salmon protocol changes magicsig draft-experimental, fixes to hostxrd

diff --git a/boot.php b/boot.php
index 35f295d068cb1fc59e4f273a5c0fedfb3b1c1bc2..e1a1c5a503a153ff570638930410e64234c3c2ac 100644 (file)
--- a/boot.php
+++ b/boot.php
@@ -320,13 +320,12 @@ class App {
 
                /**
                 * Special handling for the webfinger/lrdd host XRD file
-                * Just spit out the contents and exit.
                 */
 
                if($this->cmd === '.well-known/host-meta') {
-                       require_once('include/hostxrd.php');
-                       hostxrd();
-                       // NOTREACHED
+                       $this->argc = 1;
+                       $this->argv = array('hostxrd');
+                       $this->module = 'hostxrd';
                }
 
                /**

diff --git a/include/hostxrd.php b/include/hostxrd.php
deleted file mode 100644 (file)
index 18c3e4b..0000000
--- a/include/hostxrd.php
+++ /dev/null
@@ -1,11 +0,0 @@
-<?php
-
-function hostxrd() {
-       header('Access-Control-Allow-Origin: *');
-       header("Content-type: text/xml");
-       $tpl = file_get_contents('view/xrd_host.tpl');
-       echo str_replace(array('$zroot','$domain'),array(z_root(),z_path()),$tpl);
-       session_write_close();
-       exit();
-
-}
\ No newline at end of file

diff --git a/include/salmon.php b/include/salmon.php
index 4994655df8b97f22a0a87b2438bc1b2e409562fa..f1cef0a4971ebe71f2122fd87817ea314b86cca2 100644 (file)
--- a/include/salmon.php
+++ b/include/salmon.php
@@ -110,7 +110,7 @@ EOT;
        $data_type = 'application/atom+xml';
        $encoding  = 'base64url';
        $algorithm = 'RSA-SHA256';
-       $keyhash   = base64url_encode(hash('sha256',salmon_key($owner['spubkey'])));
+       $keyhash   = base64url_encode(hash('sha256',salmon_key($owner['spubkey'])),true);
 
        // Setup RSA stuff to PKCS#1 sign the data
 
@@ -127,11 +127,14 @@ EOT;
 
        $precomputed = '.YXBwbGljYXRpb24vYXRvbSt4bWw=.YmFzZTY0dXJs.UlNBLVNIQTI1Ng==';
 
-       $signature  = base64url_encode($rsa->sign($data . $precomputed));
+       $signature   = base64url_encode($rsa->sign(str_replace('=','',$data . $precomputed),true));
 
-       $signature2  = base64url_encode($rsa->sign($data));
+       $signature2  = base64url_encode($rsa->sign($data . $precomputed));
+
+       $signature3  = base64url_encode($rsa->sign($data));
 
        $salmon_tpl = get_markup_template('magicsig.tpl');
+
        $salmon = replace_macros($salmon_tpl,array(
                '$data'      => $data,
                '$encoding'  => $encoding,
@@ -153,11 +156,11 @@ EOT;
 
        if($return_code > 299) {
 
-               logger('slapper: compliant salmon failed. Falling back to status.net hack');
+               logger('slapper: compliant salmon failed. Falling back to status.net hack2');
 
                // Entirely likely that their salmon implementation is
                // non-compliant. Let's try once more, this time only signing
-               // the data, without the precomputed blob 
+               // the data, without stripping '=' chars
 
                $salmon = replace_macros($salmon_tpl,array(
                        '$data'      => $data,
@@ -174,6 +177,30 @@ EOT;
                ));
                $return_code = $a->get_curl_code();
 
+
+               if($return_code > 299) {
+
+                       logger('slapper: compliant salmon failed. Falling back to status.net hack3');
+
+                       // Entirely likely that their salmon implementation is
+                       // non-compliant. Let's try once more, this time only signing
+                       // the data, without the precomputed blob 
+
+                       $salmon = replace_macros($salmon_tpl,array(
+                               '$data'      => $data,
+                               '$encoding'  => $encoding,
+                               '$algorithm' => $algorithm,
+                               '$keyhash'   => $keyhash,
+                               '$signature' => $signature3
+                       ));
+
+                       // slap them 
+                       post_url($url,$salmon, array(
+                               'Content-type: application/magic-envelope+xml',
+                               'Content-length: ' . strlen($salmon)
+                       ));
+                       $return_code = $a->get_curl_code();
+               }
        }
        logger('slapper returned ' . $return_code); 
        if(! $return_code)

diff --git a/mod/hostxrd.php b/mod/hostxrd.php
new file mode 100644 (file)
index 0000000..c7861d2
--- /dev/null
+++ b/mod/hostxrd.php
@@ -0,0 +1,11 @@
+<?php
+
+function hostxrd_init(&$a) {
+       header('Access-Control-Allow-Origin: *');
+       header("Content-type: text/xml");
+       $tpl = file_get_contents('view/xrd_host.tpl');
+       echo str_replace(array('$zroot','$domain'),array(z_root(),z_path()),$tpl);
+       session_write_close();
+       exit();
+
+}
\ No newline at end of file

diff --git a/mod/salmon.php b/mod/salmon.php
index 56ac071b065209aa7a82ced4042790492026b889..300ad87466806cf2d982673f66b4d30d6b4b2f03 100644 (file)
--- a/mod/salmon.php
+++ b/mod/salmon.php
@@ -72,12 +72,16 @@ function salmon_post(&$a) {
        $encoding = $base->encoding;
        $alg = $base->alg;
 
-       // If we're talking to status.net or one of their ilk, they aren't following the magic envelope spec
-       // and only signed the data element. We'll be nice and let them validate anyway. 
+       // Salmon magic signatures have evolved and there is no way of knowing ahead of time which
+       // flavour we have. We'll try and verify it regardless.
 
        $stnet_signed_data = $data;
+
        $signed_data = $data  . '.' . base64url_encode($type) . '.' . base64url_encode($encoding) . '.' . base64url_encode($alg);
 
+       $compliant_format = str_replace('=','',$signed_data);
+
+
        // decode the data
        $data = base64url_decode($data);
 
@@ -150,13 +154,16 @@ function salmon_post(&$a) {
     $rsa->exponent = new Math_BigInteger($e, 256);
 
        // We should have everything we need now. Let's see if it verifies.
-       // If it fails with the proper data format, try again using just the data
-       // (e.g. status.net)
 
-    $verify = $rsa->verify($signed_data,$signature);
+    $verify = $rsa->verify($compliant_format,$signature);
+
+       if(! $verify) {
+               logger('mod-salmon: message did not verify using protocol. Trying padding hack.');
+           $verify = $rsa->verify($signed_data,$signature);
+    }
 
        if(! $verify) {
-               logger('mod-salmon: message did not verify using protocol. Trying statusnet hack.');
+               logger('mod-salmon: message did not verify using padding. Trying old statusnet hack.');
            $verify = $rsa->verify($stnet_signed_data,$signature);
     }
 

diff --git a/mod/xrd.php b/mod/xrd.php
index 4889639f07dcf7ca8b8cd6d26aedc56613d752cd..c96c18f3cead5c796563f7733f9f29ad03928b71 100644 (file)
--- a/mod/xrd.php
+++ b/mod/xrd.php
@@ -23,7 +23,7 @@ function xrd_content(&$a) {
        if(! count($r))
                killme();
 
-       $salmon_key = salmon_key($r[0]['spubkey']);
+       $salmon_key = str_replace('=','',salmon_key($r[0]['spubkey']));
 
        header('Access-Control-Allow-Origin: *');
        header("Content-type: text/xml");

diff --git a/view/magicsig.tpl b/view/magicsig.tpl
index 622e7c5a27a32cad6ea5376df161d30e4a58de30..75f9bc475bcb11885f6e3625e1e08f00111be98e 100644 (file)
--- a/view/magicsig.tpl
+++ b/view/magicsig.tpl
@@ -5,5 +5,5 @@ $data
 </me:data>
 <me:encoding>$encoding</me:encoding>
 <me:alg>$algorithm</me:alg>
-<me:sig keyhash="$keyhash">$signature</me:sig>
+<me:sig key_id="$keyhash">$signature</me:sig>
 </me:env>