From b44fc62708f111449f9ead95c09d4570465c94b7 Mon Sep 17 00:00:00 2001 From: Michael Date: Fri, 21 Sep 2018 22:31:33 +0000 Subject: [PATCH] Improvements to signature check, private posts do work now again --- src/Module/Inbox.php | 4 +- src/Protocol/ActivityPub.php | 158 ++++++++++++++++++++++++----------- src/Util/HTTPSignature.php | 13 ++- src/Util/JsonLD.php | 21 ++++- src/Util/LDSignature.php | 67 +++++++-------- 5 files changed, 166 insertions(+), 97 deletions(-) diff --git a/src/Module/Inbox.php b/src/Module/Inbox.php index 49df14762..891211186 100644 --- a/src/Module/Inbox.php +++ b/src/Module/Inbox.php @@ -25,14 +25,14 @@ class Inbox extends BaseModule System::httpExit(400); } - if (HTTPSignature::verifyAP($postdata, $_SERVER)) { + if (HTTPSignature::getSigner($postdata, $_SERVER)) { $filename = 'signed-activitypub'; } else { $filename = 'failed-activitypub'; } $tempfile = tempnam(get_temppath(), $filename); - file_put_contents($tempfile, json_encode(['argv' => $a->argv, 'header' => $_SERVER, 'body' => $postdata])); + file_put_contents($tempfile, json_encode(['argv' => $a->argv, 'header' => $_SERVER, 'body' => $postdata], JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE)); logger('Incoming message stored under ' . $tempfile); diff --git a/src/Protocol/ActivityPub.php b/src/Protocol/ActivityPub.php index ad4308cbb..b27101aac 100644 --- a/src/Protocol/ActivityPub.php +++ b/src/Protocol/ActivityPub.php @@ -122,10 +122,49 @@ class ActivityPub return $data; } + public static function fetchPermissionBlockFromConversation($item) + { + if (empty($item['thr-parent'])) { + return []; + } + + $condition = ['item-uri' => $item['thr-parent'], 'protocol' => Conversation::PARCEL_ACTIVITYPUB]; + $conversation = DBA::selectFirst('conversation', ['source'], $condition); + if (!DBA::isResult($conversation)) { + return []; + } + + $activity = json_decode($conversation['source'], true); + + $actor = JsonLD::fetchElement($activity, 'actor', 'id'); + $profile = ActivityPub::fetchprofile($actor); + + $permissions = []; + + $elements = ['to', 'cc', 'bto', 'bcc']; + foreach ($elements as $element) { + if (empty($activity[$element])) { + continue; + } + if (is_string($activity[$element])) { + $activity[$element] = [$activity[$element]]; + } + foreach ($activity[$element] as $receiver) { + if ($receiver == $profile['followers']) { + $receiver = System::baseUrl() . '/followers/' . $item['author-nick']; + } + $permissions[$element][] = $receiver; + } + } + return $permissions; + } + public static function createPermissionBlockForItem($item) { $data = ['to' => [], 'cc' => []]; + $data = array_merge($data, self::fetchPermissionBlockFromConversation($item)); + $terms = Term::tagArrayFromItemId($item['id']); if (!$item['private']) { @@ -146,6 +185,7 @@ class ActivityPub $receiver_list = Item::enumeratePermissions($item); $mentioned = []; + $contacts = []; foreach ($terms as $term) { if ($term['type'] != TERM_MENTION) { @@ -155,12 +195,16 @@ class ActivityPub if (!empty($cid) && in_array($cid, $receiver_list)) { $contact = DBA::selectFirst('contact', ['url'], ['id' => $cid, 'network' => Protocol::ACTIVITYPUB]); $data['to'][] = $contact['url']; + $contacts[$contact['url']] = $contact['url']; } } foreach ($receiver_list as $receiver) { $contact = DBA::selectFirst('contact', ['url'], ['id' => $receiver, 'network' => Protocol::ACTIVITYPUB]); - $data['cc'][] = $contact['url']; + if (empty($contacts[$contact['url']])) { + $data['cc'][] = $contact['url']; + $contacts[$contact['url']] = $contact['url']; + } } if (empty($data['to'])) { @@ -213,7 +257,6 @@ class ActivityPub } } else { $receiver_list = Item::enumeratePermissions($item); - $mentioned = []; foreach ($terms as $term) { @@ -224,7 +267,7 @@ class ActivityPub if (!empty($cid) && in_array($cid, $receiver_list)) { $contact = DBA::selectFirst('contact', ['url'], ['id' => $cid, 'network' => Protocol::ACTIVITYPUB]); $profile = self::fetchprofile($contact['url']); - if (!empty($profile['network'])) { + if (!empty($profile)) { $target = defaults($profile, 'sharedinbox', $profile['inbox']); $inboxes[$target] = $target; } @@ -234,7 +277,7 @@ class ActivityPub foreach ($receiver_list as $receiver) { $contact = DBA::selectFirst('contact', ['url'], ['id' => $receiver, 'network' => Protocol::ACTIVITYPUB]); $profile = self::fetchprofile($contact['url']); - if (!empty($profile['network'])) { + if (!empty($profile)) { $target = defaults($profile, 'sharedinbox', $profile['inbox']); $inboxes[$target] = $target; } @@ -276,8 +319,8 @@ class ActivityPub 'conversation' => 'ostatus:conversation', 'inReplyToAtomUri' => 'ostatus:inReplyToAtomUri']]]; - $data['type'] = 'Create'; $data['id'] = $item['uri'] . '#activity'; + $data['type'] = 'Create'; $data['actor'] = $item['author-link']; $data['published'] = DateTimeFormat::utc($item["created"]."+00:00", DateTimeFormat::ATOM); @@ -339,13 +382,27 @@ class ActivityPub public static function createNote($item) { $data = []; - $data['type'] = 'Note'; $data['id'] = $item['uri']; + $data['type'] = 'Note'; + $data['summary'] = null; // Ignore by now if ($item['uri'] != $item['thr-parent']) { $data['inReplyTo'] = $item['thr-parent']; + } else { + $data['inReplyTo'] = null; } + $data['published'] = DateTimeFormat::utc($item["created"]."+00:00", DateTimeFormat::ATOM); + + if ($item["created"] != $item["edited"]) { + $data['updated'] = DateTimeFormat::utc($item["edited"]."+00:00", DateTimeFormat::ATOM); + } + + $data['url'] = $item['uri']; + $data['attributedTo'] = $item['author-link']; + $data['actor'] = $item['author-link']; + $data['sensitive'] = false; // - Query NSFW + $conversation = DBA::selectFirst('conversation', ['conversation-uri'], ['item-uri' => $item['parent-uri']]); if (DBA::isResult($conversation) && !empty($conversation['conversation-uri'])) { $conversation_uri = $conversation['conversation-uri']; @@ -353,24 +410,19 @@ class ActivityPub $conversation_uri = $item['parent-uri']; } - $data['context'] = $data['conversation'] = $conversation_uri; - $data['actor'] = $item['author-link']; - $data = array_merge($data, ActivityPub::createPermissionBlockForItem($item)); - $data['published'] = DateTimeFormat::utc($item["created"]."+00:00", DateTimeFormat::ATOM); + $data['conversation'] = $conversation_uri; - if ($item["created"] != $item["edited"]) { - $data['updated'] = DateTimeFormat::utc($item["edited"]."+00:00", DateTimeFormat::ATOM); + if (!empty($item['title'])) { + $data['name'] = BBCode::convert($item['title'], false, 7); } - $data['attributedTo'] = $item['author-link']; - $data['name'] = BBCode::convert($item['title'], false, 7); $data['content'] = BBCode::convert($item['body'], false, 7); $data['source'] = ['content' => $item['body'], 'mediaType' => "text/bbcode"]; - $data['summary'] = ''; // Ignore by now - $data['sensitive'] = false; // - Query NSFW - //$data['emoji'] = []; // Ignore by now - $data['tag'] = self::createTagList($item); $data['attachment'] = []; // @ToDo + $data['tag'] = self::createTagList($item); + $data = array_merge($data, ActivityPub::createPermissionBlockForItem($item)); + + //$data['emoji'] = []; // Ignore by now return $data; } @@ -643,21 +695,45 @@ class ActivityPub public static function processInbox($body, $header, $uid) { - logger('Incoming message for user ' . $uid, LOGGER_DEBUG); - - if (!HTTPSignature::verifyAP($body, $header)) { - logger('Invalid signature, message will be discarded.', LOGGER_DEBUG); + $http_signer = HTTPSignature::getSigner($body, $header); + if (empty($http_signer)) { + logger('Invalid HTTP signature, message will be discarded.', LOGGER_DEBUG); return; + } else { + logger('HTTP signature is signed by ' . $http_signer, LOGGER_DEBUG); } $activity = json_decode($body, true); - if (!is_array($activity)) { + $actor = JsonLD::fetchElement($activity, 'actor', 'id'); + logger('Message for user ' . $uid . ' is from actor ' . $actor, LOGGER_DEBUG); + + if (empty($activity)) { logger('Invalid body.', LOGGER_DEBUG); return; } - self::processActivity($activity, $body, $uid); + if (LDSignature::isSigned($activity)) { + $ld_signer = LDSignature::getSigner($activity); + if (!empty($ld_signer)) { + logger('JSON-LD signature is signed by ' . $ld_signer, LOGGER_DEBUG); + $trust_source = true; + } elseif ($actor == $http_signer) { + logger('Bad JSON-LD signature, but HTTP signer fits the actor.', LOGGER_DEBUG); + $trust_source = true; + } else { + logger('Invalid JSON-LD signature.', LOGGER_DEBUG); + $trust_source = false; + } + } elseif ($actor == $http_signer) { + logger('Trusting post without JSON-LD signature, The actor fits the HTTP signer.', LOGGER_DEBUG); + $trust_source = true; + } else { + logger('No JSON-LD signature, different actor.', LOGGER_DEBUG); + $trust_source = false; + } + + self::processActivity($activity, $body, $uid, $trust_source); } public static function fetchOutbox($url, $uid) @@ -679,11 +755,11 @@ class ActivityPub } foreach ($items as $activity) { - self::processActivity($activity, '', $uid); + self::processActivity($activity, '', $uid, true); } } - private static function prepareObjectData($activity, $uid) + private static function prepareObjectData($activity, $uid, $trust_source) { $actor = JsonLD::fetchElement($activity, 'actor', 'id'); if (empty($actor)) { @@ -703,23 +779,6 @@ class ActivityPub logger('Receivers: ' . json_encode($receivers), LOGGER_DEBUG); - $unsigned = true; - - if (LDSignature::isSigned($activity)) { - if (!LDSignature::isVerified($activity)) { - logger('Invalid signature. Quitting here.', LOGGER_DEBUG); - return []; - } - logger('Valid signature.', LOGGER_DEBUG); - $unsigned = false; - } elseif (!in_array(0, $receivers)) { - /// @todo Add some checks to only accept unsigned private posts directly from the actor - $unsigned = false; - logger('Private post without signature.', LOGGER_DEBUG); - } else { - logger('Public post without signature. Object data will be fetched.', LOGGER_DEBUG); - } - if (is_string($activity['object'])) { $object_url = $activity['object']; } elseif (!empty($activity['object']['id'])) { @@ -731,7 +790,7 @@ class ActivityPub // Fetch the content only on activities where this matters if (in_array($activity['type'], ['Create', 'Update', 'Announce'])) { - $object_data = self::fetchObject($object_url, $activity['object'], $unsigned); + $object_data = self::fetchObject($object_url, $activity['object'], $trust_source); if (empty($object_data)) { logger("Object data couldn't be processed", LOGGER_DEBUG); return []; @@ -767,7 +826,7 @@ class ActivityPub return $object_data; } - private static function processActivity($activity, $body = '', $uid = null) + private static function processActivity($activity, $body = '', $uid = null, $trust_source = false) { if (empty($activity['type'])) { logger('Empty type', LOGGER_DEBUG); @@ -793,7 +852,7 @@ class ActivityPub logger('Processing activity: ' . $activity['type'], LOGGER_DEBUG); - $object_data = self::prepareObjectData($activity, $uid); + $object_data = self::prepareObjectData($activity, $uid, $trust_source); if (empty($object_data)) { logger('No object data found', LOGGER_DEBUG); return; @@ -935,14 +994,15 @@ class ActivityPub return $object_data; } - private static function fetchObject($object_url, $object = [], $unsigned = true) + private static function fetchObject($object_url, $object = [], $trust_source = false) { - if ($unsigned) { + if (!$trust_source || is_string($object)) { $data = self::fetchContent($object_url); if (empty($data)) { logger('Empty content for ' . $object_url . ', check if content is available locally.', LOGGER_DEBUG); $data = $object_url; - $data = $object; + } else { + logger('Fetched content for ' . $object_url, LOGGER_DEBUG); } } else { logger('Using original object for url ' . $object_url, LOGGER_DEBUG); diff --git a/src/Util/HTTPSignature.php b/src/Util/HTTPSignature.php index 2d8254eeb..8fa8566af 100644 --- a/src/Util/HTTPSignature.php +++ b/src/Util/HTTPSignature.php @@ -266,7 +266,7 @@ class HTTPSignature return; } - $content = json_encode($data); + $content = json_encode($data, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE); // Header data that is about to be signed. $host = parse_url($target, PHP_URL_HOST); @@ -290,7 +290,7 @@ class HTTPSignature logger('Transmit to ' . $target . ' returned ' . $return_code); } - public static function verifyAP($content, $http_headers) + public static function getSigner($content, $http_headers) { $object = json_decode($content, true); @@ -355,7 +355,7 @@ class HTTPSignature return false; } - if (!Crypto::rsaVerify($signed_data, $sig_block['signature'], $key, $algorithm)) { + if (!Crypto::rsaVerify($signed_data, $sig_block['signature'], $key['pubkey'], $algorithm)) { return false; } @@ -383,8 +383,7 @@ class HTTPSignature } } - return true; - + return $key['url']; } private static function fetchKey($id, $actor) @@ -394,12 +393,12 @@ class HTTPSignature $profile = ActivityPub::fetchprofile($url); if (!empty($profile)) { logger('Taking key from id ' . $id, LOGGER_DEBUG); - return $profile['pubkey']; + return ['url' => $url, 'pubkey' => $profile['pubkey']]; } elseif ($url != $actor) { $profile = ActivityPub::fetchprofile($actor); if (!empty($profile)) { logger('Taking key from actor ' . $actor, LOGGER_DEBUG); - return $profile['pubkey']; + return ['url' => $actor, 'pubkey' => $profile['pubkey']]; } } diff --git a/src/Util/JsonLD.php b/src/Util/JsonLD.php index 8fd9f90cb..600896715 100644 --- a/src/Util/JsonLD.php +++ b/src/Util/JsonLD.php @@ -40,11 +40,26 @@ class JsonLD return $data; } + private static function objectify($element) + { + if (is_array($element)) { + $keys = array_keys($element); + if (is_int(array_pop($keys))) { + return array_map('objectify', $element); + } else { + return (object)array_map('objectify', $element); + } + } else { + return $element; + } + } + public static function normalize($json) { jsonld_set_document_loader('Friendica\Util\JsonLD::documentLoader'); - $jsonobj = json_decode(json_encode($json)); +// $jsonobj = array_map('Friendica\Util\JsonLD::objectify', $json); + $jsonobj = json_decode(json_encode($json, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE)); return jsonld_normalize($jsonobj, array('algorithm' => 'URDNA2015', 'format' => 'application/nquads')); } @@ -59,11 +74,11 @@ class JsonLD 'vcard' => (object)['@id' => 'http://www.w3.org/2006/vcard/ns#', '@type' => '@id'], 'uuid' => (object)['@id' => 'http://schema.org/identifier', '@type' => '@id']]; - $jsonobj = json_decode(json_encode($json)); + $jsonobj = json_decode(json_encode($json, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE)); $compacted = jsonld_compact($jsonobj, $context); - return json_decode(json_encode($compacted), true); + return json_decode(json_encode($compacted, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE), true); } public static function fetchElement($array, $element, $key, $type = null, $type_value = null) diff --git a/src/Util/LDSignature.php b/src/Util/LDSignature.php index a52d84e47..6db66a52a 100644 --- a/src/Util/LDSignature.php +++ b/src/Util/LDSignature.php @@ -13,50 +13,52 @@ class LDSignature return !empty($data['signature']); } - public static function isVerified($data, $pubkey = null) + public static function getSigner($data) { if (!self::isSigned($data)) { return false; } - if (empty($pubkey)) { /* - $creator = $data['signature']['creator']; - $actor = JsonLD::fetchElement($data, 'actor', 'id'); + $creator = $data['signature']['creator']; + $actor = JsonLD::fetchElement($data, 'actor', 'id'); - $url = (strpos($creator, '#') ? substr($creator, 0, strpos($creator, '#')) : $creator); + $url = (strpos($creator, '#') ? substr($creator, 0, strpos($creator, '#')) : $creator); - $profile = ActivityPub::fetchprofile($url); - if (!empty($profile)) { - logger('Taking key from creator ' . $creator, LOGGER_DEBUG); - } elseif ($url != $actor) { - $profile = ActivityPub::fetchprofile($actor); - if (empty($profile)) { - return false; - } - logger('Taking key from actor ' . $actor, LOGGER_DEBUG); + $profile = ActivityPub::fetchprofile($url); + if (!empty($profile)) { + logger('Taking key from creator ' . $creator, LOGGER_DEBUG); + } elseif ($url != $actor) { + $profile = ActivityPub::fetchprofile($actor); + if (empty($profile)) { + return false; } + logger('Taking key from actor ' . $actor, LOGGER_DEBUG); + } */ - $actor = JsonLD::fetchElement($data, 'actor', 'id'); - if (empty($actor)) { - return false; - } - - $profile = ActivityPub::fetchprofile($actor); - if (empty($profile['pubkey'])) { - return false; - } - $pubkey = $profile['pubkey']; + $actor = JsonLD::fetchElement($data, 'actor', 'id'); + if (empty($actor)) { + return false; } + $profile = ActivityPub::fetchprofile($actor); + if (empty($profile['pubkey'])) { + return false; + } + $pubkey = $profile['pubkey']; + $ohash = self::hash(self::signable_options($data['signature'])); $dhash = self::hash(self::signable_data($data)); $x = Crypto::rsaVerify($ohash . $dhash, base64_decode($data['signature']['signatureValue']), $pubkey); logger('LD-verify: ' . intval($x)); - return $x; + if (empty($x)) { + return false; + } else { + return $actor; + } } public static function sign($data, $owner) @@ -65,7 +67,7 @@ class LDSignature 'type' => 'RsaSignature2017', 'nonce' => random_string(64), 'creator' => $owner['url'] . '#main-key', - 'created' => DateTimeFormat::utcNow() + 'created' => DateTimeFormat::utcNow(DateTimeFormat::ATOM) ]; $ohash = self::hash(self::signable_options($options)); @@ -78,15 +80,8 @@ class LDSignature private static function signable_data($data) { - $newdata = []; - if (!empty($data)) { - foreach ($data as $k => $v) { - if (!in_array($k, ['signature'])) { - $newdata[$k] = $v; - } - } - } - return $newdata; + unset($data['signature']); + return $data; } @@ -95,7 +90,7 @@ class LDSignature $newopts = ['@context' => 'https://w3id.org/identity/v1']; if (!empty($options)) { foreach ($options as $k => $v) { - if (!in_array($k, ['type','id','signatureValue'])) { + if (!in_array($k, ['type', 'id', 'signatureValue'])) { $newopts[$k] = $v; } }