X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FUtil%2FHTTPSignature.php;h=1d57f5ea8095ff791750f6eec2e2ff875d715735;hb=e02c475c9e98f27f631bd245592f1641c181db72;hp=c8ff99eba0f5e6b68a1d359229dea8f86101bc57;hpb=5dcdf2322e843ffa2e5ab8bb3c287fc03d92c345;p=friendica.git diff --git a/src/Util/HTTPSignature.php b/src/Util/HTTPSignature.php index c8ff99eba0..1d57f5ea80 100644 --- a/src/Util/HTTPSignature.php +++ b/src/Util/HTTPSignature.php @@ -1,6 +1,6 @@ getMethod()).' '.$_SERVER['REQUEST_URI']; foreach ($_SERVER as $k => $v) { if (strpos($k, 'HTTP_') === 0) { @@ -78,7 +83,7 @@ class HTTPSignature $sig_block = self::parseSigheader($headers['authorization']); if (!$sig_block) { - Logger::log('no signature provided.'); + Logger::notice('no signature provided.'); return $result; } @@ -108,7 +113,7 @@ class HTTPSignature $key = $key($sig_block['keyId']); } - Logger::log('Got keyID ' . $sig_block['keyId'], Logger::DEBUG); + Logger::info('Got keyID ' . $sig_block['keyId']); if (!$key) { return $result; @@ -116,7 +121,7 @@ class HTTPSignature $x = Crypto::rsaVerify($signed_data, $sig_block['signature'], $key, $algorithm); - Logger::log('verified: ' . $x, Logger::DEBUG); + Logger::info('verified: ' . $x); if (!$x) { return $result; @@ -136,9 +141,12 @@ class HTTPSignature * * @return array */ - public static function createSig($head, $prvkey, $keyid = 'Key') + public static function createSig(array $head, string $prvkey, string $keyid = 'Key'): array { $return_headers = []; + if (!empty($head)) { + $return_headers = $head; + } $alg = 'sha512'; $algorithm = 'rsa-sha512'; @@ -148,15 +156,7 @@ class HTTPSignature $headerval = 'keyId="' . $keyid . '",algorithm="' . $algorithm . '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"'; - $sighead = 'Authorization: Signature ' . $headerval; - - if ($head) { - foreach ($head as $k => $v) { - $return_headers[] = $k . ': ' . $v; - } - } - - $return_headers[] = $sighead; + $return_headers['Authorization'] = ['Signature ' . $headerval]; return $return_headers; } @@ -168,13 +168,16 @@ class HTTPSignature * * @return array */ - private static function sign($head, $prvkey, $alg = 'sha256') + private static function sign(array $head, string $prvkey, string $alg = 'sha256'): array { $ret = []; $headers = ''; $fields = ''; foreach ($head as $k => $v) { + if (is_array($v)) { + $v = implode(', ', $v); + } $headers .= strtolower($k) . ': ' . trim($v) . "\n"; if ($fields) { $fields .= ' '; @@ -203,7 +206,7 @@ class HTTPSignature * - \e string \b signature * @throws \Friendica\Network\HTTPException\InternalServerErrorException */ - public static function parseSigheader($header) + public static function parseSigheader(string $header): array { // Remove obsolete folds $header = preg_replace('/\n\s+/', ' ', $header); @@ -250,7 +253,7 @@ class HTTPSignature * @return string Decrypted signature string * @throws \Friendica\Network\HTTPException\InternalServerErrorException */ - private static function decryptSigheader(array $headers, string $prvkey) + private static function decryptSigheader(array $headers, string $prvkey): string { if (!empty($headers['iv']) && !empty($headers['key']) && !empty($headers['data'])) { return Crypto::unencapsulate($headers, $prvkey); @@ -264,23 +267,16 @@ class HTTPSignature */ /** - * Transmit given data to a target for a user + * Post given data to a target for a user, returns the result class * - * @param array $data Data that is about to be send - * @param string $target The URL of the inbox - * @param integer $uid User id of the sender + * @param array $data Data that is about to be sent + * @param string $target The URL of the inbox + * @param array $owner Sender owner-view record * - * @return boolean Was the transmission successful? - * @throws \Friendica\Network\HTTPException\InternalServerErrorException + * @return ICanHandleHttpResponses */ - public static function transmit($data, $target, $uid) + public static function post(array $data, string $target, array $owner): ICanHandleHttpResponses { - $owner = User::getOwnerDataById($uid); - - if (!$owner) { - return; - } - $content = json_encode($data, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE); // Header data that is about to be signed. @@ -290,26 +286,46 @@ class HTTPSignature $content_length = strlen($content); $date = DateTimeFormat::utcNow(DateTimeFormat::HTTP); - $headers = ['Date: ' . $date, 'Content-Length: ' . $content_length, 'Digest: ' . $digest, 'Host: ' . $host]; + $headers = [ + 'Date' => $date, + 'Content-Length' => $content_length, + 'Digest' => $digest, + 'Host' => $host + ]; $signed_data = "(request-target): post " . $path . "\ndate: ". $date . "\ncontent-length: " . $content_length . "\ndigest: " . $digest . "\nhost: " . $host; $signature = base64_encode(Crypto::rsaSign($signed_data, $owner['uprvkey'], 'sha256')); - $headers[] = 'Signature: keyId="' . $owner['url'] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date content-length digest host",signature="' . $signature . '"'; + $headers['Signature'] = 'keyId="' . $owner['url'] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date content-length digest host",signature="' . $signature . '"'; - $headers[] = 'Content-Type: application/activity+json'; + $headers['Content-Type'] = 'application/activity+json'; - $postResult = DI::httpRequest()->post($target, $content, $headers); + $postResult = DI::httpClient()->post($target, $content, $headers, DI::config()->get('system', 'curl_timeout')); $return_code = $postResult->getReturnCode(); - Logger::log('Transmit to ' . $target . ' returned ' . $return_code, Logger::DEBUG); + Logger::info('Transmit to ' . $target . ' returned ' . $return_code); - $success = ($return_code >= 200) && ($return_code <= 299); + self::setInboxStatus($target, ($return_code >= 200) && ($return_code <= 299)); - self::setInboxStatus($target, $success); + return $postResult; + } + + /** + * Transmit given data to a target for a user + * + * @param array $data Data that is about to be sent + * @param string $target The URL of the inbox + * @param array $owner Sender owner-vew record + * + * @return boolean Was the transmission successful? + */ + public static function transmit(array $data, string $target, array $owner): bool + { + $postResult = self::post($data, $target, $owner); + $return_code = $postResult->getReturnCode(); - return $success; + return ($return_code >= 200) && ($return_code <= 299); } /** @@ -318,15 +334,26 @@ class HTTPSignature * @param string $url The URL of the inbox * @param boolean $success Transmission status * @param boolean $shared The inbox is a shared inbox + * @param int $gsid Server ID + * @throws \Exception */ - static public function setInboxStatus($url, $success, $shared = false) + static public function setInboxStatus(string $url, bool $success, bool $shared = false, int $gsid = null) { $now = DateTimeFormat::utcNow(); $status = DBA::selectFirst('inbox-status', [], ['url' => $url]); if (!DBA::isResult($status)) { - DBA::insert('inbox-status', ['url' => $url, 'created' => $now, 'shared' => $shared], Database::INSERT_IGNORE); + $insertFields = ['url' => $url, 'uri-id' => ItemURI::getIdByURI($url), 'created' => $now, 'shared' => $shared]; + if (!empty($gsid)) { + $insertFields['gsid'] = $gsid; + } + DBA::insert('inbox-status', $insertFields, Database::INSERT_IGNORE); + $status = DBA::selectFirst('inbox-status', [], ['url' => $url]); + if (empty($status)) { + Logger::warning('Unable to insert inbox-status row', $insertFields); + return; + } } if ($success) { @@ -335,6 +362,10 @@ class HTTPSignature $fields = ['failure' => $now]; } + if (!empty($gsid)) { + $fields['gsid'] = $gsid; + } + if ($status['failure'] > DBA::NULL_DATETIME) { $new_previous_stamp = strtotime($status['failure']); $old_previous_stamp = strtotime($status['previous']); @@ -365,7 +396,19 @@ class HTTPSignature $fields['archive'] = false; } + if (empty($status['uri-id'])) { + $fields['uri-id'] = ItemURI::getIdByURI($url); + } + DBA::update('inbox-status', $fields, ['url' => $url]); + + if (!empty($status['gsid'])) { + if ($success) { + GServer::setReachableById($status['gsid'], Protocol::ACTIVITYPUB); + } elseif ($status['shared']) { + GServer::setFailureById($status['gsid']); + } + } } /** @@ -377,21 +420,26 @@ class HTTPSignature * @return array JSON array * @throws \Friendica\Network\HTTPException\InternalServerErrorException */ - public static function fetch($request, $uid) + public static function fetch(string $request, int $uid): array { - $curlResult = self::fetchRaw($request, $uid); + try { + $curlResult = self::fetchRaw($request, $uid); + } catch (\Exception $exception) { + Logger::notice('Error fetching url', ['url' => $request, 'exception' => $exception]); + return []; + } if (empty($curlResult)) { - return false; + return []; } if (!$curlResult->isSuccess() || empty($curlResult->getBody())) { - return false; + return []; } $content = json_decode($curlResult->getBody(), true); if (empty($content) || !is_array($content)) { - return false; + return []; } return $content; @@ -409,10 +457,10 @@ class HTTPSignature * 'nobody' => only return the header * 'cookiejar' => path to cookie jar file * - * @return CurlResult|void CurlResult + * @return \Friendica\Network\HTTPClient\Capability\ICanHandleHttpResponses CurlResult * @throws \Friendica\Network\HTTPException\InternalServerErrorException */ - public static function fetchRaw($request, $uid = 0, $opts = ['accept_content' => 'application/activity+json, application/ld+json']) + public static function fetchRaw(string $request, int $uid = 0, array $opts = [HttpClientOptions::ACCEPT_CONTENT => [HttpClientAccept::JSON_AS]]) { $header = []; @@ -434,47 +482,69 @@ class HTTPSignature $path = parse_url($request, PHP_URL_PATH); $date = DateTimeFormat::utcNow(DateTimeFormat::HTTP); - $header = ['Date: ' . $date, 'Host: ' . $host]; + $header['Date'] = $date; + $header['Host'] = $host; $signed_data = "(request-target): get " . $path . "\ndate: ". $date . "\nhost: " . $host; $signature = base64_encode(Crypto::rsaSign($signed_data, $owner['uprvkey'], 'sha256')); - $header[] = 'Signature: keyId="' . $owner['url'] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date host",signature="' . $signature . '"'; - } - - if (!empty($opts['accept_content'])) { - $header[] = 'Accept: ' . $opts['accept_content']; + $header['Signature'] = 'keyId="' . $owner['url'] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date host",signature="' . $signature . '"'; } - $curl_opts = $opts; - $curl_opts['header'] = $header; + $curl_opts = $opts; + $curl_opts[HttpClientOptions::HEADERS] = $header; if (!empty($opts['nobody'])) { - $curlResult = DI::httpRequest()->head($request, $curl_opts); + $curlResult = DI::httpClient()->head($request, $curl_opts); } else { - $curlResult = DI::httpRequest()->get($request, $curl_opts); + $curlResult = DI::httpClient()->get($request, HttpClientAccept::JSON_AS, $curl_opts); } $return_code = $curlResult->getReturnCode(); - Logger::log('Fetched for user ' . $uid . ' from ' . $request . ' returned ' . $return_code, Logger::DEBUG); + Logger::info('Fetched for user ' . $uid . ' from ' . $request . ' returned ' . $return_code); return $curlResult; } + /** + * Fetch the apcontact entry of the keyId in the given header + * + * @param array $http_headers + * + * @return array APContact entry + */ + public static function getKeyIdContact(array $http_headers): array + { + if (empty($http_headers['HTTP_SIGNATURE'])) { + Logger::debug('No HTTP_SIGNATURE header', ['header' => $http_headers]); + return []; + } + + $sig_block = self::parseSigHeader($http_headers['HTTP_SIGNATURE']); + + if (empty($sig_block['keyId'])) { + Logger::debug('No keyId', ['sig_block' => $sig_block]); + return []; + } + + $url = (strpos($sig_block['keyId'], '#') ? substr($sig_block['keyId'], 0, strpos($sig_block['keyId'], '#')) : $sig_block['keyId']); + return APContact::getByURL($url); + } + /** * Gets a signer from a given HTTP request * - * @param $content - * @param $http_headers + * @param string $content + * @param array $http_headers * - * @return string Signer + * @return string|null|false Signer * @throws \Friendica\Network\HTTPException\InternalServerErrorException */ - public static function getSigner($content, $http_headers) + public static function getSigner(string $content, array $http_headers) { if (empty($http_headers['HTTP_SIGNATURE'])) { - Logger::info('No HTTP_SIGNATURE header'); + Logger::debug('No HTTP_SIGNATURE header'); return false; } @@ -485,13 +555,13 @@ class HTTPSignature return false; } - $actor = JsonLD::fetchElement($object, 'actor', 'id'); + $actor = JsonLD::fetchElement($object, 'actor', 'id') ?? ''; } else { $actor = ''; } $headers = []; - $headers['(request-target)'] = strtolower($http_headers['REQUEST_METHOD']) . ' ' . parse_url($http_headers['REQUEST_URI'], PHP_URL_PATH); + $headers['(request-target)'] = strtolower(DI::args()->getMethod()) . ' ' . parse_url($http_headers['REQUEST_URI'], PHP_URL_PATH); // First take every header foreach ($http_headers as $k => $v) { @@ -509,6 +579,15 @@ class HTTPSignature $sig_block = self::parseSigHeader($http_headers['HTTP_SIGNATURE']); + // Add fields from the signature block to the header. See issue 8845 + if (!empty($sig_block['created']) && empty($headers['(created)'])) { + $headers['(created)'] = $sig_block['created']; + } + + if (!empty($sig_block['expires']) && empty($headers['(expires)'])) { + $headers['(expires)'] = $sig_block['expires']; + } + if (empty($sig_block) || empty($sig_block['headers']) || empty($sig_block['keyId'])) { Logger::info('No headers or keyId'); return false; @@ -518,6 +597,8 @@ class HTTPSignature foreach ($sig_block['headers'] as $h) { if (array_key_exists($h, $headers)) { $signed_data .= $h . ': ' . $headers[$h] . "\n"; + } else { + Logger::info('Requested header field not found', ['field' => $h, 'header' => $headers]); } } $signed_data = rtrim($signed_data, "\n"); @@ -546,7 +627,7 @@ class HTTPSignature } if (empty($algorithm)) { - Logger::info('No alagorithm'); + Logger::info('No algorithm'); return false; } @@ -572,7 +653,7 @@ class HTTPSignature } if (!Crypto::rsaVerify($signed_data, $sig_block['signature'], $key['pubkey'], $algorithm)) { - Logger::info('Verification failed'); + Logger::info('Verification failed', ['signed_data' => $signed_data, 'algorithm' => $algorithm, 'header' => $sig_block['headers'], 'http_headers' => $http_headers]); return false; } @@ -598,13 +679,36 @@ class HTTPSignature $hasGoodSignedContent = true; } + if (in_array('date', $sig_block['headers']) && !empty($headers['date'])) { + $created = strtotime($headers['date']); + } elseif (in_array('(created)', $sig_block['headers']) && !empty($sig_block['created'])) { + $created = $sig_block['created']; + } else { + $created = 0; + } + + if (in_array('(expires)', $sig_block['headers']) && !empty($sig_block['expires'])) { + $expired = min($sig_block['expires'], $created + 300); + } else { + $expired = $created + 300; + } + // Check if the signed date field is in an acceptable range - if (in_array('date', $sig_block['headers'])) { - $diff = abs(strtotime($headers['date']) - time()); - if ($diff > 300) { - Logger::log("Header date '" . $headers['date'] . "' is with " . $diff . " seconds out of the 300 second frame. The signature is invalid."); + if (!empty($created)) { + $current = time(); + + // Calculate with a grace period of 60 seconds to avoid slight time differences between the servers + if (($created - 60) > $current) { + Logger::notice('Signature created in the future', ['created' => date(DateTimeFormat::MYSQL, $created), 'expired' => date(DateTimeFormat::MYSQL, $expired), 'current' => date(DateTimeFormat::MYSQL, $current)]); return false; } + + if ($current > $expired) { + Logger::notice('Signature expired', ['created' => date(DateTimeFormat::MYSQL, $created), 'expired' => date(DateTimeFormat::MYSQL, $expired), 'current' => date(DateTimeFormat::MYSQL, $current)]); + return false; + } + + Logger::debug('Valid creation date', ['created' => date(DateTimeFormat::MYSQL, $created), 'expired' => date(DateTimeFormat::MYSQL, $expired), 'current' => date(DateTimeFormat::MYSQL, $current)]); $hasGoodSignedContent = true; } @@ -629,13 +733,13 @@ class HTTPSignature /** * fetches a key for a given id and actor * - * @param $id - * @param $actor + * @param string $id + * @param string $actor * * @return array with actor url and public key * @throws \Exception */ - private static function fetchKey($id, $actor) + private static function fetchKey(string $id, string $actor): array { $url = (strpos($id, '#') ? substr($id, 0, strpos($id, '#')) : $id); @@ -652,6 +756,6 @@ class HTTPSignature } Logger::notice('Key could not be fetched', ['url' => $url, 'actor' => $actor]); - return false; + return []; } }