public function onEndAttachPubkeyToUserXRD(Magicsig $magicsig, XML_XRD $xrd, Profile $target) { // So far we've only handled RSA keys, but it can change in the future, // so be prepared. And remember to change the statically assigned type attribute below! assert($magicsig->publicKey instanceof Crypt_RSA); $xrd->links[] = new XML_XRD_Element_Link(self::REL_PUBLIC_KEY, base64_encode($magicsig->exportPublicKey()), 'RSA'); // Instead of choosing a random string, we calculate our GUID from the public key // by fingerprint through a sha256 hash. $xrd->links[] = new XML_XRD_Element_Link(self::REL_GUID, strtolower($magicsig->toFingerprint())); }
function handle() { $nick = $this->user->nickname; $profile = $this->user->getProfile(); if (empty($this->xrd)) { $xrd = new XRD(); } else { $xrd = $this->xrd; } if (empty($xrd->subject)) { $xrd->subject = Discovery::normalize($this->uri); } // Possible aliases for the user $uris = array($this->user->uri, $profile->profileurl); // FIXME: Webfinger generation code should live somewhere on its own $path = common_config('site', 'path'); if (empty($path)) { $uris[] = sprintf('acct:%s@%s', $nick, common_config('site', 'server')); } foreach ($uris as $uri) { if ($uri != $xrd->subject) { $xrd->alias[] = $uri; } } $xrd->links[] = array('rel' => Discovery::PROFILEPAGE, 'type' => 'text/html', 'href' => $profile->profileurl); $xrd->links[] = array('rel' => Discovery::UPDATESFROM, 'href' => common_local_url('ApiTimelineUser', array('id' => $this->user->id, 'format' => 'atom')), 'type' => 'application/atom+xml'); // hCard $xrd->links[] = array('rel' => Discovery::HCARD, 'type' => 'text/html', 'href' => common_local_url('hcard', array('nickname' => $nick))); // XFN $xrd->links[] = array('rel' => 'http://gmpg.org/xfn/11', 'type' => 'text/html', 'href' => $profile->profileurl); // FOAF $xrd->links[] = array('rel' => 'describedby', 'type' => 'application/rdf+xml', 'href' => common_local_url('foaf', array('nickname' => $nick))); // Salmon $salmon_url = common_local_url('usersalmon', array('id' => $this->user->id)); $xrd->links[] = array('rel' => Salmon::REL_SALMON, 'href' => $salmon_url); // XXX : Deprecated - to be removed. $xrd->links[] = array('rel' => Salmon::NS_REPLIES, 'href' => $salmon_url); $xrd->links[] = array('rel' => Salmon::NS_MENTIONS, 'href' => $salmon_url); // Get this user's keypair $magickey = Magicsig::staticGet('user_id', $this->user->id); if (!$magickey) { // No keypair yet, let's generate one. $magickey = new Magicsig(); $magickey->generate($this->user->id); } $xrd->links[] = array('rel' => Magicsig::PUBLICKEYREL, 'href' => 'data:application/magic-public-key,' . $magickey->toString(false)); // TODO - finalize where the redirect should go on the publisher $url = common_local_url('ostatussub') . '?profile={uri}'; $xrd->links[] = array('rel' => 'http://ostatus.org/schema/1.0/subscribe', 'template' => $url); $url = common_local_url('tagprofile') . '?uri={uri}'; $xrd->links[] = array('rel' => 'http://ostatus.org/schema/1.0/tag', 'template' => $url); header('Content-type: application/xrd+xml'); print $xrd->toXML(); }
public function createMagicEnv($text, $actor) { $magic_env = new MagicEnvelope(); $user = User::staticGet('id', $actor->id); if ($user->id) { // Use local key $magickey = Magicsig::staticGet('user_id', $user->id); if (!$magickey) { // No keypair yet, let's generate one. $magickey = new Magicsig(); $magickey->generate($user->id); } } else { throw new Exception("Salmon invalid actor for signing"); } try { $env = $magic_env->signMessage($text, 'application/atom+xml', $magickey->toString()); } catch (Exception $e) { return $text; } return $magic_env->toXML($env); }
function handle() { $nick = $this->user->nickname; if (empty($this->xrd)) { $xrd = new XRD(); } else { $xrd = $this->xrd; } if (empty($xrd->subject)) { $xrd->subject = Discovery::normalize($this->uri); } $xrd->alias[] = $this->user->uri; $xrd->links[] = array('rel' => Discovery::PROFILEPAGE, 'type' => 'text/html', 'href' => $this->user->uri); $xrd->links[] = array('rel' => Discovery::UPDATESFROM, 'href' => common_local_url('ApiTimelineUser', array('id' => $this->user->id, 'format' => 'atom')), 'type' => 'application/atom+xml'); // hCard $xrd->links[] = array('rel' => Discovery::HCARD, 'type' => 'text/html', 'href' => common_local_url('hcard', array('nickname' => $nick))); // XFN $xrd->links[] = array('rel' => 'http://gmpg.org/xfn/11', 'type' => 'text/html', 'href' => $this->user->uri); // FOAF $xrd->links[] = array('rel' => 'describedby', 'type' => 'application/rdf+xml', 'href' => common_local_url('foaf', array('nickname' => $nick))); // Salmon $salmon_url = common_local_url('usersalmon', array('id' => $this->user->id)); $xrd->links[] = array('rel' => Salmon::NS_REPLIES, 'href' => $salmon_url); $xrd->links[] = array('rel' => Salmon::NS_MENTIONS, 'href' => $salmon_url); // Get this user's keypair $magickey = Magicsig::staticGet('user_id', $this->user->id); if (!$magickey) { // No keypair yet, let's generate one. $magickey = new Magicsig(); $magickey->generate($this->user->id); } $xrd->links[] = array('rel' => Magicsig::PUBLICKEYREL, 'href' => 'data:application/magic-public-key,' . $magickey->toString(false)); // TODO - finalize where the redirect should go on the publisher $url = common_local_url('ostatussub') . '?profile={uri}'; $xrd->links[] = array('rel' => 'http://ostatus.org/schema/1.0/subscribe', 'template' => $url); header('Content-type: text/xml'); print $xrd->toXML(); }
protected function prepare(array $args = array()) { GNUsocial::setApi(true); // Send smaller error pages parent::prepare($args); if (!isset($_SERVER['CONTENT_TYPE'])) { // TRANS: Client error. Do not translate "Content-type" $this->clientError(_m('Salmon requires a Content-type header.')); } $envxml = null; switch ($_SERVER['CONTENT_TYPE']) { case 'application/magic-envelope+xml': $envxml = file_get_contents('php://input'); break; case 'application/x-www-form-urlencoded': $envxml = Magicsig::base64_url_decode($this->trimmed('xml')); break; default: // TRANS: Client error. Do not translate the quoted "application/[type]" strings. $this->clientError(_m('Salmon requires "application/magic-envelope+xml". For Diaspora we also accept "application/x-www-form-urlencoded" with an "xml" parameter.', 415)); } try { if (empty($envxml)) { throw new ClientException('No magic envelope supplied in POST.'); } $magic_env = new MagicEnvelope($envxml); // parse incoming XML as a MagicEnvelope $entry = $magic_env->getPayload(); // Not cryptographically verified yet! $this->activity = new Activity($entry->documentElement); if (empty($this->activity->actor->id)) { common_log(LOG_ERR, "broken actor: " . var_export($this->activity->actor->id, true)); common_log(LOG_ERR, "activity with no actor: " . var_export($this->activity, true)); // TRANS: Exception. throw new Exception(_m('Received a salmon slap from unidentified actor.')); } // ensureProfiles sets $this->actor and $this->oprofile $this->ensureProfiles(); } catch (Exception $e) { common_debug('Salmon envelope parsing failed with: ' . $e->getMessage()); $this->clientError($e->getMessage()); } // Cryptographic verification test if (!$magic_env->verify($this->actor)) { common_log(LOG_DEBUG, "Salmon signature verification failed."); // TRANS: Client error. $this->clientError(_m('Salmon signature verification failed.')); } return true; }
/** * Sign and post the given Atom entry as a Salmon message. * * Side effects: may generate a keypair on-demand for the given user, * which can be very slow on some systems (like those without php5-gmp). * * @param string $endpoint_uri * @param string $xml string representation of payload * @param User $user local user profile whose keys we sign with * @return boolean success */ public static function post($endpoint_uri, $xml, User $user) { if (empty($endpoint_uri)) { common_debug('No endpoint URI for Salmon post to ' . $user->getUri()); return false; } try { $magic_env = MagicEnvelope::signAsUser($xml, $user); $envxml = $magic_env->toXML(); } catch (Exception $e) { common_log(LOG_ERR, "Salmon unable to sign: " . $e->getMessage()); return false; } $headers = array('Content-Type: application/magic-envelope+xml'); try { $client = new HTTPClient(); $client->setBody($envxml); $response = $client->post($endpoint_uri, $headers); } catch (HTTP_Request2_Exception $e) { common_log(LOG_ERR, "Salmon post to {$endpoint_uri} failed: " . $e->getMessage()); return false; } // Diaspora wants a slightly different formatting on the POST (other Content-type, so body needs "xml=") if ($response->getStatus() === 422) { common_debug(sprintf('Salmon (from profile %d) endpoint %s returned status %s. Diaspora? Will try again! Body: %s', $user->id, $endpoint_uri, $response->getStatus(), $response->getBody())); $headers = array('Content-Type: application/x-www-form-urlencoded'); $client->setBody('xml=' . Magicsig::base64_url_encode($envxml)); $response = $client->post($endpoint_uri, $headers); } // 200 OK is the best response // 202 Accepted is what we get from Diaspora for example if (!in_array($response->getStatus(), array(200, 202))) { common_log(LOG_ERR, sprintf('Salmon (from profile %d) endpoint %s returned status %s: %s', $user->id, $endpoint_uri, $response->getStatus(), $response->getBody())); return false; } // Success! return true; }
/** * * @param string $signed_bytes as raw byte string * @param string $signature as base64 * @return boolean */ public function verify($signed_bytes, $signature) { $signature = Magicsig::base64_url_decode($signature); return $this->publicKey->verify($signed_bytes, $signature); }
public function verify($env) { if ($env['alg'] != 'RSA-SHA256') { common_log(LOG_DEBUG, "Salmon error: bad algorithm"); return false; } if ($env['encoding'] != MagicEnvelope::ENCODING) { common_log(LOG_DEBUG, "Salmon error: bad encoding"); return false; } $text = Magicsig::base64_url_decode($env['data']); $signer_uri = $this->getAuthor($text); try { $keypair = $this->getKeyPair($signer_uri); } catch (Exception $e) { common_log(LOG_DEBUG, "Salmon error: " . $e->getMessage()); return false; } $verifier = Magicsig::fromString($keypair); if (!$verifier) { common_log(LOG_DEBUG, "Salmon error: unable to parse keypair"); return false; } return $verifier->verify($env['data'], $env['sig']); }
/** * Encode the given string as a signed MagicEnvelope XML document, * using the keypair for the given local user profile. We can of * course not sign a remote profile's slap, since we don't have the * private key. * * Side effects: will create and store a keypair on-demand if one * hasn't already been generated for this user. This can be very slow * on some systems. * * @param string $text XML fragment to sign, assumed to be Atom * @param User $user User who cryptographically signs $text * * @return MagicEnvelope object complete with signature * * @throws Exception on bad profile input or key generation problems */ public static function signAsUser($text, User $user) { // Find already stored key $magicsig = Magicsig::getKV('user_id', $user->id); if (!$magicsig instanceof Magicsig) { $magicsig = Magicsig::generate($user); } assert($magicsig instanceof Magicsig); assert($magicsig->privateKey instanceof Crypt_RSA); $magic_env = new MagicEnvelope(); $magic_env->signMessage($text, 'application/atom+xml', $magicsig); return $magic_env; }
function onEndXrdActionLinks(&$xrd, $user) { $xrd->links[] = array('rel' => Discovery::UPDATESFROM, 'href' => common_local_url('ApiTimelineUser', array('id' => $user->id, 'format' => 'atom')), 'type' => 'application/atom+xml'); // Salmon $salmon_url = common_local_url('usersalmon', array('id' => $user->id)); $xrd->links[] = array('rel' => Salmon::REL_SALMON, 'href' => $salmon_url); // XXX : Deprecated - to be removed. $xrd->links[] = array('rel' => Salmon::NS_REPLIES, 'href' => $salmon_url); $xrd->links[] = array('rel' => Salmon::NS_MENTIONS, 'href' => $salmon_url); // Get this user's keypair $magickey = Magicsig::staticGet('user_id', $user->id); if (!$magickey) { // No keypair yet, let's generate one. $magickey = new Magicsig(); $magickey->generate($user->id); } $xrd->links[] = array('rel' => Magicsig::PUBLICKEYREL, 'href' => 'data:application/magic-public-key,' . $magickey->toString(false)); // TODO - finalize where the redirect should go on the publisher $url = common_local_url('ostatussub') . '?profile={uri}'; $xrd->links[] = array('rel' => 'http://ostatus.org/schema/1.0/subscribe', 'template' => $url); return true; }
/** * Make sure necessary tables are filled out. */ function onCheckSchema() { $schema = Schema::get(); $schema->ensureTable('ostatus_profile', Ostatus_profile::schemaDef()); $schema->ensureTable('ostatus_source', Ostatus_source::schemaDef()); $schema->ensureTable('feedsub', FeedSub::schemaDef()); $schema->ensureTable('hubsub', HubSub::schemaDef()); $schema->ensureTable('magicsig', Magicsig::schemaDef()); return true; }
/** * Generate base64-encoded signature for the given byte string * using our private key. * * @param string $bytes as raw byte string * @return string base64url-encoded signature */ public function sign($bytes) { $sig = $this->privateKey->sign($bytes); if ($sig === false) { throw new ServerException('Could not sign data'); } return Magicsig::base64_url_encode($sig); }
public function getPayload() { $dom = new DOMDocument(); if (!$dom->loadXML(Magicsig::base64_url_decode($this->data))) { throw new ServerException('Malformed XML in Salmon payload'); } switch ($this->data_type) { case 'application/atom+xml': if ($dom->documentElement->namespaceURI !== Activity::ATOM || $dom->documentElement->tagName !== 'entry') { throw new ServerException(_m('Salmon post must be an Atom entry.')); } $prov = $dom->createElementNS(self::NS, 'me:provenance'); $prov->setAttribute('xmlns:me', self::NS); $data = $dom->createElementNS(self::NS, 'me:data', $this->data); $data->setAttribute('type', $this->data_type); $prov->appendChild($data); $enc = $dom->createElementNS(self::NS, 'me:encoding', $this->encoding); $prov->appendChild($enc); $alg = $dom->createElementNS(self::NS, 'me:alg', $this->alg); $prov->appendChild($alg); $sig = $dom->createElementNS(self::NS, 'me:sig', $this->getSignature()); $prov->appendChild($sig); $dom->documentElement->appendChild($prov); break; default: throw new ServerException('Unknown Salmon payload data type'); } return $dom; }
public function onProfileDeleteRelated($profile, &$related) { // Ostatus_profile has a 'profile_id' property, which will be used to find the object $related[] = 'Ostatus_profile'; // Magicsig has a "user_id" column instead, so we have to delete it more manually: $magicsig = Magicsig::getKV('user_id', $profile->id); if ($magicsig instanceof Magicsig) { $magicsig->delete(); } return true; }
public function onSalmonSlap($endpoint_uri, MagicEnvelope $magic_env, Profile $target = null) { $envxml = $magic_env->toXML($target, 'diaspora'); // Diaspora wants another POST format (base64url-encoded POST variable 'xml') $headers = array('Content-Type: application/x-www-form-urlencoded'); // Another way to distinguish Diaspora from GNU social is that a POST with // $headers=array('Content-Type: application/magic-envelope+xml') would return // HTTP status code 422 Unprocessable Entity, at least as of 2015-10-04. try { $client = new HTTPClient(); $client->setBody('xml=' . Magicsig::base64_url_encode($envxml)); $response = $client->post($endpoint_uri, $headers); } catch (HTTP_Request2_Exception $e) { common_log(LOG_ERR, "Diaspora-flavoured Salmon post to {$endpoint_uri} failed: " . $e->getMessage()); return false; } // 200 OK is the best response // 202 Accepted is what we get from Diaspora for example if (!in_array($response->getStatus(), array(200, 202))) { common_log(LOG_ERR, sprintf('Salmon (from profile %d) endpoint %s returned status %s: %s', $magic_env->getActor()->getID(), $endpoint_uri, $response->getStatus(), $response->getBody())); return true; } // Success! return false; }