LD signatures will now be checked when receiving messages

2018-09-21 03:39:32 +00:00 · 2018-09-21 03:39:32 +00:00 · 355346298b
parent 752b5fe284
commit 355346298b
3 changed files with 39 additions and 4 deletions
--- a/src/Protocol/ActivityPub.php
+++ b/src/Protocol/ActivityPub.php
@ -688,7 +688,22 @@ class ActivityPub

 		logger('Receivers: ' . json_encode($receivers), LOGGER_DEBUG);

-		$public = in_array(0, $receivers);
+		$unsigned = true;
+
+		if (LDSignature::isSigned($activity)) {
+			if (!LDSignature::isVerified($activity)) {
+				logger('Invalid signature. Quitting here.', LOGGER_DEBUG);
+				return [];
+			}
+			logger('Valid signature.', LOGGER_DEBUG);
+			$unsigned = false;
+		} elseif (!in_array(0, $receivers)) {
+			/// @todo Add some checks to only accept unsigned private posts directly from the actor
+			$unsigned = false;
+			logger('Private post without signature.', LOGGER_DEBUG);
+		} else {
+			logger('Public post without signature. Object data will be fetched.', LOGGER_DEBUG);
+		}

 		if (is_string($activity['object'])) {
 			$object_url = $activity['object'];
@ -701,7 +716,7 @@ class ActivityPub

 		// Fetch the content only on activities where this matters
 		if (in_array($activity['type'], ['Create', 'Update', 'Announce'])) {
-			$object_data = self::fetchObject($object_url, $activity['object']);
+			$object_data = self::fetchObject($object_url, $activity['object'], $unsigned);
 			if (empty($object_data)) {
 				logger("Object data couldn't be processed", LOGGER_DEBUG);
 				return [];
@ -896,9 +911,9 @@ class ActivityPub
 		return $object_data;
 	}

-	private static function fetchObject($object_url, $object = [], $public = true)
+	private static function fetchObject($object_url, $object = [], $unsigned = true)
 	{
-		if ($public) {
+		if ($unsigned) {
 			$data = self::fetchContent($object_url);
 			if (empty($data)) {
 				logger('Empty content for ' . $object_url . ', check if content is available locally.', LOGGER_DEBUG);
--- a/src/Util/HTTPSignature.php
+++ b/src/Util/HTTPSignature.php
@ -393,10 +393,12 @@ class HTTPSignature

 		$profile = ActivityPub::fetchprofile($url);
 		if (!empty($profile)) {
+			logger('Taking key from id ' . $id, LOGGER_DEBUG);
 			return $profile['pubkey'];
 		} elseif ($url != $actor) {
 			$profile = ActivityPub::fetchprofile($actor);
 			if (!empty($profile)) {
+				logger('Taking key from actor ' . $actor, LOGGER_DEBUG);
 				return $profile['pubkey'];
 			}
 		}
--- a/src/Util/LDSignature.php
+++ b/src/Util/LDSignature.php
@ -20,6 +20,24 @@ class LDSignature
 		}

 		if (empty($pubkey)) {
+/*
+			$creator = $data['signature']['creator'];
+			$actor = JsonLD::fetchElement($data, 'actor', 'id');
+
+			$url = (strpos($creator, '#') ? substr($creator, 0, strpos($creator, '#')) : $creator);
+
+			$profile = ActivityPub::fetchprofile($url);
+			if (!empty($profile)) {
+				logger('Taking key from creator ' . $creator, LOGGER_DEBUG);
+			} elseif ($url != $actor) {
+				$profile = ActivityPub::fetchprofile($actor);
+				if (empty($profile)) {
+					return false;
+				}
+				logger('Taking key from actor ' . $actor, LOGGER_DEBUG);
+			}
+
+*/
 			$actor = JsonLD::fetchElement($data, 'actor', 'id');
 			if (empty($actor)) {
 				return false;