From 355346298bc99c97fa98157701c3fe7ef4905e5c Mon Sep 17 00:00:00 2001
From: Michael
Date: Fri, 21 Sep 2018 03:39:32 +0000
Subject: [PATCH] LD signatures will now be checked when receiving messages

---
 src/Protocol/ActivityPub.php | 23 +++++++++++++++++++----
 src/Util/HTTPSignature.php   |  2 ++
 src/Util/LDSignature.php     | 18 ++++++++++++++++++
 3 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/src/Protocol/ActivityPub.php b/src/Protocol/ActivityPub.php
index 6f5fdedc95..c064ffa396 100644
--- a/src/Protocol/ActivityPub.php
+++ b/src/Protocol/ActivityPub.php
@@ -688,7 +688,22 @@ class ActivityPub
         logger('Receivers: ' . json_encode($receivers), LOGGER_DEBUG);
-        $public = in_array(0, $receivers);
+        $unsigned = true;
+
+        if (LDSignature::isSigned($activity)) {
+            if (!LDSignature::isVerified($activity)) {
+                logger('Invalid signature. Quitting here.', LOGGER_DEBUG);
+                return [];
+            }
+            logger('Valid signature.', LOGGER_DEBUG);
+            $unsigned = false;
+        } elseif (!in_array(0, $receivers)) {
+            /// @todo Add some checks to only accept unsigned private posts directly from the actor
+            $unsigned = false;
+            logger('Private post without signature.', LOGGER_DEBUG);
+        } else {
+            logger('Public post without signature. Object data will be fetched.', LOGGER_DEBUG);
+        }
         if (is_string($activity['object'])) {
             $object_url = $activity['object'];
@@ -701,7 +716,7 @@ class ActivityPub
         // Fetch the content only on activities where this matters
         if (in_array($activity['type'], ['Create', 'Update', 'Announce'])) {
-            $object_data = self::fetchObject($object_url, $activity['object']);
+            $object_data = self::fetchObject($object_url, $activity['object'], $unsigned);
             if (empty($object_data)) {
                 logger("Object data couldn't be processed", LOGGER_DEBUG);
                 return [];
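Review bot: The `elseif (!in_array(0, $receivers))` branch sets `$unsigned = false` for an activity that carries no LD signature at all, and that flag later makes `fetchObject` accept the embedded `$activity['object']` verbatim instead of refetching it by URL; the `/// @todo` admits the missing actor check, but as committed any private Create that reaches this point (whatever transport-level checks precede it are not visible here) gets its inline object content trusted without any signature. Until that check exists the conservative choice is to leave `$unsigned = true` in this branch so the object is resolved from `$object_url`, or to reject the activity outright. Separately, `in_array(0, $receivers)` compares loosely; if `$receivers` can hold non-numeric strings (here it is only visible through `json_encode`), PHP 7's `0 == 'string'` is true and every such activity is classified as public — `in_array(0, $receivers, true)` avoids that. The name also reads inverted (an unsigned post ends with `$unsigned === false`); something like `$fetch_object` would say what the flag actually controls. The enclosing method starts and ends outside the hunk.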
@@ -896,9 +911,9 @@ class ActivityPub
         return $object_data;
     }
-    private static function fetchObject($object_url, $object = [], $public = true)
+    private static function fetchObject($object_url, $object = [], $unsigned = true)
     {
-        if ($public) {
+        if ($unsigned) {
             $data = self::fetchContent($object_url);
             if (empty($data)) {
                 logger('Empty content for ' . $object_url . ', check if content is available locally.', LOGGER_DEBUG);
diff --git a/src/Util/HTTPSignature.php b/src/Util/HTTPSignature.php
index f6a5fe1fe4..2d8254eeb8 100644
--- a/src/Util/HTTPSignature.php
+++ b/src/Util/HTTPSignature.php
@@ -393,10 +393,12 @@ class HTTPSignature
         $profile = ActivityPub::fetchprofile($url);
         if (!empty($profile)) {
+            logger('Taking key from id ' . $id, LOGGER_DEBUG);
             return $profile['pubkey'];
         } elseif ($url != $actor) {
             $profile = ActivityPub::fetchprofile($actor);
             if (!empty($profile)) {
+                logger('Taking key from actor ' . $actor, LOGGER_DEBUG);
                 return $profile['pubkey'];
             }
         }
diff --git a/src/Util/LDSignature.php b/src/Util/LDSignature.php
index 7288b584c7..a52d84e478 100644
--- a/src/Util/LDSignature.php
+++ b/src/Util/LDSignature.php
@@ -20,6 +20,24 @@ class LDSignature
         }
         if (empty($pubkey)) {
+/*
+            $creator = $data['signature']['creator'];
+            $actor = JsonLD::fetchElement($data, 'actor', 'id');
+
+            $url = (strpos($creator, '#') ? substr($creator, 0, strpos($creator, '#')) : $creator);
+
+            $profile = ActivityPub::fetchprofile($url);
+            if (!empty($profile)) {
+                logger('Taking key from creator ' . $creator, LOGGER_DEBUG);
+            } elseif ($url != $actor) {
+                $profile = ActivityPub::fetchprofile($actor);
+                if (empty($profile)) {
+                    return false;
+                }
+                logger('Taking key from actor ' . $actor, LOGGER_DEBUG);
+            }
+
+*/
             $actor = JsonLD::fetchElement($data, 'actor', 'id');
             if (empty($actor)) {
                 return false;
--
2.39.5
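Review bot: `fetchObject`'s third parameter now decides whether the caller-supplied `$object` is trusted or the object is refetched from its origin, yet the method has no docblock and the name `$unsigned` describes the caller's situation rather than what the function does with it. I would add a short PHPDoc above the signature saying that the method resolves an activity's object, that `$object_url` is fetched when `$unsigned` is true, and that a false value accepts the embedded `$object` without contacting the origin server, so callers must pass false only after a signature covering that object has been verified. The rest of the method lies outside the hunk, so how `$object` is validated on the false path cannot be judged here.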
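Review bot: The eighteen added lines in LDSignature.php are a commented-out block and should not be merged as such — either finish it or drop it, leaving `$actor = JsonLD::fetchElement($data, 'actor', 'id');` as the only live key lookup. As written the block is also incomplete and unsafe to revive: it never assigns `$pubkey` from the fetched `$profile`, and it resolves the key from `signature.creator` (stripped of its fragment) without checking that `$url` is the activity's actor, so a sender could point `creator` at a key they control, sign an activity whose `actor` is someone else, and the comparison `$url != $actor` would only run when the creator fetch fails. Any future version needs `if ($url != $actor) { return false; }` (or an equivalent owner check) before the creator's key is accepted; the live code that follows, which always takes the actor's key, does not have this problem. The enclosing method starts and ends outside the hunk.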