + */ + public static function generate(User $user, $bits=1024, $alg='RSA-SHA256') { - return array('user_id' => 'K'); - } + $magicsig = new Magicsig($alg); + $magicsig->user_id = $user->id; - function sequenceKey() { - return array(false, false, false); - } + $rsa = new Crypt_RSA(); - function insert() - { - $this->keypair = $this->toString(); - - return parent::insert(); - } + $keypair = $rsa->createKey($bits); - public function generate($user_id) - { - $rsa = new SafeCrypt_RSA(); - - $keypair = $rsa->createKey(); + $magicsig->privateKey = new Crypt_RSA(); + $magicsig->privateKey->loadKey($keypair['privatekey']); - $rsa->loadKey($keypair['privatekey']); + $magicsig->publicKey = new Crypt_RSA(); + $magicsig->publicKey->loadKey($keypair['publickey']); - $this->privateKey = new SafeCrypt_RSA(); - $this->privateKey->loadKey($keypair['privatekey']); + $magicsig->insert(); // will do $this->keypair = $this->toString(true); + $magicsig->importKeys(); // seems it's necessary to re-read keys from text keypair - $this->publicKey = new SafeCrypt_RSA(); - $this->publicKey->loadKey($keypair['publickey']); - - $this->user_id = $user_id; - $this->insert(); + return $magicsig; } - - public function toString($full_pair = true) + /** + * Encode the keypair or public key as a string. + * + * @param boolean $full_pair set to true to include the private key. + * @return string + */ + public function toString($full_pair=false) { - $mod = base64_url_encode($this->publicKey->modulus->toBytes()); - $exp = base64_url_encode($this->publicKey->exponent->toBytes()); + $mod = Magicsig::base64_url_encode($this->publicKey->modulus->toBytes()); + $exp = Magicsig::base64_url_encode($this->publicKey->exponent->toBytes()); $private_exp = ''; - if ($full_pair && $this->privateKey->exponent->toBytes()) { - $private_exp = '.' . base64_url_encode($this->privateKey->exponent->toBytes()); + if ($full_pair && $this->privateKey instanceof Crypt_RSA && $this->privateKey->exponent->toBytes()) { + $private_exp = '.' . Magicsig::base64_url_encode($this->privateKey->exponent->toBytes()); } - return 'RSA.' . $mod . '.' . $exp . $private_exp; + return 'RSA.' . $mod . '.' . $exp . $private_exp; + } + + public function exportPublicKey($format=CRYPT_RSA_PUBLIC_FORMAT_PKCS1) + { + $this->publicKey->setPublicKey(); + return $this->publicKey->getPublicKey($format); } - - public static function fromString($text) + + /** + * importKeys will load the object's keypair string, which initiates + * loadKey() and configures Crypt_RSA objects. + * + * @param string $keypair optional, otherwise the object's "keypair" property will be used + */ + public function importKeys($keypair=null) { - $magic_sig = new Magicsig(); - - // remove whitespace - $text = preg_replace('/\s+/', '', $text); + $this->keypair = $keypair===null ? $this->keypair : preg_replace('/\s+/', '', $keypair); // parse components - if (!preg_match('/RSA\.([^\.]+)\.([^\.]+)(.([^\.]+))?/', $text, $matches)) { - return false; + if (!preg_match('/RSA\.([^\.]+)\.([^\.]+)(\.([^\.]+))?/', $this->keypair, $matches)) { + common_debug('Magicsig error: RSA key not found in provided string.'); + throw new ServerException('RSA key not found in keypair string.'); } - + $mod = $matches[1]; $exp = $matches[2]; if (!empty($matches[4])) { @@ -149,24 +215,28 @@ class Magicsig extends Memcached_DataObject $private_exp = false; } - $magic_sig->loadKey($mod, $exp, 'public'); + $this->loadKey($mod, $exp, 'public'); if ($private_exp) { - $magic_sig->loadKey($mod, $private_exp, 'private'); + $this->loadKey($mod, $private_exp, 'private'); } - - return $magic_sig; } + /** + * Fill out $this->privateKey or $this->publicKey with a Crypt_RSA object + * representing the give key (as mod/exponent pair). + * + * @param string $mod base64-encoded + * @param string $exp base64-encoded exponent + * @param string $type one of 'public' or 'private' + */ public function loadKey($mod, $exp, $type = 'public') { - common_log(LOG_DEBUG, "Adding ".$type." key: (".$mod .', '. $exp .")"); - - $rsa = new SafeCrypt_RSA(); - $rsa->signatureMode = CRYPT_RSA_SIGNATURE_PKCS1; - $rsa->setHash('sha256'); - $rsa->modulus = new Math_BigInteger(base64_url_decode($mod), 256); + $rsa = new Crypt_RSA(); + $rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1); + $rsa->setHash($this->getHash()); + $rsa->modulus = new Math_BigInteger(Magicsig::base64_url_decode($mod), 256); $rsa->k = strlen($rsa->modulus->toBytes()); - $rsa->exponent = new Math_BigInteger(base64_url_decode($exp), 256); + $rsa->exponent = new Math_BigInteger(Magicsig::base64_url_decode($exp), 256); if ($type == 'private') { $this->privateKey = $rsa; @@ -174,42 +244,78 @@ class Magicsig extends Memcached_DataObject $this->publicKey = $rsa; } } - + + /** + * Returns the name of the crypto algorithm used for this key. + * + * @return string + */ public function getName() { return $this->alg; } + /** + * Returns the name of a hash function to use for signing with this key. + * + * @return string + */ public function getHash() { switch ($this->alg) { - case 'RSA-SHA256': return 'sha256'; } - + throw new ServerException('Unknown or unsupported hash algorithm for Salmon'); } - + + /** + * Generate base64-encoded signature for the given byte string + * using our private key. + * + * @param string $bytes as raw byte string + * @return string base64url-encoded signature + */ public function sign($bytes) { $sig = $this->privateKey->sign($bytes); - return base64_url_encode($sig); + if ($sig === false) { + throw new ServerException('Could not sign data'); + } + return Magicsig::base64_url_encode($sig); } + /** + * + * @param string $signed_bytes as raw byte string + * @param string $signature as base64url encoded + * @return boolean + */ public function verify($signed_bytes, $signature) { - $signature = base64_url_decode($signature); + $signature = self::base64_url_decode($signature); return $this->publicKey->verify($signed_bytes, $signature); } - -} -function base64_url_encode($input) -{ - return strtr(base64_encode($input), '+/', '-_'); -} + /** + * URL-encoding-friendly base64 variant encoding. + * + * @param string $input + * @return string + */ + public static function base64_url_encode($input) + { + return strtr(base64_encode($input), '+/', '-_'); + } -function base64_url_decode($input) -{ - return base64_decode(strtr($input, '-_', '+/')); + /** + * URL-encoding-friendly base64 variant decoding. + * + * @param string $input + * @return string + */ + public static function base64_url_decode($input) + { + return base64_decode(strtr($input, '-_', '+/')); + } }