salmon protocol changes magicsig draft-experimental, fixes to hostxrd

12 years ago · 2abcf76ec1
parent 12d5482fc1
commit 2abcf76ec1
6 changed files with 51 additions and 18 deletions
--- a/boot.php
+++ b/boot.php
@ -320,13 +320,12 @@ class App {

 		/**
 		 * Special handling for the webfinger/lrdd host XRD file
-		 * Just spit out the contents and exit.
 		 */

 		if($this->cmd === '.well-known/host-meta') {
-			require_once('include/hostxrd.php');
-			hostxrd();
-			// NOTREACHED
+			$this->argc = 1;
+			$this->argv = array('hostxrd');
+			$this->module = 'hostxrd';
 		}

 		/**
--- a/include/salmon.php
+++ b/include/salmon.php
@ -110,7 +110,7 @@ EOT;
 	$data_type = 'application/atom+xml';
 	$encoding  = 'base64url';
 	$algorithm = 'RSA-SHA256';
-	$keyhash   = base64url_encode(hash('sha256',salmon_key($owner['spubkey'])));
+	$keyhash   = base64url_encode(hash('sha256',salmon_key($owner['spubkey'])),true);

 	// Setup RSA stuff to PKCS#1 sign the data

@ -127,11 +127,14 @@ EOT;

 	$precomputed = '.YXBwbGljYXRpb24vYXRvbSt4bWw=.YmFzZTY0dXJs.UlNBLVNIQTI1Ng==';

-	$signature  = base64url_encode($rsa->sign($data . $precomputed));
+	$signature   = base64url_encode($rsa->sign(str_replace('=','',$data . $precomputed),true));

-	$signature2  = base64url_encode($rsa->sign($data));
+	$signature2  = base64url_encode($rsa->sign($data . $precomputed));
+
+	$signature3  = base64url_encode($rsa->sign($data));

 	$salmon_tpl = get_markup_template('magicsig.tpl');
+
 	$salmon = replace_macros($salmon_tpl,array(
 		'$data'      => $data,
 		'$encoding'  => $encoding,
@ -153,11 +156,11 @@ EOT;

 	if($return_code > 299) {

-		logger('slapper: compliant salmon failed. Falling back to status.net hack');
+		logger('slapper: compliant salmon failed. Falling back to status.net hack2');

 		// Entirely likely that their salmon implementation is
 		// non-compliant. Let's try once more, this time only signing
-		// the data, without the precomputed blob 
+		// the data, without stripping '=' chars

 		$salmon = replace_macros($salmon_tpl,array(
 			'$data'      => $data,
@ -174,6 +177,30 @@ EOT;
 		));
 		$return_code = $a->get_curl_code();

+
+		if($return_code > 299) {
+
+			logger('slapper: compliant salmon failed. Falling back to status.net hack3');
+
+			// Entirely likely that their salmon implementation is
+			// non-compliant. Let's try once more, this time only signing
+			// the data, without the precomputed blob 
+
+			$salmon = replace_macros($salmon_tpl,array(
+				'$data'      => $data,
+				'$encoding'  => $encoding,
+				'$algorithm' => $algorithm,
+				'$keyhash'   => $keyhash,
+				'$signature' => $signature3
+			));
+
+			// slap them 
+			post_url($url,$salmon, array(
+				'Content-type: application/magic-envelope+xml',
+				'Content-length: ' . strlen($salmon)
+			));
+			$return_code = $a->get_curl_code();
+		}
 	}
 	logger('slapper returned ' . $return_code); 
 	if(! $return_code)
--- a/include/hostxrd.php
+++ b/include/hostxrd.php
@ -1,6 +1,6 @@
 <?php

-function hostxrd() {
+function hostxrd_init(&$a) {
 	header('Access-Control-Allow-Origin: *');
 	header("Content-type: text/xml");
 	$tpl = file_get_contents('view/xrd_host.tpl');
--- a/mod/salmon.php
+++ b/mod/salmon.php
@ -72,12 +72,16 @@ function salmon_post(&$a) {
 	$encoding = $base->encoding;
 	$alg = $base->alg;

-	// If we're talking to status.net or one of their ilk, they aren't following the magic envelope spec
-	// and only signed the data element. We'll be nice and let them validate anyway. 
+	// Salmon magic signatures have evolved and there is no way of knowing ahead of time which
+	// flavour we have. We'll try and verify it regardless.

 	$stnet_signed_data = $data;
+
 	$signed_data = $data  . '.' . base64url_encode($type) . '.' . base64url_encode($encoding) . '.' . base64url_encode($alg);

+	$compliant_format = str_replace('=','',$signed_data);
+
+
 	// decode the data
 	$data = base64url_decode($data);

@ -150,13 +154,16 @@ function salmon_post(&$a) {
    $rsa->exponent = new Math_BigInteger($e, 256);

 	// We should have everything we need now. Let's see if it verifies.
-	// If it fails with the proper data format, try again using just the data
-	// (e.g. status.net)

-    $verify = $rsa->verify($signed_data,$signature);
+    $verify = $rsa->verify($compliant_format,$signature);
+
+	if(! $verify) {
+		logger('mod-salmon: message did not verify using protocol. Trying padding hack.');
+	    $verify = $rsa->verify($signed_data,$signature);
+    }

 	if(! $verify) {
-		logger('mod-salmon: message did not verify using protocol. Trying statusnet hack.');
+		logger('mod-salmon: message did not verify using padding. Trying old statusnet hack.');
 	    $verify = $rsa->verify($stnet_signed_data,$signature);
    }

--- a/mod/xrd.php
+++ b/mod/xrd.php
@ -23,7 +23,7 @@ function xrd_content(&$a) {
 	if(! count($r))
 		killme();

-	$salmon_key = salmon_key($r[0]['spubkey']);
+	$salmon_key = str_replace('=','',salmon_key($r[0]['spubkey']));

 	header('Access-Control-Allow-Origin: *');
 	header("Content-type: text/xml");
--- a/view/magicsig.tpl
+++ b/view/magicsig.tpl
@ -5,5 +5,5 @@ $data
 </me:data>
 <me:encoding>$encoding</me:encoding>
 <me:alg>$algorithm</me:alg>
-<me:sig keyhash="$keyhash">$signature</me:sig>
+<me:sig key_id="$keyhash">$signature</me:sig>
 </me:env>