Merge pull request #10189 from annando/signature-message
Improved logging for invalid HTTP signatures
commit
60f0af3daa
2 changed files with 16 additions and 2 deletions
|
@ -111,9 +111,12 @@ class Receiver
|
||||||
}
|
}
|
||||||
|
|
||||||
$http_signer = HTTPSignature::getSigner($body, $header);
|
$http_signer = HTTPSignature::getSigner($body, $header);
|
||||||
if (empty($http_signer)) {
|
if ($http_signer === false) {
|
||||||
Logger::warning('Invalid HTTP signature, message will be discarded.');
|
Logger::warning('Invalid HTTP signature, message will be discarded.');
|
||||||
return;
|
return;
|
||||||
|
} elseif (empty($http_signer)) {
|
||||||
|
Logger::info('Signer is a tombstone. The message will be discarded, the signer account is deleted.');
|
||||||
|
return;
|
||||||
} else {
|
} else {
|
||||||
Logger::info('Valid HTTP signature', ['signer' => $http_signer]);
|
Logger::info('Valid HTTP signature', ['signer' => $http_signer]);
|
||||||
}
|
}
|
||||||
|
|
|
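Review bot: The new `$http_signer === false` / `elseif (empty($http_signer))` split only reports an invalid signature at warning level when getSigner() returns exactly `false`, and nothing at this call site records that contract. Any rejection path that returned `null`, `''` or `0` instead would be logged at info level as a deleted signer, which hides a signature failure behind a benign-looking message. Ordering the checks the other way round fails safe: test `if ($http_signer === null)` first for the tombstone message, and leave `} elseif (empty($http_signer)) {` for the warning, so every unexpected empty value is treated as an invalid signature. A comment such as `// getSigner(): false = signature rejected, null = signer is a tombstone, otherwise the signer` above the check would document the three states. The enclosing method starts and ends outside this hunk.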
@ -473,12 +473,14 @@ class HTTPSignature
|
||||||
public static function getSigner($content, $http_headers)
|
public static function getSigner($content, $http_headers)
|
||||||
{
|
{
|
||||||
if (empty($http_headers['HTTP_SIGNATURE'])) {
|
if (empty($http_headers['HTTP_SIGNATURE'])) {
|
||||||
|
Logger::info('No HTTP_SIGNATURE header');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!empty($content)) {
|
if (!empty($content)) {
|
||||||
$object = json_decode($content, true);
|
$object = json_decode($content, true);
|
||||||
if (empty($object)) {
|
if (empty($object)) {
|
||||||
|
Logger::info('No object');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -507,6 +509,7 @@ class HTTPSignature
|
||||||
$sig_block = self::parseSigHeader($http_headers['HTTP_SIGNATURE']);
|
$sig_block = self::parseSigHeader($http_headers['HTTP_SIGNATURE']);
|
||||||
|
|
||||||
if (empty($sig_block) || empty($sig_block['headers']) || empty($sig_block['keyId'])) {
|
if (empty($sig_block) || empty($sig_block['headers']) || empty($sig_block['keyId'])) {
|
||||||
|
Logger::info('No headers or keyId');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -519,6 +522,7 @@ class HTTPSignature
|
||||||
$signed_data = rtrim($signed_data, "\n");
|
$signed_data = rtrim($signed_data, "\n");
|
||||||
|
|
||||||
if (empty($signed_data)) {
|
if (empty($signed_data)) {
|
||||||
|
Logger::info('Signed data is empty');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -541,11 +545,13 @@ class HTTPSignature
|
||||||
}
|
}
|
||||||
|
|
||||||
if (empty($algorithm)) {
|
if (empty($algorithm)) {
|
||||||
|
Logger::info('No alagorithm');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$key = self::fetchKey($sig_block['keyId'], $actor);
|
$key = self::fetchKey($sig_block['keyId'], $actor);
|
||||||
if (empty($key)) {
|
if (empty($key)) {
|
||||||
|
Logger::info('Empty key');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -554,14 +560,16 @@ class HTTPSignature
|
||||||
|
|
||||||
// We now delete everything that we possibly knew from this actor
|
// We now delete everything that we possibly knew from this actor
|
||||||
Contact::deleteContactByUrl($key['url']);
|
Contact::deleteContactByUrl($key['url']);
|
||||||
return false;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (empty($key['pubkey'])) {
|
if (empty($key['pubkey'])) {
|
||||||
|
Logger::info('Empty pubkey');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!Crypto::rsaVerify($signed_data, $sig_block['signature'], $key['pubkey'], $algorithm)) {
|
if (!Crypto::rsaVerify($signed_data, $sig_block['signature'], $key['pubkey'], $algorithm)) {
|
||||||
|
Logger::info('Verification failed');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -580,6 +588,7 @@ class HTTPSignature
|
||||||
/// @todo add all hashes from the rfc
|
/// @todo add all hashes from the rfc
|
||||||
|
|
||||||
if (!empty($hashalg) && base64_encode(hash($hashalg, $content, true)) != $digest[1]) {
|
if (!empty($hashalg) && base64_encode(hash($hashalg, $content, true)) != $digest[1]) {
|
||||||
|
Logger::info('Digest does not match');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -599,6 +608,7 @@ class HTTPSignature
|
||||||
// Check the content-length when it is part of the signed data
|
// Check the content-length when it is part of the signed data
|
||||||
if (in_array('content-length', $sig_block['headers'])) {
|
if (in_array('content-length', $sig_block['headers'])) {
|
||||||
if (strlen($content) != $headers['content-length']) {
|
if (strlen($content) != $headers['content-length']) {
|
||||||
|
Logger::info('Content length does not match');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -606,6 +616,7 @@ class HTTPSignature
|
||||||
// Ensure that the authentication had been done with some content
|
// Ensure that the authentication had been done with some content
|
||||||
// Without this check someone could authenticate with fakeable data
|
// Without this check someone could authenticate with fakeable data
|
||||||
if (!$hasGoodSignedContent) {
|
if (!$hasGoodSignedContent) {
|
||||||
|
Logger::info('No good signed content');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
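Review bot: The rejection messages added to getSigner() carry no identifying context, so lines such as 'Verification failed', 'Digest does not match' or 'Empty key' cannot be attributed to a sender from the log alone. Once `$sig_block` has been parsed, the key id can be passed as structured context, e.g. `Logger::info('Verification failed', ['keyId' => $sig_block['keyId']]);`, keeping it in the context array rather than concatenating it into the message because the value comes from the request header. The reasons are logged at info while the caller's summary is a warning, so a deployment that presumably keeps only warnings would lose the reason; if that is intended, a short comment saying so would help. The message `'No alagorithm'` should read `'No algorithm'`, and the changed `return null;` in the tombstone branch deserves a line in the method's docblock, which lies outside these hunks.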