salmon protocol changes magicsig draft-experimental, fixes to hostxrd

This commit is contained in:
Friendika 2011-08-04 22:37:45 -07:00
parent 12d5482fc1
commit 2abcf76ec1
6 changed files with 51 additions and 18 deletions

View file

@ -320,13 +320,12 @@ class App {
/** /**
* Special handling for the webfinger/lrdd host XRD file * Special handling for the webfinger/lrdd host XRD file
* Just spit out the contents and exit.
*/ */
if($this->cmd === '.well-known/host-meta') { if($this->cmd === '.well-known/host-meta') {
require_once('include/hostxrd.php'); $this->argc = 1;
hostxrd(); $this->argv = array('hostxrd');
// NOTREACHED $this->module = 'hostxrd';
} }
/** /**

View file

@ -110,7 +110,7 @@ EOT;
$data_type = 'application/atom+xml'; $data_type = 'application/atom+xml';
$encoding = 'base64url'; $encoding = 'base64url';
$algorithm = 'RSA-SHA256'; $algorithm = 'RSA-SHA256';
$keyhash = base64url_encode(hash('sha256',salmon_key($owner['spubkey']))); $keyhash = base64url_encode(hash('sha256',salmon_key($owner['spubkey'])),true);
// Setup RSA stuff to PKCS#1 sign the data // Setup RSA stuff to PKCS#1 sign the data
@ -127,11 +127,14 @@ EOT;
$precomputed = '.YXBwbGljYXRpb24vYXRvbSt4bWw=.YmFzZTY0dXJs.UlNBLVNIQTI1Ng=='; $precomputed = '.YXBwbGljYXRpb24vYXRvbSt4bWw=.YmFzZTY0dXJs.UlNBLVNIQTI1Ng==';
$signature = base64url_encode($rsa->sign($data . $precomputed)); $signature = base64url_encode($rsa->sign(str_replace('=','',$data . $precomputed),true));
$signature2 = base64url_encode($rsa->sign($data)); $signature2 = base64url_encode($rsa->sign($data . $precomputed));
$signature3 = base64url_encode($rsa->sign($data));
$salmon_tpl = get_markup_template('magicsig.tpl'); $salmon_tpl = get_markup_template('magicsig.tpl');
$salmon = replace_macros($salmon_tpl,array( $salmon = replace_macros($salmon_tpl,array(
'$data' => $data, '$data' => $data,
'$encoding' => $encoding, '$encoding' => $encoding,
@ -153,11 +156,11 @@ EOT;
if($return_code > 299) { if($return_code > 299) {
logger('slapper: compliant salmon failed. Falling back to status.net hack'); logger('slapper: compliant salmon failed. Falling back to status.net hack2');
// Entirely likely that their salmon implementation is // Entirely likely that their salmon implementation is
// non-compliant. Let's try once more, this time only signing // non-compliant. Let's try once more, this time only signing
// the data, without the precomputed blob // the data, without stripping '=' chars
$salmon = replace_macros($salmon_tpl,array( $salmon = replace_macros($salmon_tpl,array(
'$data' => $data, '$data' => $data,
@ -174,6 +177,30 @@ EOT;
)); ));
$return_code = $a->get_curl_code(); $return_code = $a->get_curl_code();
if($return_code > 299) {
logger('slapper: compliant salmon failed. Falling back to status.net hack3');
// Entirely likely that their salmon implementation is
// non-compliant. Let's try once more, this time only signing
// the data, without the precomputed blob
$salmon = replace_macros($salmon_tpl,array(
'$data' => $data,
'$encoding' => $encoding,
'$algorithm' => $algorithm,
'$keyhash' => $keyhash,
'$signature' => $signature3
));
// slap them
post_url($url,$salmon, array(
'Content-type: application/magic-envelope+xml',
'Content-length: ' . strlen($salmon)
));
$return_code = $a->get_curl_code();
}
} }
logger('slapper returned ' . $return_code); logger('slapper returned ' . $return_code);
if(! $return_code) if(! $return_code)

View file

@ -1,6 +1,6 @@
<?php <?php
function hostxrd() { function hostxrd_init(&$a) {
header('Access-Control-Allow-Origin: *'); header('Access-Control-Allow-Origin: *');
header("Content-type: text/xml"); header("Content-type: text/xml");
$tpl = file_get_contents('view/xrd_host.tpl'); $tpl = file_get_contents('view/xrd_host.tpl');

View file

@ -72,12 +72,16 @@ function salmon_post(&$a) {
$encoding = $base->encoding; $encoding = $base->encoding;
$alg = $base->alg; $alg = $base->alg;
// If we're talking to status.net or one of their ilk, they aren't following the magic envelope spec // Salmon magic signatures have evolved and there is no way of knowing ahead of time which
// and only signed the data element. We'll be nice and let them validate anyway. // flavour we have. We'll try and verify it regardless.
$stnet_signed_data = $data; $stnet_signed_data = $data;
$signed_data = $data . '.' . base64url_encode($type) . '.' . base64url_encode($encoding) . '.' . base64url_encode($alg); $signed_data = $data . '.' . base64url_encode($type) . '.' . base64url_encode($encoding) . '.' . base64url_encode($alg);
$compliant_format = str_replace('=','',$signed_data);
// decode the data // decode the data
$data = base64url_decode($data); $data = base64url_decode($data);
@ -150,13 +154,16 @@ function salmon_post(&$a) {
$rsa->exponent = new Math_BigInteger($e, 256); $rsa->exponent = new Math_BigInteger($e, 256);
// We should have everything we need now. Let's see if it verifies. // We should have everything we need now. Let's see if it verifies.
// If it fails with the proper data format, try again using just the data
// (e.g. status.net)
$verify = $rsa->verify($signed_data,$signature); $verify = $rsa->verify($compliant_format,$signature);
if(! $verify) { if(! $verify) {
logger('mod-salmon: message did not verify using protocol. Trying statusnet hack.'); logger('mod-salmon: message did not verify using protocol. Trying padding hack.');
$verify = $rsa->verify($signed_data,$signature);
}
if(! $verify) {
logger('mod-salmon: message did not verify using padding. Trying old statusnet hack.');
$verify = $rsa->verify($stnet_signed_data,$signature); $verify = $rsa->verify($stnet_signed_data,$signature);
} }

View file

@ -23,7 +23,7 @@ function xrd_content(&$a) {
if(! count($r)) if(! count($r))
killme(); killme();
$salmon_key = salmon_key($r[0]['spubkey']); $salmon_key = str_replace('=','',salmon_key($r[0]['spubkey']));
header('Access-Control-Allow-Origin: *'); header('Access-Control-Allow-Origin: *');
header("Content-type: text/xml"); header("Content-type: text/xml");

View file

@ -5,5 +5,5 @@ $data
</me:data> </me:data>
<me:encoding>$encoding</me:encoding> <me:encoding>$encoding</me:encoding>
<me:alg>$algorithm</me:alg> <me:alg>$algorithm</me:alg>
<me:sig keyhash="$keyhash">$signature</me:sig> <me:sig key_id="$keyhash">$signature</me:sig>
</me:env> </me:env>